Whose Law Governs Canadian Data?
The CLOUD Act, Executive Agreements and Digital Sovereignty
SPECIAL REPORT
MARCH 11, 2026
6. Microsoft's Digital Soverignty Assurances:
A Critical Analysis
6.1 Brad Smith’s CLOUD Act Stance
In December 2025, Microsoft announced a landmark C$19 billion investment in Canadian AI and cloud infrastructure spanning 2023 to 2027, including more than C$7.5 billion over the next two years. This represents the most significant financial commitment in Microsoft Canada’s history and is specifically directed toward building Canada’s artificial intelligence capabilities and digital infrastructure.
The investment will expand Microsoft’s Azure Canada Central and Canada East data centre regions, delivering secure, sustainable and scalable cloud and AI capabilities. New capacity is expected to come online in the second half of 2026.
President Brad Smith accompanied this announcement with pledges regarding Canadian digital sovereignty, including commitments to:
- challenge US legal orders for access to Canadian customer data when they are overbroad, unlawful or conflict with Canadian law;
- rely on comity-based arguments codified in the CLOUD Act to resist disclosure;
- resist attempts — including executive orders — to cut off cloud services to Canadian government clients; and
- leverage Microsoft’s diplomatic relationships and pursue litigation where necessary.
6.2 The June 2025 French Senate Testimony
Any assessment of Microsoft’s sovereignty assurances must be evaluated in light of the company’s sworn testimony before the French Senate on June 10, 2025.77
When asked directly whether he could guarantee, under oath, that data of French citizens stored in Microsoft’s cloud would never be transmitted to US authorities without explicit French authorization, Anton Carniaux, Microsoft France’s Director of Public and Legal Affairs, responded unequivocally: “Non, je ne peux pas le garantir — “No, I cannot guarantee it.”78
This admission, made under oath before a parliamentary body, confirms that Microsoft’s corporate assurances — however well-intentioned — cannot override the company’s legal obligations under US law. When a validly served US legal demand arrives, Microsoft must comply regardless of its contractual commitments to foreign customers.79
6.3 Why Microsoft’s Assurances Are Insufficient for Canadian Sovereignty
From a sovereignty perspective, the fundamental question is whether Canadian institutions, not foreign legislatures or foreign courts, decide who may access sensitive Canadian data. Microsoft’s commitments fail this test for several structural reasons.
6.3.1 Non-Sovereign Nature of Corporate Assurances
Microsoft’s pledges represent a private actor's policy choice, subject to change at the company's discretion, rather than durable legal guarantees rooted in Canadian legislation, Canadian courts, or binding international agreements negotiated by Canada. Microsoft’s admission “crystallizes a broader pattern of Canadian policy retreat in the digital domain” and demonstrates that “jurisdictional sovereignty in the age of cloud infrastructure defaults to the nation that controls the platform, not the country where the data resides.”80
6.3.2 Legal Constraints Under US Law
The CLOUD Act explicitly authorizes US law enforcement to require US providers to disclose data they control, including data stored abroad. Microsoft, as a US corporation, remains ultimately subject to US law. The French Senate testimony confirmed what European regulators and privacy advocates have long suspected: technical and contractual measures cannot overcome legal obligations.
6.3.3 Limited Grounds for Challenge
The CLOUD Act provides only limited grounds, primarily comity, on which providers may challenge orders. Section 103(c) permits a provider to move to modify or quash an order if compliance would require violating the laws of a “qualifying foreign government.” However, the seminal Bank of Nova Scotia cases from the 1980s demonstrate the severe limitations of comity-based challenges.81
In these cases, a US grand jury investigating drug trafficking and tax evasion subpoenaed records from the Bank of Nova Scotia’s branches in the Bahamas and Cayman Islands. The bank argued that compliance would violate Bahamian bank secrecy laws and that principles of international comity should preclude enforcement. The Eleventh Circuit Court of Appeals rejected these arguments, holding that US courts would enforce subpoenas against entities subject to US jurisdiction even when compliance would violate foreign law. The court imposed substantial fines totaling US$1.825 million for non-compliance. The Supreme Court denied certiorari, leaving this aggressive precedent in place.
US courts have consistently applied the Restatement’s comity balancing factors in a manner that prioritizes US governmental interests where a US entity has custody or control of documents.82 As the Eleventh Circuit stated: “this court simply cannot acquiesce in the proposition that United States criminal investigations must be thwarted whenever there is conflict with the interest of other states.”
6.4 Why Corporate Assurances Cannot Overcome Legal Obligations
The Bank of Nova Scotia precedent establishes the legal framework for evaluating all CLOUD Act challenges. US courts have consistently applied comity factors to prioritize US governmental interests when a US entity has custody or control of documents. The practical consequence is that corporate commitments to “challenge” or “resist” US legal demands, however well-intentioned, operate within a legal system that has repeatedly demonstrated its willingness to override foreign legal obligations when US interests are engaged.
This analysis does not suggest that corporate assurances are worthless. They may introduce procedural friction that delays compliance and provides opportunities for notice, but they cannot provide the legal protection that only Canadian law, applied by Canadian courts, can guarantee. (The policy implications are addressed in Section 12.)
Endnotes
77. French Senate, supra note 63.
78. Coverage includes: “Microsoft tells French lawmakers it can't protect user data from US demands” SDxCentral (July 21, 2025); “Microsoft exec admits it ‘cannot guarantee’ data sovereignty” The Register, (July 25, 2025).
79. Barry Appleton, “The Cloud Casts a Long Shadow: Microsoft, the CLOUD Act, and Canada's Vanishing Digital Sovereignty” Appleton's Clause & Effect (21 July 2025), https://barryappleton.substack.com/p/the-cloud-casts-a-long-shadow.
80. Appleton, “The Cloud Casts a Long Shadow.”
81. In Re Grand Jury Proceedings (Bank of Nova Scotia), supra note 77.
82. See Restatement (Third) of the Foreign Relations Law of the United States § 442 (1987); Société Nationale Industrielle Aérospatiale v United States District Court, 482 US 522 (1987); United States v First National City Bank, 396 F 2d 897 (2d Cir 1968).
Report Sections
- 1. Executive Summary
- 2. Decision Logic
- 3. U.S. Cloud Act
- 4. U.S. Personal Jurisdiction
- 5. Legislative Framework
- 6. Microsoft
- 7. Constitutional Standards
- 8. Executive Agreements
- 9. UK Apple Encryption
- 10. U.S. Policy Context
- 11. U.S. Extraterritorial Reach
- 12. Policy Recommendations
- 13. Concluding Thoughts
- 14. Appendix
- About the Author