Whose Law Governs Canadian Data?

The CLOUD Act, Executive Agreements and Digital Sovereignty

SPECIAL REPORT

MARCH 11, 2026

4. U.S. Personal Jurisdiction Doctrine:
What Canadians Need to Know

A critical issue for Canadian policymakers is understanding how US courts determine whether a foreign entity — including a Canadian company — is subject to US jurisdiction for CLOUD Act purposes. The US constitutional framework governing personal jurisdiction operates on principles largely unfamiliar to Canadian lawyers, and the US government’s official position on jurisdictional constraints may significantly overstate the protections available to foreign service providers.

4.1 The “Minimum Contacts” Test

Under US constitutional law, the Due Process Clause of the Fifth Amendment (for federal process) and the Fourteenth Amendment (for state process) limit a court’s authority to exercise jurisdiction over a defendant. The foundational case is International Shoe Co. v Washington (1945), which held that due process requires a defendant to have “minimum contacts” with the forum such that the exercise of jurisdiction does not offend “traditional notions of fair play and substantial justice.”¹⁰

The minimum contacts analysis has evolved through subsequent Supreme Court decisions into a doctrine of “purposeful availment” — the requirement that a defendant has “purposefully avail[ed] itself of the privilege of conducting activities within the forum State, thus invoking the benefits and protections of its laws.”¹¹ For internet-era service providers, courts have applied variations of this test, including the “Zippo sliding scale” for assessing web-based contacts¹² and in appropriate cases, the “Calder effects test” for intentional conduct directed at forum residents.¹³ In the CLOUD Act context, these jurisdictional tests matter because they help determine whether a foreign-based service provider’s online operations — such as interactive services, targeted content or intentional engagement with US users — are sufficient to establish US personal jurisdiction, thereby subjecting the provider to compulsory US legal process for data within its possession, custody or control, regardless of where that data is stored.

Applying these principles, the practical implications for Canadian companies are significant. A Canadian company that offers electronic communication services or remote computing services to persons in the United States — even without physical presence in the United States — may, depending on the totality of circumstances, establish sufficient “minimum contacts” with the United States,¹⁴ through a range of ordinary commercial and digital activities.

These may include maintaining ongoing commercial relationships with US customers;¹⁵ repeatedly routing transactions through US-based financial infrastructure or correspondent banking systems;¹⁶ targeting advertising or marketing to US markets;¹⁷ entering into contracts governed by US law or that deliberately affiliate the company with US legal protections and obligations;¹⁸ or hosting online content or services that are intentionally directed at, and monetized from, US audiences.¹⁹ In the aggregate, such contacts may be sufficient to support the exercise of US personal jurisdiction over a foreign service provider notwithstanding the absence of any physical presence in the United States.²⁰

4.2 Federal “National Contacts” Doctrine and CLOUD Act Exposure

In federal-question cases arising under statutes that authorize nationwide or worldwide service of process, US courts have long held that the relevant inquiry under the Fifth Amendment Due Process Clause is whether the defendant has sufficient contacts with the United States as a whole, rather than with any particular state.²¹ This “national contacts” approach reflects the principle that, where Congress legislates on matters of national scope, personal jurisdiction analysis is anchored to the sovereign reach of the United States itself.²²

Courts applying this framework have emphasized that Fifth Amendment due process imposes a general fairness inquiry incorporating the familiar International Shoe standard, but assessed against aggregate US contacts and with fewer territorial constraints than apply under the Fourteenth Amendment.²³ As a result, foreign defendants may be subject to US federal jurisdiction even where their contacts with any single state would be insufficient, provided that their overall US contacts demonstrate purposeful availment of the US market or legal order.²⁴

This doctrine is directly relevant to the CLOUD Act. The Stored Communications Act, as amended, is a federal statutory regime enforced through federal courts, and the CLOUD Act compulsion operates only once a provider is subject to US federal jurisdiction. In that context, even relatively modest but deliberate engagement with US users, infrastructure or markets may satisfy Fifth Amendment due process when assessed on a national-contacts basis, thereby exposing foreign service providers to compulsory US legal process for data within their possession, custody or control.²⁵

4.3 The Fifth Amendment Due Process Does Not Meaningfully Constrain CLOUD Act Jurisdiction

US government statements asserting that the CLOUD Act is “strictly constrained”²⁶ by Fifth Amendment due process protections substantially overstate the practical limits those protections impose. In federal-question cases governed by nationwide service of process, courts have long applied a national-contacts framework under which due process is satisfied so long as the defendant has sufficient aggregate contacts with the United States as a whole, assessed through a generalized fairness inquiry.²⁷ This approach affords Congress wide latitude to extend federal jurisdiction²⁸ and imposes significantly fewer territorial constraints than the state-based Fourteenth Amendment analysis familiar to Canadian lawyers.²⁹

As multiple courts and commentators have observed, Fifth Amendment due process in this context functions less as a robust jurisdictional barrier than as a minimal reasonableness check, one that is rarely dispositive where a foreign entity has deliberately engaged with US markets, users or infrastructure.³⁰ The result is that constitutional “constraints” invoked by the US Department of Justice do not operate as meaningful safeguards against CLOUD Act compulsion for foreign service providers with routine US commercial or digital ties.³¹

Reliance on these constraints, therefore, provides little practical protection for Canadian data, particularly where the provider falls within the Stored Communications Act’s definitions of electronic communication service or remote computing service and maintains ongoing engagement with the United States.³²

4.3.1. Why Due Process Constraints Are Illusory

The US Department of Justice has officially asserted that the CLOUD Act does not expand US jurisdiction and that personal jurisdiction over foreign providers is “strictly constrained by the personal jurisdiction requirement contained within the Constitution’s Fifth Amendment Due Process Clause.”³³ This position — that constitutional protections meaningfully limit CLOUD Act assertions over foreign service providers — has been forcefully challenged by legal scholars.

Tim Cochrane’s analysis in the Duke Journal of Comparative & International Law argues that this official position is misleading. Cochrane demonstrates that “it is seriously questionable whether the Due Process Clause imposes any meaningful restrictions” in the CLOUD Act context.³⁴ His analysis identifies several reasons why Canadian policymakers should not rely on US constitutional constraints to protect Canadian data:

First, CLOUD Act executive agreements expand enforcement jurisdiction at public international law. When a foreign state enters a CLOUD Act agreement with the United States, it “consents” (in international law terms) to US assertions of jurisdiction over its territory. This consent significantly weakens any comity-based challenges and removes one of the few practical obstacles to extraterritorial enforcement.³⁵
Second, Congress possesses broad authority to extend federal courts’ personal jurisdiction. Constitutional scholar Stephen Sachs has argued that “Congress can extend the federal courts’ personal jurisdiction as far as it wants.”³⁶ While the Supreme Court has recently narrowed personal jurisdiction in some contexts,³⁷ these limitations apply primarily to general jurisdiction (requiring a defendant be “at home” in the forum) rather than specific jurisdiction arising from targeted conduct.
Third, it remains unclear whether foreign persons and entities are entitled to Fifth Amendment due process protections at all. The Supreme Court’s extraterritorial jurisprudence — including cases involving Guantanamo detainees — suggests a context-specific, functional analysis rather than automatic extension of constitutional protections to non-citizens abroad.³⁸

4.4 Third-Country Interception Authority

A further dimension of CLOUD Act exposure concerns interception of communications involving persons located in neither the requesting nor the receiving state. Legal scholars have identified what Albert Gidari termed “the big interception flaw” in CLOUD Act agreements: they permit either party to require a covered provider to intercept the communications of users located in third countries “without the approval of that sovereign nation and perhaps even without its knowledge.”³⁹

Under US law, an “interception" occurs where communications are heard (the “listening post”), where the target device is located or where interception equipment diverts communications.⁴⁰ This means a UK wiretap order served on a US provider could lawfully intercept communications of a Canadian user without Canadian authorization — provided the communications were routed through US-based infrastructure and “listened to” by UK authorities.

For Canada, this raises a troubling prospect: even absent a Canada-US CLOUD Act agreement, Canadian communications may already be subject to foreign interception through CLOUD Act mechanisms that bypass the Canadian legal process entirely.

4.5 “International Shoe’s Days May Be Numbered”

Perhaps most concerning for foreign entities relying on US constitutional constraints is that the International Shoe framework itself has been questioned by sitting Supreme Court Justices. In Ford Motor Co. v Montana Eighth Judicial District Court (2021), Justice Gorsuch’s concurrence questioned whether the International Shoe approach remains appropriate for modern commerce, and Justice Alito asked, “whether the case law we have developed... is well suited for the way in which business is now conducted.”⁴¹

As Cochrane observes, these judicial reservations suggest that “International Shoe’s days may be numbered.”⁴² For Canadian policymakers, this means that even the existing — already limited — constitutional framework for jurisdictional analysis may evolve in ways that further expand US extraterritorial reach into companies that operate in Canada but have some incidental US connections.

4.6 Implications for Canadian Service Providers

Canadian telecommunications providers (Rogers, Bell, TELUS), financial and banking providers, technology companies (Shopify) and financial institutions with US business contacts should understand that:

Any service offering that falls within the Stored Communications Act's definitions of ECS or RCS may be subject to CLOUD Act compulsion if the provider has sufficient US contacts.
US constitutional protections, including the Fifth Amendment Due Process Clause, may not meaningfully constrain US jurisdiction over Canadian providers.
A Canada-US CLOUD Act executive agreement — currently under negotiation — would expand rather than limit US jurisdictional assertions by removing public international law obstacles to extraterritorial enforcement.
Companies should conduct jurisdiction-specific risk assessments and consider operational structures that minimize US jurisdictional exposure, including customer-controlled encryption that limits the provider’s ability to comply with disclosure demands.

4.7 Case Studies: Canadian Telecommunications and Technology Companies

The abstract principles of US personal jurisdiction doctrine have concrete implications for major Canadian telecommunications and technology companies. This section examines specific US connections that may subject Canada's largest service providers to CLOUD Act compulsion.

4.7.1 US Stock Exchange Listings and Institutional Ownership

Canada’s three largest telecommunications providers — Rogers Communications, BCE Inc. and TELUS Corporation — are all dual listed on US stock exchanges, a factor that creates multiple potential bases for US personal jurisdiction.

Table 2: Canadian Telecommunications Providers with US Ownership

Company	US Listing	US Institutional Ownership	SEC Filing Obligations
Rogers Communications	NYSE: RCI	~45% US institutional shareholders⁴³	Form 20-F; subject to US securities law
BCE Inc.	NYSE: BCE	Significant US institutional investors⁴⁴	Form 20-F; subject to US securities law
TELUS Corporation	NYSE: TU	Significant US institutional investors⁴⁵	Form 20-F; subject to US securities law

Data compiled by the author from publicly available corporate disclosures, including SEC filings, company annual reports, investor materials, and stock exchange records.

Dual listing on US exchanges creates a substantial nexus with the United States that goes well beyond passive market exposure. These companies:

Submit to Securities and Exchange Commission (SEC) jurisdiction: By listing on US exchanges, Canadian telecommunications providers voluntarily submit to the regulatory jurisdiction of the US SEC, accepting obligations under US securities law, including the Securities Exchange Act of 1934 and the Sarbanes-Oxley Act of 2002.
Engage US financial infrastructure: Dual-listed companies routinely conduct transactions through US dollar clearing systems and correspondent banking relationships, factors that US courts have found sufficient to establish purposeful availment.⁴⁶
Cultivate US investor relationships: Through investor roadshows, analyst calls, and shareholder communications directed at US institutional investors, these companies deliberately affiliate themselves with US capital markets.
Enter contracts governed by US law: Bond indentures, credit facilities and other financing arrangements frequently incorporate New York law choice-of-law provisions and submission to New York court jurisdiction.

Under the “purposeful availment” doctrine articulated in Burger King Corp. v Rudzewicz,⁴⁷ such deliberate engagement with US markets and legal frameworks may constitute sufficient “minimum contacts” to support personal jurisdiction — particularly when assessed on an aggregate, national-contacts basis under Fifth Amendment due process analysis.

4.7.2 Direct US Operations and Subsidiaries

Beyond securities listings, major Canadian telecommunications providers maintain direct operational presence in the United States through subsidiaries and acquisitions.

BCE Inc. / Bell Canada

In August 2025, BCE completed its acquisition of Ziply Fiber, a US telecommunications company operating in the states of Washington, Oregon, Idaho and Montana, for approximately C$5 billion.⁴⁸ Ziply Fiber operates as a wholly owned subsidiary of BCE and provides fiber-optic internet services to residential and business customers across the Pacific Northwest.

This acquisition transforms BCE from a purely Canadian telecommunications provider into a North American operator with direct US presence. BCE now:

operates US telecommunications infrastructure;
employs US personnel;
serves US customers directly; and
maintains US business records and customer data.

For CLOUD Act purposes, this operational footprint almost certainly satisfies personal jurisdiction requirements. BCE is no longer merely a Canadian company with US investor contacts; it is now a provider of electronic communications services to US customers through US-based infrastructure.

TELUS Corporation

TELUS operates extensive US operations through TELUS Digital (formerly TELUS International), which maintained dual listings on both the NYSE and Toronto Stock Exchange until TELUS acquired the remaining public shares in September 2025.⁴⁹ TELUS Digital’s US presence includes:

TELUS International (US) Corp.: A US subsidiary headquartered in Las Vegas, Nevada, with over 1,600 employees.⁵⁰
Gerent: A US-based Salesforce consultancy acquired in May 2025.⁵¹
Multiple US client service operations: TELUS Digital provides digital customer experience services to major US technology companies

TELUS Digital’s business involves precisely the types of services — digital customer experience, data processing and AI data annotation — that fall within the Stored Communications Act’s definitions of electronic communication services and remote computing services.

Rogers Communications

While Rogers does not maintain the same direct US operational presence as BCE or TELUS, its NYSE listing, substantial US institutional ownership (approximately 45 percent of outstanding shares),⁵² and ongoing commercial relationships with US content providers, equipment manufacturers and financial institutions create significant jurisdictional exposure.

4.7.3 Canadian Technology Companies: The Shopify Example

The CLOUD Act’s jurisdictional reach extends beyond traditional telecommunications providers to any company offering “electronic communication services” or “remote computing services.: Canadian technology companies with substantial US connections face analogous exposure.

Shopify Inc. provides a particularly instructive example. The Ottawa-headquartered e-commerce platform:

transferred its US listing from the NYSE to NASDAQ in March 2025, becoming a component of the NASDAQ-100 index;⁵³
processes the majority of its transactions in the United States — 57 percent of Shopify’s US$292.3 billion in 2024 gross merchandise volume was processed in the United States;⁵⁴
maintains US offices, including operations in San Francisco and New York with approximately 900 combined employees;⁵⁵
operates US subsidiaries, including Shopify Data Processing (USA) Inc. and Shopify Holdings (USA) 2 Inc.;⁵⁶ and
filed a 10-K domestic issuer form in February 2025 listing New York as a “principal executive office” alongside Ottawa, with the majority of segmented assets now reported as located in the United States.⁵⁷

Shopify’s platform enables millions of merchants to process payments, communicate with customers and store transaction data — activities that squarely fall within the Stored Communications Act’s definition of remote computing services. A US legal demand served on Shopify could theoretically compel production of merchant and customer data regardless of where that data is stored.

4.7.4 Jurisdictional Implications

The US connections documented above have significant implications for Canadian data sovereignty.

Multiple Jurisdictional Hooks

Each company presents multiple independent bases for US personal jurisdiction:

Table 3: Jurisdictional Factors

Jurisdictional Factor	Rogers	BCE	TELUS	Shopify
US stock exchange listing	✓	✓	✓	✓
US institutional investors	✓	✓	✓	✓
US subsidiaries	—	✓	✓	✓
US employees	—	✓	✓	✓
US customers served directly	—	✓	✓	✓
SEC reporting obligations	✓	✓	✓	✓

Data compiled by the author from publicly available corporate disclosures and legal sources, including corporate filings, company reports, and publicly documented information on U.S. listings, subsidiaries, operations, and investor ownership.

Aggregate National Contacts

Under the Fifth Amendment national-contacts framework applicable to federal statutory cases like CLOUD Act compulsion, these connections are assessed in the aggregate against the United States as a whole — not against any individual state.⁵⁸ This substantially lowers the jurisdictional threshold compared to state-court analysis under the Fourteenth Amendment.

“Possession, Custody or Control” Extends to Subsidiaries

The CLOUD Act’s “possession, custody or control” language means that data held by Canadian parent companies may be reachable through their US subsidiaries, and vice versa. US courts have consistently held that corporate separateness does not defeat compelled disclosure where the entity served with process has practical ability to obtain the data.⁵⁹

Electronic Communication Services and Remote Computing Services

All four companies examined provide services that fall within the Stored Communications Act’s jurisdictional definitions:

Rogers, BCE, TELUS: As telecommunications providers, they offer “electronic communication services” including mobile messaging, email and voice services.
Shopify: As a cloud platform, it provides “remote computing services” including data storage and processing.
TELUS Digital: Its customer experience and data annotation services involve processing and storing electronic communications on behalf of clients.

4.7.5 Practical Consequences for Canadian Data

The jurisdictional exposure documented above means that:

Customer data held by Canadian telecommunications providers may be subject to CLOUD Act compulsion regardless of where that data is physically stored, if the provider is subject to US personal jurisdiction.
Data localization provides limited protection when the cloud provider or telecommunications company remains subject to US jurisdiction through stock listings, subsidiaries or commercial relationships.
Corporate assurances of data sovereignty cannot override legal obligations: As Microsoft’s June 2025 French Senate testimony confirmed,⁶⁰ companies subject to US jurisdiction must comply with validly served US legal process regardless of contractual commitments to foreign customers.
Canadian judicial oversight may be bypassed entirely: Under current law, US authorities can obtain Canadian telecommunications data directly from US-affiliated providers without any involvement of Canadian courts or governmental authorities.

Endnotes

10. International Shoe, supra note 10.

11. The “purposeful availment” doctrine derives from the Supreme Court’s decision in Hanson v Denckla, 357 US 235 (1958), which held that due process requires that a defendant “purposefully avail [] itself of the privilege of conducting activities within the forum State.” The doctrine was refined in World-Wide Volkswagen Corp v Woodson, 444 US 286 (1980), and Burger King Corp v Rudzewicz, 471 US 462 (1985). For internet-specific application, see Zippo Mfg Co v Zippo Dot Com, Inc, 952 F Supp 1119 (WD Pa 1997).

12. Zippo Manufacturing Co. v Zippo Dot Com, Inc., 952 F. Supp. 1119, 1124–26 (W.D. Pa. 1997).

(Establishing the influential “sliding scale” framework under which personal jurisdiction is assessed based on the interactivity and commercial nature of a defendant’s website, ranging from passive informational sites to highly interactive platforms conducting business with forum residents.) See also: ALS Scan, Inc. v Digital Service Consultants, Inc., 293 F.3d 707, 713–15 (4th Cir. 2002). (Adopting and refining Zippo by holding that jurisdiction exists where a defendant directs electronic activity into the forum with the manifest intent of engaging in business or interactions there.) Although later Supreme Court decisions emphasize defendant-focused contacts, lower courts continue to rely on Zippo-style analysis to assess interactive online services.

13. Calder v Jones, 465 US 783, 789–90 (1984). (Holding that personal jurisdiction may be exercised where a defendant commits an intentional act expressly aimed at the forum state, knowing that the brunt of the harm will be felt there.) See also: Walden v Fiore, 571 US 277, 287–90 (2014). (Clarifying that the Calder test requires forum-directed conduct by the defendant itself, not merely foreseeable effects experienced by the plaintiff.)

14. International Shoe, supra note 10. (Foundational standard: minimum contacts assessed under the totality of circumstances, not physical presence.)

15. Ford Motor Co. v Montana Eighth Judicial District Court, 592 US 351, 360–66 (2021).
(Systematically serving a US market through customers and commercial relationships supports jurisdiction.)

16. Licci ex rel. Licci v Lebanese Canadian Bank, SAL, 732 F.3d 161, 170–73 (2d Cir. 2013). (Repeated use of US financial infrastructure, including US-dollar transactions, constitutes purposeful availment.)

17. Mavrix Photo, Inc. v Brand Technologies, Inc., 647 F.3d 1218, 1229–31 (9th Cir. 2011).
(Targeted advertising and monetization of a US audience support personal jurisdiction.)

18. Burger King Corp. v Rudzewicz, 471 US 462, 473–76 (1985). (Purposeful availment may be established through contracts governed by US law and deliberate affiliation with the forum.)

19. ALS Scan, Inc. v Digital Service Consultants, Inc., 293 F.3d 707, 713–15 (4th Cir. 2002); Zippo Manufacturing Co. v Zippo Dot Com, Inc., 952 F. Supp. 1119, 1124–26 (W.D. Pa. 1997).
(Jurisdiction based on intentional online activity and interactive services directed at a US audience.)

20. Walden v Fiore, 571 US 277, 284–90 (2014); Cochrane, “Hiding in the Eye of the Storm Cloud,”195–201. (Jurisdiction focuses on the defendant’s own contacts with the forum; applied in CLOUD Act context to foreign providers.)

21. Briesch v Automobile Club of Southern California, 40 F. Supp. 2d 1318, 1322–23 (D. Utah 1999) (holding that where a federal statute authorizes nationwide service of process, the relevant inquiry is whether the defendant has minimum contacts with the United States as a whole); SEC v Knowles, 87 F.3d 413, 417 (10th Cir. 1996).

22. Go-Video, Inc. v Akai Electric Co., 885 F.2d 1406, 1415–16 (9th Cir. 1989) (adopting national-contacts analysis under the Fifth Amendment in federal statutory cases).

23. In re Tribune Co., 418 B.R. 116, 129–30 (Bankr. D. Del. 2009) (describing Fifth Amendment due process as a “general fairness test” incorporating International Shoe but applied to national contacts); Charan Trading Corp. v Uni-Marts, LLC (In re Uni-Marts, LLC), 399 B.R. 400, 406 (Bankr. D. Del. 2009).

24. Haile v Henderson National Bank, 657 F.2d 816, 824–25 (6th Cir. 1981) (recognizing Congress’s authority to provide for national service of process and jurisdiction based on nationwide contacts); Medeco Security Locks, Inc. v Fichet-Bauche, 568 F. Supp. 405, 408–09 (W.D. Va. 1983).

25. Stephen E. Sachs, “How Congress Should Fix Personal Jurisdiction,” 108 Harvard Law Review 1301, 1316–22 (2019); Cochrane, “Hiding in the Eye of the Storm,” 186–94.

26. Cochrane, supra note 10 at 153, 186–94.

27. Briesch v Automobile Club of Southern California, 40 F. Supp. 2d 1318, 1322–23 (D. Utah 1999); SEC v Knowles, 87 F.3d 413, 417 (10th Cir. 1996) (holding that where a federal statute authorizes nationwide service of process, Fifth Amendment due process turns on contacts with the United States as a whole).

28. Stephen E. Sachs, “How Congress Should Fix Personal Jurisdiction,” 108 Harvard Law Review 1301, 1316–22 (2019).

29. Go-Video, Inc. v Akai Electric Co., 885 F.2d 1406, 1415–16 (9th Cir. 1989); Haile v Henderson National Bank, 657 F.2d 816, 824–25 (6th Cir. 1981).

30. In re Tribune Co., 418 B.R. 116, 129–30 (Bankr. D. Del. 2009); Charan Trading Corp. v Uni-Marts, LLC (In re Uni-Marts, LLC), 399 B.R. 400, 406 (Bankr. D. Del. 2009).

31. Cochrane, supra note 10 at 186–94.

32. Sachs, “How Congress Should Fix Personal Jurisdiction.”

33. US DOJ, supra note 1 at 3. (“The [CLOUD] Act does not create any new legal rights for the U.S. government to access data... When a qualifying foreign government’s order seeks data stored in the United States, providers must comply only if doing so would not cause them to violate the laws of the United States, including the Fourth and Fifth Amendment protections of the U.S. Constitution.”

34. Cochrane, supra note 10 at 187. Cochrane argues that “it is seriously questionable whether the Due Process Clause imposes any meaningful restrictions” on CLOUD Act jurisdiction over foreign service providers. See also Anthony J. Colangelo, “A Unified Approach to Extraterritoriality” (2011) 97 Virginia Law Review 1019 at 1107 (“[I]t is far from clear that Fifth Amendment due process even cares about other nations’ sovereignty interests.”).

35. Tim Cochrane, “Digital Privacy Rights and CLOUD Act Agreements,” 47 Brooklyn Journal of International Law 1, 185–201 (2021).

(“This article critiques this belief, examining the impact of CLOUD Act agreements at public and private international law, as well as domestic US and UK law. While the removal of conflicts is a significant private international law benefit itself, CLOUD Act agreements also allow signatory states to significantly expand enforcement jurisdiction over overseas providers at public international law.”).

36. Stephen E. Sachs, “The Unlimited Jurisdiction of the Federal Courts” (2021) 106 Virgina Law Review 1703 at 1728-29 (“In general, Congress can extend the federal courts’ personal jurisdiction as far as it wants...”). See discussion in Cochrane, “Hiding in the Eye of the Storm Cloud,” supra note 10 at 195–98.

37. Daimler AG v Bauman, 571 US 117 (2014); Bristol-Myers Squibb Co. v Superior Court, 582 US 255 (2017) (narrowing specific jurisdiction to claims arising from or related to defendant’s forum contacts)

38. See United States v Verdugo-Urquidez, 494 US 259 (1990) (declining to extend Fourth Amendment protections to non-resident aliens abroad); Boumediene v Bush, 553 US 723 (2008) (extending habeas corpus but through a functional, context-specific analysis). The application of Fifth Amendment due process constraints to foreign persons in the CLOUD Act context remains largely untested.

39. Albert Gidari, “The Big Interception Flaw in the US-UK Cloud Act Agreement,” Stanford Law School Center for Internet and Society (October 2019), https://cyberlaw.stanford.edu/blog/2019/10/big-interception-flaw-us-uk-cloud-act-agreement /.

40. See United States v Denman, 100 F.3d 399 (5th Cir. 1996); Szymuszkiewicz, 622 F.3d 701 (7th Cir. 2010).

41. Ford Motor Co. v Montana Eighth Judicial District Court, 141 S. Ct. 1017, 1036–39 (2021) (Gorsuch, J., concurring). Justice Alito similarly questioned “whether the case law we have developed... is well suited for the way in which business is now conducted.” Ibid. at 1032 (Alito, J., concurring). See Cochrane, “Hiding in the Eye of the Storm Cloud,” 199-200.

42. See Cochrane, supra not 10 at 199-200.

43. Rogers Communications Inc. (RCI), Form 20-F Annual Report (2024), filed with the US SEC (disclosing US stock exchange listing and institutional ownership); SEC Form 13F Filings, Q3 2025 (reporting substantial US institutional holdings). See also Rogers Communications Inc., Management Information Circular (2025) at 12–14 (detailing shareholding structure and US investor composition).

44. BCE Inc., Form 20-F Annual Report (2024), filed with the US SEC.

45. TELUS Corporation, Form 20-F Annual Report (2024), filed with the US SEC.

46. See Licci, supra note 13, at 170–73 (repeated use of US financial infrastructure, including US-dollar transactions, constitutes purposeful availment).

47. Burger King, supra note 15, at 473–76.

48. BCE Inc., “BCE Completes Acquisition of Ziply Fiber,” news release (August 1, 2025), https://www.bce.ca/news-and-media/releases/show/BCE-completes-acquisition-of-Ziply-Fiber ; BCE Inc., Form 20-F Annual Report (2025), filed with the US SEC (reporting acquisition value of approximately US$3.6 billion).

49. TELUS Corporation, “TELUS Completes Acquisition of Remaining TELUS Digital Shares,” news release (September 2025), https://www.telus.com/en/about/news-and-events/media-releases; TELUS Corporation, Form 20-F Annual Report (2025), filed with the US SEC.

50. TELUS Corporation, Form 20-F Annual Report (2024), filed with the US SEC (disclosing TELUS Digital’s US subsidiary operations and employee count); TELUS Digital, “About Us,” https://www.telusinternational.com/about (describing the US operational footprint including its Las Vegas headquarters and over 1,600 US employees).

51. TELUS Digital, “TELUS Digital Announces Acquisition of Gerent,” news release, May 28, 2025.

52. Rogers Communications Inc., Form 20-F Annual Report (2024), filed with the US SEC. For institutional ownership data, see SEC Form 13F filings by major US institutional investors.

53. Shopify Inc., Form 10-K Annual Report (2024), filed with the US SEC, at 1 (noting transfer of listing to NASDAQ Global Select Market effective March 31, 2025); NASDAQ, “NASDAQ-100 Index Annual Changes,” news release (May 19, 2025) (announcing Shopify’s addition to the NASDAQ-100).

54. Shopify Inc., supra note 56, at 38 (reporting gross merchandise volume of US$292.3 billion for fiscal 2024, with approximately 57 percent processed in the United States).

55. Shopify Inc., supra note 56, at 28 (listing principal executive offices in Ottawa, Ontario and noting US operational presence); Shopify Inc., “About Shopify,” https://www.shopify.com/about (describing global operations including US headquarters functions).

56. Shopify Inc., supra note 56, Exhibit 21.1 (List of Subsidiaries), filed with the US SEC (identifying US subsidiaries including Shopify Data Processing (USA) Inc., Shopify Payments (USA) Inc., and Shopify Holdings (USA) 2 Inc.).

57. BNN Bloomberg, “Canada Tech Firm Shopify Fuels Fear of US Move with Filing Change,” February 28, 2025; TD Securities Inc., Research Note, February 2025 (analyzing Shopify’s 10-K filing).

58. See Briesch, supra note 24, at 1322–23; See SEC, supra note 18, at 417.

59. See Gucci America, supra note 9; Justin Hemmings, Sreenidhi Srinivasan and Peter Swire, “Defining the Scope of ‘Possession, Custody, or Control’ for Privacy Issues and the CLOUD Act,” 10 Journal of National Security Law & Policy 631 (2020).