Whose Law Governs Canadian Data?
The CLOUD Act, Executive Agreements and Digital Sovereignty
SPECIAL REPORT
MARCH 11, 2026
10. The U.S. Policy Context: National Security Strategy and Digital Dominance
Any assessment of CLOUD Act implications for Canada must be situated within the broader context of US digital policy. Recent developments make clear that the United States views technological dominance — including over cloud infrastructure, data flows and algorithmic systems — as a core national security priority.
10.1 The 2025 National Security Strategy
The November 2025 US National Security Strategy contains language with direct implications for Canadian digital sovereignty. The Strategy’s Western Hemisphere section declares that “the terms of our agreements, especially with those countries that depend on us most and therefore over which we have the most leverage, must be sole-source contracts for our companies” and states that Washington should “make every effort to push out foreign companies that build infrastructure in the region.”105
The Strategy instructs every US embassy to identify commercial opportunities for American firms and directs all US officials to serve as commercial advocates. It emphasizes “U.S.-built energy infrastructure, U.S.-backed access to critical minerals, and cyber networks secured with American technology.”106 These formulations suggest that allied markets may be viewed as captive rather than competitive.
10.2 The White House AI Action Plan
The July 2025 White House AI Action Plan declares it a “national security imperative for the United States to achieve and maintain unquestioned and unchallenged global technological dominance.”107 The Plan fuses AI development with “financial infrastructure, cloud dominance, and payment systems,”108 positioning algorithmic power as a national asset. This framing has direct implications for how CLOUD Act powers may be deployed and expanded.
10.3 The USMCA Review and Digital Governance
The ongoing 2025 United States-Mexico-Canada Agreement (USMCA) Review provides further context. US Trade Representative Jamieson Greer’s December 10, 2025 remarks at the Atlantic Council confirmed that the United States is conducting the review through bilateral rather than trilateral channels and described it as a “forcing function” that could lead to “a replacement” of the agreement.109 Ambassador Greer acknowledged using tariff negotiations to pressure digital governance outcomes, noting disappointment that the European Union has shown “zero moderation” in digital enforcement and reaffirming that the United States will not “allow that regulation to be outsourced.”
These developments suggest that trade tools are increasingly being deployed to influence digital governance outcomes, heightening the risk that CLOUD Act mechanisms may be leveraged as part of broader economic pressure campaigns.
10.4 Implications for Canadian Policy
As this author argued in his December 2025 rebuttal testimony to the US Trade Representative, Canadian digital sovereignty is not a threat to US interests but a strategic asset for both countries.110 A Canada that retains the legal and institutional capacity to exclude high-risk providers, audit AI systems and enforce its own cybersecurity standards provides “trusted capacity within the hemisphere” and “regulatory diversity rather than technological monoculture.”111 The USMCA review should “codify, not pre-empt” democratically determined digital sovereignty arrangements.
10.5 Trade and Treaty Considerations
Concerns are sometimes raised that Canadian measures to protect digital sovereignty, such as sovereign cloud procurement criteria, jurisdictional exclusions, or encryption key controls, could conflict with Canada’s trade obligations, particularly under the Canada-United States-Mexico Agreement (CUSMA) or USMCA.
These concerns are addressed in detail in Section 12 of this report, which analyzes how the seven-pillar framework for Canadian response can be implemented consistently with Canada’s trade commitments. The short answer is that CUSMA contains explicit national security, law enforcement and public policy exceptions that preserve Canada’s authority to regulate in areas implicating constitutional rights, public safety and the administration of justice. Jurisdiction-based procurement criteria that focus on control, auditability and encryption-key custody are governance measures, not prohibited data localization requirements.
Trade agreements are not suicide pacts. They do not require Canada to surrender constitutional control over its data.
Endnotes
105. The White House, supra note 2 at 18-19..
106. The White House, supra note 2 at 18-19.
107. The White House, supra note 3.
108. The White House, supra note 3 at i.
109. Atlantic Council, “Inside the Trump trade strategy with US Trade Representative Jamieson Greer” Transcript (10 December 2025), https://www.atlanticcouncil.org/news/transcripts/inside-the-trump-trade-strategy-with-us-trade-representative-jamieson-greer/.
110. Barry Appleton, “Law, Not Leverage: A Rules-Based Path for the USMCA Review—Rebuttal Comments to the US Trade Representative” Docket No. USTR-2025-0004 (December 12, 2025), https://ssrn.com/abstract=5668791.
111. Appleton, “Law, Not Leverage.”
Report Sections
- 1. Executive Summary
- 2. Decision Logic
- 3. U.S. Cloud Act
- 4. U.S. Personal Jurisdiction
- 5. Legislative Framework
- 6. Microsoft
- 7. Constitutional Standards
- 8. Executive Agreements
- 9. UK Apple Encryption
- 10. U.S. Policy Context
- 11. U.S. Extraterritorial Reach
- 12. Policy Recommendations
- 13. Concluding Thoughts
- 14. Appendix
- About the Author