Whose Law Governs Canadian Data?

The CLOUD Act, Executive Agreements and Digital Sovereignty

SPECIAL REPORT

MARCH 11, 2026

7. Comparative Constitutional Standards

7.1 The US Third-party Doctrine

Understanding the constitutional gulf between Canada and the United States on digital privacy requires examining the US “third-party doctrine,” a constitutional principle that has no equivalent in Canadian jurisprudence.

The third-party doctrine originates from Smith v Maryland (1979).⁸³ The Supreme Court held that individuals have no “reasonable expectation of privacy” in information they voluntarily convey to third parties. Under this doctrine, the Fourth Amendment’s protection against unreasonable searches does not apply to information held by banks, telephone companies, internet service providers or cloud storage companies.

7.2 Canadian Charter Protections: R. v Spencer

Canadian constitutional law has taken a fundamentally different path from the United States. In R. v Spencer (2014), the Supreme Court of Canada unanimously rejected the notion that privacy interests are extinguished when information is shared with third-party service providers.⁸⁴

Justice Cromwell held that subscriber information “can reveal intimate details of the lifestyle and personal choices of the individual” and that “the Internet has become an extension of the individual’s private existence.” The Court explicitly rejected the American third-party doctrine, holding that “the reasonable expectation of privacy is a normative rather than a descriptive standard.”

7.3 R v Bykovets: The “First Digital Breadcrumb”

The Supreme Court extended Spencer’s reasoning in R. v Bykovets (2024), holding that IP (internet protocol) addresses themselves are protected by Section 8 of the Charter.⁸⁵ Justice Karakatsanis described the IP address as “the first digital breadcrumb” that can reveal “a constellation of private information about the user.”

7.4 The Constitutional Tension

The doctrinal divergence outlined above creates a fundamental problem for any Canada-US CLOUD Act agreement. Under the CLOUD Act framework, US authorities can obtain Canadian data from US-affiliated providers using legal standards that Spencer and Bykovets have declared unconstitutional in Canada. The CLOUD Act does not require US authorities to satisfy Canadian constitutional standards before compelling disclosure of Canadian data — it requires only compliance with US law.

This is not a theoretical concern. As Citizen Lab has observed, “one would be hard pressed to find two democracies that are more incompatible when it comes to trying to align digital surveillance laws.”⁸⁶ The incompatibility runs deeper than procedural differences: it reflects fundamentally different conceptions of the relationship between the individual, the state and the intermediaries that hold personal data.87

Cochranes analysis of CLOUD Act agreements under both Fourth Amendment and European Convention on Human Rights (ECHR) Article 8 frameworks demonstrates that the privacy safeguards embedded in existing agreements fall significantly short of the standards Canadians expect under the Charter.⁸⁸

An executive agreement cannot resolve this tension — it can only paper over it by substituting US constitutional standards for Canadian ones whenever US authorities seek Canadian data.

Endnotes

83. Smith v Maryland, 442 US 735 (1979).

84. R. v Spencer, supra note 66.

85. R. v Bykovets, supra note 66.

86. See R v Love, 2022 ABCA 269, https://canlii.ca/t/jqpsr; Citizen Lab, “Canada-U.S. Cross-Border Surveillance Negotiations.”

87. The US third-party doctrine holds that individuals have no reasonable expectation of privacy in information voluntarily conveyed to third parties. This doctrine enabled warrantless surveillance of metadata and business records until partially limited by Carpenter v United States, 585 US 296 (2018).

88. Cochrane, “Digital Privacy Rights,” examining the Fourth Amendment and ECHR Article 8 implications of CLOUD Act executive agreements.

Report Sections

Download Paper

See Section 8

See Executive Summary