President Trump Meets with the Prime Minister of Canada by Trump White House https://flic.kr/p/2hUyqii PDM 1.0

Canadian Health Data Requires Stronger Safeguards With Lost Canada-U.S. Trust

With today’s implementation of tariffs on both sides of the Canada-U.S. border, the level of mistrust between our countries has grown, whether expressed in urgent calls to “Buy Canadian” or in boos and catcalls at the playing of the American national anthem. Should we continue down this path, Mr. Trump will surely seek to exploit more of Canada’s potential vulnerabilities. Last week, I co-wrote an op-ed with Kumanan Wilson on one such vulnerability: our health data, whose protection has yet to attract much attention but which could emerge as an issue.

Canada is fortunate to have access to unique population-based health data, thanks to our publicly funded health system. This data is essential not only for provision of care, but also for monitoring population-wide health trends and as an integral component in the coming health artificial-intelligence revolution.

Much of our health care data starts with family physicians, local hospitals and Canadian health research facilities, but later winds its way into the hands of international companies. Many of those companies are based in the U.S. and subject to foreign legislation that could compel disclosure, even over the privacy objections of affected individuals. In other words, Canadian health privacy safeguards may have limited effect once the data is outside the country and no longer in the hands of Canadian-controlled entities.

These concerns are not new. The security and sovereignty of our health data emerged as a controversial issue more than two decades ago in the aftermath of the 9/11 attacks and the introduction of the USA PATRIOT Act. That law, alongside other legislation, established powerful rights for governmental authorities to demand that U.S. companies – as well as those companies subject to U.S. jurisdiction – provide access to personal data on national-security grounds. In response, many Canadian organizations chose to store health data on Canadian-based computer servers as a means to protect this data from U.S. legislation. In fact, some provinces enacted legislation mandating that personal health data be retained within Canada.

And Canada is hardly alone in this regard. In recent years, many countries have enacted similar rules, often referred to as “data residency” or “data localization” requirements that restrict the flow of data across borders in the hope of enhancing the enforceability of national privacy rules.

Given recent turbulent events and the diminishing trust between Canada and the U.S., it is entirely possible that Washington would seek enhanced access to sensitive Canadian data, notably including financial and health data. This data could be invaluable for developing AI algorithms, for instance, a current priority of the Trump administration.

In fact, some of the largest electronic medical records providers, including Epic, Cerner and Meditech, are headquartered in the U.S. and may be unable to avoid American legislation mandating disclosure of data in their possession, potentially under the pretext of a specious national-security argument, for example. Such a scenario would raise privacy alarm bells leading to urgent calls for the government to better protect the health data of millions of Canadians.

Mandated data localization requirements would be an important policy response from Canada. While the end goal would be to establish viable Canadian-controlled cloud services ready to compete with U.S. giants, this may be a way off. An interim measure would involve further beefing up Canadian privacy law by ensuring that Canadian health data is encrypted, resides on servers in Canada and is subject to serious penalties for non-consensual disclosures.

Yet even data localization rules are not without their challenges, since they may create a conflict of laws that puts companies between a proverbial rock and a hard place: Canadian privacy laws mandating that health data remain in Canada, and U.S. rules requiring disclosure under some circumstances. Faced with such a conflict, U.S. companies might well look to the courts for guidance.

In similar circumstances – for example, conflicts between mandated disclosure rules and privacy-protecting Swiss banking laws – courts have considered whether the foreign rules amount to a “blocking statute” in which the company would face serious penalties in the event of unauthorized disclosure. If a blocking statute is in place, the data need not be disclosed. Canadian privacy law would not meet that standard in its current form, requiring that tougher penalties be put in place.

Now is the time for the government to pursue long overdue safeguards to better protect Canadian health data.

7 Comments

  1. My personal experience with “Much of our health care data starts with family physicians, local hospitals and Canadian health research facilities” is that the computer systems for those places have a hard time talking to one another, if they can at all. A simple example would be the requirement for me, every time I go to see a specialist, to bring a list of my medications with me (I live in Ontario).

    So yes, while the issue exists, I am not so sure that it is at the top of the list of things that need to be addressed. First let's get the systems talking to one another seamlessly (hopefully saving the health care system some money), and just ensure that the data storage requirements reflect the privacy concerns.

  2. Laura Woods says:

    What specific technological or legal mechanisms beyond encryption and data localization could Canada develop to ensure that health data remains Buckshot Roulette secure and sovereign, even if U.S. courts rule in favor of disclosure under national-security pretexts?

  3. It would be fun if you could relax and join the game run 3 with me. An extremely attractive endless running game.

  4. I did consider, when the “buy Canadian” campaign started, how ironic it was that many Canadians would not be able to do so when it came to getting blood tests and similar tests at a Canadian-owned medical lab. Our two largest chains, Dynacare and Lifelabs, are American owned.

    While Lifelabs claims on its website that none of the health information it holds on millions of Canadians goes outside the country, I’ve never been able to find the same assurance on Dynacare’s site. And, my emails requesting such assurance to the company’s CPO were never returned.

    It also irritates me that any profit from these operations is now accruing to their owners: an American healthcare conglomerate and a group of U.S.-based robber funds.

  5. bubblyeducate says:

    Every track, regardless of length, feels like a new challenge; the notion of progression—where players may advance their drifting skills and go farther than their past effort—creates a positive loop. Drift Boss

  6. The discussion of data localization is particularly relevant. While keeping Canadian health data within national borders could enhance privacy protections, it also presents challenges, such as legal conflicts with U.S. regulations that might still demand access. Strengthening Canadian privacy laws—including stricter penalties for unauthorized disclosure—seems like a necessary step to ensure data sovereignty.

  7. You sprunki a bit of wisdom into my day, and now I feel equipped to tackle any challenge that comes my way
