Storing Customer Data on Servers Outside Canada: Good or Bad Practice?

The issue: Can we send contact database files outside of Canada?
Pascale Guay
1 September 2013
Data Management
2 min 15
Conservation de données à l’extérieur du Canada : bonne ou mauvaise pratique ?

Over the past month, I’ve had to review several contractual clauses that organizations must follow under Canadian privacy laws. Research I conducted to verify if it was possible to use the services of third parties to process data. The issue: Can we send contact database files outside of Canada?

I will not give legal advice, but simply expose guideline rules that have helped us to determine if we could use the third party servers located outside of Canada. I invite you to consult your legal counsel for advice that applies to your organization and its territory. And, in the meantime, be immediately reassured, we keep our customers’ data in Canada.

To answer the question, I did some research on this subject.

The general conclusions that I take from my research are found on the website for the Office of the Privacy Commissioner of Canada. They give key recommendations that apply to all organizations in Canada:

The transferring organization is accountable for the information in the hands of the organization to which it has been transferred.

Organizations must protect the personal information in the hands of processors. The primary means by which this is accomplished is through contract.

No contract can override the criminal, national security or any other laws of the country to which the information has been transferred.

It is important for organizations to assess the risks that could jeopardize the integrity, security and confidentiality of customer personal information when it is transferred to third-party service providers operating outside of Canada.

Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.”

Because we are not able to ensure security and data access procedures, nor to discuss the contract with U.S. suppliers, we rejected the American solutions of cloud computing to prefer the use of data in Canada. Furthermore, even if the law is not formal in this regard, we will not take unnecessary risk of exposing ourselves to other acceptable data use practices, which are not permitted here in Canada at all, such as sharing contact lists.

Finally, to avoid any difficulties and meet the highest standards of safety, we prefer not to send or share any customer data on servers outside Canada. With all the controversy of the use of U.S. data with the Snowden case, I think it is a wise decision. What do you think?

Find out how your company can benefit from Dialog Insight.

Read also

Blog

How to Manage the Customer Lifecycle to Drive Loyalty and Increase Revenue

Learn how to turn each touchpoint into an opportunity for growth with lifecycle marketing tailored to your business model.

Blog

Cloud Act and Other Data Laws: What Your Business Needs to Know 

The Cloud Act isn’t the only law affecting your data privacy. Learn the legal risks and how to protect your business effectively.

Blog

Hosting vs. Data Management: What Businesses Need to Know 

Hosting your data in Canada or Europe isn’t enough. Learn why data control—not just location—is key to ensuring true data protection.

Omni-Channel Marketing Campaign

Is it time to break up with your A/B testing strategy?

You’re probably strapped for time and resources to understand what’s wrong with your A/B testing strategy. There are some common mistakes you should consider before heading to divorce court.

Data Management

A Quick Guide to Keeping Quality Email Lists

Having a quality email list does not only mean making sure you have people's permission to contact them. Continuous and proactive management is necessary to maintain this quality at all times.

Omni-Channel Marketing Campaign

Drive-to-store campaigns

Generating traffic in stores is often a goal to be achieved in retail stores. In addition to traditional advertising, the web can also do this very well. Here are a few examples.