Ban Goc - Hotel California

In practical terms, if a GOC department uploads data to a cloud environment (e.g., Microsoft Azure, AWS, or a private data centre), that data cannot later be migrated or stored exclusively on servers located outside of Canada—even temporarily. It can “check out” of active use, but its physical storage location must remain within Canadian territory.

As one former Shared Services Canada director put it: “You can check out of the contract, but your data will be staying at the Hotel California for its entire lifecycle. And that’s exactly how we designed it.” For government IT decision-makers and cloud service providers, compliance with the Hotel California Ban is not optional—it is audited annually by the Office of the Auditor General of Canada. hotel california ban goc

In the world of information technology and cloud computing, the Government of Canada (GOC) operates under some of the strictest security and data sovereignty laws in the world. Among IT professionals and vendors working with Canadian public sector entities, a specific colloquialism has emerged: The “Hotel California” Ban. In practical terms, if a GOC department uploads

For government data, this is not a lyric—it is a legally binding directive. The “Hotel California” Ban is not a single law, but a shorthand for the combined effect of several federal policies that prohibit the removal of sensitive government data from Canadian physical borders once it has been entrusted to a cloud service provider or internal system. And that’s exactly how we designed it

The name, inspired by the famous 1977 Eagles song, captures a deceptively simple but ironclad principle: “You can check out any time you like, but you can never leave.”