Our economic stability depends on the strength of our supply chains. As world politics and offshore trade routes become increasingly unstable, so does our supply of essential goods and services, making it a matter of national importance to foster and support homegrown solutions.

Our government has invested billions to repatriate our supply chains, most recently, a $2.6 million investment under the National Trade Corridors Fund: “The digital project and study selected for investment intend to harness data and technological solutions to generate supply chain efficiencies along key Canadian trade corridors.”i

As we prioritize a national data supply chain strategy, it’s crucial that we not lose focus on the risks that data may face. Protecting our data from foreign access must be paramount.

Data sovereignty and the data supply chain

In a digital world, data supply chains play a crucial role in protecting sovereignty. We don’t allow foreign interests to own or control Canadian utilities, municipalities, national defense, or other critical infrastructure because we can’t risk letting a foreign power control the systems we need to function as a sovereign nation.

Data is part of our critical infrastructure, and whoever governs the cloud where it’s stored controls the data. Repatriating our data supply chain is an imperative—especially when it comes to sensitive government and citizen information. Canadian data requires a Canadian-controlled sovereign cloud.

Foreign owned = Foreign controlled

The Government of Canada white paper on Data Sovereignty and Public Cloud states, “As long as a CSP that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data.”ii

A CSP with offshore operations could be required to provide Canada’s sensitive data to a foreign government, exposing public service clients to a framework that doesn’t guarantee security and compliance.

When major US players like Amazon, Microsoft, and Google dominate 61 percent of Canada’s cloud market, users face the very real possibility that their data supply chain is subject to foreign laws because their CSP operates outside Canadian jurisdiction.

The true meaning of compliance

While the hyperscalers will tell you that they store your data locally, the truth is, their supply chain includes third-party contractors who have access to your data and can be forced by foreign governments to hand it over. And since the winds of politics can change direction at any time, you never know when your data could be at risk of foreign seizure.

The Government of Canada white paper on data sovereignty and public cloud states that, “Lack of full data sovereignty has the potential to damage the GC and third parties. Sensitive GC data could be subject to foreign laws and be disclosed to another government.”iii

For example, while your US-based CSP may have local offices in each country where they provide cloud services, as American companies they are subject to the US CLOUD Act. In its Data Law blog, Microsoft states, “The CLOUD Act amends US law to make clear that law enforcement may compel US-based service providers to disclose data that is in their ‘possession, custody, or control’ regardless of where the data is located.” iv

This means that data stored on US platforms such as Azure, Google, and AWS can be subject to a warrant or subpoena by the US federal government.v

And it puts Canadian data privacy at risk.

Here’s what a fully compliant CSP should provide:

· Cloud services aligned with Canadian government regulations, reducing legal risks and ensuring seamless compliance.

· Streamlined audits that ensure compliance with Canadian laws.

· All data managed within Canadian boundaries.

A true north strong solution: Protecting Canadian sovereignty

Canadians should have confidence that their personal information will be safe when they access public services. Ensuring data privacy and compliance fosters public trust and builds a strong and free society, able to function efficiently without fear of foreign interference. As a Canadian-owned and -operated company, ThinkOn is an exclusive Canadian provider with the contractual capability to sell and deliver cloud-based data management services to support both Federal Government Sensitive (PBMM) workloads and workloads from other levels of public sector entities in Canada.

Data sovereignty is our best defence against foreign interference

To protect our freedoms and Canadian values, we need to keep our data in Canada, where local laws and regulations will restrict foreign access.

At ThinkOn, we work with a select group of trusted partners. We don’t hide their identities because it’s important for you to know who has access to your data. With ThinkOn’s Canadian Sovereign Cloud, we guarantee a Canadian-only approach to data management that ensures all data remains within Canadian borders.

ThinkOn’s true sovereign cloud is operated by domestic cloud providers who offer dedicated cloud storage that complies with Canadian privacy laws. Being local means we can respond faster to security threats, data privacy rule changes, and shifts in the political landscape.

Protecting Canadian sovereignty: What you need to ask your CSP

Asking your cloud provider straight-talk questions makes the difference between maintaining control over your data or sacrificing your data privacy:

1. Is my data protected from foreign third parties in storage, transit, and during access?

2. Is my cloud provider certified to manage Protected B data in Canada?

3. Is my cloud provider compliant with the Canadian PBMM framework agreement?

4. Can my cloud provider provide full transparency on where their affiliates are located?

5. Is data managed by my CSP subject to the US Cloud Act or other foreign legislation?

If your CSP can’t—or won’t—answer these questions, they aren’t providing a true Canadian Sovereign Cloud.

Invest in homegrown talent to support domestic supply chains

ThinkOn is 100 percent Canadian-owned. We hire Canadians to manage our public service clients’ data, ensuring secure access within our borders. Our customer service is provided by local compliance experts who understand changing Canadian laws and industry regulations.

Here at ThinkOn, we understand the importance of homegrown solutions and technology advancements. As part of our mandate to support advanced research and development, and contribute to Canada’s skills development, ThinkOn has partnered with Canadore College in North Bay, Ontario to open a Global Security Event Operations Centre (SOC) run by a Canadian research and response team.

Our association with Canadore is an investment in developing home-grown talent, offering opportunities to skilled Canadian cybersecurity students and contributing to the future of the Canadian technology industry and Canadian data sovereignty.

Learn how to protect Canadian data sovereignty in our ThinkOn Data Sovereignty blog series or listen to the Cloud First to Cloud Smart podcast on CGE Radio.

About ThinkOn: Think On, Inc. is a Canadian-owned and -operated company. With data centres across Canada, ThinkOn is the only Canadian CSP capable of offering complete data sovereignty to the Government of Canada, including secure operational supply chain sovereignty. We are PBMM certified and the first Canadian VMware Sovereign Cloud partner, providing the most secure environment for Canadian data.

i Government of Canada. Transport Canada. 2024. “Government of Canada invests in projects in Quebec to improve supply chains.” https://www.canada.ca/en/transport-canada/news/2024/01/government-of-canada-invests-in-projects-in-quebec-to-improve-supply-chains.html

ii Treasury Board of Canada Secretariat. “Government of Canada White Paper: Data Sovereignty and Public Cloud” https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/gc-white-paper-data-sovereignty-public-cloud.html

iii Ibid.

iv Microsoft. “About our practices and your data.” https://blogs.microsoft.com/datalaw/our-practices/#how-many-enterprise-cloud-impacted

v The US Department of Justice. “The Purpose and Impact of the Cloud Act,” https://www.justice.gov/criminal-oia/page/file/1153466/download