The Code Canada Has Not Written
Some Things Canada needs for digital sovereignty in the CUSMA Review
The Code Canada Has Not Written: Some Things Canada needs for digital sovereignty in the CUSMA Review
By Prof. Barry Appleton | Appleton’s CLAUSE & EFFECT Substack| 10 June 2026 · Part 2 of 2
This is the second of a two-part series on Canada’s digital sovereignty under the USMCA-CUSMA review. Part One, “The Rules Washington Is Writing,” explained what U.S. AI and trade policy is actually trying to achieve and why Canada’s AI for All strategy collided with it on the day it was announced. This piece examines what Canada would need to do legislatively to give that strategy any protection at the USMCA-CUSMA review table and beyond. The analytical foundations are in Code Before Clause, Locked In and Locked Out, and Know Your Ground.
Canada’s AI strategy is right about the destination. It is wrong about the sequence. The domestic legal code must come before the treaty clause. Here is what the code would actually have to say.
Let’s get this straight. A sovereignty strategy without legislation is not a strategy. It is only a statement of intent. Governments publish statements of intent every day. Trade lawyers read them as admission documents: evidence that their client’s domestic measures are targets rather than defenses.
Canada’s new AI policy, entitled, “AI for All”, is a necessary statement of intent. Canada needs to build sovereign compute capacity, govern AI systems operating on its territory, and give its citizens meaningful protection from the surveillance pricing, algorithmic manipulation, and foreign data extraction that at least three American companies exercise over the daily lives of 40+ million Canadians. The ambition is exactly right. The legal sequence is precisely backward.
A sovereignty strategy without legislation is not a strategy. It is a target list.
I have made this argument before, in different registers. The five National Post columns from September and October 2025, on algorithmic empires, digital sharecroppers, the railway of the future, the surrender of foreign code, and algorithmic oversight, documented what digital dependency looks like in practice. My paper “Code Before Clause” (2025) argued that Canada must first build its domestic regulatory architecture before it translates those frameworks into trade commitments. “Locked In and Locked Out” (2026) mapped how USMCA-CUSMA’s digital provisions constrain Canada’s available tools. Canada’s AI for All, announced on June 4, is the moment when the argument meets the policy.
What USMCA-CUSMA actually permits
The starting point is what the USMCA-CUSMA treaty allows, because the existing treaty is the constraint that AI for All does not acknowledge.
USMCA-CUSMA Article 19.12 prohibits data localization requirements: a party may not require that data be stored or processed in its own territory as a condition of doing business there. Article 19.14 requires the free flow of information, including personal information, across borders. These two provisions, taken together, block the most direct tool of digital sovereignty: requiring that Canadian data stay in Canada.
Article 19.17 provides a privacy carve-out: a party may maintain measures inconsistent with Articles 19.12 and 19.14 if they are “necessary to achieve a legitimate public policy objective” and are “not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.” That carve-out is narrower than it looks. The “necessary” standard is demanding and based on decades of international trade practice. A measure must be shown to be required for the objective, not merely rationally related to it. And measures that facially target U.S. platforms will automatically face the discrimination argument.
For those readers eager to learn more, you can find the full analysis of these existing treaty constraints, including why the current provisions lock Canada into a 2018 digital architecture for sixteen more years if the review produces a simple extension, in my paper Locked In and Locked Out.
One carve-out the treaty contains that AI for All does not mention is Article 32.2, the essential security exception. A party may take measures it considers necessary to protect its essential security interests. The self-judging nature of this exception is significant: the standard requires only that the good faith government measure plausibly relate to genuine security concerns. It does not require them to second-guess the security determination. For AI systems deployed in critical infrastructure, energy grids, financial systems, health networks, communications, an Article 32.2 invocation is both legally available and legally defensible.1 Canada has not invoked it. In fact, we see no evidence that Canada has ever considered it.
USMCA-CUSMA gives Canada a constitutional shield for AI governance in critical infrastructure. Canada has not picked it up.
What the code would actually have to say
Writing the code before the clause means tabling implementing legislation in four specific areas, each designed to operate within the USMCA-CUSMA framework while giving AI for All’s commitments genuine legal force.
Sovereign compute through procurement, not localization. Article 19.12’s prohibition on data localization does not apply to government procurement. Article 19.2(a) explicitly carves out “government procurement of goods and services purchased for governmental purposes and not with a view to commercial resale.” A Canadian government that mandates Canadian-owned cloud infrastructure for its own operations, health data, defense data, census data, and critical infrastructure management is operating entirely within the treaty framework. The measure applies to the government’s own conduct, not to the private sector.2 That is a materially different legal posture than a general data residency requirement, and it is available right now. The implementing legislation for sovereign compute should specify government procurement standards for AI-capable infrastructure, with explicit invocations of Article 32.2 for designated critical systems.
AI governance for critical infrastructure under Article 32.2. The Locked In and Locked Out analysis establishes that algorithmic transparency requirements for AI systems deployed in critical infrastructure can be structured to invoke Article 32.2 without triggering Article 19.12’s localization prohibition, provided the obligation is framed around system-level security assessment rather than source-code disclosure.3 The EU’s AI Act demonstrates a workable path: confidential regulatory inspection, sandboxed testing environments, and output-based accountability that assesses what an algorithm does without requiring disclosure of how it is coded. A Canadian AI Safety Institute mandate should be modeled on this approach, with mandatory rather than voluntary evaluation for high-risk categories, and an explicit security-grounds justification that travels with every implementing measure.
Privacy legislation as a genuine Article 19.17 defense. The failed Bill C-27 (the Consumer Privacy Protection Act from the previous Parliament) was a vehicle for modernizing Canada’s federal privacy framework (no matter its serious flaws). Its successor legislation needs to be tabled before, not after, the USMCA-CUSMA review produces an outcome. Article 19.17’s privacy carve-out requires that the measure be enacted under law. An aspiration in a strategy document is not a law. To invoke the carve-out, Canada needs a statute. The surveillance pricing prohibition in AI for All similarly requires legislative grounding, the Competition Act amendment that makes algorithmic price discrimination actionable, before it can be defended as a legitimate public policy measure rather than a disguised restriction on American platforms.3
A Digital Sovereignty Act to tie it together. These individual legislative measures need an overarching statutory instrument that does three things: formally declares Canada’s digital infrastructure as a strategic national asset requiring domestic governance; provides the legal authorization for the Article 32.2 invocations that accompany specific AI and data measures; and establishes the institutional framework, including a reconstituted SAGIT advisory system with an AI and digital technology mandate, to review ART texts, side instruments, and settlement templates on an ongoing basis.4
In an algorithmic economy, code has become the new customs house. The rule of law must extend into that domain.
The sequence argument at the review table
My paper, Know Your Ground, identifies the Digital Sovereignty Act, SAGIT reconstitution, and sovereign compute framework as three of the five pre-July 1 review actions that would improve Canada’s structural position at the USMCA-CUSMA review. The argument for why the sequence matters is this: an agreement signed at the review table will bind Canada for six to sixteen years. If Canada arrives at that table with digital governance aspirations but no implementing legislation, it will be negotiating protections for measures that do not yet exist. Washington’s lawyers will offer to protect aspirations that have already been discounted, knowing Canada lacks the legal infrastructure to deliver them.
If Canada arrives with legislation tabled, Article 32.2 invocations on the record, and a sovereign compute procurement framework already in operation, the negotiation changes.
It is no longer about whether Canada can govern its digital economy. It is about how the treaty recognizes that Canada already does. The treaty follows the law. The law does not follow the treaty.
That is the Code Before Clause doctrine applied to AI governance. The sequence is not a procedural nicety. It is the difference between sovereignty and its simulation.
What should happen before July 1
Three things are still possible before the Joint Review’s formal opening, and each one changes Canada’s position at the table. Whether the review starts on Canada Day or at another time, there is no time to lose in implementing these protective policies.
Table the Digital Sovereignty Act, even in first reading. A bill tabled before July 1 is a legal fact. A strategy document published before July 1 is a political aspiration. Washington’s lawyers cannot dismiss a tabled bill the way they can dismiss a press release.
Issue formal Article 32.2 declarations for designated critical AI systems. These should accompany the AI Safety Institute’s initial evaluation mandate. A formal security declaration on the record before the review opens is available ground that cannot be claimed after a review commitment is made.
File in the Section 301 forced labour proceeding by July 6 and include in that filing Canada’s argument that the forum for any complaint about USMCA-CUSMA Article 23.6 performance is USMCA-CUSMA Chapter 31. As I argued in “Settled Out of Congress,” the forum-selection provision in the Trade Act is Canada’s procedural argument in that proceeding, and the record built there is the foundation for any panel that follows. Canada needs to put this on the record. It’s time to use U.S. law before U.S. trade regulators to protect Canada.
The Joint Review is not a negotiation about tariffs. It is a constitutional moment for the digital economy Canada will operate for the next sixteen years. The code Canada writes, or fails to write, before that table opens will determine whether AI for All becomes a governance achievement or a bargaining chip.
The treaty follows the law. The law does not follow the treaty.
Prof. Barry Appleton is Managing Partner of Appleton & Associates International Lawyers LP, Co-Director of the Center for International Law at New York Law School, and Interim Director of the Balsillie Legal Advisory Centre at the Balsillie School of International Affairs. This is Part 2 of a two-part series on digital sovereignty and trade. Part 1, “The Rules Washington Is Writing,” was published Tuesday.
© 2026 Barry Appleton. All rights reserved.
Barry Appleton, Locked In and Locked Out: How CUSMA’s Digital Trade Architecture Constrains Canadian Sovereignty, And Where the Exits Still Exist, SSRN Working Paper No. 6390198 (Mar. 28, 2026) (analyzing how USMCA-CUSMA Articles 19.12, 19.14, and 19.17 constrain Canada’s digital governance toolkit, and how Article 32.2 combined with thw essential security interest plausibility standard provides a pathway for AI governance measures in critical infrastructure through confidential regulatory inspection modelled on the EU AI Act).
Canada-United States-Mexico Agreement art. 19.2(a) (providing that Chapter 19 does not apply to government procurement of goods and services purchased for governmental purposes and not with a view to commercial resale); see also USMCA-CUSMA art. 19.12 (prohibiting localization requirements but subject to the Article 19.2 scope limitations).
Consumer Privacy Protection Act (former Bill C-27, 44th Parliament, died on the order paper); Barry Appleton, Code Before Clause: Building Canada’s Digital Defences Before Negotiating Trade (Balsillie Papers, 2025) (arguing that legislatures must first establish domestic frameworks for AI, data protection, and platform accountability before translating those frameworks into trade commitments, and that the USMCA-CUSMA review should codify rather than pre-empt democratically determined digital sovereignty arrangements).
Barry Appleton, Law, Not Leverage: A Rules-Based Path for the USMCA Review, Rebuttal Submission, Docket No. USTR-2025-0004 (Dec. 12, 2025) (arguing that “in an algorithmic economy, code has become the new customs house” and that “the rule of law must extend into that domain”); see also Barry Appleton, Algorithmic Empire and the New Digital Colonialism: The Legal Struggle for Technological Self-Determination in the Age of AI, SSRN Working Paper No. 5389292 (2025).