Whose Law Governs Canadian Data?

The CLOUD Act, Executive Agreements and Digital Sovereignty

SPECIAL REPORT

MARCH 11, 2026

12. Policy Recommendations: A Seven-Pillar Framework

The following recommendations are organized by policy domain and implementation timeframe. Each is designed to be actionable within existing constitutional authority. Together, they constitute a comprehensive response to the sovereignty challenges posed by the CLOUD Act.

12.1 CLOUD Act Negotiations: Suspend and Reassess

Central recommendation: Canada should suspend CLOUD Act executive agreement negotiations with the United States until constitutional compatibility concerns are resolved and robust safeguards — exceeding those in existing US-UK and US-Australia agreements — can be guaranteed.

12.1.1 Rationale

Since March 2022, Canada has been negotiating a bilateral executive agreement under Section 105 of the CLOUD Act. What Canadians must understand is that Section 103 — authorizing unilateral extraterritorial compulsion — is already operational. US authorities can today demand Canadian data from any provider subject to US jurisdiction, without notification to affected Canadians and without Canadian judicial review. An executive agreement would not create this exposure; it would formalize and accelerate it while removing the MLAT’s sovereignty layer entirely.

The existing US-UK agreement demonstrates the operational reality of persistent, programmatic access to large volumes of data without individualized judicial authorization — what I call surveillance scale: the United Kingdom issued over 20,000 requests to US providers in two years, overwhelmingly for real-time interception rather than stored data.117 As The Citizen Lab concluded: “One would be hard pressed to find two democracies that are more incompatible when it comes to trying to align digital surveillance laws.”118

Specific actions:

  1. Formally suspend negotiations pending completion of a comprehensive constitutional impact assessment examining compatibility with Spencer, Bykovets and Section 8 of the Charter.
  2. Commission an independent legal analysis comparing existing CLOUD Act agreements (United States-United Kingdom, United States-Australia) with Canadian constitutional standards, to be made public before any executive agreement is finalized.
  3. Require parliamentary review of any proposed agreement through the Standing Committee on Public Safety and National Security, the Standing Committee on Science and Research, and the Standing Committee on Justice and Human Rights before ratification.
  4. Establish non-negotiable conditions for any future agreement, including: preservation of Canadian judicial authorization before Canadian data can be disclosed to US authorities; notification requirements for Canadian data subjects; enforceable remedies for individuals whose data is improperly accessed; and explicit carve-outs for government data and critical infrastructure.

12.2 Legislative Reform: Modernize Canada’s Blocking Legislation

Central recommendation: amend FEMA to address digital data compulsion and create meaningful legal consequences for unauthorized disclosure of Canadian data to foreign authorities.

12.2.1 Rationale

FEMA provides the Attorney General with the authority to prohibit compliance with foreign measures that adversely affect Canadian interests or infringe Canadian sovereignty.119 However, FEMA was developed primarily in response to US economic sanctions against Cuba and requires adaptation for the digital context. Several challenges must be addressed: the definition of “foreign tribunal” may not clearly encompass direct agency demands under the CLOUD Act; dual-listed Canadian companies face structural conflicts between FEMA compliance and US regulatory obligations; and enforcement mechanisms lack practical deterrent effect.

Specific legislative amendments:

  1. Expand FEMA’s scope to expressly cover disclosure demands under foreign data access laws, including the CLOUD Act, National Security Letters and equivalent instruments.
  2. Create sector-specific blocking orders for telecommunications providers, financial institutions and critical infrastructure operators, establishing clear obligations and consequences.
  3. Establish mandatory disclosure requirements requiring Canadian entities to notify designated Canadian authorities when they receive foreign compulsion demands affecting Canadian data.
  4. Introduce civil penalties and automatic stay mechanisms that create genuine compliance friction, moving beyond the current regime where violations require prosecution with Attorney General consent.
  5. Create statutory safe harbour for Canadian entities that refuse to comply with foreign data demands in reliance on FEMA blocking orders, protecting them from contractual and regulatory consequences.

Note on effectiveness: FEMA blocking orders cannot directly compel US-headquartered providers to resist US legal process. However, they can: create legal conflict that strengthens comity-based challenges under 18 U.S.C. § 2703(h); impose obligations on Canadian subsidiaries and affiliates; establish conditions for government procurement; and signal sovereign intent in international negotiations.120

12.3 Critical Infrastructure: Migrate to Canadian-controlled Systems

Central recommendation: migrate critical government systems — particularly national defence and security operations, government continuity, and income support and pensions — to Canadian-controlled infrastructure not subject to US jurisdiction under the CLOUD Act.

12.3.1 Rationale

Over 80 percent of Canadian cloud services rely on foreign infrastructure.121 The DND and CAF make significant use of Microsoft 365 through Defence 365, which serves as a common cloud infrastructure for collaboration across the DND/CAF. Under current arrangements, any data on these systems could, in theory, be subpoenaed by US authorities without Canadian judicial review. As the Privacy Commissioner noted: “data residency requirements alone cannot guarantee protection from foreign legal processes.”122

Microsoft’s June 2025 testimony before the French Senate confirmed this vulnerability with devastating clarity, as previously noted. When asked whether he could guarantee that French government data would not be transmitted to US authorities without French authorization, Microsoft France’s Carniaux responded that he could not provide such a guarantee. The same is true for Canadian data.

Specific actions:

  1. Conduct an immediate audit of all federal government cloud deployments to identify systems storing classified, protected or sensitive information on infrastructure subject to CLOUD Act jurisdiction.
  2. Establish a migration timeline for Defence 365 and equivalent national security systems to Canadian-controlled alternatives, with interim technical protections (customer-controlled encryption) during the transition.
  3. Invest in Canadian cloud capacity through public-private partnerships or direct investment in Shared Services Canada infrastructure, ensuring availability of sovereign alternatives for government workloads.
  4. Define “sovereign cloud” in procurement policy based on four criteria: jurisdictional control (provider not subject to foreign compulsion laws); operational control (Canadian administration without foreign override); cryptographic control (customer or Canadian authority holds encryption keys); and audit and enforcement authority (Canadian institutions possess meaningful oversight).

12.4 Procurement Reform: Sovereignty-based Criteria

Central recommendation: revise federal procurement policy to require sovereignty impact assessments for cloud services and establish mandatory criteria for sensitive government data.

12.4.1 Rationale

Current procurement frameworks treat cloud services primarily as commodity IT (information technology) purchases rather than as sovereignty-implicating infrastructure decisions. The result is that jurisdictional exposure to foreign legal process is not systematically assessed, and “data residency” requirements are treated as sufficient protection when they manifestly are not.

Specific actions:

  1. Amend the Treasury Board Directive on Service and Digital to require sovereignty impact assessments for all cloud procurements involving protected or classified information.
  2. Establish tiered procurement requirements based on data sensitivity: Tier 1 (classified/national security) — Canadian-controlled providers only, customer-held encryption keys mandatory; Tier 2 (protected/sensitive) — sovereignty-compliant providers preferred, encryption required; and Tier 3 (unclassified) — standard procurement with disclosure of jurisdictional exposure.
  3. Require provider disclosure of corporate structure, US jurisdictional exposure (stock listings, subsidiaries, US customers) and compliance history with foreign legal process.
  4. Include contractual termination rights triggered by provider compliance with foreign data demands affecting Canadian government data without Canadian authorization.

12.5 Technical Protections: Mandate Encryption Standards

Central recommendation: mandate customer-controlled encryption for sensitive government data, ensuring that providers cannot comply with foreign disclosure demands because they cannot access intelligible data.

12.5.1 Rationale

Technical protections succeed where legal assurances fail. A provider cannot disclose data it cannot access. Customer-controlled encryption (where the government customer, not the cloud provider, holds decryption keys) creates a technical barrier to foreign compulsion that operates regardless of the provider’s legal obligations. The UK-Apple encryption controversy demonstrates both the importance of encryption and the pressure providers face to compromise it.123

Specific actions:

  1. Require customer-managed encryption keys for all Tier 1 and Tier 2 government cloud deployments, with keys held by Canadian government authorities rather than providers.
  2. Establish key management infrastructure within Shared Services Canada or the Communications Security Establishment Canada to support government-wide encryption key custody.
  3. Prohibit acceptance of encryption backdoor demands by providers serving Canadian government clients, with contractual consequences for compliance with foreign demands to weaken encryption.
  4. Develop Canadian cryptographic standards for government cloud deployments through the Canadian Centre for Cyber Security, ensuring interoperability while maintaining sovereign control.
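To make concrete the cryptographic-control criterion in 12.3 and the customer-held keys required in 12.5, the following Go code is an added illustration written for this section (it is not code from any provider, department or the report itself). It assumes AES-256-GCM envelope encryption: each object is encrypted under a fresh data key (DEK), the DEK is wrapped under a key encryption key (KEK) that stays with the Canadian authority, and the provider stores only the ciphertext and the wrapped DEK; the object IDs and payloads used are constructed examples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// StoredObject is all the provider holds: ciphertext plus the DEK wrapped under a customer KEK.
type StoredObject struct {
	Nonce, Ciphertext, WrapNonce, WrappedDEK []byte
}

func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes (AES-256); a size error is a bug
	}
	g, _ := cipher.NewGCM(block) // NewGCM only fails for non-standard block sizes
	return g
}

// seal encrypts under a fresh random nonce, binding the object ID as AAD so a
// wrapped DEK cannot be replayed against a different object.
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	g := aeadFor(key)
	nonce = make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand fails only on a broken platform
	return nonce, g.Seal(nil, nonce, plaintext, aad)
}

// Encrypt runs on the customer side; only the StoredObject is uploaded.
func Encrypt(kek, plaintext []byte, objectID string) *StoredObject {
	dek := make([]byte, 32)
	rand.Read(dek)
	n, ct := seal(dek, plaintext, []byte(objectID))
	wn, wdek := seal(kek, dek, []byte(objectID))
	return &StoredObject{n, ct, wn, wdek}
}

// Decrypt needs the KEK. Whoever holds only obj, or a different key, gets an
// authentication error rather than plaintext: nothing intelligible to disclose.
func Decrypt(kek []byte, obj *StoredObject, objectID string) ([]byte, error) {
	dek, err := aeadFor(kek).Open(nil, obj.WrapNonce, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return aeadFor(dek).Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectID))
}
```

The point for procurement is that a disclosure demand served on the provider yields only the StoredObject, which is unreadable unless the KEK custodian (Shared Services Canada or CSE, under action 2) participates.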

12.6 Institutional Capacity: Invest in MLAT Infrastructure

Central recommendation: address MLAT delays through capacity investment rather than sovereignty bypass, preserving Canadian judicial oversight while improving operational efficiency.

12.6.1 Rationale

Proponents of CLOUD Act executive agreements frequently frame the issue as one of operational efficiency, arguing that direct provider access is necessary to address MLAT delays. This framing is misleading. The delays associated with MLATs are not primarily legal or constitutional in nature — they result from capacity constraints, resourcing decisions and administrative underinvestment. MLATs are deliberately designed to ensure that foreign investigative powers affecting Canadians are exercised through Canadian authorities, under Canadian law and subject to Canadian constitutional standards. Executive agreements do not “modernize” MLATs; they bypass them.

Specific actions:

  1. Increase staffing and technical capacity within Canada’s MLAT central authority (International Assistance Group, Department of Justice) to reduce processing times.
  2. Establish service-level standards with treaty partners, committing to specified response times for priority categories of requests.
  3. Digitize and standardize request formats to reduce administrative burden and enable faster processing.
  4. Prioritize serious-crime requests through existing judicial channels, ensuring that legitimate law enforcement needs are met without abandoning constitutional oversight.
  5. Publish annual statistics on MLAT request volumes, processing times and outcomes to enable evidence-based assessment of capacity needs.

12.7 Private Sector Obligations: Transparency and Compliance Framework

Central recommendation: establish disclosure obligations for Canadian telecommunications and critical infrastructure providers regarding CLOUD Act exposure, enabling informed decisions by consumers, businesses and government procurement officers.

12.7.1 Rationale

Major Canadian telecommunications providers (BCE, Rogers, TELUS) and technology companies (Shopify) maintain US connections — stock exchange listings, subsidiaries, institutional investors — that may expose them to CLOUD Act jurisdiction. Canadians cannot make informed choices about their data if this exposure is not disclosed.

Specific actions:

  • Require annual disclosure by designated critical infrastructure providers of: corporate structure and foreign jurisdictional exposure; volume of foreign legal demands received; volume of demands complied with; and categories of data affected.
  • Establish notification requirements obligating providers to inform Canadian customers when their data has been disclosed to foreign authorities, subject to limited exceptions for ongoing investigations.
  • Create regulatory guidance through the Canadian Radio-television and Telecommunications Commission and the Office of the Superintendent of Financial Institutions on CLOUD Act risk assessment and mitigation for regulated entities.
  • Consider designation authority enabling the Minister of Innovation, Science and Industry to designate specific providers as “critical digital infrastructure” subject to enhanced oversight and national security review of foreign acquisitions.

Endnotes

117. US DOJ, Report to Congress, supra note 92, revealing that the United Kingdom issued over 20,000 requests to US providers in two years, overwhelmingly for interception rather than stored data.

118. Khoo and Robertson, “Canada-US Cross-Border Surveillance Negotiations.”

119. Foreign Extraterritorial Measures Act, supra note 116 (authorizing orders prohibiting compliance with foreign measures that adversely affect Canadian interests or infringe Canadian sovereignty).

120. In Re Grand Jury Proceedings (Bank of Nova Scotia), 691 F.2d 1384 (11th Cir. 1982); 740 F.2d 817 (11th Cir. 1984) (enforcing subpoenas despite foreign blocking statutes and imposing substantial fines for non-compliance).

121. Treasury Board of Canada Secretariat, supra note 6.

122. Privacy Commissioner of Canada, supra note 8.

123. Menn, “U.K. Orders Apple to Let It Spy”; Congressional Research Service, “Salt Typhoon Hacks.”