The Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. PIPEDA also applies to federal works, undertakings and businesses in respect of employee personal information. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them.
The storage of nearly all personal information relating to clients or customers is now regulated by Canadian privacy law. In practice that means you are required to know where your data is, and you must have policies and procedures in place for handling data breaches when they occur. If you store data outside the country, you must tell your customers that their data is kept outside Canada and how it is being protected there.
If you do not take reasonable steps to protect this data, you can be fined up to $100,000 in the province of Alberta alone. Services such as Dropbox, OneDrive, Box.com and SugarSync host their data outside Canada and are subject to US law, including the USA PATRIOT Act, under which US authorities can compel access to that data. Once it is in their hands, the protection of your data is out of yours.
Certain kinds of data, such as health care related information, must be stored within Alberta. If you use a storage provider located across the border, you have to disclose to your customers that you are doing so, and you must be able to produce evidence from that provider of the steps it takes to secure that data.