Whose Law Governs Canadian Data?
The CLOUD Act, Executive Agreements and Digital Sovereignty
SPECIAL REPORT
MARCH 16, 2026
2. Decision Logic for Canadian Policymakers
The CLOUD Act presents Canadian policymakers with a fundamental choice between two governance models. The consequences of that choice extend far beyond operational efficiency.
Table 1: Two Governance Paths
2.1 The Core Question
Which constitutional order will govern Canadian data — Canadian law applied by Canadian courts or US law applied by US authorities without Canadian oversight?
Three threshold questions for any policy decision:
- Jurisdictional exposure: is the provider or system subject to US legal compulsion? (If uncertain, assume yes.)
- Data sensitivity: would unauthorized disclosure engage Charter-protected interests, including national security, section 8 privacy rights, section 7 security-of-the-person and due-process interests, section 15 equality concerns or democratic governance more broadly?
- Technical protection: can data be rendered inaccessible to the provider through customer-controlled encryption?
If jurisdictional exposure exists and data sensitivity is high, Canadian-controlled alternatives or robust technical protections are required — regardless of contractual assurances or data residency arrangements.
Section 12 below provides detailed recommendations for implementing this framework across seven policy domains.
Report Sections
- 1. Executive Summary
- 2. Decision Logic
- 3. U.S. Cloud Act
- 4. U.S. Personal Jurisdiction
- 5. Legislative Framework
- 6. Microsoft
- 7. Constitutional Standards
- 8. Executive Agreements
- 9. UK Apple Encryption
- 10. U.S. Policy Context
- 11. U.S. Extraterritorial Reach
- 12. Policy Recommendations
- 13. Concluding Thoughts
- About the Author