Canadians’ social media data not stored in country, study finds | #socialmedia


Reading Time: 4 minutes

By Pooja Rambaran

Social media platforms such as Facebook and Twitter transfer and store user data in a variety of jurisdictions outside of Canada, according to a recent discussion paper by the Cybersecure Policy Exchange (CPX) at Ryerson.

The study found that most social media privacy policies do not explicitly state the jurisdictions in which the personal data of their users are stored, processed and transferred. This means that “social media platforms can easily transfer personal data between various countries with little oversight or transparency,” the paper reads.

Yuan Stevens, co-author of the study, said the core belief of the paper is that “people in Canada deserve to have control and autonomy over their personal data as a critical aspect of cybersecurity.”

Stevens described personal data as anything that relates to someone as a specific, identifiable person. 

Almost every major social media platform—including Facebook, Instagram, LinkedIn, Snapchat, Twitter and TikTok—has faced major security breaches in the last five years, according to the CPX report written by Stevens, Mohammed Masoodi and Sam Andrey. 

In 2018, Cambridge Analytica, a data analytics company, was found responsible for improperly collecting personal data of millions of Facebook users. The paper states of these 87 million users, more than 600,000 were Canadians.

As technological companies routinely face buy-outs, mergers and bankruptcies, the storage and protection of personal data may change outside of Canadian regulation. “Malicious hackers can also take advantage of data stored in locations where the data are subject to weak data protection safeguards,” the paper states.  

“Our data protection laws have historically given ample freedom to corporations to treat our personal data as they please with little legal oversight,” said Stevens. 

The Personal Information Protection and Electronic Documents Act (PIPEDA) is responsible for protecting the personal data of social media users in Canada. 

However, it does not prohibit companies from transferring data to third parties or other jurisdictions. When transferring this data to third parties, PIPEDA cited that organizations should provide a comparable level of protection for the collected data to what it would’ve received had it remained within the company. 

Yet the act does not specify the meaning of the term “comparable level of protection” and this is left up to the discretion of the individual companies.

“The self-regulatory approach of PIPEDA fundamentally jeopardizes the security, privacy and protection of personal data for users of social media platforms,” the paper reads, adding that this data can be transferred to a variety of jurisdictions without the knowledge of Canadian social media users and with little restrictions under the Canadian privacy law. 

“People in Canada deserve to have control and autonomy over their personal data as a critical aspect of cybersecurity”

On the contrary, the European Union’s (EU) General Data Protection Regulation (GDPR), requires organizations that collect personal data of their constituents to comply with their obligations, including legally-binding corporate rules or clear consent for the transfer of data, the paper states. 

Those who violate the privacy and security standards set by the GDPR are subject to harsh fines, possibly amounting to as high as 20 million euros, according to the GDPR website. 

“In Europe, data protection is an extension of human rights, where the right to control your personal data…is a part of informational self-determination,” said Stevens. “But in Canada, our data protection laws ensure no such protection to people.”

The researchers of the study found that some Canadians were mainly concerned with external government surveillance primarily from China and the U.S. Other Canadians indicated a lack of trust with current Canadian institutions as they believe that storage in Canada could still be improperly surveilled or used, the paper states. 

The authors of the paper suggested three policy changes that can be employed by the Canadian government to improve their current data protection laws—comparable protection, consent and special protections for sensitive personal data. 

A recent survey by CPX found that 86 per cent of Canadians support policies to keep Canadians’ data within Canada. 

Siya Joshi, a first-year computer science student, was previously unaware that Canadian laws allow companies to release user information across borders. 

“I would like to know where any personal information I store on my