Canadians’ electronic health records require enhanced safeguards to prevent foreign entities from accessing patient data, as outlined in a commentary published in the Canadian Medical Association Journal.
According to Michael Geist, a law professor and Canada Research Chair in internet and e-commerce law at the University of Ottawa, Canadian privacy laws are significantly outdated, with no major updates for decades. Geist highlights that electronic medical records, containing personal health information, are often managed by U.S. companies. While this data is encrypted and primarily stored on Canadian cloud servers, the ownership by American companies subjects it to U.S. laws.
For instance, Geist points out the Clarifying Lawful Overseas Use of Data (CLOUD) Act passed by the U.S. in 2018. This law allows for the disclosure of customer information stored outside the U.S. for criminal investigations, potentially impacting Canadian data. While Canada and the U.S. are in negotiations regarding this issue, Geist emphasizes the need for Canadian laws to address these challenges.
The CMAJ commentary raises concerns about privacy, security, and economic risks associated with foreign companies holding and utilizing Canadian data. The potential misuse of this information for surveillance or commercial purposes poses significant threats. Additionally, ongoing political tensions between Canada and the U.S. may heighten concerns about data storage and usage.
Dr. Sheryl Spithoff, an assistant professor at the University of Toronto, stresses the importance of protecting patient data and ensuring it is used for the benefit of individuals without causing harm. Geist also warns about the potential exploitation of Canadians’ health data by foreign companies, emphasizing the need for privacy protections and data sovereignty.
Leading U.S. cloud companies, including Google Cloud, Microsoft Azure, and Amazon Web Services, respond to data disclosure concerns by highlighting their commitment to privacy and compliance with legal requirements. However, privacy experts emphasize the inadequacy of Canada’s current laws in safeguarding data sovereignty and call for stronger measures to protect Canadian data.
Geist advocates for strengthening provincial laws and the federal Personal Information Protection and Electronic Documents Act (PIPEDA) to establish safeguards against potential U.S. data requests. He recommends developing Canadian cloud servers for health data and hosting data within Canada to benefit Canadians and support the development of health AI algorithms tailored to the Canadian population.