Data sovereignty in light of the CLOUD Act: back to the future?

Ottawa and provincial governments across the country are facing demands for Canadians’ data to be protected — in part — from foreign access under a U.S. law known as the CLOUD Act. These demands have become more pronounced in light of recent bilateral political developments and the reemergence as a high-profile issue of “data sovereignty” — that is, ensuring Canadian courts have exclusive authority over data within Canada’s borders. Some commentators are similarly expressing concerns about the security of data stored with U.S. cloud providers, and the adoption of “sovereign cloud” solutions is increasingly being discussed at all levels of government.

These discussions are happening at a time when

• there are no documented cases of foreign government or law enforcement access to the data of Canadian enterprises processed within cloud services
• misconceptions about the CLOUD Act are common (for example, the CLOUD Act does not create surveillance powers or unfettered access to materials stored within cloud or other digital services in Canada)
• using a Canadian service provider or storing data in Canada does not guarantee data will be beyond the reach of courts in other countries
• a prominent attempt to mandate data sovereignty in British Columbia has been reversed
• it is increasingly clear that effective management of information in the digital age requires a risk-based approach that considers all relevant factors and costs, including the availability of technology-based solutions

Osler’s partners Michael Fekete and John Salloum have prepared an update which explores the prevalence of foreign access to electronic records stored in Canada, the impact of the CLOUD Act, and options for addressing related perceived risks.

You can access the update on Osler’s website.

This content has been updated on October 7, 2025 at 16 h 01 min.