The Senate resolved into a Committee of the Whole in order to receive the Honourable Evan Solomon, P.C., M.P., Minister of Artificial Intelligence and Digital Innovation, to consider the subject of artificial intelligence.
Senator Hay: I worry about sovereignty and governance a lot, and I know that we cannot sit on the sidelines, that a steady state will, in fact, not only abdicate our leadership but also put our sovereignty at risk.
As well, end-to-end sovereignty may not be viable for many countries, Canada possibly included. We know that data travels and often boomerangs outside Canada before it lands in Canada for storage.
We know that data is not necessarily under Canadian control when it sits on a foreign-owned cloud by a foreign-owned company, even on our soil. You’ve spoken about sovereignty, not solitude.
I believe you’ve signalled openness to U.S. companies on a hybrid, sovereign cloud; we likely have to do that.
What specific legal mechanisms, governance and infrastructure will ensure Canadian data is protected from foreign reach, such as instruments like the U.S. CLOUD Act?
Mr. Solomon: Senator Hay, first of all, thank you for the work you’ve done on AI education. It was a great pleasure and an honour to appear with you about that.
You’re asking an incredibly important question. We hear about the CLOUD Act, the PATRIOT Act and about Canadians wanting to make sure their information is protected.
Let me just be as clear as I can with everybody here. Sensitive, important government data will be controlled under Canadian law in Canadian data centres, full stop. This is really important for sovereign data.
Data sovereignty is also not just about storing data here in Canada. It is not enough to have the data centre located here, because if it’s stored in an American cloud, it could be subject to the CLOUD Act.
Let’s be clear: The CLOUD Act is also subject to warrants. It is very specific but, nonetheless, subject to foreign law.
So I will say that we will make sure that in our strategy — and we are currently doing this — we build up not only our sovereign Canadian companies but also sovereign cloud.
Now, you mentioned hybrid. There are many levels of data that people will protect at different levels. Very sensitive data will require a fully Canadian sovereign cloud, and that will be for government choices.
For other levels of data, there may be different models, what’s called “two-key security,” where the data is inaccessible even if the CLOUD Act were invoked. If the two-key security is encrypted, the data would still not be available, but, at the same time, you might lose access to the tools to use that data.
The issue of sovereignty is very important for sensitive workloads, and we’ll be working with that. Again, for the most sensitive government service data, I just want to say that our standard is clear: Canadian law, Canadian governance, hosted on Canadian-resident infrastructure, secured with strong technical protections.