
Canada’s data sovereignty landscape is shifting faster than most organizations realize – and according to Rob Falzon, Head of Engineering in the Office of the CTO at Check Point Software Technologies, the conversation isn’t happening early enough.
In this episode, Falzon breaks down the regulatory pressure building around Canadian data – including Quebec’s Law 25, Bill C-8, and new federal PIPEDA reform expected this spring, which is anticipated to include data sovereignty provisions. He draws a sharp distinction between data residency (where data sits at rest) and data sovereignty (control over the entire processing chain) that many partners and their customers are still conflating – and explains why contracts alone can’t solve the problem.
Falzon unpacks the CLOUD Act dimension: if data lives in the U.S., it is accessible to the U.S. government regardless of where your company is headquartered or what your service agreement says.
For MSPs, the conversation turns to opportunity. Recent research from Kiteworks found that 23% of Canadian organizations experienced a data sovereignty incident last year, and mid-market firms lag enterprise by 15 to 25 percentage points in sovereignty maturity – despite facing the same penalties. Falzon’s advice: lead with risk, not product.
He also raises a recent U.S. legal judgment holding that all data entered into ChatGPT belongs to OpenAI – and asks whether organizations using AI services even know where that data is going.
Check Point launched a dedicated Canadian data region for CloudGuard WAF in March, opening doors to government and regulated-sector contracts that were previously unavailable to partners. But Falzon’s bigger point is this: the regulatory picture is still coming into focus, and MSPs who get educated now – before the legislation fully lands – have a real chance to stake out expertise and become the trusted voice in the room when urgency hits.
Robert Dutt: Hello and welcome to In The Channel from ChannelBuzz.ca, bringing news and information to the Canadian IT channel community for the last 16 years. I’m Robert Dutt, editor of ChannelBuzz.ca and your host for the show.
There’s a phrase you’re probably hearing more and more in customer conversations: data sovereignty. And if you’re not hearing it yet, you probably will soon. Canada’s regulatory landscape around data is shifting fast. Quebec’s Law 25 is already in force with real financial penalties. Bill C-8, the Critical Cyber Systems Protection Act, is working its way through committee. New federal privacy reform is expected this spring, and underneath all of that, there’s a growing realization that the old assumption—that if it’s okay for the U.S., it’s okay for us—may not hold up much longer.
My guest today is Rob Falzon, Head of Engineering in the Office of the CTO at Check Point Software Technologies. Rob has spent over 30 years in large-scale security architecture, including government work, and he’s been with Check Point for over two decades. He’s based here in Canada and has a front-row seat to how this market handles security and compliance differently from the rest of the world. We’re going to talk about what’s driving the urgency around data sovereignty in Canada right now, the distinction between data residency and data sovereignty that a lot of partners are still conflating, and what it all means practically for MSPs serving the Canadian mid-market.
Let’s get right into it—my chat with Rob Falzon.
Rob, thanks for taking the time. I appreciate it.
Robert Falzon: No trouble.
Robert Dutt: You’ve been in the industry a long time, with Check Point for two decades, and you’ve had a front-row seat to how the Canadian market specifically handles security and compliance. For an audience of Canadian VARs and MSPs, how has the data conversation in Canada changed over, say, the last 18 months or so? It feels like something’s shifted in that discussion.
Robert Falzon: Yeah, there’s been a significant shift. In the past, obviously, we’ve seen the changes that have happened with our neighbors to the south and how the climate and atmosphere have changed. It’s caused folks in Canada to have a closer look at what their various different arrangements are from a trust perspective, and what their comfort level might be in where they store their data and how they manage that data—and where their customers are based as well.
I think that’s been the primary change in the last few months specifically. For a long time, we’ve had this feeling that Canada and the U.S. have been sort of the same. There wasn’t really a big concern because we have agreements back and forth. A lot of the recent changes have forced us to really revisit those arrangements and see: are we actually making sure that the information is safe and protected? As a result of that, we’ve been getting those questions at Check Point, and it’s incumbent upon us to manage it in such a way that our customers get the security and safety they need while meeting their business requirements.
Robert Dutt: From the regulatory side of things, there’s a lot going on. We have Quebec’s Law 25 in place with real penalties behind it. We have Bill C-8 working its way through committee. There’s going to be PIPEDA reform coming up sometime fairly soon, which is rumored to include data sovereignty provisions. Back in November, the government introduced the Digital Sovereignty Framework. For a Canadian MSP who hasn’t been tracking all of this closely, what’s the picture they need to have in their head right now of the regulatory scene?
Robert Falzon: Well, like you pointed out, there’s no comprehensive federal law just yet. As you mentioned, there are a number of things on the table and we have some direct focus now from the federal government. There’s a minister assigned specifically for AI that’s taking a very close look at how Canada is managing that. We also have this provincial patchwork. Ontario probably has the most established AI-specific roles so far. Alberta’s Privacy Commissioner also has a report they released last year talking about Alberta creating its own AI law and updating its privacy legislation.
All of these changes are happening fairly quickly right now, and it’s incumbent upon MSPs to make sure they’re aware of what these changes are and where they are operating their businesses. There are two aspects to this. The first is the business side: if you have customers that want to consume your services, you need to make sure your services are consumable by them—that you are meeting their data regulation requirements and that the residency and sovereignty requirements these new pieces of legislation introduce are met by whatever services you’re providing.
The challenge is that there’s not a lot of clarity right now around what these actual services are. Maybe AI is touching it, or some security component is touching it, but maybe it’s a different type of service related to marketing. This is going to be a challenge for MSPs to make sure they understand their compliance obligations and to closely look at their service offerings. They need to start to decouple what we used to think was an accepted understanding—that if it was okay for the U.S., it was okay for us. It’s not going to be the same anymore.
Robert Dutt: There’s another piece of legislation, not necessarily on our side, but the CLOUD Act hanging over all this. Can you walk us through how the CLOUD Act changes the calculus for Canadian organizations using a U.S.-headquartered cloud or security provider?
Robert Falzon: There are a few things here to unpack. First of all, it’s not finalized; there are still a lot of negotiations underway. This started back in 2021 or 2022, and obviously, when that started, we were in a completely different geopolitical context than we have today. That’s transformed things into a more complex policy debate and even, to some degree, a national security debate.
For us, we’re going to have to start looking very carefully at what regulations we put in place at the federal level that impact us from a legal compliance perspective. Is your CISO well aware of what your obligations are under this? I think if I look at what’s going to change, we’re still going to have to start hosting much of the information we work with in Canada. Anything related to security rule sets, business transaction information—all of this is going to have to be stored in Canada.
If you are still leveraging contracts that you might have in the U.S., you’re going to have to look at how you separate out those specific types of data that are protected by law and have them processed and stored in Canada. You may not be able to get out of some of these hosting contracts in the U.S., but the fact is, if that data is in the U.S., it’s going to be available to the U.S. government. If that availability contravenes any legislation we have here, it’s something you’re going to be liable for.
Robert Dutt: A lot of times, maybe at the customer level and the partner level, there’s some conflation between data residency and data sovereignty. Can you break that apart? I think when a lot of people hear, “We have a Canadian data center,” they assume the compliance checkbox is checked.
Robert Falzon: Yeah. The difference fundamentally is essentially data at rest versus data in motion. If you are storing databases or static information about customers, that data must be resident in Canada. Data sovereignty is essentially the entire chain. Any processing has to be done in Canada, storage has to be done in Canada—the data cannot leave the country or its control sphere the entire time it’s in your possession. I think that’s a critical differentiation because they are often, as you say, conflated to be the same thing.
Robert Dutt: What does a sovereignty-defensible architecture actually look like? What are the non-negotiables to make sure you’re covered off there, especially as a service provider?
Robert Falzon: You have to look at all of your vendors. You have to make sure that not only are you managing your data effectively yourself, but that all of the vendors you interact with are also following the same guidelines. The challenge here is that we are so integrated with U.S. providers—cloud providers, data center providers. All of those things need to come together, and we need to be aware at all times where this information is stored.
Our understanding of where that data is has to improve, so we need better tools to manage that visibility. But we also need to start making actual changes in our infrastructure to make sure it physically resides in Canada. And then we need to look at the rule sets you’re using to manage that data. Do you have the proper security context to store and manipulate that information strictly in Canada as per data sovereignty regulations?
Robert Dutt: Let’s bring this to the partner level. There’s a recent survey from Kiteworks that shows 23% of Canadian organizations experienced a data sovereignty incident last year. Mid-market firms lag enterprise by 15 to 25 percentage points in maturity, but they face the same penalties. For an MSP serving that mid-market space, where’s the actual opportunity in terms of educating and compliance?
Robert Falzon: Well, if MSPs are at the stage where they’re concerned and trying to get information, imagine where many of our customers are standing. Customers are trusting their partners to provide them with guidance and leadership. If we think about verticals like healthcare, financial services, or the public sector—these are not organizations that typically have heavy internal services or the skill sets to make these decisions about where their cloud data is processed.
They’re relying on partners for that. If there are issues, the buck stops with the customer themselves. By helping to educate their customers—making them aware of coming changes, understanding the differences between sovereignty and residency, and looking at their other vendors—partners can take a leadership position. There’s a bit of a vacuum right now in speaking with both partners and customers, where everybody’s just going, “I wonder what’s going to happen next? Am I even ready for this?” It’s a great opportunity to improve their business.
Robert Dutt: Is the first question to that customer the general, “Do you know where your data is living and who has access to it?” Or what’s the first concrete question an MSP can take to their customers?
Robert Falzon: Well, there are a whole lot of things. First, partners are going to have a better understanding of their customer profile. If they have customers with significant multi-cloud complexity or exposure to the CLOUD Act, they’ll want to start by talking to them about their immediate risk.
The challenge we often have is that we want to go in and talk about how a product or service is going to make a difference. Ultimately, what we really need to do is share the conversation about risk. The risk conversation is often overlooked in favor of saying, “I’d like this customer to buy some more Check Point.” But at the end of the day, all of that comes back to their understanding of what the risk is. I would start with risk: talk about what’s in the CLOUD Act, talk about complexity, and talk to them about AI data exfiltration and how that impacts leakage from a legal perspective. Stay away from conversations about specific products and focus on the business outcomes for the customers. That’s what’s going to get you the traction.
Robert Dutt: Check Point launched a dedicated Canadian region for CloudGuard Web Application Firewall in March at the Victoria Privacy Summit. What’s driving security vendors specifically to put in infrastructure in Canada right now?
Robert Falzon: This is an interesting question because it’s really not a “right now” thing. This is something we’ve been actively looking at for some time. It’s not as easy as just saying, “I’m going to do this in Canada only.” There’s a lot of backend stuff that has to happen. Five years ago, the technology and infrastructure available were somewhat limited. You have to be able to trust the infrastructure you’re placed in.
It’s taken years to get here, and we’re quite confident in our ability to deliver the exact same level of quality as we did when it was solely based in the U.S. Countries around the world are starting to take a close look at their most important assets—data and intellectual property—and seeing how easily technology is being used to gain access to private information. Companies would be well-served to understand that this has been a long cycle; it’s not something that just happened overnight.
Robert Dutt: For a partner who’s already selling Check Point solutions, what practically changes for them now that this Canadian data region is in place? What deals or conversations does it unlock?
Robert Falzon: Certainly anywhere where privacy is paramount, it’s going to have a huge impact because you can start the conversation with the understanding that anything we’re talking about today is going to be data resident and data sovereign to your Canadian customers. That immediately sets you apart from many other vendors who cannot make that claim.
If you can address the concern of privacy legislation right out of the gate, then you can focus on the actual business outcomes. It’s going to open doors with agencies very sensitive to this—government entities at the municipal, federal, and provincial levels that might have been off the table to a partner that didn’t have solutions meeting those criteria.
Robert Dutt: For the MSP who’s a little earlier in the process, what’s the first practical step internally to make sure you’re building this out as an opportunity?
Robert Falzon: You have to be extremely well-educated in the legal aspects because you’re going to want to make sure you have a compliance story and accountability you can speak to with your customers. But looking at all the uncertainty relating to AI and machine learning, being able to tie data residency and sovereignty into how that impacts their ability to utilize these new technologies would be a real door opener.
There’s a tremendous amount of misunderstanding and lack of information available to customers currently running these solutions. If I were a partner today, I’d be looking at how I have the conversation about security, privacy, and data sovereignty in terms of their ability to be more competitive in the future by leveraging these advanced technologies in a secure way.
Robert Dutt: What’s the risk of doing nothing? If I’m a partner and I decide to just keep selling the same way and assume data sovereignty is someone else’s problem, what does that look like 12 months from now?
Robert Falzon: Hopefully your customers are already taking a zero-trust approach, so it might be easy to say, “I’ll wait until this settles a bit.” It’s not crazy to think that could still be effective. But if one waits too long and it becomes legislation, now you’re playing catch-up. You won’t be perceived as a leader in the space, and as we know, it’s much harder to win business away from someone else than it is to keep business you already have.
Robert Dutt: Last question: what’s the thing about data sovereignty in Canada right now that you think isn’t getting enough attention?
Robert Falzon: I think honestly, the conversation about data sovereignty and residency itself is not mentioned enough. It seems to be addressed after the fact. I’m starting to see it come to the forefront, but I still don’t have conversations on a daily basis about this. Even though this announcement was made, I’m still not getting a lot of phone calls about what this means for me, and I would have expected to get a lot more.
If we look forward five years, we’ll look back at this and go, “Wow, I can’t believe we only just got that then.” Things are moving so rapidly. If we look at the adoption of AI internal to large corporations—I’ll ask them if they are using AI services, where those services are based, and what the legal ramifications are. Nobody is talking about where the data from ChatGPT lives.
There was a legal judgment in the U.S. a couple of weeks back where it was agreed that all data entered into ChatGPT belongs to them—it belongs to OpenAI. Imagine if that’s your company’s data, and you don’t even know it’s leaving because the services you’ve invested in are hosting data all over the world and not in Canada. That’s a risk that’s really not being discussed in an appropriate way.
Robert Dutt: It’s an interesting indicator. If the conversation isn’t happening early, it suggests we’re still early in the cycle, and that’s an opportunity for an MSP to stake out a brand in this space.
Robert Falzon: Exactly. At this very moment, anyone in the partner ecosystem should be looking at their internal systems and processes and finding out how compliant they are personally. If you don’t understand your internal architecture and what partnerships you have in your own pipeline, you’re going to be well behind when it actually comes to implementation.
Robert Dutt: Great insights. Thank you very much for your time, Rob.
Robert Falzon: Thank you so much.
Robert Dutt: There you have it, Rob Falzon from Check Point Software Technologies. I’d like to thank Rob for his time and for a conversation that I think went well beyond the usual talking points. Thank you for listening.
Here are a few things that stood out for me from this conversation. First, there’s a really important distinction between data residency and data sovereignty that Rob laid out cleanly. Residency is about where the data sits at rest. Sovereignty is about the entire chain—processing, storage, the works—and making sure none of it leaves the country’s control sphere. If your customers think having a Canadian data center checks the compliance box, that’s a conversation worth having with them.
Second, there was that striking point about AI data exfiltration. A recent U.S. legal judgment held that all data entered into ChatGPT belongs to OpenAI. If your customers are using AI services and don’t know where that data is going and who owns it once it gets there, that’s a risk that most people simply aren’t talking about yet.
And that brings me to what I think was the most telling moment: Rob’s candid admission that even after Check Point’s Canada data region announcement, he’s not getting a lot of calls about data residency. That tells me we’re still early. The regulatory picture is coming into focus, but it’s not fully formed yet, and a lot of partners and customers are in wait-and-see mode. That’s actually an opportunity. If you’re an MSP who moves now—gets educated on the regulatory landscape, audits your own internal compliance, and starts leading the sovereignty conversation with your customers—you have a chance to stake out real expertise and become the trusted voice before this becomes urgent and everyone’s scrambling.
Follow or subscribe to the show. You can find In The Channel on Apple Podcasts, Spotify, YouTube, and most podcast directories. Ratings and reviews are always appreciated—they help other folks in the channel find us. Until next time, I’m Robert Dutt for ChannelBuzz.ca, and I’ll see you in the channel.
