Whose Law Governs Canadian Data?

The CLOUD Act, Executive Agreements and Digital Sovereignty

SPECIAL REPORT

MARCH 11, 2026

Barry Appleton

11. The CLOUD Act in the Longer U.S. Pattern of Extraterritorial Reach

The CLOUD Act is not an anomaly. It is the data-access counterpart to a longer US practice of asserting extraterritorial jurisdiction where US interests are engaged, shifting jurisdictional hooks away from territory and toward nexus (corporate presence, control, financial rails, infrastructure dependence). The CLOUD Act’s key move is to make provider “possession, custody or control” — not server location — the trigger for compelled disclosure, anchoring extraterritorial reach in corporate structure and operational access.

11.1 How Canada Has Responded in the Past: FEMA as a sovereignty template

Canada has not been passive in the face of US extraterritorial measures. The principal domestic tool is the Foreign Extraterritorial Measures Act (FEMA), which empowers cabinet/Attorney General mechanisms to restrict compliance with foreign measures that adversely affect Canadian interests. FEMA has been used as a sovereignty shield, including by blocking orders in response to US extraterritorial sanctions and procurement measures.

11.2 FEMA’s Potential Application to Digital Data Compulsion

FEMA’s existing architecture, while developed primarily in response to US economic sanctions against Cuba, contains provisions that could be adapted to address the CLOUD Act’s compulsion to obtain Canadian data. Section 3 of FEMA permits the Attorney General to issue orders prohibiting or restricting the production and disclosure to a foreign tribunal of documents located in Canada or under the possession or control of Canadian citizens or residents, and the giving of evidence by Canadian citizens or residents to foreign tribunals.112

These powers may be exercised when the Attorney General is of the opinion that the foreign tribunal is exercising powers that “adversely affect significant Canadian interests in relation to international trade or commerce involving a business carried on in whole or in part in Canada” or that “infringe Canadian sovereignty.”113

11.3 Adaptation Challenges

Several challenges would need to be addressed before FEMA could serve as an effective blocking mechanism for CLOUD Act demands:

  1. Definition of “foreign tribunal”: CLOUD Act demands are served directly on providers by US law enforcement agencies, typically without judicial involvement at the demand stage. Whether an agency subpoena or National Security Letter qualifies as action by a foreign tribunal under FEMA remains unclear.
  2. Conflict of laws for dual-listed companies: Canadian telecommunications providers with US stock exchange listings (BCE, Rogers, TELUS) face structural conflicts: FEMA compliance could jeopardize their US market access and Security Exchange Commission reporting obligations, while CLOUD Act compliance could violate FEMA.114
  3. Enforcement practicality: FEMA violations require prosecution with consent of the Attorney General of Canada.115 There have been no prosecutions under the existing Cuba-related FEMA Order, despite apparent violations.
  4. Provider-side enforcement cap: FEMA orders bind Canadian persons and corporations, but the ultimate target of CLOUD Act compulsion, the US-headquartered cloud provider, is beyond Canadian jurisdictional reach.

11.4 The Legal Effect of FEMA Blocking Orders

It is important to understand what FEMA can and cannot accomplish. FEMA cannot compel US-headquartered providers to refuse CLOUD Act demands; those providers are subject to US jurisdiction and US law. What FEMA can do is create a legal conflict that strengthens comity-based challenges in US courts, impose compliance obligations on Canadian subsidiaries and affiliates of US providers, and establish procurement conditions that favour providers not subject to conflicting foreign legal obligations.

The 2014 FEMA Order regarding the Alaska “Buy America” ferry terminal project demonstrates that Canada can and will use FEMA in specific commercial contexts.116 Whether there is political will to extend this model to digital infrastructure is a policy question, not a legal one.

Specific recommendations for FEMA modernization, including proposed legislative amendments, are set out in Section 12, Pillar B.

11.5 What Canada Can Do Now: A Framework for Response

Canada possesses substantial legal authority to respond to CLOUD Act challenges. The question is not whether tools exist, but whether there is political will to deploy them. The following framework organizes available measures by implementation complexity and timeframe.

11.5.1 Immediate Executive Actions (No Legislative Change Required)

The federal government can act immediately on several fronts: suspending CLOUD Act executive agreement negotiations pending constitutional assessment; auditing government cloud deployments for CLOUD Act exposure; issuing procurement guidance requiring sovereignty impact assessments; and commissioning independent legal analysis of existing US-UK and US-Australia agreements.

11.5.2 Legislative Modernization

FEMA provides a foundation for blocking legislation but requires amendment to address digital data compulsion effectively. Parliament can expand FEMAs scope to cover CLOUD Act demands, create sector-specific blocking orders, establish mandatory disclosure requirements and introduce civil penalties with automatic stay mechanisms.

11.5.3 Technical and Institutional Investment

Longer-term measures include migrating critical infrastructure to Canadian-controlled systems, mandating customer-controlled encryption for sensitive government data, investing in MLAT processing capacity and establishing disclosure obligations for critical infrastructure providers.

Section 12 provides detailed recommendations organized by policy domain, with specific actions, responsible authorities and implementation timelines.

Endnotes

112. Foreign Extraterritorial Measures Act, RSC 1985, c F-29, s 3.

113. Foreign Extraterritorial Measures Act, RSC 1985, c F-29, s 3.

114. See Norton Rose Fulbright, “Between a rock and a hard place: Canadian companies face increased risks following US decision to implement Title III right of action,” (2019), https://www.nortonrosefulbright.com/en/knowledge/publications/60af4e56/between-a-rock-and-a-hard-place-canadian-companies-face-increased-risks-following.

115. FEMA, s 7(3).

116. Certain Foreign Extraterritorial Measures (United States) Order, 2014, SOR/2015-12.

Report Sections

Download Paper
See Section 12
See Executive Summary