The head of Norton Rose’s tech group says cross-border data flows are getting increased scrutiny
Canadian companies are no longer treating data localization as a niche compliance task; they are treating it as a strategic choice that affects their exposure to foreign laws, national security risk, and ensures operational resilience, says Imran Ahmad, a senior partner at Norton Rose Fulbright Canada LLP, and the firm’s Canadian head of technology and co-head of cybersecurity and data privacy. Data sovereignty is the “hottest topic right now,” he says.
For years, cross-border transfers sat in the background of outsourcing deals and privacy policies, handled by boilerplate language and vague assurances from global vendors. That is changing as clients ask hard questions about how statutes such as the US CLOUD Act and the Patriot Act intersect with their use of cloud and SaaS tools. Ahmad says conversations that once felt theoretical now trigger concrete moves to reshape where sensitive systems live.
He sees the sharpest change among hospitals, telecoms, utilities, and other critical infrastructure players, which cannot tolerate uncertainty about who may gain access to their schematics and operational data. “For them, keeping the data within Canada became a real concern,” he says, pointing to clients such as electricity distributors and generators where “these are very sensitive schematics that you don’t want out there.” Those organizations now probe whether data ever leaves Canada, how redundancy is architected, and what happens when system failures force data to cross borders.
Those concerns are leading to concrete action. Ahmad describes organizations that have already taken “some steps to repatriate, where it wasn’t the case, the data into Canada,” either by switching to vendors that can guarantee local hosting or by pressing existing providers to “move it into Canada, period.” Once these projects start, data location stops being a narrow IT issue and becomes part of wider governance work that maps what the organization holds, ranks it by sensitivity, and decides what must stay on Canadian soil.
That governance work is no longer confined to policies that sit unread on a shelf. “I’ve seen more data retention schedules and policies being updated in the last 12 months than I did the year prior,” he says. Organizations are finally aligning retention, deletion, and storage standards with explicit rules on jurisdiction and access, and building a more rigorous inventory of critical data sets and vendors.
Regulators are reinforcing this shift. Canada has yet to replace PIPEDA, and Bill C-27 died when Parliament was prorogued, but Ottawa cannot stand still if it wants to preserve the EU adequacy ruling that allows data to move freely between Canada and Europe. Ahmad underscores that Europeans “have deemed our laws to be sufficiently protecting personal information just like they would within the EU. … They’ve been very kind to us, to put it mildly, to keep that process in place,” he says. “We have adequacy, but adequacy is not indefinite,” and he expects any new federal law to follow Quebec’s lead, which requires organizations to conduct a privacy impact assessment before transferring data outside the province.
Even under existing rules, expectations around vetting foreign vendors have tightened. Ahmad notes that, even though our federal privacy statute is not as robust as it should be now, the Office of the Privacy Commissioner still provides guidance on data transfers. That means a Canadian organization that wants to use a foreign cloud provider can no longer treat this as a straightforward procurement choice. He stresses that companies “will have to conduct, or should be conducting, a privacy impact assessment,” and then a threat or cyber impact assessment to test security safeguards, before they negotiate contractual protections such as data deletion rights, and limits on cross-border redundancy paths.
Contract language itself is also under greater scrutiny. For traditional cloud and outsourcing deals, Ahmad says, “data deletion is one that comes up a lot,” and he spends time with clients on data redundancy, and on data deletion or suppression after contracts end. These points, once treated as boilerplate, now go to the heart of who can access an organization’s data, where, and for how long.
Artificial intelligence sharpens that risk calculus further. “AI agreements are much more complex in some ways, but also simple in others. Because the issue spot can be easy, but the solution can be more difficult,” he says. Ahmad contrasts a conventional database, where a company can honour a right‑to‑be‑forgotten request by deleting the fields tied to an individual, with an LLM trained on the same data. “You go to an LLM and say, ‘All the data I gave you by accident, or that I don’t want to give you anymore, I want you to delete it.’ That is almost impossible to do,” he says. That reality is pushing corporate clients to draw harder lines in AI contracts. Data use clauses that used to be brushed off as harmless boilerplate have become, as Ahmad puts it, “often sticking points,” and, in some cases, effectively non-negotiable when vendors insist on using customer information to train global models.
Financial institutions and telecommunications companies are shaping the response inside Canada. Ahmad points to existing OSFI expectations that already require some banking data to be onshore, and to the heavy investment by telcos and others in Canadian hyperscale data centres, as signals that localization is moving from theory to infrastructure. “The banks and the financial institutions, along with the telecommunication firms, are going to drive the data localization, data sovereignty piece,” he says, adding that these players “have the wherewithal, financially and just knowledge-wise, to build” the domestic capacity.
Crucially, the conversation has moved to the very top of the house. Ahmad observes that “data localization and data sovereignty, a lot of the discussions are starting at the board level.” He sees boards engaging directly with data residency issues as part of their oversight of strategy and geopolitical risk. Directors want to know whether the company is “well-positioned to make sure this happens in a way where we’re not abused or taken advantage of.”
For Canadian organizations that want to stay ahead of tightening localization and cross-border rules, rather than scramble when regulators or customers come calling, Ahmad suggests a few key steps. First, they should invest real time in governance by understanding what data the business has, where it sits, how sensitive it is, and how it is segmented, because “you can tier your data, you don’t have to put it in one place.” Second, they should maintain a detailed inventory of critical third-party providers and push those vendors to provide up-to-date privacy impact and threat assessments, rather than relying on assurances that may be years old.
Canada may see itself as a smaller market compared to the United States, yet Ahmad stresses that it remains a G7 economy with sophisticated companies that should negotiate from a position of strength when contracting with foreign vendors. “We have huge R&D and innovation, we have world-class companies, we should be able to negotiate aggressively as needed.”
