Concerns Rise Over Canadian Health Data at Risk of U.S. Disclosure

By Natasha Laurent

Experts say that Canadian health data may still be vulnerable to U.S. actors, a prospect they find particularly alarming. This worry comes from the unintended consequences of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed in 2018. Michael Geist, a law professor at the University of Ottawa, makes a critical point: this legislation requires American companies to provide customer information necessary for U.S. criminal investigations, no matter where that data may be stored.

Geist has warned that foreign companies could be profiting from the use of Canadians’ health data. He continues to call for tougher provincial legislation on the issue. He further recommends improvements to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), so that Canadians are protected from any possible U.S. data requests.

With data privacy discussions heating up, Geist advocates for the establishment of Canadian cloud servers specifically for health data. He has been a strong proponent of keeping this information on Canadian soil, a change that would insulate it from foreign government pressure or intimidation.

The Implications of the CLOUD Act

The CLOUD Act gives U.S. law enforcement the power to access data held by American companies, even when that data is hosted on servers outside the United States. This has raised alarms among experts about how it puts Canadians’ personal health information at risk.

“It scares me to think how few Canadians understand what this law means,” Geist further observes. He concluded that Canadian privacy laws are inadequate to address the harms posed by American legislation. Under this U.S. law, companies could be required to disclose highly sensitive health information. Geist calls for a thorough evaluation of these laws, stating, “Canadian laws that may say they’ve got to provide appropriate protections for that data, but they may have U.S. law that could compel them to disclose that information.”

Discussions between Canada and the U.S. on a possible CLOUD Act agreement have been ongoing since 2022. Geist urges Canada to take a bold step forward to safeguard its citizens’ data.

The Need for Enhanced Data Protections

Dr. Sheryl Spithoff, of the family and community medicine department at the University of Toronto, shares Geist’s worries. She emphasizes the importance of additional protections for patient data, stating, “This data is patient data. It belongs to patients. That should be used for reasons that are in their interests, that bring them benefit, that don’t cause harm.”

Dr. Lorian Hardcastle, an assistant professor at the University of Calgary, reminds us that health data is very personal. She cautions that any further fraying of political relations between Canada and the U.S. will increase public anxiety about what is being done with their information and how it is being stored and used. Hardcastle argues, “There is a compelling argument to be made to say, ‘Well, you know, we just need to have this information stored in Canada and not have those dealings with American companies.’”

The risks of cross-border data transfers have led to demands for wider legislative reforms in Canada. Geist argues that a modernized privacy framework is essential to make sure that Canadians’ health information doesn’t end up in the wrong hands.

The Role of Cloud Service Providers

According to Synergy Research Group, three U.S. cloud service providers (Google Cloud, Microsoft Azure, and Amazon Web Services) control 61% of the market. This dominance makes the data privacy landscape particularly problematic in Canada. Each of these companies has policies on government data requests that it says adhere to the law.

For instance, Microsoft states, “Microsoft’s compliance team reviews government demands for customer data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order.” Customer trust is the foundation of Amazon’s business, so they are committed to protecting customer privacy. They only disclose customer data when a lawfully issued and enforceable subpoena requires it.

Despite these assurances, experts such as Michael Geist remain cautiously pessimistic. They are skeptical that these companies can really keep Canadian health data safe from U.S. legal requests. Geist argues for the necessity of Canadian cloud servers that can house sensitive health information without interference from foreign laws. He asserts, “We should be the ones to benefit from that. We should be the ones who are entitled to appropriate privacy protections.”
