A new government white paper on digital sovereignty says Ottawa can’t maintain full control over its data if its data storage supplier is subject to the laws of another country.
The statement you say is contradictory isn’t, in that they differentiate “operate completely under Canadian jurisdiction” from businesses just ‘storing data in Canada’, or ‘using a Canadian supplier’. For example Telus is one of our big telcos. Telus has significant business ties to US companies, in that their email is just reselling either Microsoft or Google, and their VoIP is just reselling US Ring Central (even uses the same servers for call routing). Telus is currently a “Canadian” company that is effectively just a US software supplier, that has data ‘reside’ in Canada when it’s demanded by client/regulatory requirements. Telus is beholden to US laws and regulations. Even the data that Telus has “residing” in Canada is potentially subject to US laws and regulations – that’s what the Cloud Act solidified: basically the US govt’s authority to coerce any business that wants to do business in/with the US to give up that company’s data from anywhere in the world.
When it comes to something like AI and training on user data – companies like Microsoft and Google don’t really care all that much about Canada’s legislation / sovereignty, especially as the US is letting them write their own regulation down south. So any email that goes through US tech giant servers is likely getting ingested / processed by US AIs, with US laws / trends in mind.
It’s not contradictory really, though the lack of a link to the white paper is definitely lazy journalism. I’m ‘guessing’ the paper is here: https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/digital-sovereignty/gc-white-paper-data-sovereignty-public-cloud.html . I haven’t read through that yet, so it’s just a guess.