Data sovereignty: looking to the past as Canada decides how to move forward Data sovereignty: looking to the past as Canada decides how to move forward

We expect 2026 to be the year in which the Government of Canada reveals its strategy in response to vocal calls for digital and artificial intelligence (AI) policies that prioritize data sovereignty. “Data sovereignty” refers to the need to ensure that Canadian courts have exclusive authority over data that is collected, stored or processed within Canada’s borders. In particular, industry experts have recommended that Canada take measures to ensure data remains in Canada and is insulated from search warrants or production orders issued in foreign jurisdictions.

Data sovereignty was one of the core issues raised in a recent Government of Canada consultation to gather input for a new national AI strategy that is expected no later than 2026. If the strategy identifies data sovereignty as a priority, the implications for public sector organizations and private sector businesses will be significant. Technology ecosystems that rely on globally developed and delivered solutions would be replaced, at least in part, with solutions delivered using domestic data processing by Canadian-controlled entities.

Impact of the CLOUD Act

Much of the policy discussion regarding data sovereignty has been focused on the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which the U.S. Congress enacted in 2018. Whether the CLOUD Act warrants prioritizing data sovereignty is a topic of ongoing debate.

While the CLOUD Act did clarify that a provider of electronic communication or cloud services is required to comply with search warrants issued in relation to information stored outside the U.S., it did not create new authority for U.S. law enforcement to obtain data. For example, it did not create surveillance powers or unfettered access to materials stored within cloud or other digital services. Instead, it applied traditional rules to service providers under the jurisdiction of U.S. courts, including non-U.S. based companies that operate in the U.S. At the same time, it maintained common law rights of providers to challenge judicial warrants if compliance would violate another country’s laws. 

The CLOUD Act also authorized the negotiation of reciprocal, bilateral agreements between the U.S. and foreign governments. Such agreements would allow law enforcement in both countries to reduce delays in complying with cross-border requests for information through mutual legal assistance treaties (also known as MLATs). Although Canada has been negotiating a CLOUD Act agreement with the U.S. since 2022, no agreement is currently in place.

Factors to consider in formulating Canada’s response

In fashioning Canada’s data sovereignty strategy, it will be important for policymakers to take into account a broad range of considerations, including five critical factors.

First, storing data in Canada provides no guarantee it will not be accessed pursuant to foreign legal orders.Data processed in Canada by a foreign service provider or by a Canadian-owned service provider that has operations or representatives in a foreign country may be subject to legal orders outside Canada. For example, the CLOUD Act applies to any service provider that is subject to the jurisdiction of the U.S. This means that U.S. law enforcement can serve legal process on the U.S. entity, compelling it to produce data, even if the data is held by a foreign affiliate. The factual question for a U.S. court to consider will be whether the service provider in the U.S. has “custody, control, or possession” over the data stored in another jurisdiction.

Second, there is little or no evidence of foreign access to documents or communications in Canada belonging to or emanating from government or enterprise users. This invites an inquiry about whether a digital or AI strategy that prioritizes data sovereignty is even warranted.Major cloud service providers regularly publish transparency reports that are designed to inform the public about the number and types of requests for user data they receive from governments and courts worldwide, including the U.S. While these reports do not typically identify requests for data stored in Canada, the global numbers make it clear that the prevalence of disclosures of government or enterprise customer content stored outside the U.S. is very low.

Third, statutory rules mandating data sovereignty in British Columbia’s public sector have been largely repealed, making it important to consider whether similar new requirements in 2025 would be viable. Twenty years ago, data sovereignty was a high profile topic of discussion in Canada following the 2001 passing of the U.S.A. PATRIOT Act, together with the rapid adoption of cloud services. Legislative and regulatory responses also varied widely then. Provincial governments in British Columbia and Nova Scotia enacted strict data access and location laws applicable to personal information in the custody or control of public bodies.

The Government of British Columbia, however, amended its public sector privacy law in 2021 to remove the most restrictive elements of its data location and data access requirements. At the time, B.C. made clear it was changing its data residency rules “so public bodies can use modern tools while continuing to protect personal information.” Stated another way, the province essentially acknowledged that absolute data sovereignty is not achievable in an interconnected world, as it undercuts the ability of universities, schools, hospitals and government ministries to innovate, manage costs and operate effectively. Ultimately, these requirements became unsustainable in light of the low likelihood of public sector data being the subject of an information demand by a foreign government.

Fourth, strategies to enhance digital sovereignty exist, but they have limits and increase costs.

For example, using a Canadian-owned and -operated service to store and process data in Canada may insulate data from some orders of foreign courts, but this approach can negatively impact the availability of innovative tools and increase operating costs.

Similarly, keeping data “on-premise” in Canada may insulate the data from foreign warrants if the organization is owned and controlled in Canada and has no foreign presence. However, maintaining on-premises infrastructure is costly, requires extra measures for backup and disaster recovery and often lacks scalability and access to the latest cyber-defences.

It is also the case thatimplementing a “fully sovereign” public cloud solution can address data sovereignty concerns. But such a solution would require data to be processed, transmitted and stored exclusively in Canada, making its viability questionable.Canada’s Treasury Board has even gone so far in a recent report to indicate that achieving a state of complete digital sovereignty is impossible.

The fifth and final critical factor to consider in formulating Canada’s data sovereignty strategy is that technological solutions are constantly emerging. Technology provides a range of options for ensuring that customers maintain control over their data and for mitigating or eliminating data sovereignty risks.

Looking to the past to formulate a strategy for the future

The B.C. government’s decision to amend its public sector privacy law in 2021 provides some lessons learned that can help inform Canada’s future policy decisions about data sovereignty.

Most importantly, Canada should avoid a one-size-fits-all approach.Consistent with data privacy laws, a risk-based approach to data sovereignty is needed. Strict on-premises data sovereignty safeguards may be appropriate for data that implicates national security or military operations, but applying these same safeguards to less sensitive information will often be disproportionate to the level of risk.

A risk-based approach requires taking into account all social and economic factors. Building data centres in Canada may be the easy part of developing a “sovereign” solution. The more challenging — and costly — part may be sourcing sovereign products and services to deploy in them. Moreover, sovereign products and services are unlikely to offer the same range of productivity enhancing features as products and services available through the public cloud.

It must also be recognized that there are economic factors that make sovereign cloud solutions difficult to achieve. Building domestic data centres provides no assurance that sovereign cloud solutions will flourish. Established cloud service providers have been building their technology stacks for decades, making development of a competitive sovereign cloud economically challenging. Moreover, procuring bespoke solutions that are unable to fully leverage commercially available software and infrastructure can be expected to increase significantly the cost of a project, while reducing interoperability and resilience.

What to expect in 2026

There are stakeholders across the public and private sectors in Canada with much to lose or gain depending upon how the Government of Canada decides to update its AI strategy. Many Canadian-based suppliers are emphasizing the data sovereignty benefits of domestically controlled tech ecosystems, while some foreign suppliers are pointing to costs and risks of limiting competition. We anticipate the government will take into account both of these perspectives and identify a pragmatic strategy for the path forward, acknowledging the importance of global tech ecosystems, while also investing in domestic digital capacity so that sovereignty considerations can be prioritized when warranted in the circumstances.