Whose Law Governs Canadian Data?

The CLOUD Act, Executive Agreements and Digital Sovereignty

SPECIAL REPORT

MARCH 11, 2026

Barry Appleton

8. Cloud Act Executive Agreements

8.1 What a CLOUD Act “Executive Agreement” Is

Under the US CLOUD Act, an “executive agreement” is a bilateral framework negotiated by the US Executive Branch that — once in force — permits foreign orders to be served directly on US service providers for data relating to serious crime, without routing the request through US courts via an MLAT for each request. In effect, it creates a standing authorization for provider-to-foreign-state disclosure under the foreign state’s legal process, subject to the statutory conditions embedded in the CLOUD Act framework.

It is essential to understand what an executive agreement does and does not do. It does not create US authority to compel Canadian data — that authority already exists under Section 103 and is being exercised today. What an executive agreement does is provide reciprocal Canadian authority to demand data directly from US providers, formalize the bypass of MLAT processes for both parties and confer international law legitimacy on extraterritorial enforcement that currently operates unilaterally. For Canada, the trade-off is stark: marginal operational gains in exchange for surrendering the principle that foreign surveillance of Canadians requires Canadian institutional authorization.

8.1.1 Case Study: The UK-US CLOUD Act Agreement Shows the Operational Reality

The UK-US Executive Agreement (in force October 3, 2022; renewed in November 2024) provides the clearest evidence of how “direct access” operates once the machinery is built. The US Department of Justice’s first-ever report to Congress on the Executive Agreement’s implementation, submitted in November 2024, reveals the following:89

Volume and character of requests:

  • As of October 2024, the United Kingdom issued 20,142 requests to US service providers under the Executive Agreement.
  • Over 99.8 percent of these (20,105) were issued under the UK Investigatory Powers Act and were predominantly wiretap/interception-style orders.
  • Fewer than 0.2 percent (only 37 requests) were overseas production orders for stored communications data.

Comparative context: The United Kingdom’s 20,142 wiretap-inclusive orders over two years dramatically exceeds US domestic practice. Federal and state law enforcement authorities in the United States (which has five times the population of the United Kingdom) obtained wiretap orders in criminal cases in only 4,507 instances during calendar years 2022 and 2023.90

US usage: The United States made only 63 requests to UK providers during the same period — a ratio of approximately 320:1.91 The asymmetry reflects the concentration of major global service providers in the United States.

MLAT displacement failure: Contrary to the CLOUD Act’s stated objective of alleviating MLAT burdens, the United Kingdom has continued using the MLAT process at the same rate as before the Executive Agreement.92  Nearly all UK requests through the Executive Agreement could never have been made using MLATs, since MLATs cannot be used for real-time interception authority.

Provider concerns: The Department of Justice (DOJ) report noted that unnamed providers warned the DOJ about recent changes to UK law that could “impede changes to privacy and security features that U.S. providers offer globally.” 93  This concern proved prescient when, in February 2025, the United Kingdom issued a Technical Capability Notice to Apple demanding global encryption backdoors.

8.2 Five Sovereignty-relevant Takeaways for Canada

  1. Direct access skews toward interception authorities. The United Kingdom’s overwhelming reliance on its interception statute demonstrates that executive agreements can become, in practice, high-volume channels for real-time surveillance — not merely stored “e-evidence” production.
  2. Stated congressional objectives are not being met. The executive agreement has not reduced MLAT burdens or displaced traditional diplomatic channels.
  3. Secrecy constraints reduce visibility. Provider nondisclosure obligations limit the ability to raise systemic concerns or conduct meaningful external scrutiny.
  4. Volume normalizes the bypass. Once thousands of requests move outside MLAT processes, the exceptional becomes routine.
  5. Encryption attacks follow. The United Kingdom leveraged its position under the Executive Agreement to demand global encryption backdoors, demonstrating how executive agreements can precede aggressive extraterritorial demands.

For Canada, the UK experience is an early warning that an executive agreement is not merely a faster MLAT. It is a different governance model: persistent direct access at surveillance scale.

8.3 Why an Executive Agreement Is Not Preferable for Canadian Digital Sovereignty

From a Canadian sovereignty standpoint, the objections to a CLOUD Act executive agreement are structural:

  • It replaces Canadian gatekeeping with corporate compliance. Under MLAT, Canada’s Central Authority and courts are the choke points. Under an executive agreement, the operational choke point becomes a provider's compliance team, subject to foreign law and secrecy obligations.
  • It shifts oversight away from Canadian constitutional standards. Norms available to Canadian Charter Section 8 protected persons (reasonable expectation of privacy; rejection of the US third-party doctrine) do not apply to the request, the standard or the scope when the order is not executed through Canadian process.
  • It is designed to bypass the “foreign request to Canadian process” model. That is the point of the instrument: speed via direct access. But “speed” here is achieved by removing a sovereignty layer, not by improving Canadian capacity.
  • It typically creates no enforceable rights for affected individuals. Existing agreements disclaim the creation of individual rights or remedies, leaving data subjects with little recourse if data is accessed or misused.
  • It does not stop what is already happening. Section 103 compulsion is operational now. An executive agreement would not reduce US access to Canadian data; it would add a second, normalized channel while removing the legal and diplomatic friction that currently attaches to unilateral extraterritorial demands.

Bottom line: an executive agreement is best understood as a direct-access architecture that treats cloud providers as cross-border enforcement intermediaries. That is governance by platform, not governance by Parliament.

8.3.1 Why “Efficiency” Is the Wrong Metric

Proponents of CLOUD Act executive agreements frequently frame the issue as one of operational efficiency, arguing that direct access to service providers is necessary to address delays associated with traditional MLAT processes. This framing is misleading and obscures the actual policy trade-off.

The delays associated with MLATs are not primarily legal or constitutional in nature. They are the result of capacity constraints, resourcing decisions and administrative under-investment, not an inherent inability of Canadian institutions to process foreign evidence requests. MLATs are deliberately designed to ensure that foreign investigative powers affecting Canadians are exercised through Canadian authorities, under Canadian law and subject to Canadian constitutional standards. As noted above, capacity constraints should be addressed through resourcing and institutional reform rather than by displacing Canadian judicial mediation.

Executive agreements do not “modernize” MLATs. They bypass them.

The speed gains achieved under an executive agreement are realized by removing Canadian judicial and governmental review, not by improving investigative cooperation. In practical terms, efficiency is purchased by eliminating the very safeguards that MLATs exist to preserve.

8.3.2 Canadian Officials Have Endorsed the CLOUD Act Model

A notable feature of the CLOUD Act debate is that Canadian public safety and justice officials have themselves articulated support for the framework, on grounds that inadvertently confirm the concerns this briefing raises.

Briefing materials from Public Safety Canada have characterized a potential CLOUD Act executive agreement with the United States as a mechanism to address “long delays in obtaining electronic evidence through traditional MLAT channels,” emphasizing the need for “timely and effective” access to data for serious crime and cybercrime investigations.94

These statements are revealing not for what they advocate but for what they omit. The MLAT process is not slow because of a legal defect; it is slow because it routes foreign evidence demands through Canadian institutions, under Canadian law, subject to Canadian constitutional standards. The “delays” officials identify are the temporal cost of sovereignty. When Canadian authorities describe CLOUD Act agreements as enabling “timely and effective” access, they are describing the removal of Canadian judicial gatekeeping as a benefit, without acknowledging that this gatekeeping is what distinguishes lawful process from foreign surveillance.

8.4 The 2022 Announcement: Canada Enters CLOUD Act Negotiations

On March 22, 2022, at the re-established Canada-US Cross-Border Crime Forum in Washington, DC, Canada formally announced it had entered negotiations with the United States for a bilateral executive agreement under the CLOUD Act.95 The announcement was made jointly by US Attorney General Merrick Garland and Secretary of Homeland Security Alejandro Mayorkas, together with Canada’s then-Minister of Justice David Lametti and Minister of Public Safety Marco Mendicino.

The joint statement declared that the governments “welcomed negotiations for a potential bilateral agreement in relation to the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act),” stating that such an agreement “would allow Canadian and U.S. investigative authorities to, more efficiently and effectively, access communications and associated data in the other country when this information is needed for the prevention, detection, investigation, and prosecution of serious crime, such as terrorism, child sexual exploitation and abuse, and cybercrime, while respecting privacy and civil liberties.”

These negotiations have proceeded without public discussion, disclosure or debate. Canadians have not been informed that their telecommunications metadata, banking records, insurance files and electronic communications and associated electronic data, including both content and non-content information, are already subject to US legal process, nor have they been consulted on whether Canada should negotiate an agreement to facilitate such access.

8.5 Status of Negotiations: 2022–Present

As of December 2025, more than three years after the announcement, no Canada-US CLOUD Act agreement has been finalized.96 The terms of the negotiations have not been made public, and the Canadian government has provided limited transparency regarding the status or substance of discussions.

As researchers Cynthia Khoo and Kate Robertson of The Citizen Lab observed in February 2025: “Since the 2024 U.S. Presidential election, Canada-U.S. relations have become increasingly strained and the subject of public concern. It should thus be of further concern to the public that, since 2022, the Canadian government has been quietly negotiating a bilateral law enforcement data-sharing agreement with the U.S. under the U.S. CLOUD Act. These negotiations are ongoing, even though the U.S. does not recognize human rights obligations beyond its own borders.” 97

8.6 Required Legislative Amendments

Implementation of a Canada-US CLOUD Act agreement would require substantial amendments to Canadian law. Canada would need to establish extraterritorial production orders, amend privacy legislation to authorize disclosures pursuant to foreign warrants and create reciprocal recognition mechanisms to give effect to US legal process in Canada.98

The Canadian Bar Association has recommended that any enabling legislation include a mechanism whereby foreign orders are reviewed by Canadian authorities for compliance with the bilateral agreement, and that Canadian service providers retain the right to seek review of requests in Canadian courts.99

8.7 Constitutional Concerns and Civil Society Opposition

Opposition to a Canada-US CLOUD Act agreement has intensified since negotiations were announced, uniting civil liberties organizations, privacy experts and the legal profession around a core concern: the constitutional incompatibility of Canadian and US surveillance law.

8.7.1 The Citizen Lab Analysis

In February 2025, researchers Khoo and Robertson of The Citizen Lab published a comprehensive analysis concluding that “one would be hard pressed to find two democracies that are more incompatible when it comes to trying to align digital surveillance laws.” The analysis identified third-party doctrine divergence, reproductive rights and civil liberties risks, and the “remedial no-man’s land” created by existing CLOUD Act agreements, which “have explicitly refused to establish any rights or remedies for individuals or companies whose data is subject to seizure.”

8.7.2 The Canadian Bar Association

The Canadian Bar Association’s (CBA’s) Privacy and Access Law Section formally raised concerns about proceeding with a CLOUD Act agreement without substantial safeguards, submitting detailed recommendations in November 2024. The CBA’s concerns included: preserving MLAT processes for requests targeting Canadians; exempting government data from CLOUD Act access; requiring Canadian judicial authorization before disclosure; amending privacy legislation to limit unintended disclosures; establishing notification requirements for Canadian data subjects; and creating mechanisms for Canadian judicial review of foreign orders.

8.7.3 Civil Liberties Coalition

In July 2025, the Canadian Civil Liberties Association (CCLA) joined 39 organizations and 122 experts in calling for withdrawal of Bill C-2, the Strong Borders Act, citing concerns that elements of the bill were “designed to align Canadian surveillance practices with U.S. practice, despite fundamental differences in our constitutional privacy protections and standards.”100

8.8 CBA Recommendations for Canada-US CLOUD Negotiations

In November 2024, the CBAs Privacy and Access Law Section submitted detailed recommendations regarding any Canada-US CLOUD Act agreement:

  1. Preserve MLAT for Canadians.
  2. Exempt government data.
  3. Amend the Criminal Code.
  4. Clarify privacy laws.
  5. Require Canadian notification.
  6. Canadian judicial review.

The policy implications of this analysis, including the recommendation regarding the status of negotiations, are addressed in Section 12.

Endnotes

89. US DOJ, Report to Congress on the Implementation of the US-UK CLOUD Act Agreement (November 2024),  https://www.documentcloud.org/documents/25551978-doj-report-to-congress-on-us-uk-cloud-act-agreement/.

90. Richard Salgado, “First Insights Into the US-UK CLOUD Act Agreement,” Lawfare (March 10, 2025), https://www.lawfaremedia.org/article/first-insights-into-the-u.s.-u.k.-cloud-act-agreement. See also Greg Nojeim, Testimony before the House Judiciary Committee, Subcommittee on Crime and Federal Government Surveillance (June 5, 2025), https://www.congress.gov/119/meeting/house/118335/witnesses/HHRG-119-JU08-Wstate-NojeimG-20250605.pdf.

91. US DOJ Report to Congress, supra note 92.  The statistics on requests are on pages 5-6 of the DOJ Report.

92. Salgado, supra note 93 (“the U.K. has continued to use the MLAT process at the same rate as before the CLOUD Act”).

93. Salgado, supra note 93..

94. Public Safety Canada, Briefing Materials on Canada-US CLOUD Act Negotiations (2022–2024) (describing executive agreement as addressing delays in electronic evidence production and emphasizing “timely and effective” investigative access).

95. Public Safety Canada, “The U.S. and Canada Reestablish the Cross-Border Crime Forum,” news release, March 22, 2022, https://www.canada.ca/en/public-safety-canada/news/2022/03/the-us-and-canada-reestablish-the-cross-border-crime-forum.html.

96. Osler, Hoskin & Harcourt LLP, “Data Sovereignty in Light of the CLOUD Act: Back to the Future?,” October 7, 2025, https://www.osler.com/en/insights/updates/data-sovereignty-in-light-of-the-cloud-act-back-to-the-future/ (“Canada has been negotiating a CLOUD Act agreement with the U.S. since 2022, but no agreement is currently in place”).

97. Khoo and Robertson, “Canada-U.S. Cross-Border Surveillance Negotiations.

98. International Centre for Criminal Law Reform, “Canada’s Future CLOUD Act Agreement with the United States,” March 29, 2022, https://icclr.org/2022/03/29/canadas-future-cloud-act-agreement-with-the-united-states/.

99. Canadian Bar Association, Privacy and Access Law Section, Submission on a Potential Canada–U.S. CLOUD Act Agreement (November 2024) at 3–5 (MLAT preservation), 6–7 (government data exemptions), 9–11 (judicial review), 12–14 (privacy-law amendments), https://nationalmagazine.ca/en-ca/articles/cba-influence/submissions/2025/how-to-address-canada-s-digital-data-disclosures-with-the-u-s.

100. Canadian Civil Liberties Association, “CCLA and coalition of coalitions call for withdrawal of Bill C-2” (July 14, 2025), https://ccla.org/privacy/ccla-joins-calls-for-withdrawal-of-bill-c-2/.

Report Sections

Download Paper
See Section 9
See Executive Summary