The Mark 2010

When our online activities cross international borders, they are no longer protected by Canadian law.

Like many countries, we’ve become dependent on a lot of services controlled by entities beyond our borders. Often, unbeknownst to us, our digital activities expose us to powerful foreign legislation like the U.S. Patriot Act and its far-reaching powers.

In the physical world, when we cross the border into another country, we understand – or should understand – that we are now subject to the laws of that country. What many don’t realize, though, is that our digital transactions and data cross borders with great frequency.

It is often very difficult or impossible to determine whether our digital activities are wholly contained within Canada or not. It would seem natural that a transaction between a Canadian consumer and a Canadian company would be wholly under the jurisdiction – and protection – of Canadian law, but is it true? What if the website is hosted on a server located in the U.S.? What if payment is made through American-owned PayPal? Even a seemingly insignificant detail such as an email confirmation of a transaction that is sent to a Gmail or Hotmail account takes the transaction information through foreign-owned servers.

Most Canadians who are online use foreign-owned services like Google, YouTube, Skype, MSN Messenger, Twitter, or Facebook, to name only a few. And while we may occasionally consider whether or not we want these companies collecting data about what we say and do online, we seldom, if ever, consider the broader implications of that data collection. Collectively, it paints a detailed picture of individual Canadians – and when that data resides beyond our borders, it is also largely beyond our control and potentially subject to intrusive foreign laws.

Furthermore, companies are increasingly building services on scalable cloud computing platforms offered by companies like IBM, Microsoft, and Amazon that are usually hosted elsewhere. Many companies also use online software services provided by a third party, and have no idea where their data actually resides.

We’re effectively outsourcing much of the digital infrastructure of our online world. And when you do that, you can lose control. While we can control some of what happens within our borders – for example, Canadian privacy laws made Facebook change how it operates in Canada – we simply can’t control what occurs beyond them.

This isn’t a plea for regulatory intervention. But we do need to consider our digital sovereignty as part of our national digital strategy. It is important to educate consumers and companies about the risks associated with data that transcends borders.

The responsibility for the privacy and security of our data cannot be ignored. We need to ensure that we have digital infrastructure services that are wholly contained within our country.