Whose Law Governs Canadian Data?

The CLOUD Act, Executive Agreements and Digital Sovereignty

SPECIAL REPORT

MARCH 11, 2026

3. Understanding the U.S. CLOUD Act

3.1 What Is the CLOUD Act?

The CLOUD Act is a US federal law enacted on March 23, 2018, as part of the Consolidated Appropriations Act.1 The CLOUD Act fundamentally expanded the extraterritorial reach of US law enforcement by clarifying that US legal process can compel the production of electronic data, regardless of where it is physically stored — including data stored on servers located in Canada or any other foreign country.

The core statutory provision, codified at 18 U.S.C. § 2713, provides that a covered provider “shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, [author’s emphasis] regardless of whether such communication, record or other information is located within or outside of the United States.”

3.2 Entities Subject to CLOUD Act Jurisdiction

The CLOUD Act applies to two categories of service providers defined in the Stored Communications Act:2

  • Electronic Communication Service (ECS): Defined under 18 U.S.C. § 2510(15) as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” This includes email providers, messaging services, telecommunications companies and social media platforms. The CLOUD Act covers electronic communications and associated electronic data, including both content and non-content information.
  • Remote Computing Service (RCS): Defined under 18 U.S.C. § 2711(2) as “the provision to the public of computer storage or processing services by means of an electronic communications system.” This encompasses cloud storage providers, data processing services, hosting platforms and software-as-a-service providers. Entities that provide secure message-hosting services, such as insurers and financial institutions, fall within the broad RCS definition.

The jurisdictional reach is remarkably broad. Unlike some US regulatory frameworks — such as the Office of Foreign Assets Control economic sanctions programs, which focus primarily on transactions involving US persons, US dollar clearing or entities with a specific US nexus — the CLOUD Act asserts jurisdiction over any provider subject to US jurisdiction, regardless of where the provider is headquartered or where its data is stored.

3.3 Canadian Government and Critical Infrastructure Exposure

The CLOUD Act does not itself confer jurisdiction; it operates once US courts determine that jurisdiction exists under ordinary constitutional principles. However, the scope of Canadian exposure to CLOUD Act jurisdiction is extensive.

According to the Canadian government, over 80 percent of Canadian cloud services rely on foreign infrastructure.3 This creates systemic dependency on providers subject to foreign legal process.

Particularly concerning is the exposure of critical government systems. The Department of National Defence (DND) and Canadian Armed Forces (CAF) make significant use of Microsoft 365 through their defence-tailored product called Defence 365, which serves as a common cloud infrastructure for collaboration across DND/CAF, with stakeholders and other government departments.4 Under current arrangements, any data on these systems could, in theory, be subpoenaed by US authorities without Canadian judicial review.

As the Privacy Commissioner of Canada noted in the 2023-2024 annual report, “data residency requirements alone cannot guarantee protection from foreign legal processes.”5 Microsoft’s subsequent admission before the French Senate confirmed this assessment. The policy implications of this exposure are addressed below in Section 12.

3.4 How Can the CLOUD Act Apply to Canadian Data?

The CLOUD Act applies to Canadian data through multiple pathways:

  • Direct application to US-headquartered providers: When Canadians use services provided by US-headquartered companies — Microsoft, Google, Amazon Web Services, Apple, Meta or others — their data is subject to CLOUD Act jurisdiction regardless of where it is physically stored.
  • Application through corporate control: The CLOUD Act’s “possession, custody or control” language extends its reach to data held by foreign subsidiaries of US companies.6
  • Application to foreign companies with US presence: The CLOUD Act is not limited to US-headquartered companies. Any provider of electronic communication services or remote computing services that is subject to US jurisdiction can be compelled to produce data. A company is subject to US jurisdiction if it has “minimum contacts” with the United States — a standard discussed in detail in section 4.1 below.7
  • Application through network transit and routing infrastructure: CLOUD Act exposure is not limited to data at rest with a provider. Canadian data may also be exposed during transit when it is routed through US network infrastructure — even when both the sender and recipient are located in Canada. Research on Canadian internet routing patterns has documented that a significant proportion of domestic Canadian internet traffic “boomerangs” through US network exchange points or travels over US-controlled fibre routes before returning to Canadian endpoints, sometimes without the knowledge of the data’s owner.8 Because the CLOUD Act’s “electronic communication service” definition encompasses providers that facilitate the transmission of electronic communications, data in transit through US-based or US-controlled network infrastructure may be interceptable under US legal authority regardless of its Canadian origin and destination. This network-layer vulnerability underscores why data sovereignty cannot be achieved through storage-location requirements alone; genuine protection requires what scholars and practitioners increasingly term “full-stack sovereignty” — control not only over data storage but over the compute, networking and routing infrastructure through which data flows.9

3.5 What “Sovereign Cloud” Means for Canadian Policy

For the purposes of Canadian digital sovereignty, a “sovereign cloud” is not defined by server location alone. Data residency is a necessary but insufficient condition.

A cloud service qualifies as “sovereign” only where Canada retains effective control across four dimensions:

  1. Jurisdictional control: the provider and relevant operating entities are not subject to foreign legal regimes that can compel disclosure of Canadian data without Canadian authorization.
  2. Operational control: day-to-day administrative access, system management and security operations are exercised by entities accountable under Canadian law, without unilateral override by foreign parent companies.
  3. Cryptographic control: encryption keys for sensitive data are held by Canadian customers or Canadian authorities, not by providers subject to foreign compulsion.
  4. Audit and enforcement authority: Canadian institutions possess meaningful audit rights, transparency mechanisms, and enforcement tools to verify compliance and respond to foreign legal demands.

Cloud offerings that rely solely on Canadian data centres, contractual assurances or voluntary corporate commitments — while preserving foreign jurisdictional exposure or provider-held keys — do not meet this standard.

In short: sovereignty is about control, not geographic coordinates.

Endnotes

1. Clarifying Lawful Overseas Use of Data Act, HR 4943, 115th Cong, Pub L No 115-141, Div V (2018), codified at 18 USC § 2713 (herein referred to as the “CLOUD Act”); US DOJ, “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act” (April 2019), https://www.justice.gov/d9/press-releases/attachments/2019/04/10/department_of_justice_cloud_act_white_paper_2019_04_10_final_0.pdf.

2. Stored Communications Act, Pub. L. No. 99-508, tit. II, 100 Stat. 1848 (1986), codified as amended at 18 USC § 2701–2713. The Act was amended by the CLOUD Act in 2018 to clarify that disclosure obligations apply to data within a provider’s “possession, custody, or control,” regardless of storage location.

3. Treasury Board of Canada Secretariat, “Government of Canada White Paper: Data Sovereignty and Public Cloud” (2018, updated 2023), https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/gc-white-paper-data-sovereignty-public-cloud.html (stating that “[a]s long as a CSP that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data”); IDC Canada, Canadian Cloud Services Market Analysis (2024) (reporting that over 80 percent of Canadian enterprises use foreign-headquartered cloud providers); Cybersecure Policy Exchange (Dais), Toronto Metropolitan University, Submission on Canada’s National Cyber Security Strategy (June 2024), https://dais.ca/reports/submission-for-canadas-national-cyber-security-strategy/ (identifying foreign cloud dependency as a significant national security concern).

4. Alexander Rudolph, “Microsoft Admits: US Law Supersedes Canadian Sovereignty,” Canadian Cyber in Context, July 21, 2025, https://www.cyberincontext.ca/p/microsoft-admits-us-law-supersedes.

5. Privacy Commissioner of Canada, Annual Report to Parliament 2023-24 (Ottawa: Office of the Privacy Commissioner, 2024) at 34.

6. See Gucci America, Inc. v Weixing Li, 768 F.3d 122 (2d Cir. 2014); In re Vitamin C Antitrust Litigation, 837 F.3d 175 (2d Cir. 2016). US courts apply a functional test examining whether the entity served with process has the practical ability to obtain the documents, regardless of formal corporate separateness.

7. International Shoe Co. v Washington, 326 US 310, 316 (1945). For analysis of how personal jurisdiction doctrine applies in the CLOUD Act context, see Tim Cochrane, “Hiding in the Eye of the Storm Cloud: How CLOUD Act Agreements Expand U.S. Extraterritorial Investigatory Powers,” Duke Journal of Comparative & International Law 32, no. 1 (2021): 153, 187–201.

8. Andrew Clement, “IXmaps: Tracking Your Personal Data Through the NSA’s Warrantless Wiretapping Sites,” Proceedings of the IEEE International Symposium on Technology and Society (2014); IXmaps Research Project, Canadian Internet Routing and NSA Surveillance Vulnerabilities, University of Toronto Faculty of Information, https://ixmaps.ca. Clement’s multi-year research project documented that substantial volumes of domestic Canadian internet traffic transit through US network exchange points — including facilities identified as National Security Agency surveillance nodes — before returning to Canadian recipients, thereby exposing nominally Canadian communications to US interception authority.

9. Barry Appleton, “Railway of the Future: Ottawa Is Letting Foreign Countries Dictate Our Governance,” National Post, September 30, 2025, A9, https://nationalpost.com/opinion/ai-and-cloud-infrastructure-is-the-railway-of-the-future-why-isnt-canada-building-it; EPFL, ETH Zurich and Swiss National Supercomputing Centre (CSCS), “Apertus: A Fully Open, Transparent, Multilingual Language Model,” press release, September 2, 2025, https://actu.epfl.ch/news/apertus-a-fully-open-transparent-multilingual-lang/.