Canadian Data Residency - Everything You Need to Know

One of the riskiest moves in shifting to the cloud is choosing a company to provide your managed cloud hosting services. Depending on what type of cloud hosting and data storage you choose, your data could be stored on servers in another country.

There are several risks in housing your data in an unknown location:

  • The laws of the other country may not provide adequate protection.
  • You may not have any way to recover lost data should the company go out of business.
  • The country may be politically or economically unstable, resulting in the loss of your data.

If you are an Alberta-based business with compliance requirements you must meet, this guide will help you understand Canadian Data Residency and how you can meet residency requirements, move your data to the cloud, and benefit from cost-effective risk mitigation.

Canada Privacy Act

Email encryption, worrying about data storage, or storing data outside of business walls were matters of little or no concern when every company kept paper files in locked cabinets.

Canada has been regulating the management of personal information privacy for almost 35 years, ever since the Government of Canada enacted the Privacy Act in 1983.

This Act applied to departments within the Government of Canada as well as each provincial government system.

Twenty years later, in order to address the privacy issues that accompanied the development of online commerce, the 1983 requirements were broadened to include private sector organizations that electronically maintain personal information.

Data Residency Laws in Canada

Canadian data residency requirements were initially developed to address Canadian government agencies shifting to the cloud as part of the cloud-first adoption strategy.

The government established this cloud-first strategy in recognition that the private industry needs to:

  • Deliver services at the same speed and ease, and
  • Ensure the personal data they processed and stored was as protected as possible.

However, further risks associated with storing data in the cloud outside of the country, even in the US, were identified. Subsequently, the government developed measures to address how and where data could be stored through Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

Alberta’s and British Columbia’s version of PIPEDA is the Personal Information Protection Act (PIPA). Other regulations addressing data privacy that may impact your business include:

  • PHIPA: Personal Health Information Protection Act (ON)
  • PHIPAA: Personal Health Information Privacy and Access Act (NB)
  • PHIA: Personal Health Information Act (NS, NL)
  • Quebec Privacy Act (QB)


These new parameters were established in 2004 under the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA originally applied only to the federally regulated private sector.

For example, banks, airlines, and telecommunications companies were required to follow the guidelines, but businesses, such as retailers, were not subject to its conditions.

More recently, PIPEDA was amended to include provincially regulated organizations, such as many businesses within the retail sector, service industries, manufacturing, and more.

However, the requirements do not apply to personal employee information; rather, they apply strictly to personal consumer information.

On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), thereby amending PIPEDA.

There are numerous additional requirements within the DPA, but we place an emphasis on the stipulation that Canadian citizens’ digital information stored within Canadian borders can only be distributed by means of email encryption systems.

Data Residency Requirements for Canadian Businesses

While PIPEDA does not mandate that companies keep their data within Canadian borders, it does specify how Canadian citizens’ information can be stored.

Businesses are held responsible for the data they collect, process, transfer, and store. Additionally, they are mandated to provide protection of that data at all times.

Because the laws are different in countries outside of Canada, protecting data during transmission and storage to a foreign cloud server puts your business at risk. The rules are even stricter for certain industries, such as the financial sector.

In addition, businesses that have customers in the EU or California may also be subject to additional privacy regulations from the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Achieving Data Residency in the Cloud

The ITeam can provide email encryption and storage compliance by using Microsoft 365 and  Microsoft Azure.

Microsoft Azure includes a strong email encryption system and is now available through local datacenter regions in Toronto and Québec City.

Furthermore, Microsoft 365 has the capability of providing in-country data residency.

Thus, The ITeam can offer a combination of 365 and Azure that meets the encryption and data residency requirements of the DPA.

Azure Data Residency Key Questions and Answers

The following is a brief Q&A regarding some of the central issues involved in DPA cloud compliance:

Does any encrypted document ever reside on US or foreign soil?

No. If you use a Canadian billing address for your data, Microsoft 365 and Azure cloud services will be hosted automatically in a Canadian data center.

Does all information remain in Canada?

Yes. Microsoft hosts data based on geographic location, so all information remains in Canada. More specifically, as described above, the data is stored regionally in Toronto and Québec City.

What are the most important elements of encryption?

Regulated data is encrypted both while it is “at rest” and while it is being transmitted between a data center and a user. The level and type of encryption used to protect files and emails can be customized by end users and administrators. This allows maximum data security and management flexibility.

How is in-country data center integrity ensured?

Microsoft Azure uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East, and Africa), and Asia, so security keys can be used only in the region of residency.

Is data ownership and control compromised in any way?

No. Both Microsoft 365 and Microsoft Azure leave data ownership and control in the hands of individual organizations. Neither data ownership nor data control is ever compromised.

Microsoft Azure provides organizations with a reliable, scalable, and secure infrastructure environment, allowing organizations to improve customer experience, drive innovation, and manage costs. With the availability of Canada-based data cloud services and storage, it is worth considering shifting your organization to the cloud and evaluating solutions like Microsoft Azure.

The ITeam is a Microsoft Certified Partner committed to helping Calgary- and Alberta-based businesses develop proactive IT strategies that keep them competitive. Contact us to learn more.