Skip to main content
Foundations of Digital Sovereignty ~ Chapter 5

Clouds Without Borders: Why Data Residency 5 Is Not Data Sovereignty

Download PDF
Key Takeaways
The Cloud
Cloud Security
Sovereignty Washing
Flying Blind
Conclusion
Solutions
Key Takeaways
The Cloud
Cloud Security
Sovereignty Washing
Flying Blind
Conclusion
Solutions
Anchor navigation

For decades, Canadian policymakers have operated on the assumption that data residency is enough to guarantee Canada’s digital sovereignty. That assumption is wrong.

Two pieces of U.S. legislation, the CLOUD Act and the Foreign Intelligence Surveillance Act, give American authorities the ability to access data held by U.S.-based cloud providers, regardless of where that data physically sits.

This matters for Canada, because three foreign hyperscalers dominate the Canadian cloud market — Amazon Web Services (AWS), Microsoft and Google.

As hyperscalers respond to growing demand for sovereign cloud with rebranded marketing rather than genuine governance solutions, Canada risks spending billions on infrastructure that does not actually protect the interests of all Canadians.

As we confront an increasingly volatile geopolitical landscape, Canadians are seeking to protect our national sovereignty. As we assess our vulnerabilities, Canada cannot ignore the reality that most of our digital infrastructure is both owned and controlled by foreign companies.

So of course, Canada should just build cloud infrastructure, right? But as we’ve already explored in previous chapters of Foundations of Digital Sovereignty, it is deeply misguided to rush out and spend billions of dollars on infrastructure, if we don’t have a clear strategy for governance and economic value capture.

As we will see in this chapter, sovereignty does not depend on whether servers and data centres are physically located on Canadian soil. Governance is what matters, and Canada needs a clear strategy for meaningful governance of our digital systems.

Key Takeaways

  1. Amazon Web Services, Microsoft and Google collectively hold roughly 63% of the global cloud market — and dominate the Canadian market similarly. Canada has very little autonomy over its own data when it sits with these providers.
  2. The U.S. CLOUD Act allows American law enforcement to access data stored by U.S.-based companies anywhere in the world. Microsoft confirmed to the French Senate that it could not refuse handing over data to U.S. authorities, regardless of where it was stored.
  3. FISA Section 702 goes further — allowing warrantless surveillance of non-American persons by compelling data from U.S.-based cloud providers for broadly defined national security purposes. Canada’s own government has identified FISA as the “primary risk” to data sovereignty.
  4. “Sovereignty washing” is a growing problem: hyperscalers are marketing data residency as sovereignty while obscuring their fundamental legal vulnerabilities. Of cloud tools used by Canadian organizations that offer Canadian data residency, 88% remain exposed to the CLOUD Act.
  5. Governance must come before infrastructure. The $240 million Cohere investment — directed to a data centre built in partnership with U.S.-based CoreWeave — illustrates exactly what happens when spending outpaces governance.

The Cloud

Cloud services are typically provided through three service models:
  • Infrastructure as a Service (IaaS) affords the customer the greatest level of control over their computing environment, and includes many offerings from AWS, Microsoft and Google.
  • Platform as a Service (PaaS) represents a blend between supplier and customer control, including examples like Google App Engine or Micro- soft Azure App Service.
  • Software as a Service (SaaS) offers ready-to-use applications that can be accessed over the internet. Familiar applications like Microsoft 365, Google Workspace or Dropbox are all examples of SaaS.

In spite of the imagery it evokes, cloud infrastructure is mostly about networking cables and warehouses full of racks of computing equipment. “The cloud” is a term used interchangeably to refer to a huge range of systems and processes — essentially all computing functions that are not handled locally on the device that you’re using.

As an example, the government of Canada has complex and diverse computing requirements, which include a mix of storage, compute, and other cloud services. A scan through the list of approved cloud services available to the Government of Canada reflects this diversity, including everything from storage, networking, databases, developer tools, customer relations management, analytics, and AI and machine learning.

Canadian companies have a similar array of needs, depending on their size and sector.

Amazon Web Services, ChatGPT, and YouTube all provide cloud services, but each of these services will have their own characteristics, infrastructure requirements and different governance requirements.

This is why, as we have already illustrated in the previous chapters of Foundations of Digital Sovereignty, our governance efforts must be focused on upstream factors — data, intellectual property and governance frameworks, like technical standards.

When looking at the current state of play in Canadian cloud capacity, one vulnerability comes into sharp focus: our reliance on foreign service providers.

Cloud Security

Three American cloud service providers (CSPs) dominate the global market — Amazon Web Services with a 29% market share, Microsoft with 20% and Google with 13%. The Canadian market is similarly dominated by these same players, although there are few publicly disclosed numbers on its exact shape.

The so-called hyperscalers benefit from economies of scale. Our dependence can be weaponized in other ways as well. The American hyperscalers already make it difficult for clients to switch cloud providers, or use multiple different services at once, due to a lack of interoperability between their cloud environments, limited transparency and high egress fees.

Sometimes, they even fail to provide export tools for migrating data in the first place, and anti-circumvention laws make it illegal for us to bypass these locks and reverse engineer our own data export tools. Canada effectively has very little autonomy over its own data when it is in the hands of CSPs.

Moreover, in the context of American hyperscalers in particular, there are two U.S. laws that have important national security implications for Canadian data.

It is important to note that similar concerns would exist if Canadian cloud services were dominated by Chinese companies, or any other major geopolitical player. But we will focus on the United States in this paper, because that’s the reality we live in.

The U.S. CLOUD Act

American companies are subject to the 2018 CLOUD Act (“Clarifying Lawful Overseas Use of Data Act”) which asserts that U.S. law enforcement agencies can access data stored by U.S.-based companies, even when housed abroad.

The CLOUD Act does not create broad surveillance powers, but instead applies quite narrowly to ongoing criminal investigations, and still requires warrants to be issued by an American court.

The CLOUD Act also preserves methods to challenge a warrant if it creates a conflict with the laws of another country.

In the wake of the CLOUD Act coming into force, all the major CSPs emphasized that the law had little bearing on protections offered to customers.

Amazon states that the CLOUD Act “resulted in zero disclosures of AWS enterprise or government customer content stored outside the U.S. to the U.S. government, since [Amazon] started reporting the statistic in 2020” and reports on the law enforcement information requests it receives.

In a blog post about its data practices, Microsoft states that it “does not provide any government with direct and unfettered access to [its] customers’ data […nor…] with [the] encryption keys or the ability to break [their] encryption.”

In the FAQ section, it states that the CLOUD Act did not change its principles and customer commitments that relate to government requests for data. Microsoft publishes outcomes of requests it receives for customer data. However, Microsoft also recently confirmed their powerlessness where the CLOUD Act is concerned. When asked by the French Senate whether it could guarantee that a French citizen’s data would not be transmitted to U.S. authorities without the explicit authorization from French authorities, Microsoft’s answer was no. This admission confirms that data residency is not enough to guarantee sovereignty over Canadian data.

As The Globe and Mail’s Joe Castaldo and Pippa Norman point out, the number of law enforcement requests for data stored abroad might be fairly low. They report that Microsoft received a total of 5,560 information requests from American law enforcement, but only 52 warrants were for data stored abroad.

The CLOUD Act also applies to Canadian companies that have a substantial enough presence in the U.S., meaning that even procuring from a Canadian company will not necessarily mean that data is protected from potential access by U.S. authorities.

Foreign Intelligence Surveillance Act

The Foreign Intelligence Surveillance Act (FISA) is more problematic. The government of Canada even identified FISA as the “primary risk” to data sovereignty, due to its potential for allowing the U.S. government to access Canadian information, without even notifying Canada.

Specifically, Section 702 of FISA, added in 2008, provides a legal framework for the U.S. to conduct surveillance of non-American persons located outside of the U.S. by compelling information, without requiring a warrant, from U.S.-based electronic communications providers, including CSPs.

The type of information to be collected is foreign intelligence information — loosely defined as information allowing the U.S. to protect itself against hostility from foreign governments. Concerns have been raised over Section 702’s potential for warrantless surveillance of the data of non-U.S. persons for “vague” national security reasons.

Both FISA and the CLOUD Act represent obvious vulnerabilities to Canada’s national security, but the United States has clearly signalled through multiple strategic documents that they see dominance in this space as a geopolitical imperative.

Sovereignty Washing

In spite of the CLOUD Act and FISA, the hyperscalers are positioning themselves as another option for sovereign cloud services in Canada. For example, Google recently announced its sovereign cloud offering for Canadian consumers.

But critics have observed that Google and other hyperscalers are simply adapting their marketing strategies in recognition of the growing demand for sovereign cloud, by emphasizing data localization and robust security practices, while neglecting to mention their fundamental vulnerabilities. In essence they are exploiting that there is no clear consensus on what sovereign cloud means.

Recent research from Upper Harbour finds that out of 715 of SaaS and Iaas tools used by Canadian organizations, 63% are parented in the U.S. and hence subject to the CLOUD Act.

Only 18% are Canadian-owned.

Out of the tools that offer Canadian data residency, often as a promise of sovereignty, 88% remain exposed to the CLOUD Act. Another tactic that the hyperscalers are employing is to partner with local companies, which only complicates efforts to assess sovereignty.

This tactic can also be observed in Canada: in December 2024, Cohere received $240 million in federal funding for its new data centre project, which it is building in partnership with U.S.-based CoreWeave. This investment under the Sovereign AI Compute Strategy has attracted criticism for benefiting a U.S.-based company.

Flying Blind

In September 2025, Prime Minister Carney said that his new Major Projects Office would be supporting the development of a Canadian sovereign cloud.

The government has also been working on defining data sovereignty through research and white papers though requirements remain unclear.

The Minister of AI and Digital Innovation, Evan Solomon, has been emphasizing the importance of building more Canadian infrastructure to achieve digital sovereignty. Minister Solomon has continued to implement the $2.4 billion package of measures to “secure Canada’s AI advantage” including the Sovereign AI Compute Fund to increase Canadian-owned AI infrastructure. However, in practice we see the pitfalls of rushing ahead with an infrastructure strategy without any clear governance strategy.

An initial investment under the Sovereign AI Compute Strategy has attracted criticism for primarily benefiting a U.S.-based company.

While Canadian-based Cohere was the recipient of the funding, the money ultimately went to CoreWeave, an American company, to build infrastructure. Given CoreWeave’s involvement, there are concerns that the data involved may ultimately be subject to the CLOUD Act and FISA.

Conclusion

The easiest way to think about Canada’s digital infrastructure is by focusing on the data centres, the networking cables, and hard infrastructure. But as we’ve seen, the fixation on data residency and “sovereign” compute capacity fails to engage with the most important dimensions of the digital economy.

Canada must have a comprehensive governance strategy that meaningfully addresses data control, IP ownership, and the marketplace frameworks that shape the digital economy.

In the following chapters of Foundations of Digital Sovereignty, we will look into the ways that Canada can assert meaningful sovereign control over cloud systems and build up compute capacity for the benefit of Canadian companies. These policies will work in concert with a National Data Trust, an Innovation Asset Bank, and other policy ideas that we have already discussed in Chapters 1-4.

By taking a holistic approach, and taking inspiration from peer nations that are grappling with the very same policy challenges, we can move Canada along the spectrum toward more sovereign infrastructure.

Solutions

Canada needs to clearly understand the risks posed by our reliance on foreign hyperscalers and think strategically about what trade-offs to accept. There are several policy levers at our disposal for addressing and mitigating these risks:

1. The Canadian government should develop and adopt a procurement strategy that categorizes government data according to its sensitivity and assigns sovereignty requirements accordingly.

For some use cases, procuring from American hyperscalers is appropriate, for others, we should procure from Canadian CSPs with limited or no presence in the U.S. to better protect data from foreign access.

2. Canada should adapt existing legislative and regulatory instruments to the cloud services market, including tools related to competition policy, blocking statutes, and utility regulation.

Strengthened contractual obligations in procurement and a concerted effort to preserve our digital autonomy in trade agreements are other policy levers we can employ.

3. Canada should invest in the development of publicly-anchored digital infrastructure to create compute capacity for researchers, public service delivery and innovative Canadian businesses.

Such investment will further broaden the suite of options available for compute requirements, and strategically fortify governance efforts.

Don’t Miss an Update,
Subscribe to
Newsletter
Subscribe to receive our weekly newsletter that include reports, updates and much more.
Fields marked with an asterisk (*) are required

Newsletter

By subscribing, you agree to our Privacy Policy.
You can unsubscribe at any time.