If you’ve followed privacy laws for the last decade in Canada, you know that there are several cases where personal data must remain on Canadian soil. This deployment of IDVPN is on Canadian soil and compliant with these laws, yet provides an offering you’ve not seen before.
We’ll start at the federal level, where PIPEDA states that information can cross a border, but the company doing so is responsible during the transit and outsourcing.
Alberta and Quebec restrict the transfer of public sector personal data outside of Canada, and sometimes outside of the province. British Columbia (30.1 and 33.1) and Nova Scotia prohibit government institutions, Crown agents, and their service providers from moving personal data outside Canada, with a few exceptions.
This has been a big issue for organizations in Canada that want to leverage the tech services of American/foreign companies. Until now.
We’ve invented a novel approach, that keeps the personal information of Canadians on Canadian soil, while allowing full access to foreign tech services. What happens is the user registers with us, as they would with any regular application — disclosing their identity to us for any necessary compliance reasons such as verifying they are of a certain age, or that they are not on a known money laundering sanctions list. For each verified user in our system, we will generate them a virtual ID for each (foreign) web application that they interact with — within in our platform. We will never expose their real name or ID attributes under any conditions. So even if we know your name as Mark Smith in our system, we will generate you a new ID, such as “Veronica Sechelt” for application 1, and “James McArthur” for application 2.
This provides two amazing benefits. The first, is that now Canadian organizations that have been bound by Canadian privacy laws to protect Canada’s information can still do so, while allowing the user access to foreign tech applications and services. The other benefit is we do this while still maintaining any regulatory compliance requirements. Say for example the RCMP provide a production order to us that says “James McArthur was participating in illegal activity on application2”, we can then, after having our lawyers review the request as authentic, identify James McArthur as really being Mark Smith.
We’re eager to find American/foreign tech service providers that are willing to incorporate our simple OpenID Connect (OIDC) login framework, providing access to Canadians that until now they may not have had access to — and in the same breath we’re eager to work with Canadians crown corps, governments, and organizations the capability to integrate with these services.
In summary, ID VPN will collect the real name information of users, and we would send any apps they use a virtual id or pseudonym for each user — the real personal information never leaving Canadian soil.