Canadians’ electronic health records need more protections to prevent foreign entities from accessing patient data, according to commentary in the Canadian Medical Association Journal.

“Canadian privacy law is badly outdated,” said Michael Geist, law professor and Canada Research Chair in internet and e-commerce law at the University of Ottawa and co-author of the commentary. “We’re now talking about decades since the last major change.”

Geist says electronic medical records systems from clinics and hospitals — containing patients’ personal health information — are often controlled by U.S. companies. The data is encrypted and primarily stored on cloud servers in Canada, but because those are owned by American companies, they are subject to American laws.

For example, Geist points out, the U.S. passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act in 2018, which can compel companies to disclose customer information for criminal investigations, even if it’s stored outside the United States. The law allows for bilateral agreements with the U.S. and other countries. Canada and the U.S. began negotiations in 2022.

The companies have “Canadian laws that may say they’ve got to provide appropriate protections for that data,” Geist said. “But they may have U.S. law that could compel them to disclose that information.”

Canada’s laws, Geist says, have not yet found a way to respond to that.

Canadians’ electronic health records need more protections to prevent foreign entities from accessing patient data, according to commentary in the Canadian Medical Association Journal.

“Canadian privacy law is badly outdated,” said Michael Geist, law professor and Canada Research Chair in internet and e-commerce law at the University of Ottawa and co-author of the commentary. “We’re now talking about decades since the last major change.”

Geist says electronic medical records systems from clinics and hospitals — containing patients’ personal health information — are often controlled by U.S. companies. The data is encrypted and primarily stored on cloud servers in Canada, but because those are owned by American companies, they are subject to American laws.

For example, Geist points out, the U.S. passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act in 2018, which can compel companies to disclose customer information for criminal investigations, even if it’s stored outside the United States. The law allows for bilateral agreements with the U.S. and other countries. Canada and the U.S. began negotiations in 2022.

The companies have “Canadian laws that may say they’ve got to provide appropriate protections for that data,” Geist said. “But they may have U.S. law that could compel them to disclose that information.”

Canada’s laws, Geist says, have not yet found a way to respond to that.