Whose Law Governs Canadian Data?

Canada faces a defining choice on digital sovereignty. The question is not whether the CLOUD Act poses risks to Canadian data. That question has been answered. Microsoft’s June 2025 testimony before the French Senate removed any remaining doubt: US-headquartered providers cannot guarantee that Canadian data will remain beyond the reach of US legal process, regardless of where that data is stored or what contractual commitments are made.

The question now is what Canada will do about it.

Three realities should guide Canadian policy. First, the status quo is untenable. Over 80 percent of Canadian cloud services depend on foreign infrastructure. Critical government systems operate on platforms subject to CLOUD Act jurisdiction. This is not a theoretical vulnerability; it is an operational fact. Second, the legal protections Canada might rely upon provide less security than official statements suggest. The Bank of Nova Scotia precedent confirms that US courts will enforce disclosure orders even when compliance requires violating foreign law. The UK experience confirms these concerns at operational scale. Third, the bilateral context has shifted. The November 2025 US National Security Strategy characterizes allied markets as opportunities for American commercial dominance. Canada should calibrate its expectations accordingly.

Section 12 sets out a comprehensive seven-pillar framework for a Canadian response. The recommendations address the full spectrum of available measures, from immediate executive actions requiring no legislative change to longer-term institutional reforms. Together, they constitute a coherent strategy for preserving Canadian sovereignty over Canadian data.

The Supreme Court of Canada has articulated a constitutional vision in which Canadians retain a reasonable expectation of privacy in their electronic communications, even when those communications are held by third-party service providers. The CLOUD Act operates within a constitutional framework that reaches the opposite conclusion. These two visions cannot be reconciled through corporate goodwill or contractual drafting.

Canada must choose which constitutional order will govern Canadian data.

The decisions made in the coming months will shape Canada’s digital sovereignty for a generation. They deserve the attention this briefing has sought to provide.

The policy window is open. CLOUD Act negotiations remain incomplete. Critical infrastructure and procurement decisions are being made. The USMCA review creates both risks and opportunities for digital governance. In each of these domains, Canada retains agency, but only if it exercises that agency deliberately.