Whose Law Governs Canadian Data? The CLOUD Act, Digital Sovereignty.
Why Canadians Should Pay Attention Now
Prof. Barry Appleton
Appleton’s Clause & Effect Substack Blog | January 4, 2026
When Canadians hear about the U.S. CLOUD Act, many assume it is a narrow American law—designed to help U.S. police retrieve emails stored overseas. That assumption is understandable.
It is also wrong.
The CLOUD Act has quietly reshaped the legal environment governing Canadian data, Canadian institutions, and Canadian constitutional protections—often without public debate in Canada.
My new working paper, "Whose Law Governs Canadian Data? The CLOUD Act, Executive Agreements, and Digital Sovereignty," explains why. This blog is the accessible version.
What Is the CLOUD Act?
The CLOUD Act—short for the Clarifying Lawful Overseas Use of Data Act—was enacted by the United States in 2018.1 The CLOUD Act arose from a legal dispute between U.S. law enforcement and Microsoft over whether American warrants could reach data stored on servers in Ireland. Before that case could be decided, Congress stepped in and resolved the question by extending U.S. legal reach, not limiting it.2
At its core, the CLOUD Act does two things:
First, it confirms that U.S. authorities can compel any service provider subject to U.S. jurisdiction to disclose data that provider controls—regardless of where that data is physically stored.
Second, it creates a framework for “executive agreements” that allow foreign governments to request data directly from U.S. providers, bypassing traditional diplomatic channels.
Both elements matter for Canada—but in different ways.3
The Surprise: Control Matters More Than Location
For decades, Canadian policymakers relied on two comforting assumptions: data stored in Canada is governed by Canadian law, and foreign access to Canadian data flows through Canadian courts.
The CLOUD Act disrupts both.
The most consequential—and least understood—feature of the CLOUD Act is this: U.S. law focuses on who controls the provider, not where the data physically sits.
Section 103 applies U.S. warrants to data within a provider’s “possession, custody, or control.” The server’s location is legally irrelevant. A Canadian government ministry using Microsoft 365 may have data physically stored in Montréal—but if Microsoft’s U.S. parent can access it, so can U.S. authorities. All companies with minimum contacts with the U.S. are covered by this section.
A Practical Example
Imagine a Canadian healthcare authority stores patient records with a U.S.-headquartered cloud provider. The provider builds a data centre in Toronto and assures the authority that data will remain in Canada.
Under the CLOUD Act, if U.S. law enforcement issues a warrant to the provider’s American headquarters, the provider must comply—even if the data never leaves Canadian soil, and even if compliance violates Canadian privacy law. The Canadian healthcare authority may never be notified. Canadian courts would not review the request. This is not a hypothetical. It is the current legal regime.
Important Clarification: This Already Applies
Canada does not need to sign a CLOUD Act executive agreement for this exposure to exist. The baseline reach of U.S. law already extends wherever Canadian institutions rely on U.S.-linked cloud services.
Executive agreements do something different. They accelerate, normalize, and scale cross-border access—and they raise distinct constitutional concerns, as discussed below.
The Constitutional Collision: Two Privacy Doctrines
Here is where Canadians should pay close attention.
The United States and Canada have developed fundamentally different approaches to digital privacy. Understanding this difference explains why the CLOUD Act framework is constitutionally problematic for Canada.
The U.S. Third-Party Doctrine
American law operates under the “third-party doctrine,” rooted in the Fifth Amendment. If you voluntarily share information with a third party—your bank, your phone company, your cloud provider—you have “assumed the risk” that the third party may disclose it. You retain no reasonable expectation of privacy.4
Under this doctrine, vast categories of digital information can be accessed by U.S. authorities without a warrant and without notice to the individual.
Canada’s Charter Approach
The Supreme Court of Canada has explicitly rejected this reasoning. In R. v. Spencer (2014) and R. v. Bykovets (2024), the Court held that Canadians retain a reasonable expectation of privacy in their digital information—even when intermediaries hold that data.5 Privacy is not forfeited simply because data passes through a service provider.
This is not a minor doctrinal difference. It is a fundamental constitutional divergence.
A CLOUD Act executive agreement would allow U.S. authorities to access Canadian data using standards that would be unconstitutional if applied by Canadian authorities in Canada. Thus, the CLOUD Act bypasses Canadian constitutional protections for data privacy, as U.S. courts would never consider them binding or relevant.
Why the UK Experience Matters
The United Kingdom was the first country to sign a CLOUD Act executive agreement with the United States. It entered into force in 2022.
Within two years, UK authorities made over 20,000 direct requests to U.S. providers—nearly all of which involved interception or wiretap-style authorities. The traditional Mutual Legal Assistance Treaty (MLAT) process, which required judicial review in both countries, became marginal rather than central.6
This is surveillance at scale—enabled by an agreement marketed as an “efficiency improvement.”
Canada announced negotiations toward a similar agreement in March 2022.7 Those negotiations appear to be ongoing.
Corporate Assurances Are Not Sovereignty
Cloud providers emphasize transparency reports, legal challenges to government requests, and data residency options. These efforts are real and sometimes meaningful. But they have hard limits.
The limits of corporate assurances were starkly illustrated in June 2025, when Microsoft France’s Director of Public and Legal Affairs, Anton Carniaux, testified under oath before a French Senate inquiry commission investigating digital sovereignty in public procurement. When asked directly whether he could guarantee that data belonging to French citizens—even data hosted under government procurement agreements—would not be transmitted to U.S. authorities without French authorization, Carniaux’s response was unequivocal: “Non, je ne peux pas le garantir”—“No, I cannot guarantee it.”8
This admission is significant for several reasons. First, it came from a senior legal official testifying under oath—not in marketing materials or policy statements, but in a formal parliamentary proceeding where perjury carries consequences. Second, it concerned data hosted in European Union data centres, demonstrating that the physical location of servers provides no immunity from U.S. jurisdiction. Third, it occurred despite Microsoft’s substantial investment in “sovereign cloud” infrastructure and its February 2025 completion of an “EU Data Boundary” designed to reassure European customers.
The technical measures Microsoft described at the hearing—including Pierre Lagarde’s testimony that “since January 2025, under contractual guarantee, our European customers’ data does not leave the EU”—were acknowledged to be fundamentally limited by extraterritorial U.S. legal authority. As Carniaux confirmed, if presented with a properly framed U.S. government request, Microsoft would be “absolutely” obliged to comply.9
The French Senate inquiry was triggered in part by controversy over the Health Data Hub (Plateforme des données de santé), which hosts sensitive French health records on Microsoft Azure—a decision critics argued compromised sovereign control over citizen medical data. The inquiry also examined French government contracts with Microsoft worth between €74 million and €152 million for educational software deployed across public schools and universities.10
Under U.S. law, no company can override a valid federal subpoena—regardless of what its contracts say or assurances from corporate executives.
Sovereignty cannot be outsourced to a terms-of-service agreement.
Why U.S. Strategy Now Matters
Some may wonder whether the CLOUD Act framework reflects settled law or live policy. Recent U.S. actions suggest the latter.
The 2025 National Security Strategy, released on November 30, 2025, explicitly frames data infrastructure, supply chains, and digital access as instruments of American national power.11 The document reasserts the Monroe Doctrine for the Western Hemisphere—a “Trump Corollary” that prioritizes hemispheric control over multilateral restraint.
Then came January 3, 2026. The United States launched Operation Absolute Resolve—airstrikes and a military raid on Venezuela that resulted in the capture and extradition of President Nicolás Maduro. President Trump announced that the U.S. would “run the country” until a transition could be arranged, citing American interests in Venezuelan oil reserves.12
Taking place 36 years to the day after Manuel Noriega’s surrender concluded the 1989 U.S. invasion of Panama, the Venezuela operation drew immediate historical comparisons.
Whatever one’s view of the legality of the Venezuela intervention, it confirms something important: the United States treats its stated legal and strategic frameworks as operational commitments, not academic theories. When the National Security Strategy says data access and infrastructure control matter, Canada should assume that U.S. agencies act accordingly.
The Canadian Context: Trade, Data, and Sovereignty
Canadians watching the U.S.-Canada trade conflict unfold over the past year will recognize a pattern: unilateral U.S. demands, rapid escalation, and Canadian responses constrained by deep economic integration.
The CLOUD Act operates on the same logic—but in the digital domain.
Canada’s exposure is substantial. Over 80% of Canadian cloud services rely on foreign—primarily U.S.—infrastructure. The Department of National Defence runs Defence 365 on Microsoft platforms. Major Canadian banks and financial service providers, telecommunications providers like Rogers and TELUS, and federal departments are all directly subject to or depend on services subject to U.S. jurisdiction.
The 2026 USMCA/CUSMA review is already raising questions about economic dependence. The CLOUD Act raises parallel questions about digital dependence—and whether Canada has retained the capacity to make meaningful choices about its own data governance.
What Canada Can Do
Meaningful Canadian digital policy does not require withdrawal from global markets. But it does require clarity and choice.
My new working paper recommends a seven-pillar framework.13
1. Suspend CLOUD Act negotiations until constitutional compatibility and robust safeguards can be assured.
2. Modernize blocking legislation—amend the Foreign Extraterritorial Measures Act to address digital data compulsion.14
3. Migrate critical infrastructure—move national security, defense, social programs, border systems, and continuity-of-government systems to Canadian-controlled platforms that have no CLOUD Act exposure.
4. Reform procurement policy—implement sovereignty-based criteria for government contracts, with tiered requirements based on data sensitivity.
5. Mandate encryption standards—require customer-controlled, entirely domestic encryption for sensitive data [with no U.S. minimum contacts], so providers do not have to comply with foreign demands.
6. Invest in MLAT capacity in Canada—address delays in the existing treaty process without abandoning judicial oversight.
7. Require private sector transparency—mandate that critical infrastructure providers disclose foreign jurisdictional exposure and legal demands received.
What Comes Next
This debate is not only about privacy or law enforcement efficiency. It is about three more profound questions that Canadian digital policy must answer:
Sovereignty—who has final legal authority over Canadian data?
Prosperity—how does cloud dependence shape our economic capacity and strategic leverage?
Agency—does Canada retain meaningful choice, or have convenience and path dependence foreclosed our options?
These themes deserve their own treatment. They are the subject of the upcoming edition of Appleton’s Clause & Effect.
Read the Full CLOUD Act Paper
Please read the working draft of my fully documented legal article.
Barry Appleton, “Whose Law Governs Canadian Data? The CLOUD Act, Executive Agreements, and Digital Sovereignty” SSRN Working Paper (December 2025)
Barry Appleton is a Distinguished Senior Fellow and Co-Director of the Center for International Law at New York Law School, Managing Partner at Appleton & Associates International Lawyers LP, and a Fellow and Scholar at the Balsillie School of International Affairs.
January 4, 2026
1. CLOUD Act, Pub. L. No. 115-141, § 103 (2018), https://www.congress.gov/115/plaws/publ141/PLAW-115publ141.pdf.
2. Microsoft Corp. v. United States, 138 S. Ct. 1186 (2018) (The case at the Supreme Court was made moot by CLOUD Act passage).
3. See Barry Appleton, Whose Law Governs Canadian Data? The CLOUD Act, Executive Agreements, and Digital Sovereignty, Working Paper (Dec. 22, 2025), at 7–12, available at https://papers.ssrn.com/abstract=5955017.
4. Smith v. Maryland, 442 U.S. 735 (1979).
5. R. v. Spencer, 2014 SCC 43; R. v. Bykovets, 2024 SCC 6.
6. U.S. Dep’t of Justice, First CLOUD Act Agreement Implementation Report 12–14 (2024).
7. U.S. Dep’t of Justice, United States and Canada Welcome Negotiations of CLOUD Act Agreement (Mar. 22, 2022), https://www.justice.gov/opa/pr/united-states-and-canada-welcome-negotiations-cloud-act-agreement.
8. Audition de MM. Anton Carniaux, directeur des affaires publiques et juridiques, et Pierre Lagarde, directeur technique du secteur public, de Microsoft France [Hearing of Messrs. Anton Carniaux, Director of Public and Legal Affairs, and Pierre Lagarde, Technical Director of the Public Sector, Microsoft France], Sénat de la République française, Commission d’enquête sur la souveraineté numérique (June 10, 2025), https://www.senat.fr/compte-rendu-commissions/20250609/ce_souverainete.html [hereinafter French Senate Testimony]. When asked directly whether he could guarantee under oath that data of French citizens would not be transmitted to U.S. authorities without French authorization, Carniaux responded: “Non, je ne peux pas le garantir”—“No, I cannot guarantee it.” See also Steve Ranger, Microsoft Exec Admits It ‘Cannot Guarantee’ Data Sovereignty, The Register (July 25, 2025), https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee/.
9. Ibid. Carniaux confirmed that if presented with a properly framed U.S. government request, Microsoft would be “absolutely” obliged to transmit the requested data—while noting this “has not affected any European company, or a public sector body” to date. Pierre Lagarde, Microsoft France’s Technical Director for the Public Sector, testified that “since January 2025, under contractual guarantee, the data of our European clients does not leave the EU, whether at rest, in transit, or being processed.” Id. These technical and contractual measures were acknowledged to be legally subordinate to U.S. compulsion authority under the CLOUD Act. See Camille Biet, Microsoft Tells French Lawmakers It Can’t Protect User Data from US Demands, SDxCentral (July 21, 2025), https://www.sdxcentral.com/news/microsoft-tells-french-lawmakers-it-cant-protect-user-data-from-us-demands/.
10. The French Senate inquiry was prompted in part by ongoing controversy over the Plateforme des données de santé (Health Data Hub), created in 2019 to advance French medical research using sensitive citizen health records hosted on Microsoft Azure. Commission President Simon Uzenat characterized the arrangement as illustrating “the ambiguities, delays, and contradictions of public action regarding digital sovereignty.” French Senate Testimony, supra note X. The inquiry also examined French government procurement contracts with Microsoft for educational software deployed across public schools and universities, valued between €74 million and €152 million. See Frank Schräer, Sovereign EU Cloud Debacle: Microsoft Cannot Prevent US Access, Born’s Tech and Windows World (July 26, 2025), https://borncity.com/win/2025/07/26/sovereign-eu-cloud-debacle-microsoft-cannot-prevent-us-access/; Big Tech’s “Sovereign Cloud” Promises Just Collapsed—In Their Own Words, Nextcloud Blog (Sept. 9, 2025), https://nextcloud.com/blog/big-techs-sovereign-cloud-promises-just-collapsed-in-their-own-words/.
11. White House, National Security Strategy (Nov. 30, 2025), https://www.whitehouse.gov/wp-content/uploads/2025/12/2025-National-Security-Strategy.pdf.
12. President Donald J. Trump, Remarks at Mar-a-Lago (Jan. 3, 2026) (“We’re going to run the country until such time as we can do a safe, proper, and judicious transition”).
13. Appleton, supra note 2, at 28–35.
14. See Foreign Extraterritorial Measures Act, R.S.C. 1985, c. F-29.



The piece correctly identifies the CLOUD Act as a fundamental sovereignty challenge, though the dynamics have shifted sharply since Canada began negotiations in 2022. Here's the reality: no amount of Canadian data residency works if the infrastructure is U.S.-owned or operated. Canada's own Treasury Board acknowledged this bluntly: "As long as a cloud service provider that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data." The bilateral CLOUD Act agreement negotiations, now three years old and stalled, would allow U.S. law enforcement direct access to Canadian data without traditional judicial oversight mechanisms. What's changed is the geopolitical context. Under the current U.S. administration, concerns about intelligence overreach have intensified, and researchers warn the agreement could extend U.S. surveillance reach into Canada "to an unprecedented extent." The real policy question Appleton's raising isn't whether the CLOUD Act matters—it does—but whether Canada should sign away more direct-access pathways, or instead invest in sovereign cloud infrastructure before signing away the ability to regulate it.
Please, let there be someone in government who is aware of all article comments and also your comments AND will act accordingly. I understand Airbus is looking for a new European cloud to get out of the current American owned cloud.