Clouds Without Borders: Data Residency Is Not Data Sovereignty

Since the beginning of our Foundations of Digital Sovereignty policy project, we’ve been saying that governance is key to digital sovereignty.

It doesn’t actually matter where the servers are located, if we’re not asserting meaningful governance over the IP, data, technical standards, and commercial activity happening across digital platforms.

In the past couple years, Canadians have woken up to the reality that sovereignty matters — including in the digital realm — and we see politicians responding.

Unfortunately, too many people in Canada are still stuck in the mindset that it matters whether the servers are physically located on Canadian soil.

The uncomfortable reality is that two American laws — the CLOUD Act and FISA — give U.S. government agencies the power to compel cloud service providers to hand over data, even if that data isn’t actually stored in the U.S.A.

We get into detail about these two laws, and about the implications for Canadian digital infrastructure security in Chapter 5 of Foundations of Digital Sovereignty.

But the truth is, FISA and the CLOUD Act are just the most glaring, clear-cut instance of a larger principle: We need to actually govern the digital realm.

It’s simple and comforting to think that we can assert our digital sovereignty by insisting that Canadian data is stored in Canadian data centres. But that’s just not how the digital realm works.

If we actually meaningfully want to protect Canadians’ data and ensure that it isn’t vulnerable to foreign interference, we need to do the hard and complicated work of developing strategies for data governance, technical standards, corporate ownership and control.

FISA and the CLOUD Act represent obvious security concerns for Canadians’ data, but the principle here goes far beyond just security.

If we’re not governing the digital realm, then we can’t capture value to drive economic prosperity, and we can’t assert Canadian values to ensure that our citizens aren’t manipulated and exploited online.

The good news is that Canada isn’t alone on this path.

We know about the threat of the CLOUD Act in part because of our friends in France. Microsoft’s lawyer in France reportedly confirmed before French lawmakers that the company could not guarantee that data held in European data centres would never be transmitted to U.S. authorities. The legal architecture of the parent company matters more than the postal code of the server.

Other governments are starting to treat the cloud as critical public infrastructure rather than a boring IT line item. The Netherlands recently blocked Kyndryl’s proposed acquisition of Solvinity, the Dutch cloud provider behind DigiD, its national digital identity system, on public interest grounds. Kyndryl is a U.S.-based IBM spinoff. Solvinity is Dutch. The Dutch government looked at the ownership structure, looked at the function of the infrastructure, and decided the risk wasn’t worth it.

In subsequent chapters of Foundations of Digital Sovereignty, we’ll be delving into specific ideas about how Canada can build more secure cloud infrastructure.

The bottom line is that we cannot be satisfied with servers located on Canadian soil. We need to do the hard work of actually governing the digital realm, or else we’ll be spending a whole lot of money that will do nothing to make Canada more secure, or more prosperous.