The CLOUD Act: Canada's Sovereignty Problem Nobody in Ottawa Wants to Name Out Loud

  • Writer: John Pope
  • Mar 6

Updated: Mar 14

March 2026 | midagent | John Pope


Foreign surveillance codified and reduced to vapour.

Somewhere deep in the bowels of Shared Services Canada there is a document that most Canadians will never read, and, like Lord Voldemort, most senior public servants would prefer not to discuss or name it in public. It is a government evaluation covering the period from 2018 to 2024, and it contains a finding that deserves to be read aloud in the next Cabinet meeting on digital sovereignty. And then ideally blasted from the Centre Block Peace Tower on continuous loop for the whole nation to hear.


From fiscal year 2019 to 2023, Microsoft Azure was the single most-used cloud provider across the Government of Canada — consumed at four times the rate of Amazon Web Services and Salesforce combined. Four times.


And here is the part that makes this a national sovereignty issue rather than merely a procurement footnote: if you use a US-owned cloud provider — AWS, Microsoft Azure, or Google Cloud — your data can be legally accessed by US authorities, regardless of whether it's stored in Canada.


That is not a theoretical risk. It is the explicit, operational design of American law. The Department of National Defence runs Defence 365 on Microsoft platforms. Major Canadian banks and financial service providers, telecommunications providers like Rogers and TELUS, and federal departments are all directly subject to or depend on services subject to U.S. jurisdiction.


We have built our national digital infrastructure on a legal foundation that belongs to another country. And we've been doing it for years, with full knowledge of the implications, because we had no credible domestic alternatives.


That last part matters. This post is not a prosecution. It is an observation — and ultimately, an invitation.


The Law Nobody Wants to Talk About


The Clarifying Lawful Overseas Use of Data Act — the CLOUD Act — was signed into US law in March 2018 during the first Trump Administration. Its mechanism is straightforward, but its implications are significant. The CLOUD Act allows US authorities to demand access to data from American companies, even if that data is stored on servers located outside the US.


The critical distinction — the one that gets lost in every conversation about "data residency" — is the difference between where data is stored and who has the legal authority to access it. Jurisdiction overrides geography. If your cloud vendor is foreign-owned, Canadian data sovereignty risks persist because foreign courts can compel access under statutes such as the US CLOUD Act.


This is not a hypothetical. When Microsoft's executives were pressed directly during a French Senate inquiry, they confirmed that if presented with a properly framed US government request, Microsoft would be "absolutely" obliged to comply — regardless of what its contracts say, regardless of where the data is stored, and regardless of the assurances made to foreign governments.


The Government of Canada's own white paper on this subject has acknowledged the problem with unusual clarity: "As long as a cloud service provider that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data."


Ottawa wrote that sentence. And then signed another round of cloud contracts.


What We Actually Know


Let's be specific, because specificity is what moves policy conversations.


Newly released documents show Ottawa has spent almost $1.3 billion on cloud services provided by US companies, with most of the money going to Microsoft — and its uses include what the government itself calls "mission-critical" defence applications. This information was extracted not through an independent audit, but through a question posed by a Conservative MP in the House of Commons — which tells you something about how proactively the government has chosen to disclose it.


Shared Services Canada — the central IT service provider for 43 federal agencies, operating roughly 700 data centres running 14,000 applications — has established multiple contract vehicles providing AWS services and support to all Canadian federal government departments, agencies, and Crown corporations.


Then there is Palantir. The Department of National Defence signed a $14.4 million contract with Palantir in March 2020 for the use of its Gotham software — a system that allows organizations to integrate datasets for analysis and decision-making, including in combat situations. The contract was not publicly disclosed at the time. It was revealed through Parliamentary filings in late 2025. Palantir was founded by Trump ally Peter Thiel and has publicly tied itself to the US economic and security agenda. It has since signed a contract with the US Army worth up to $10 billion — making it one of the most significant defence intelligence contractors in the world, deeply embedded in the US national security apparatus.


Canada's Department of National Defence was, until recently, running classified data analytics on Palantir's platform. The department "declined to provide details on what information Palantir's software processed or analyzed," citing national security reasons.


Let that sit for a moment.


The Negotiation Nobody Asked For


The story gets more consequential. Since 2022, the Canadian government has been quietly negotiating a bilateral law enforcement data-sharing agreement with the United States under the CLOUD Act — negotiations that are ongoing.


The Citizen Lab at the University of Toronto has published one of the most thorough legal analyses of what this agreement would mean in practice. Legal researchers Cynthia Khoo and Kate Robertson warn that a Canada-US CLOUD agreement would extend the reach of US law enforcement into Canada's digital terrain to an unprecedented extent — effectively allowing US police to demand personal data directly from any provider of an "electronic communication service" in Canada, so long as it had some ties to the US.


These negotiations are now taking place in a fundamentally different geopolitical context than when they began. In early 2025, Washington Post reporting revealed the UK had been secretly ordered to create a global encryption backdoor. Apple disabled Advanced Data Protection in the UK rather than comply. Reports surfaced that the CIA would "use espionage to give Trump extra leverage in trade negotiations." Canada-US trade relations collapsed into tariff warfare.


And yet the CLOUD Act negotiations continued.


Legal scholar Barry Appleton, whose December 2025 working paper on this subject represents the most rigorous publicly available treatment of the issue, frames the stakes precisely: this debate is not only about privacy or law enforcement efficiency — it is about sovereignty, prosperity, and agency. Does Canada retain meaningful choice, or have convenience and path dependence foreclosed our options?


Nobody Chose This. Almost Everyone Accepted It.


Here is the point that needs to be made fairly, because fairness is what allows productive conversations to happen.


The public servants and procurement officers who migrated Canadian government workloads onto US cloud platforms were not making reckless decisions. They were making rational ones. Microsoft committed $19 billion CAD between 2023 and 2027 to Canadian digital and AI infrastructure. AWS built Canadian-region data centres and spent years pursuing federal contracts through every legitimate channel available. The tools were good. The price was competitive. The alternatives were, for most of the last decade, genuinely limited.


Path dependence is a real force in institutional decision-making. Once 14,000 government applications are running on a platform, the switching costs are not trivial. Once procurement frameworks are structured around US hyperscalers, reorienting them requires political will and technical capacity that doesn't materialize overnight. The people who made these decisions were not asleep. They were operating within the constraints they had.


But constraints change. And the geopolitical context of 2026 is not the geopolitical context of 2018.


The Citizen Lab has specifically warned that a Canada-US CLOUD Act agreement could make the Canadian government and technology sector complicit in the data-fuelled criminalization and persecution of historically marginalized groups in the US. That is not a fringe concern. It is a direct implication of agreeing to data-sharing protocols with an administration that has demonstrated it will use government data systems for domestic political enforcement.


The question for Ottawa is not whether past decisions were reasonable. They were. The question is whether they remain defensible in the present environment — and whether Canada now has options it didn't have before.


The Answer is Yes


The technical and legal case for sovereign digital infrastructure has never been stronger. Using a Canadian-owned service provider that has no operations or representatives in the US — where data is stored and accessed only in Canada — is an effective path to achieving genuine data sovereignty.


Canadian providers operating on Canadian-owned infrastructure, using open-standard architectures that are independently auditable, are no longer a theoretical proposition. They exist. The capability gap that made US hyperscalers the only practical option a decade ago has narrowed materially.


The $1.3 billion that has flowed to US cloud providers for federal government workloads represents, among other things, $1.3 billion that did not build Canadian sovereign infrastructure, did not develop Canadian AI capability, and did not insulate Canadian government intelligence from American legal jurisdiction.


That is not an accusation. It is an opportunity cost — one that future procurement decisions can begin to address.


The Deputy Ministers, ADMs, and CIOs who read this and feel the uncomfortable recognition of a problem they already know exists are not the adversaries in this story. They are the decision-makers who now have something they didn't have before: a legitimate alternative, a deteriorating status quo, and a geopolitical moment that has made the conversation unavoidable.


The question is no longer whether Canada needs sovereign digital infrastructure. Ottawa's own white papers have answered that. The question is whether Canada retains the capacity to make meaningful choices about its own data governance — or whether path dependence, procurement inertia, and the gravity of existing contracts will make that choice for us.


The window to act with intention, rather than react to crisis, is open.


But it will not stay open indefinitely.
