North America Cloud Compliance & Data Privacy


Written by Michael Higashi

Data Privacy and Regulatory Compliance InDepth: North America

For the modern enterprise handling sensitive, personal consumer information, such as credit and debit card numbers or private health and medical records, the importance of regulatory compliance can’t be overstated—and neither can the complexities of regulatory compliance. The cloud piles on additional complications. Cloud computing itself may create new risks for data security, and the multinational nature of many established, enterprise-grade cloud service providers (CSPs) means that data residency and inconsistent or conflicting data privacy regulations come into play as well. Untangling the web of data privacy regulations and industry best standards will take time and effort. In this series, we’ll help you figure out where your organization stands and what you need to do in order to maintain regulatory compliance across all the regions in which your data may roam. Today, let’s take a look at North American data privacy regulations.

United States Cloud Compliance & Data Privacy

With over 20 sector-specific federal data security laws in place and hundreds of state privacy laws as well, the United States places strong restrictions on the overall use and transmission of private data. In fact, security breach notifications were a US invention; 47 US states, Washington DC, and most US territories mandate that organizations must notify state residents of security breaches that involve residents’ names as well as at least one piece of sensitive data, such as a social security or other government-issued identification number or a credit or debit card number in combination with any authentication information that would allow access to a resident’s financial account. Additionally, breaches of healthcare information, information from financial institutions, and breaches of government agency information must be disclosed, per national laws.

Among the most notable US data privacy laws are HIPAA and HITECH, which seek to protect individuals’ medical privacy through standards of data protection that apply to health plans, healthcare clearinghouses, and healthcare providers that conduct some of their operations electronically. Meanwhile, the Gramm-Leach-Bliley Act (GLBA) works to protect individuals’ sensitive financial information.

Canada Cloud Compliance & Data Privacy

Like the United States, Canada has enacted strong restrictions on private data. Over 25 different federal, provincial, and territorial privacy statutes govern the protection of individuals’ information in the private, public, and healthcare sectors. Canada’s primary federal data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), applies to all organizations that collect, use, and disclose consumer personal information during the course of commercial activities, with personal data defined as any information about an identifiable individual.

Canada’s five provinces all have enacted their own data privacy laws. The Personal Information Protection Acts of British Columbia and Alberta are similar to PIPEDA, while Ontario’s Personal Information Protection Act, Quebec’s An Act respecting the protection of personal information in the private sector, and New Brunswick’s Personal Health Information Privacy and Access Act govern the protection of personal healthcare and medical information.

Mexico Cloud Compliance & Data Privacy

Unlike the United States and Canada, Mexico’s data privacy legislation can be considered moderate, with just one main federal law, the Federal Law on Protection in Mexico of Personal Data held by Private Parties having gone into force in mid-2010, with additional regulations and guidelines enacted in the years after. Mexico’s breach notification requirements are quite strict, however. All material breaches must be reported promptly to the data subject, along with information description of the issue, the data exposed, what actions are recommended to mitigate the damage of the breach, what actions the data controller will take to correct the issue, and the steps data subjects can take to obtain additional information.

One of the primary areas of focus for Mexico’s data privacy legislation is the protection of personal data that can be used to discriminate against data subjects. For this reason, sensitive personal data in the context of Mexican data privacy law includes information such as racial or ethnic origin, genetic information and other data related to present or future health status, and information on religious, political, and labor affiliations and philosophical or moral beliefs.

As you can see, the North American continent alone is home to a staggering diversity of data privacy legislation protecting a wide variety of individuals’ identifying, financial, and even social data. This is even more true of the globe as a whole.

Need to learn more about data privacy legislation around the world? Download our ebook, Global Guide to Data Protection Laws, today.