Whose Law Governs Canadian Data?

The CLOUD Act, Executive Agreements and Digital Sovereignty

SPECIAL REPORT

MARCH 11, 2026

1. Executive Summary

1.1 The Core Problem

Canadian government data — including national defence communications — can be compelled by US authorities without Canadian judicial review or governmental notification. This is not a hypothetical risk. It is the operational reality created by the US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018.

When a senior Microsoft executive was asked under oath before the French Senate in June 2025 whether he could guarantee that French government data stored in Microsoft’s cloud would never be transmitted to US authorities without French authorization, his answer was unequivocal: “Non, je ne peux pas le garantir” — “No, I cannot guarantee it.”

The same is true for Canadian data.

1.2 Why This Matters Now

Over 80 percent of Canadian cloud services rely on foreign infrastructure. Critical government systems — including the Department of National Defence’s Defence 365 platform — depend on US-headquartered providers. Canada’s largest telecommunications companies (Rogers, BCE, TELUS), financial services providers and technology firms maintain extensive US connections that expose them to CLOUD Act jurisdiction.

Storing data on Canadian soil does not protect it. The CLOUD Act compels disclosure based on who controls the data, not where it is stored. A US legal demand served on Microsoft, Amazon or Google requires compliance regardless of contractual commitments to Canadian customers or data residency arrangements.

Digital sovereignty, as used in this report, refers to the capacity of the Canadian government to exercise enforceable legal and constitutional control over data access, processing and disclosure. It does not depend on provider nationality or data residency alone. In principle, non-Canadian providers may form part of a sovereign digital ecosystem if — and only if — they are locally anchored in Canada, subject exclusively to Canadian law for data access purposes and insulated from conflicting extraterritorial legal obligations.

1.3 What Policymakers Should Understand

1.3.1 US Jurisdiction Is Broader Than Official Claims Suggest

The US Department of Justice asserts that CLOUD Act jurisdiction is “strictly constrained” by constitutional limits. This claim does not withstand scrutiny. Under the “national contacts” doctrine, US courts assess jurisdiction against a company’s aggregate ties to the United States as a whole — not to any individual state. For Canadian companies with New York Stock Exchange (NYSE) listings, US institutional investors, American subsidiaries or US customers, the jurisdictional threshold is remarkably low.

BCE’s August 2025 acquisition of Ziply Fiber — a US telecommunications company — transforms Canada’s largest telecom into a North American operator almost certainly subject to CLOUD Act compulsion. TELUS operates in the US with 1,600+ US employees through TELUS Digital. Shopify processes 57 percent of its transactions in the United States and now lists New York as a principal executive office.

1.3.2 Corporate Assurances Cannot Override Legal Obligations

Microsoft’s December 2025 announcement of C$19 billion in Canadian artificial intelligence (AI) investment came with pledges to challenge US legal orders and resist disclosure of Canadian data. These commitments are well-intentioned but legally insufficient.

The Bank of Nova Scotia legal cases from the 1980s established that US courts will enforce subpoenas against entities subject to US jurisdiction even when compliance violates foreign law — and will impose substantial fines for non-compliance. Microsoft’s French Senate testimony confirmed what these precedents make clear: when a valid US legal demand arrives, US companies must comply.

1.3.3 Canadian and US Constitutional Standards Are Fundamentally Incompatible

The Supreme Court of Canada has explicitly rejected the US “third-party doctrine.” In R v Spencer (2014) and R v Bykovets (2024), the Court held that Canadians retain a reasonable expectation of privacy in electronic data held by service providers. The US constitutional framework reaches the opposite conclusion — enabling warrantless access to metadata and business records that Canadian law would protect.

A CLOUD Act agreement would allow US authorities to obtain Canadian data using legal standards that would be unconstitutional if applied in Canada.

1.3.4 Empirical Evidence from the UK Shows Executive Agreements Operate at Surveillance Scale

In 2024, the US Department of Justice confirmed that the United Kingdom issued over 20,000 direct requests to US providers in two years, overwhelmingly for interception, not for stored data — demonstrating that executive agreements normalize high-volume, secret surveillance outside mutual legal assistance treaty (MLAT) oversight. This represents persistent, programmatic access to large volumes of data without individualized judicial authorization.

1.3.5 The 2022 CLOUD Act Negotiations Should Be Suspended

Since March 2022, Canada has been negotiating a bilateral CLOUD Act executive agreement with the United States. More than three years later, no agreement has been finalized — and that delay may be fortunate.

What Canadians must understand is that Section 103 of the US CLOUD Act — authorizing unilateral extraterritorial compulsion — is already operational. US authorities can today demand Canadian data from any provider subject to US jurisdiction, without notification to affected Canadians and without Canadian judicial review. An executive agreement under Section 105 would not create this exposure; it would formalize and accelerate it while removing the MLAT’s sovereignty layer entirely.

As The Citizen Lab’s February 2025 analysis concluded: “One would be hard pressed to find two democracies that are more incompatible when it comes to trying to align digital surveillance laws.”¹ Existing CLOUD Act agreements with the United Kingdom and Australia establish no rights or remedies for individuals whose data is seized — creating what researchers term a “remedial no-man’s land.”

A CLOUD Act agreement would expand, not limit, US jurisdictional assertions by providing consent under international law to extraterritorial enforcement.

1.3.6 The Broader US Policy Context Is Concerning

The November 2025 US National Security Strategy declares that agreements with dependent allies “must be sole-source contracts for our companies”² and instructs Washington to “push out foreign companies that build infrastructure in the region.”³ The July 2025 White House AI Action Plan frames technological dominance — including “cloud dominance” — as a national security imperative.

These are not abstract policy positions. They are the context within which CLOUD Act powers will be deployed.

1.4 Policy Recommendations: A Seven-Pillar Framework

Canada possesses the legal authority and institutional capacity to respond. The question is whether there is political will to act. Section 12 of this report sets out detailed recommendations organized around seven pillars:

  1. Suspend CLOUD Act negotiations. Halt executive agreement negotiations until constitutional compatibility is established and safeguards exceeding existing US-UK and US-Australia agreements can be guaranteed.
  2. Modernize blocking legislation. Amend the Foreign Extraterritorial Measures Act to address digital data compulsion with sector-specific blocking orders, mandatory disclosure requirements and civil penalties.
  3. Migrate critical infrastructure. Transfer national defence and security systems — including Defence 365 — to Canadian-controlled infrastructure not subject to US jurisdiction.
  4. Reform procurement policy. Establish tiered sovereignty requirements for cloud procurements based on data sensitivity, with mandatory criteria for classified and protected information.
  5. Mandate encryption standards. Require customer-controlled encryption for sensitive government data, ensuring providers cannot comply with foreign demands because they cannot access intelligible data.
  6. Invest in MLAT capacity. Address processing delays through institutional investment rather than sovereignty bypass, preserving Canadian judicial oversight of foreign data requests.
  7. Establish private sector transparency. Create disclosure obligations for telecommunications and critical infrastructure providers regarding CLOUD Act exposure and compliance with foreign legal demands.

These recommendations are designed to be actionable within existing constitutional authority. Together, they constitute a comprehensive response to the sovereignty challenges posed by the CLOUD Act.

1.5 The Choice before Canada

The decisions policymakers make in the coming months — on CLOUD Act negotiations, on critical infrastructure procurement, on encryption standards — will determine whether Canada retains meaningful sovereignty over its digital domain.

The alternative is accepting foreign surveillance of Canadians — data compelled without notification, without due process and without Canadian judicial oversight — as the operational norm. Canadian data is ultimately subject to the legal process of a foreign jurisdiction whose constitutional framework operates on fundamentally different principles than our own. That is not a trade-off. It is nothing less than a surrender.

Endnotes

1. Cynthia Khoo and Kate Robertson, “Canada-U.S. Cross-Border Surveillance Negotiations Raise Constitutional and Human Rights Whirlwind Under U.S. CLOUD Act,” (The Citizen Lab, February 24, 2025) https://citizenlab.ca/2025/02/canada-us-cross-border-surveillance-cloud-act/.

2. The White House, National Security Strategy of the United States of America (November 2025) at 18-19, https://www.whitehouse.gov/wp-content/uploads/2025/12/2025-National-Security-Strategy.pdf.

3. The White House, AI Action Plan (July 23, 2025).

Table of Contents

1. EXECUTIVE SUMMARY

1.1 The Core Problem

1.2 Why This Matters Now

1.3 What Policymakers Should Understand

1.3.1 U.S. Jurisdiction Is Broader Than Official Claims Suggest

1.3.2 Corporate Assurances Cannot Override Legal Obligations

1.3.3 Canadian and U.S. Constitutional Standards Are Fundamentally Incompatible

1.3.4 Empirical Evidence from the UK Shows Executive Agreements Operate at Surveillance Scale

1.3.5 The 2022 CLOUD Act Negotiations Should Be Suspended

1.3.6 The Broader U.S. Policy Context Is Concerning

1.4 Policy Recommendations: A Seven-Pillar Framework

1.5 The Choice Before Canada

2. DECISION LOGIC FOR CANADIAN POLICYMAKERS

2.1 The Core Question

2.2 Three Threshold Questions for Any Policy Decision:

3. UNDERSTANDING THE U.S. CLOUD ACT

3.1 What Is the CLOUD Act?

3.2 Entities Subject to CLOUD Act Jurisdiction

3.3 Canadian Government and Critical Infrastructure Exposure

3.4 How Can the CLOUD Act Apply to Canadian Data?

3.5 What “Sovereign Cloud” Means for Canadian Policy

4. U.S. PERSONAL JURISDICTION DOCTRINE: WHAT CANADIANS NEED TO KNOW

4.1 The "Minimum Contacts" Test

4.2 Federal “National Contacts” Doctrine and CLOUD Act Exposure

4.3 The Fifth Amendment Due Process Does Not Meaningfully Constrain CLOUD Act Jurisdiction

4.3.1 Why Due Process Constraints Are Illusory

4.4 Third-Country Interception Authority

4.5 "International Shoe's Days May Be Numbered"

4.6 Implications for Canadian Service Providers

4.7 Case Studies: Canadian Telecommunications and Technology Companies

4.7.1 U.S. Stock Exchange Listings and Institutional Ownership

4.7.2 Direct U.S. Operations and Subsidiaries

4.7.3 Canadian Technology Companies: The Shopify Example

4.7.4 Jurisdictional Implications

4.7.5 Practical Consequences for Canadian Data

5. LEGISLATIVE FRAMEWORK

5.1 Background: The Microsoft Ireland Case

5.2 Relationship to the Canada-U.S. MLAT

5.2.1 How MLAT Requests Work in Practice: The Normal “Foreign Request” Pathway

5.3 Two Core Mechanisms

5.4 Why “Possession, Custody, or Control” Defeats Data Residency Claims

5.5 Data Owner Rights and Protective Mechanisms: The Hard Limits

6. MICROSOFT'S DIGITAL SOVEREIGNTY ASSURANCES: A CRITICAL ANALYSIS

6.1 Brad Smith's CLOUD Act Stance

6.2 The June 2025 French Senate Testimony

6.3 Why Microsoft's Assurances Are Insufficient for Canadian Sovereignty

6.4 Why Corporate Assurances Cannot Overcome Legal Obligations

7. COMPARATIVE CONSTITUTIONAL STANDARDS

7.1 The U.S. Third-Party Doctrine

7.2 Canadian Charter Protections: R. v. Spencer

7.3 R. v. Bykovets: The "First Digital Breadcrumb"

7.4 The Constitutional Tension

8. CLOUD ACT EXECUTIVE AGREEMENTS

8.1 What a CLOUD Act “Executive Agreement” Is

8.1.1 Case Study: The UK–U.S. CLOUD Act Agreement Shows the Operational Reality

8.2 Five sovereignty-relevant takeaways for Canada:

8.3 Why an Executive Agreement Is Not Preferable for Canadian Digital Sovereignty

8.3.1 Why "Efficiency" Is the Wrong Metric

8.3.2 Canadian Officials Have Endorsed the CLOUD Act Model

8.4 The 2022 Announcement: Canada Enters CLOUD Act Negotiations

8.5 Status of Negotiations: 2022-Present

8.6 Required Legislative Amendments

8.7 Constitutional Concerns and Civil Society Opposition

8.8 CBA Recommendations for Canada-U.S. CLOUD Negotiations

9. THE UK-APPLE ENCRYPTION CONTROVERSY: A WARNING FOR CANADA

9.1 The Technical Capability Notice

9.2 Cybersecurity Implications: The Salt Typhoon Warning

10. THE U.S. POLICY CONTEXT: NATIONAL SECURITY STRATEGY AND DIGITAL DOMINANCE

10.1 The 2025 National Security Strategy

10.2 The White House AI Action Plan

10.3 The USMCA Review and Digital Governance

10.4 Implications for Canadian Policy

10.5 Trade and Treaty Considerations

11. THE CLOUD ACT IN THE LONGER U.S. PATTERN OF EXTRATERRITORIAL REACH

11.1 How Canada Has Responded in the Past: FEMA as a sovereignty template

11.2 FEMA’s Potential Application to Digital Data Compulsion

11.3 Adaptation Challenges

11.4 The Legal Effect of FEMA Blocking Orders

11.5 What Canada Can Do Now: A Framework for Response

12. POLICY RECOMMENDATIONS: A SEVEN-PILLAR FRAMEWORK

12.1 CLOUD Act Negotiations: Suspend and Reassess

12.2 Legislative Reform: Modernize Canada's Blocking Legislation

12.3 Critical Infrastructure: Migrate to Canadian-Controlled Systems

12.4 Procurement Reform: Sovereignty-Based Criteria

12.5 Technical Protections: Mandate Encryption Standards

12.6 Institutional Capacity: Invest in MLAT Infrastructure

12.7 Private Sector Obligations: Transparency and Compliance Framework

13. CONCLUDING THOUGHTS

14. APPENDIX - RECOMMENDED READING LIST