Canada Data Privacy

Overview

AWS customers can design and implement an AWS environment and use AWS services in a manner that satisfies their obligations under Canadian federal, provincial, and territorial privacy laws.

Customers are always in control of how they manage and access their content stored on AWS. AWS does not have knowledge of what customers are uploading into its services, including whether or not that data is deemed subject to Canadian privacy laws, and customers are responsible for ensuring their own compliance with any applicable laws.

The AWS Data Processing Addendum (AWS DPA), also referred to as a data transfer agreement, applies globally and includes specific contractual commitments to adequately address the roles and obligations of each party with respect to the privacy and security of personal data.

There are several laws in Canada that relate to the protection of personal information. Enforcement of these laws is handled by various government organizations and agencies at the federal, provincial, and territorial levels.

At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) may apply to the collection, use, and disclosure of personal information within the private sector, and the Privacy Act may apply within the public sector. The Office of the Privacy Commissioner of Canada (OPC) oversees the application of both laws.

Canadian provinces and territories have also adopted their own privacy laws for both the public and private sectors, as well as privacy laws specific to certain types of personal data, such as personal health information. The OPC website provides an overview of these provincial and territorial laws and authorities.

For customers who wish to process their data in Canada, the AWS Canada (Central) Region near Montreal and the Canada (West) Region near Calgary are available. For a complete list of AWS Regions and services, visit the Global Infrastructure page.

FAQs

• How can customers determine which Canadian privacy law(s) apply to their use case?

  Whether, and the extent to which, an AWS customer is subject to PIPEDA, the Privacy Act, or any other Canadian privacy requirements may vary depending on the customer’s business and use case. Customers should consult their own legal advisors to understand the privacy laws to which they are subject.

• How can customers comply with Canadian privacy laws on AWS?

  Customers that are subject to Canadian privacy laws may have to comply with requirements relating to the collection, access, use, disclosure, and protection of personal information. AWS gives customers control over how their content is stored or processed when using AWS services, including control over how that content is secured and who can access that content. AWS provides services that customers can configure and use to aid in the security of personal information they store on AWS, and it is the responsibility of the customer to architect a solution that meets applicable privacy requirements.

  AWS provides workbooks, whitepapers, and best practice guides on our AWS Compliance Resources Page, and customers have on-demand access to AWS’s third-party audit reports in AWS Artifact.

• Do any Canadian privacy laws prohibit an AWS customer from transferring or storing personal data outside of Canada?

  Customers should consult their own legal advisors to determine which Canadian privacy laws or other obligations may apply to their organization and use case.

• Do any Canadian privacy laws require personal information to be encrypted?

  Entities subject to Canadian privacy laws are required to take steps to safeguard personal information, and it is the responsibility of each customer to determine whether encryption is necessary in order to satisfy its security and compliance obligations.

  AWS recommends that customers encrypt their data at rest and in transit as a best practice. For additional guidance, refer to Encrypting Data-at-Rest and Data-in-Transit.

• What is the customer's role in securing their content on AWS?

  When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:

  • Security measures that AWS implements and operates — "security of the cloud"; and
  • Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services — "security in the cloud".

  

  Under the AWS Shared Responsibility Model, AWS customers retain control of what security they choose to implement to protect their own content, platform, applications, systems, and networks, no differently than they would for applications in an on-site data center. Customers can use familiar security measures, such as encryption and multi-factor authentication, to protect their data and address their compliance requirements, in addition to AWS security services and features like AWS Identity and Access Management (IAM).

• Who can access customer content on AWS?

  Customers maintain ownership and control of their customer content and select which AWS services process, store, and host their customer content. AWS does not access or use customer content except as necessary to maintain or provide the AWS services selected by a customer or as necessary to comply with the law or a binding order of a governmental body, as set out in the AWS Customer Agreement.

  Customers using AWS services maintain control over their content within the AWS environment. They can:

  • Determine where it will be located, for example by selecting the type of storage environment and geographic location of that storage;
  • Control the format of their content, for example plain text, masked, anonymized, or encrypted, using either AWS-provided encryption or a third-party encryption mechanism of the customer’s choice;
  • Manage access controls, such as AWS Identity and Access Management (IAM); and
  • Control whether to use encryption, Amazon Virtual Private Cloud (VPC) features, and other network and data security measures to prevent unauthorized access.

  This allows AWS customers to control the entire lifecycle of their content on AWS and manage their content in accordance with their specific needs, including content classification, access control, retention and deletion.

• Where is customer content stored?

  The AWS Global Infrastructure gives you the flexibility of choosing how and where you want to run your workloads. As a customer, you choose the AWS Region(s) in which your customer content is stored, allowing you to deploy AWS services in the location(s) of your choice, in accordance with your specific requirements. If you want to discover our flexible storage options, see the AWS Regions webpage.

  You can replicate and back up your customer content in more than one AWS Region. We will not move your content outside of your chosen AWS Region(s) without your agreement, except in each case as necessary to comply with the law or a binding order of a governmental body. However, it is important to note that all AWS services may not be available in all AWS Regions. For more information about which services are available in which AWS Regions, see the AWS Regional Services webpage.

• What security measures does AWS have in place to protect systems?

  AWS is architected to be the most secure global cloud infrastructure on which to build, migrate, and manage applications and workloads. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services, which provide powerful controls, including security configuration controls, to customers for the handling of personal data.

  AWS provides several compliance reports from third-party auditors who have tested and verified our compliance with a variety of security standards, including SOC 2 Type 2, ISO 27001, ISO 27017, and ISO 27018. In Canada, AWS services are also assessed by the Canadian Centre for Cyber Security.

  To provide transparency on the effectiveness of these measures, we provide access to the third-party audit reports in AWS Artifact. These reports show our customers that we are protecting the underlying infrastructure upon which they store and process personal data. For more information, visit our Compliance Resources.

• How does AWS secure its data centers?

  The AWS data center security strategy is assembled with scalable security controls and multiple layers of defence that help to protect your information. For example, AWS carefully manages potential flood and seismic activity risks. We use physical barriers, security guards, threat detection technology, and an in-depth screening process to limit access to data centers. We back up our systems, regularly test equipment and processes, and continuously train AWS employees to be ready for the unexpected.

  To validate the security of our data centers, external auditors perform testing on more than 2,600 standards and requirements throughout the year. This independent examination helps ensure that security standards are consistently being met or exceeded. As a result, the most highly regulated organizations in the world trust AWS to protect their data.

  Learn more about how we secure AWS data centers by design by taking a virtual tour.