Customers - particularly in Canada - often wonder if they can legitimately store their data in the public cloud. The short answer in almost all cases seems to be yes, with the British Columbia public sector (and the industries serving it) being a complicated exception.
ITBusiness.ca has published a good article on this topic that includes an interview with a computer science doctoral candidate specializing in privacy in Canada. It's useful reading and addresses much of the relevant legislation and many of the questions.
When speaking about cloud, the terms “data sovereignty” and “data residency” come up frequently. Within the private sector, there is still a great deal of FUD (fear, uncertainty, and doubt) about topics such as the Patriot Act. A fair bit has been written about this topic here on ITBusiness.
The abridged version of the discussion is simply that while private companies may want to keep data in Canada for customer perception or personal comfort reasons, there is no valid regulatory reason not to put data outside of Canada. There is also not much extra protection from U.S. law enforcement. See “Keeping data here no protection against US” for a good article on the topic.
The question then moves to public sector organizations, which have to abide by different regulations and privacy legislation than most private sector companies. PIPEDA impacts everyone, and needs to be taken very seriously by the public sector, but what about regulations such as the Personal Health Information Protection Act (PHIPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)? Do they limit what public sector organizations can put in the cloud?