Whose Law Governs Canadian Data?
The CLOUD Act, Executive Agreements and Digital Sovereignty
SPECIAL REPORT
MARCH 11, 2026
5. Legislative Framework
5.1 Background: The Microsoft Ireland Case
The CLOUD Act emerged from United States v Microsoft Corp. (2018), where Microsoft challenged a US warrant seeking customer emails stored on servers in Ireland.61 Before the Supreme Court could rule, Congress passed the CLOUD Act, mooting the case while clarifying US law enforcement’s authority to compel production of data regardless of storage location.
5.2 Relationship to the Canada-US MLAT
The Canada-United States MLAT embodies a constitutional allocation of investigative authority. Foreign law enforcement officials do not exercise coercive powers within Canada. Instead, requests for evidence located in Canada are routed through Canadian public authorities and, where required, Canadian courts applying Canadian law and Charter standards.62
The significance of the MLAT framework is not efficiency but institutional control. The point at which compulsion occurs — the issuance and execution of a production order or warrant — is an act of Canadian legal authority. This ensures democratic accountability, judicial supervision, proportionality review and compatibility with Canadian constitutional norms.63
CLOUD Act-style “direct-to-provider” mechanisms do not modernize this framework. They displace it. By allowing foreign legal process to be executed through private intermediaries subject to foreign jurisdiction, such mechanisms reroute coercive authority away from Canadian institutions and into a foreign constitutional order that Canada has explicitly declined to adopt.64
5.2.1 How MLAT Requests Work in Practice: The Normal “Foreign Request” Pathway
Before any CLOUD-style direct-to-provider system, the default method for foreign law enforcement to obtain evidence in Canada is mutual legal assistance (MLA/MLAT). The core point is not speed; it is institutional control: MLATs force foreign demands for evidence in Canada to pass through Canadian public authorities and (where required) Canadian courts.
A simplified MLAT workflow (Canada–US) looks like this:
- Foreign authority prepares the request (for example, US investigators identify a target account, device identifier, subscriber data, content or intercept assistance).
- Request is transmitted government-to-government to Canada’s Central Authority (federal officials responsible for MLAT administration).
- Canadian officials review the request for legal sufficiency and compatibility with Canadian law, including proportionality, Charter risk and whether the request is appropriately scoped.
- Canadian legal process is obtained where needed (for example, production order/warrant under Canadian law). This step is the sovereignty hinge: the coercive act occurs through Canadian legal authority, not a foreign process.
- Evidence is collected in Canada (from providers or custodians) under Canadian legal constraints, including applicable notice/gag rules, minimization and judicial supervision where required.
- Evidence is transmitted back to the requesting state, typically with conditions on use, onward disclosure, and compliance undertakings.
Why this matters: MLATs embed the principle that foreign police do not execute investigative powers inside Canada without Canadian oversight. A CLOUD-style bypass mechanism shifts that baseline by allowing requests to land on providers (or corporate parents) without Canadian institutional involvement — functionally converting Canadian territory into a foreign evidence reservoir governed by foreign legal standards.
5.3 Two Core Mechanisms
The CLOUD Act operates through two distinct but cumulative mechanisms — one unilateral and already in force, the other bilateral and contingent on negotiation.
5.3.1 Extraterritorial Compulsion (Section 103)
Section 103 of the CLOUD Act clarifies that US legal process under the Stored Communications Act applies to data within a provider’s “possession, custody, or control,” regardless of where the data is physically stored.65 This authority is fully operational. US authorities may compel production of Canadian data from any provider subject to US jurisdiction without Canadian notification, without Canadian judicial authorization, and without any bilateral agreement.
5.3.2 Executive Agreement Framework (Section 105)
Section 105 authorizes bilateral executive agreements permitting foreign governments to request data directly from US providers, bypassing traditional MLAT processes. Canada has been negotiating such an agreement since March 2022.66
The critical point for Canadian policymakers is structural. Section 103 establishes unilateral extraterritorial compulsion as the baseline. Section 105 does not constrain that power; it adds a parallel channel that normalizes direct access at surveillance scale, creating persistent, programmatic access to large volumes of data without individualized judicial authorization. The policy question is therefore not whether an executive agreement creates new exposure, but whether Canada should consent to, accelerate and institutionalize a model that removes Canadian judicial gatekeeping from the evidentiary chain.67
While public data on Canadian MLAT processing times remains limited, capacity constraints should be addressed through resourcing and institutional reform rather than by displacing judicial mediation.
5.4 Why “Possession, Custody or Control” Defeats Data Residency Claims
A central vulnerability in Canadian approaches to cloud governance lies in the legal meaning of “possession, custody or control” under US law. The CLOUD Act deliberately shifts the jurisdictional trigger for compelled disclosure away from the physical location of data and toward the corporate and operational control exercised by service providers subject to US jurisdiction. This shift renders data residency — standing alone — an insufficient safeguard for Canadian data sovereignty.
US courts have long interpreted “possession, custody, or control” functionally rather than formally. The inquiry is not limited to where data are stored or which corporate entity nominally holds them, but whether the entity served with legal process has the practical ability to obtain the data. Courts routinely compel production where a parent corporation retains legal authority, technical access or operational leverage over data held by subsidiaries or affiliates, even where those entities are incorporated abroad and the data are stored extraterritorially.68
Recent scholarship analyzing the CLOUD Act confirms that the statute largely codifies this existing jurisprudence rather than creating a narrow or exceptional regime. Justin Hemmings, Sreenidhi Srinivasan and Peter Swire demonstrate that courts assess “control” along two principal axes: legal control, such as contractual rights, corporate governance authority or ownership interests; and day-to-day operational control, including routine administrative access, credentialed technical capability or centralized management of infrastructure.69 Where either form of control is substantial, US courts have been prepared to compel production. Corporate separateness, internal access restrictions or localization architectures do not defeat jurisdiction where the parent entity can, in practice, cause the data to be produced.
This doctrine has direct implications for Canadian public-sector cloud procurement. Many arrangements marketed as “Canadian regions,” “data residency solutions” or even “sovereign cloud” offerings preserve precisely the forms of control that US courts consider dispositive: centralized identity management, remote administrative access, unified security operations, parent-level audit rights, and contractual powers to reconfigure or access systems in exigent circumstances. In such configurations, data stored exclusively on Canadian soil may nonetheless fall squarely within the “possession, custody, or control” of a US-headquartered provider for purposes of US legal process.70
This implies a tiered approach to procurement. Providers should be assessed against sovereignty criteria including jurisdictional exposure, auditability and susceptibility to foreign compulsion. Trust is a legal condition, not a geopolitical presumption.
From a constitutional perspective, this exposure is not merely theoretical. Canadian Charter jurisprudence has explicitly rejected the US “third-party doctrine,” recognizing that individuals retain a reasonable expectation of privacy in digital records held by service providers.71 This protection extends to Charter-protected persons whose data is subject to protection under section 8 of the Charter. The CLOUD Act, by contrast, operates within a US constitutional framework that treats provider-held data as subject to significantly weaker privacy protections. The result is a structural incompatibility: Canadian institutions may store data in cloud services in reliance on Canadian constitutional norms, while those same data remain legally accessible under a foreign constitutional order that Canada has deliberately declined to adopt.
Accordingly, assurances grounded in data localization, contractual commitments or voluntary corporate resistance to foreign orders cannot substitute for sovereign legal control. Where a cloud provider remains subject to US jurisdiction and retains operational or legal control over Canadian data, CLOUD Act exposure is a matter of legal architecture, not corporate intent. For Canadian policymakers, the relevant question is therefore not where data are stored, but who ultimately controls them, under which legal system and with what constitutional constraints.
5.5 Data Owner Rights and Protective Mechanisms: The Hard Limits
From the perspective of Canadian data subjects, the CLOUD Act provides no enforceable rights. Data owners are not notified of foreign demands, have no standing to challenge production orders and receive no post-disclosure remedy. Whatever procedural protections exist operate exclusively between the provider and the requesting state.72
Corporate contractual commitments and “sovereign cloud” assurances do not alter this reality. A provider subject to US jurisdiction cannot contract out of statutory disclosure obligations. When a valid US legal order is issued, compliance is mandatory, regardless of foreign law, customer agreements or data residency arrangements.73
5.5.1 Comity as a Limited and Discretionary Doctrine
Proponents of the CLOUD Act frequently invoke international comity as a safeguard against conflicts with foreign law. In theory, comity permits a US court to modify or quash an order where compliance would require a provider to violate the law of a foreign state. In practice, this protection is narrow, discretionary and structurally biased toward enforcement.
US courts have consistently treated comity not as a jurisdictional limitation but as a balancing exercise in which US investigative interests routinely prevail. The Bank of Nova Scotia cases illustrate the point: US courts enforced subpoenas against entities subject to US jurisdiction despite clear conflicts with foreign secrecy laws, imposing substantial fines for non-compliance.74
The CLOUD Act codifies rather than corrects this imbalance. Section 103(c) preserves comity only as an ex post, provider-initiated remedy. It confers no rights on affected data subjects, assigns no role to foreign courts, and provides no assurance that foreign constitutional standards will be respected.75
For Canadian purposes, comity is therefore not a meaningful safeguard. It does not restore Canadian judicial oversight, does not ensure Charter-equivalent protections and does not prevent unilateral execution of foreign legal process against Canadian-located data. It functions as a safety valve for providers — not as a sovereignty-preserving mechanism for states.76
Endnotes
61. United States v Microsoft Corp., 138 S. Ct. 1186 (2018) (per curiam) (dismissing case as moot following passage of the CLOUD Act). See also Jennifer Daskal, “Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0,” (2019) 71:9 Stanford Law Review 9.
62. Treaty between the Government of Canada and the Government of the United States of America on Mutual Legal Assistance in Criminal Matters, March 18, 1985, Can TS 1990 No 19.
63. R v Spencer, 2014 SCC 43; R v Bykovets, 2024 SCC 6 (affirming judicial gatekeeping and reasonable expectation of privacy in third-party-held data).
64. Barry Appleton, “Whose Law Governs Canadian Data?” (2025) at Part 5; Citizen Lab, “Canada-U.S. Cross-Border Surveillance Negotiations Raise Constitutional and Human Rights Concerns,” (2025).
65. 18 USC § 2713; United States v Microsoft, supra note 64 (mootness following enactment).
66. Public Safety Canada, “The U.S. and Canada Reestablish the Cross-Border Crime Forum” (March 22, 2022).
67. Khoo and Robertson, “Canada-U.S. Cross-Border Surveillance Negotiations.”
68. Gucci America, supra note 9; In re Grand Jury Investigation of Possible Violations of 18 USC § 1956 & 50 USC § 1705, 381 F. Supp. 3d 37 (D.D.C. 2019), aff’d sub nom. In re Sealed Case, 932 F.3d 915 (D.C. Cir. 2019).
69. Hemmings, Srinivasan & Swire, supra note 62, 2, 631–90.
70. Cochrane, supra note 10 at 153–208.
71. R v Spencer and R v Bykovets, supra note 66.
72. Congressional Research Service, Law Enforcement Access to Overseas Data Under the CLOUD Act (LSB10125).
73. French Senate, supra note 63; Appleton, Clause & Effect (July 21, 2025).
74. In re Grand Jury Proceedings (Bank of Nova Scotia), 691 F 2d 1384 (11th Cir 1982); 740 F 2d 817 (11th Cir 1984).
75. 18 USC § 2703(h) (motion to quash or modify based on “qualifying foreign government” conflict); Restatement (Third) of the Foreign Relations Law of the United States § 442 (1987).
76. Société Nationale Industrielle Aérospatiale v United States District Court, 482 US 522 (1987) (comity/balancing in cross-border evidence disputes).