They are adamant about using “Canadian resident” cloud services that are provided by US-controlled cloud service providers. In these cases, data sits in “Canadian” data centers, at least partially, but is effectively controlled, and accessible by, US companies. Data residency doesn’t prevent the data from being processed, accessed or used by foreign countries; it just means you need to save a copy on a Canadian server. But even data on foreign servers (to the USA), if/when accessible by US companies, the USA government, through the Patriot Act and CLOUD Act, has established such data is very much within their scope.
Consider a company like Telus. Telus offers email, but it’s actually just Gmail or O365. Gmail and O365 are both US-controlled companies. The servers are generally within US-based cloud service providers. Telus offers Business Connect for VoIP services. That service is actually just RingCentral. They even route all your traffic through US-based RingCentral servers. That data is exposed to US companies. That’s one of Canada’s major telcos, shoveling everyone’s data over to the USA.
Even the Canadian government has stated that having your data in a US-company controlled tech stack means you have no data sovereignty. The most likely reason the Canadian govt is trying to build a bunch of data centers is because they want to make sure they have the infrastructure for a ‘sovereign’ public cloud service provider, as an alternative to USA’s AWS/Azure – similar to setups you see in the EU. In the white paper linked above, they effectively admit that the data residency requirements in privacy legislation are insufficient for protecting Canada’s data / systems – but they can’t realistically think about pushing privacy legislation to change from ‘residency’ to ‘sovereignty’ until they have the infrastructure to support most critical industries in a sovereign space.
Having access to this data, to use however they want, is also something that Rubio explicitly ordered the US Govt wings to fight to maintain access to in foreign nations. They’re actively integrating any data they can touch into their AI surveillance programs, and view other nations taking back control of their data as a “national security threat” to the USA. And they explicitly want to challenge any legislation, such as Bill C-22, as part of that initiative.
*made some edits to clarify some bits a little.
That’s a great response. Thank you. I now worry that far too many people are lulled into a false sense of security because they run a VM on GCP based in Montreal.
Well, if it makes you feel better, a smaller business doing that is a big nothin-burger in some ways. I mean, our financial regulators have all of their data in US cloud service providers – the same regulators that demand industry submit copious amounts of private data to them for “risk management” reasons. Like in BC, if you have a mortgage with a credit union, that credit union submits your job title, employer, income, strata fees, address, loan amounts, etc etc in plain text to a Microsoft portal – so it’s all up for grabs by the USA, through the regulators that are claiming they ‘reduce’ risk.
So even if you have a bank/CU that’s largely sovereign in its own stack, they’ll STILL have exposure to this crap because our govt is so janked.
So basically we are all just fucked no matter what we do?
Going for sovereign-minded providers helps a bit, at least in terms of resiliency against US pressures, and for (HOPEFUL) future proofing once the govt gets its shit together.
Like I’m pissed off that BC is losing its last semi-sovereign open bond credit union. If you can find a financial institution that takes data sovereignty seriously, they’ll be in a ‘better’ position to protect your data if/when the govt shifts its policies, and they’ll be in a better position in general in terms of withstanding any US pressure on existing services (even if they won’t be perfect). But you really gotta treat it as a “this is the best we can do, for now” type thing, and try to keep up the pressure to remove those ties.
I’d say the same goes for other industries as well, but I’d focus most on trying to get sovereign-minded setups for any critical industry that you find yourself using regularly. I’d also try to make sure to explicitly add more sovereign-oriented news sources to feeds where possible – CBC, local news rags, etc. To effect change, for any coop/AGM type thing that you can attend/ask questions, prod about the data sovereignty issue. Like if Credit Union AGMs all had members asking these questions, regulators would take notice, and it’d get a LOT more traction.
For luxuries, I’d still personally try to avoid the USA – but luxuries are luxuries. Whatever makes you happy, gotta have some joy in this dumpster fire we’re all wading through.