An OVHCloud data centre in Quebec in June, 2022. It doesn’t matter what country a data centre operates out of, but which jurisdiction it falls under, writes Joshua van Es.Xavier POPY/Supplied
Joshua van Es works in corporate law and writes on sovereignty and technology policy.
Since the early 2000s, we have been content to rely on major American companies for much of our technology needs, maintaining a conviction that the risk of doing so was low. But that same risk calculation no longer holds in the AI era and in the face of a hostile United States.
There is a greater recognition in Canada and around the world that data and compute are now strategic and productive assets – capable of being both a powerful driver of economic growth, but also a critical security vulnerability when outsourced to foreign providers. The idea that a foreign-controlled entity could “shut off the lights” on the digital systems that enable our country to function carries a little more bite in 2026 than it did even a few years ago.
Canadian companies have been quick to capitalize on this new recognition, most recently with BCE Inc.’s announcement of a $1.7-billion data centre in Saskatchewan earlier this week. The deal involves partnering with CoreWeave and Cerebras, both American companies, on the buildout, and was accompanied by a statement from BCE chief executive officer Mirko Bibic that the project would allow Canadians to have their data managed by Canadians under Canadian laws.
This project and others similar to it have been lauded for enabling and expanding Canada’s sovereign data capabilities. But sovereignty, in the case of data, is not measured by the location of a data centre, or even by the nationality of the company who owns it.
Microsoft vows to protect ‘digital sovereignty’ in $7.5-billion Canadian data-centre expansion
It follows the jurisdictional exposure of the company that controls and operates that data centre. This principle is reflected in the 2018 U.S. court case Plixer International, Inc. v. Scrutinizer GmbH, which held that a German software company with no U.S. offices or employees was subject to U.S. jurisdiction – and thus subject to U.S. laws – simply because it advertised to American customers and accepted their payments.
Similarly, if a Canadian company makes a deliberate choice to do business in the United States, that company falls under the jurisdiction of U.S. authorities. That then opens these same companies up to the CLOUD Act, which allows the U.S. to compel companies to produce data within their “possession, custody, or control,” regardless of where that data is located.
The U.S. hyperscalers are the first to point this out. In defending their position, they now distribute material that highlights the fact that major Canadian companies are also likely subject to the U.S. CLOUD Act. They correctly point out that Bell, for example, maintains significant U.S. operations, trades on the NYSE and has expanded into the American market through acquisitions such as Ziply Fiber.
They also point out that the CLOUD Act has been rarely invoked to access Canadian data. But if sovereignty is the name of the game, then it must be understood by Canadians that when data is handled by a company with significant U.S. operations, that data is exposed to U.S. legal processes, however rare that may be.
Opinion: The catch-22 of Canadian digital sovereignty
For Canadian businesses and institutions, this information can be disconcerting. The increasing and imprecise use of the term sovereignty as a marketing label has added to the confusion. The problem is compounded by the fact that technology companies frequently change ownership through acquisitions or private equity investment. Faced with that complexity, some organizations may simply give up on trying to understand where their data is actually exposed.
In my own research of more than 750 technology companies offering their services to Canadians, I’ve found that conceptualizing sovereignty as a simple yes-or-no binary is not always useful. Instead, ask yourself what your goal is.
If you don’t handle sensitive data and don’t care who may access it or if that access could be shut off in a worst case scenario, the major hyperscalers will do just fine. If you’re content with the notion of a rare but still possible exposure to U.S. legal processes, but want to reduce your chance of the data being shut off on the orders of a foreign capital, the clouds that Canadian telecom companies are building may be right up your alley.
If you’re in health care, defence or other sensitive fields, seek out a Canadian company that only operates in Canada. That’s as close to true sovereignty as you can get.
When in doubt, remember that sovereignty is determined by which court can compel the access of data, not where that data is ultimately stored.