Whose Law Governs Canadian Data?
The CLOUD Act, Executive Agreements and Digital Sovereignty
SPECIAL REPORT
MARCH 11, 2026
9. The UK-Apple Encryption Controversy:
A Warning for Canada
9.1 The Technical Capability Notice
In February 2025, The Washington Post reported that the United Kingdom had secretly issued a Technical Capability Notice (TCN) to Apple under the Investigatory Powers Act 2016 (commonly known as the “Snoopers’ Charter”).101 The order demanded that Apple create a backdoor allowing UK authorities to access all encrypted content uploaded to iCloud by any Apple user worldwide — not merely targeted accounts of UK residents.
This demand represents an extraordinary assertion of extraterritorial jurisdiction over encryption. The Investigatory Powers Act 2016 grants the UK Home Secretary authority to issue TCNs requiring telecommunications operators to maintain “permanent technical capabilities” enabling the interception of communications. Critically, the Investigatory Powers Act makes it a criminal offense for companies to disclose that they have received a TCN, creating a regime of secret compulsion.
Rather than comply, Apple chose to disable Advanced Data Protection for new UK users in February 2025. This decision meant that UK users lost access to the highest level of data protection available, but Apple avoided creating a global backdoor that would have compromised security for all users worldwide.
The legal asymmetry illustrated by the United Kingdom-United States example does not arise from any encryption-protective feature of the CLOUD Act itself, but from substantive limits embedded in US domestic law. US courts have been reluctant to compel the creation of encryption backdoors or new technical capabilities absent clear congressional authorization, including under the All Writs Act, reflecting concerns about undue burden and the limits of judicial authority in the absence of a statutory mandate.102 The CLOUD Act preserves these domestic limits and is encryption-neutral rather than encryption-protective.103
By contrast, other jurisdictions, including the United Kingdom, maintain domestic legal authorities that permit the imposition of technical capability obligations. The constitutional concern is therefore not that the CLOUD Act mandates decryption, but that its executive agreement framework enables the cross-border circulation of data obtained under foreign legal regimes that permit surveillance powers incompatible with Canadian constitutional standards.
9.2 Cybersecurity Implications: The Salt Typhoon Warning
The catastrophic risks of building surveillance backdoors into communications infrastructure were dramatically illustrated by the Salt Typhoon cyberattacks disclosed in late 2024.104
Salt Typhoon is an advanced persistent threat group attributed to China’s Ministry of State Security. Beginning as early as 2022, Salt Typhoon infiltrated the networks of at least nine major US telecommunications companies, including AT&T, Verizon, T-Mobile and Lumen Technologies.
Most alarmingly, Salt Typhoon specifically targeted the systems used for court-authorized wiretapping — the very infrastructure mandated by the Communications Assistance for Law Enforcement Act to enable lawful intercept capabilities. Chinese intelligence operatives gained access to call detail records and, in some cases, the actual contents of communications. The US Federal Bureau of Investigation confirmed that the hackers specifically targeted individuals involved in government or political activity.
In January 2025, the US Treasury Department sanctioned Sichuan Juxinhe Network Technology Co., Ltd., a Chinese cybersecurity company identified as having direct involvement in Salt Typhoon operations.
The Salt Typhoon attacks validate what security researchers have long warned: backdoors created for “lawful” surveillance will inevitably be discovered and exploited by malicious actors. Any encryption backdoor demanded under a CLOUD Act agreement or domestic surveillance law creates a systemic vulnerability.
Endnotes
101. Joseph Menn, “U.K. Orders Apple to Let It Spy on Users’ Encrypted Accounts,” The Washington Post, February 7, 2025, https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/; Joseph Menn, “Apple Yanks Encrypted Storage in U.K. Instead of Allowing Backdoor Access,” The Washington Post, February 21, 2025, https://www.washingtonpost.com/technology/2025/02/21/apple-yanks-encrypted-storage-uk-instead-allowing-backdoor-access/.
102. In re Apple, Inc., No. 15-mc-1902 (E.D.N.Y. February 29, 2016); see also Matt Apuzzo and Joseph Goldstein, “Apple Fights Order to Unlock San Bernardino Gunman’s iPhone,” The New York Times, February 17, 2016.
103. CLOUD Act, US DOJ, Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act (Washington, DC: US DOJ, April 2019), 9–11; Jennifer Daskal, “Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0,” Stanford Law Review Online 71 (May 2018): 9–48.; BSA | The Software Alliance, “The U.S. CLOUD Act: Myths vs. Facts,” April 2019.
104. US Department of the Treasury, “Treasury Sanctions Company Associated with Salt Typhoon” (January 17, 2025), https://home.treasury.gov/news/press-releases/jy2792; Congressional Research Service, “Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications” (January 23, 2025), https://www.congress.gov/crs-product/IF12798.
Report Sections
- 1. Executive Summary
- 2. Decision Logic
- 3. U.S. Cloud Act
- 4. U.S. Personal Jurisdiction
- 5. Legislative Framework
- 6. Microsoft
- 7. Constitutional Standards
- 8. Executive Agreements
- 9. UK Apple Encryption
- 10. U.S. Policy Context
- 11. U.S. Extraterritorial Reach
- 12. Policy Recommendations
- 13. Concluding Thoughts
- 14. Appendix
- About the Author