What are the most important issues with respect to data residency? With US/global giants (CenturyLink, IBM/SoftLayer, and by next year, Microsoft) operating multiple IaaS data centers in Canada, it would appear that the location-based objections to use of non-Canadian hosting firms are evaporating.
There are, however, additional issues with the Patriot Act that may still give Canadian organizations (especially those in regulated industries) some pause. In particular - as Marc Pare of CloudOps pointed out in a recent post on the Cloud.ca site (https://cloud.ca/jurisdiction-matters-cloud-iaas-threatened-in-europe-and-thrives-in-canada/) - there's the fact that the Patriot Act extends to data held in other jurisdictions by US-headquartered organizations. This data is subject to Patriot Act regulation, too.
While Marc is right about the law, it seems to me that this is more an issue of perception than reality. It's hard to tell how widely applied the Patriot Act has been (since firms subject to it are prohibited from publicizing that fact), and there are in any event reciprocal clauses in Canadian law that allow for serious prosecutions to extend into Canada. This isn't to say that residency isn't a real issue, but I think it will need to be defined in ways that recognize different levels of exposure and requirement - and which extend beyond storage and backup to transmission (knowing, post-Snowden, that PRISM sniffs US data traffic, does the key question shift from "can you host data in Canada at redundant sites" to "can you manage transmission paths so that they stay north of the border?").
TCBC has two working groups - cloud security and governance, risk and compliance - that are looking at this issue from different directions. I'll update this post as we get more clarity from these groups!