Insights · Data sovereignty

The US CLOUD Act and Canadian data: what it actually means for your business

A 2018 US law can reach data sitting in a Canadian data centre. Here’s how the CLOUD Act works, who it touches, and what a proportionate response looks like.

What it boils down to

The CLOUD Act lets US authorities compel a provider under US jurisdiction to produce data in its custody or control, wherever in the world that data sits. A Microsoft 365 tenant or an AWS account in a Canadian region has Canadian residency — it doesn’t have Canadian jurisdiction. For most businesses this calls for a documented risk decision, not an exit from the cloud.

  • The law follows the company that controls the data, not the country where the servers stand.
  • Orders are targeted legal process in criminal investigations — nothing like open-ended surveillance of Canadian tenants.
  • Canadian regions remain worth using: they settle residency and lighten your Law 25 obligations.
  • Provider ownership, encryption key custody and contract terms are the levers you actually control.

Where the law comes from — and what it says

The Clarifying Lawful Overseas Use of Data Act became US law in March 2018, and it exists because of a court fight. In the Microsoft Ireland case, US prosecutors demanded emails stored in Dublin; Microsoft argued that an American warrant stopped at the American border, and the dispute went all the way to the Supreme Court. Congress cut it short by amending the Stored Communications Act: a provider subject to US jurisdiction must now produce data in its “possession, custody, or control” no matter where it chose to store it. The US Department of Justice publishes its own explanation of the act, and it’s blunt on this point: control decides, not geography.

Two boundaries keep the law narrower than its reputation. It operates through ordinary criminal legal process — a warrant or court order aimed at specific accounts — and grants no standing right to browse foreign data. And it gives providers a path to challenge an order when complying would put them in conflict with another country’s law. Neither boundary makes the reach disappear; both matter when you’re sizing the actual risk.

Why “hosted in Canada” doesn’t close the question

The reassurance most businesses reach for is residency: our data sits in Toronto or Montreal, so Canadian law applies. Residency and jurisdiction are different questions, though — we’ve written a separate piece on the difference between data residency and data sovereignty. A US-controlled provider that stores your data in a Canadian data centre is still a US-controlled provider; the building’s postal code doesn’t change who can be ordered to produce what’s inside.

The exposure runs wider than most tech stacks let on. In Upper Harbour’s Canadian Technology Sovereignty Index, an analysis of 768 SaaS and cloud tools used by Canadian organizations, 59% are US-parented and so fall under the CLOUD Act, and only 19% are fully Canadian-owned. Odds are your own stack — accounting, CRM, file storage, email — follows a similar split.

What it means for your Microsoft 365 or AWS tenant

Microsoft and Amazon are American companies, so tenants in Azure Canada Central or Canada East and workloads in AWS ca-central-1 sit within the act’s reach. That’s the plain reading, and no configuration setting changes it. What Canadian regions buy you is still real: residency commitments you can show a client or an auditor, lower latency, and a lighter assessment when Law 25 asks where personal information goes.

It’s also worth saying what a CLOUD Act order looks like in practice. It names specific accounts in a criminal investigation; it is not a standing feed of Canadian tenants. The major providers publish law-enforcement request reports, say they redirect governments to the customer where they can, and have fought orders in court before. None of that is a guarantee. It does mean that for a typical SMB, the probability of an order ever touching your tenant is low — and that the decision in front of you is how much residual risk your data can carry, not whether to abandon the platforms your business runs on.

Where Law 25 and PIPEDA come in

Quebec’s Law 25 requires a privacy impact assessment (EFVP) before personal information is communicated outside the province, weighing the sensitivity of the data, how it will be protected, and the legal regime it lands in. The CLOUD Act is exactly the kind of factor that assessment exists to weigh. Even with a Canadian region, technical support and administrative access often happen from outside Quebec — which is why careful organizations run the assessment and keep it on file rather than assuming the region settles the matter.

Federally, PIPEDA takes the accountability route: your organization stays responsible for personal information it hands to a service provider, including one that processes it abroad. The Office of the Privacy Commissioner’s guidelines on cross-border processing expect contractual protections and transparency — telling people, plainly, that their information may be stored or processed in another country and become accessible to its courts and law enforcement. Neither regime forbids US providers. Both insist the choice be examined and documented rather than made by default.

A proportionate response: what you can actually control

Start with an ownership check. The question is who controls each provider up the chain — a Canadian brand with a US parent counts as US-controlled, and the CLOUD Act reaches subsidiaries. Then classify: most operational data isn’t worth restructuring your stack over, but personal information under Law 25, health data and public-sector work may justify stronger measures.

From there, the levers are practical. Keep workloads in Canadian regions — necessary for residency and Law 25, just not sufficient on their own. Look at encryption with customer-held keys for the workloads that support it; a provider can’t produce readable data it can’t decrypt, though the big productivity suites need some access to function, which limits this lever. Tighten contracts: data-processing terms, a commitment to notify you of government demands where the law allows, a commitment to challenge overbroad orders. And for the systems where jurisdiction is a hard requirement rather than a preference, the cleaner answer is a provider that answers to Canadian law in the first place — the case we lay out on our Canadian data sovereignty page.

A risk to weigh, not a fire to fight

For most SMBs, the honest ranking puts phishing, ransomware and weak identity controls well above a foreign warrant on the list of things likely to hurt you this year. The CLOUD Act deserves a considered answer, documented once and revisited when your stack or your obligations change — not a panic migration. If your clients, your regulator or your own risk tolerance push jurisdiction up that list, that’s a scoping conversation we’re glad to have.

FAQ

Frequently asked questions

Does the CLOUD Act apply to data stored in Canada?

Yes, whenever the company that controls the data is subject to US jurisdiction. The act requires providers to produce data in their possession, custody or control regardless of where it’s stored, so a US-owned provider’s Canadian data centre offers no shield by itself. What limits the reach is the process: orders come through criminal legal process aimed at specific accounts, and a provider can challenge an order that conflicts with another country’s law.

Is the CLOUD Act bulk surveillance of Canadian companies?

No. It’s a production law rather than a collection program: US authorities need legal process, such as a warrant, tied to specific accounts in a criminal investigation. The major cloud providers publish law-enforcement request reports and say they redirect governments to the customer where possible. For a typical Canadian SMB, the realistic probability of an order touching your data is low — the point of assessing it is to make that judgment deliberately, not to assume it’s zero.

Does hosting in a Canadian region protect us from the CLOUD Act?

Not by itself. Canadian regions settle where your data lives — residency — and that’s worth having: it answers client and auditor expectations and simplifies the assessments Law 25 requires. But the act follows the provider’s jurisdiction rather than the server’s location, so a US-controlled provider’s Canadian region remains within reach. Treat Canadian regions as necessary but not sufficient.

Can we keep using Microsoft 365 or AWS and still comply with Law 25?

Yes. Law 25 doesn’t ban US providers; it requires that any communication of personal information outside Quebec be assessed first — an EFVP weighing the sensitivity of the data, the safeguards around it and the legal regime it lands in, the CLOUD Act included. With Canadian regions, sensible configuration and documented assessments, Microsoft 365 and AWS remain defensible choices for most organizations. What trips organizations up is skipping the assessment; the platform choice itself usually holds up fine.

What actually reduces our exposure?

Four levers, roughly in order of effort. Check who owns each provider up the ownership chain, because a US parent brings US jurisdiction with it. Classify your data so stronger measures go where they’re justified. Use customer-held encryption keys where the workload supports them, which limits what a provider can produce in readable form. And put protections in the contract — notice of government demands where the law allows, and a commitment to challenge overbroad orders. For systems where jurisdiction is a hard requirement, a Canadian-owned provider remains the cleanest option.

Continue reading

Not sure where your data actually stands?

We map where your data lives, who controls it, and what Law 25 expects — then give you a plan scaled to your real risk.