Whose Law Governs Canadian Data?
The CLOUD Act, Executive Agreements and Digital Sovereignty
SPECIAL REPORT
MARCH 11, 2026
2. Decision Logic for Canadian Policymakers
The CLOUD Act presents Canadian policymakers with a fundamental choice between two governance models. The consequences of that choice extend far beyond operational efficiency.
Table 1: Two Governance Paths
| Path A: Executive Agreement | Path B: Sovereign Controls + MLAT |
| Access Model Direct foreign access to Canadian data via providers |
Access Model
Foreign requests processed through Canadian authorities under Canadian law |
| Judicial Oversight No Canadian judicial gatekeeping |
Judicial Oversight Canadian courts review foreign requests under Charter standards |
| Operational Scale Normalizes high-volume, interception-scale requests (20,000+ annually under UK agreement) |
Operational Scale Maintains deliberate process; serious crimes prioritized through existing channels |
| Constitutional Alignment Accepts US third-party doctrine incompatible with Canadian Spencer/Bykovets decisions |
Constitutional Alignment Preserves privacy protections for Charter-protected persons whose data is subject to protection under section 8 of the Charter |
| Trade-off Gains marginal processing speed; surrenders constitutional control |
Trade-off Requires capacity investment; maintains sovereignty and bargaining leverage |
2.1 The Core Question
Which constitutional order will govern Canadian data — Canadian law applied by Canadian courts or US law applied by US authorities without Canadian oversight?
2.2 Three Threshold Questions For Any Policy Decision:
- Jurisdictional exposure: is the provider or system subject to US legal compulsion? (If uncertain, assume yes.)
- Data sensitivity: would unauthorized disclosure engage Charter-protected interests, including national security, section 8 privacy rights, section 7 security-of-the-person and due-process interests, section 15 equality concerns or democratic governance more broadly?
- Technical protection: can data be rendered inaccessible to the provider through customer-controlled encryption?
If jurisdictional exposure exists and data sensitivity is high, Canadian-controlled alternatives or robust technical protections are required — regardless of contractual assurances or data residency arrangements.
Section 12 provides detailed recommendations for implementing this framework across seven policy domains.
Report Sections
- 1. Executive Summary
- 2. Decision Logic
- 3. U.S. Cloud Act
- 4. U.S. Personal Jurisdiction
- 5. Legislative Framework
- 6. Microsoft
- 7. Constitutional Standards
- 8. Executive Agreements
- 9. UK Apple Encryption
- 10. U.S. Policy Context
- 11. U.S. Extraterritorial Reach
- 12. Policy Recommendations
- 13. Concluding Thoughts
- 14. Appendix
- About the Author