Canadians' health data at risk of being handed over to U.S. authorities, experts warn

CBC

31-07-2025

Canadians' electronic health records need more protections to prevent foreign entities from accessing patient data, according to commentary in the Canadian Medical Association Journal.
"Canadian privacy law is badly outdated," said Michael Geist, law professor and Canada Research Chair in internet and e-commerce law at the University of Ottawa and co-author of the commentary. "We're now talking about decades since the last major change."
Geist says electronic medical records systems from clinics and hospitals — containing patients' personal health information — are often controlled by U.S. companies. The data is encrypted and primarily stored on cloud servers in Canada, but because those are owned by American companies, they are subject to American laws.
For example, Geist points out, the U.S. passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act in 2018, which can compel companies to disclose customer information for criminal investigations, even if it's stored outside the United States. The law allows for bilateral agreements with the U.S. and other countries. Canada and the U.S. began negotiations in 2022.
The companies have "Canadian laws that may say they've got to provide appropriate protections for that data," Geist said. "But they may have U.S. law that could compel them to disclose that information."
Canada's laws, Geist says, have not yet found a way to respond to that.
How health data could be used
The CMAJ commentary says "serious privacy, security, and economic risks arise when companies in other countries hold and use Canadian data."
Among them, the authors point to the potential use of that information for law enforcement surveillance, or by private companies seeking to use the data to make money.
Health data is deeply personal, and ongoing Canada-U.S. political tensions may cause some to be even warier about where and how their information is stored and used, says Lorian Hardcastle, assistant professor in the law faculty and Cumming School of Medicine at the University of Calgary.
"There is a compelling argument to be made to say, 'Well, you know, we just need to have this information stored in Canada and not have those dealings with American companies,'" said Hardcastle.
Aside from the CLOUD Act, another concern Geist lays out is the potential for foreign companies to profit off of Canadians' health data. With the growth of AI, Geist says that data has become increasingly valuable — a tremendous pool of information that could potentially be used to generate AI algorithms. (The cloud companies say their customers own and control their own data.)
"We should be the ones to benefit from that," Geist said. "We should be the ones who are entitled to appropriate privacy protections."
Dr. Sheryl Spithoff, an assistant professor at the University of Toronto, says these risks highlight how Canada's privacy laws fall short.
"This data is patient data. It belongs to patients. That should be used for reasons that are in their interests, that bring them benefit, that don't cause harm."
Tech companies respond
The CMAJ commentary says three U.S. cloud companies dominate: Google Cloud, Microsoft Azure and Amazon Web Services.
Google told CBC News that "customer data belongs to our customers, not to Google Cloud." It says, like many tech companies, it gets requests from governments and courts to disclose customer information, usually as part of criminal investigations. The company says it follows a "transparent, fair, and thorough process" to respond. It didn't comment specifically about Canadian health data.
"Google provides a response on a case-by-case basis, taking into account different circumstances and informed by legal requirements, customer agreements, and privacy policies," it said.
"We are committed to protecting privacy while also complying with applicable laws."
Microsoft said that in the second half of 2022, of the nearly 5,000 demands for "consumer data" it received from U.S. law enforcement, 53 warrants sought content stored outside of the U.S.
"Microsoft's compliance team reviews government demands for customer data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order."
Amazon said it "does not disclose customer information in response to government demands unless we're required to do so to comply with a legally valid and binding order."
In a statement, a spokesperson for Amazon Web Services wrote "there have been no data requests to AWS that resulted in disclosure to the U.S. government of enterprise or government content data stored outside the U.S. since we started reporting the statistic."
Limits to Canada's privacy laws
Privacy experts say the failure of Canada's privacy laws to keep pace with changing technology has put the country's data sovereignty at risk.
Geist says strengthening provincial laws and the federal Personal Information Protection and Electronic Documents Act, known as PIPEDA, could help create a guardrail against potential U.S. data requests reaching into Canada.
In his commentary, Geist calls for "stronger penalties for unauthorized disclosure of personal information without consent and guidance that foreign court orders related to Canadian data are unenforceable in Canada."
Innovation, Science and Economic Development Canada says PIPEDA applies when transferring data across the border, but Geist says the law itself isn't robust enough.
Geist also calls for the country to develop Canadian cloud servers for health data, and to ensure that data is hosted on Canadian soil.
The wealth of health information generated by the health-care system should stay in Canada and benefit Canadians, Geist says. He and his co-authors see the potential for health AI algorithms to be developed in Canada by Canadian companies, with robust safeguards, to support health-care decisions "based on data representative of Canada's population."