Home Ice Advantage: Securing Data Sovereignty for Canadians on Social Media

Abstract

More than three in four Canadians use social media platforms to connect with others here at and around the world, often sharing life’s most intimate moments through public posts and private messages. In doing so, Canadians entrust these companies to secure and protect their personal data, which can include a wide range of sensitive information, such as their political opinions, or details on their sex life, personal finances and health. These companies are also entrusted to secure the sensitive data that they track and store, such as users’ location, search histories and biometric information such as facial features. But that trust is waning. Our surveys of Canadians indicate that social media platforms are the least trusted organizations in Canada to keep personal data secure and to act in the best interests of the public. As legal battles swirl between Europe, the U.S. and China over how to protect Facebook and TikTok data travelling across borders, there remain inadequate protections over how Canadians’ personal data are transferred and stored. This threatens Canadian sovereignty, and the digital security and privacy of millions of Canadians. Personal data can be accessed by national security and law enforcement agencies without sufficient legal protection under Canadian law in countries around the world. Technology companies can experience buy-outs, mergers and bankruptcy that can change where personal data are stored and the privacy protection they receive. Malicious hackers can also take advantage of data stored in locations where the data are subject to weak data protection safeguards. Social media platforms store the personal data of their Canadian users around the world, and provide little to no transparency as to where their data are stored or transferred to third parties. Canadian privacy law does not require users to consent to personal data transfer outside of Canada. Our research shows that many popular platforms transfer data to a variety of jurisdictions, and none specifically cite Canada as a country of storage. Nor are there meaningfully enforced limits on the transfer of personal data to jurisdictions with insufficient protection against surveillance or unauthorized access. In the two decades since the enactment of Canada’s current privacy law, there has not been a single fine or enforced remedy against companies transferring personal data outside of Canada with insufficient protection. Jurisdictions around the world are introducing a range of new approaches to address these challenges and ensure data protection laws extend to data moved outside its borders, including outright bans on cross-border transfer, new requirements for informed consent, and rigorous evaluations of other jurisdictions’ data protection regimes. While these notions can challenge the idea of a free and open Internet, Canadians are looking for answers — our recent survey finds that 86% of Canadians support requirements to keep Canadians’ data within Canada. This discussion paper lays out public policy options for how Canadian privacy law should protect the security and privacy of personal data stored outside of Canada. Advancing these protections for Canadians should complement ongoing efforts to advance international cooperation and governance of digital privacy and security, for example through bi- and multilateral agreements. The global fight over data is likely only to intensify in the coming years, and a key test for Canada’s sovereignty will be how it is positioned among its international peers. Canada must define its position internationally, with the U.S., China, and the European Union all showing very different models of governance. This paper is meant to advance public engagement and policy development in Canada going forward to maintain our home ice advantage.