Byron Holland is the president and chief executive of the Canadian Internet Registration Authority, which manages the .CA domain.
Most Canadians never think about how their internet traffic moves. We assume that a message sent from Vancouver to Toronto stays in Canada. Too often it doesn’t. “Domestic” internet traffic can detour through the United States before returning home. That matters far more now in the current context of trade friction and geopolitical competition.
In early December, Microsoft Corp. announced $7.5-billion in new artificial-intelligence investments in Canada, pairing it with a plan said to help “promote and protect” Canadian digital sovereignty. The announcement was welcome. But the sovereignty claim deserves scrutiny.
Just months ago, Microsoft told a French Senate committee it could not guarantee European Union data would never be disclosed to U.S. authorities. Under the U.S. CLOUD Act, American authorities can seek access to data held by U.S.-based service providers even when the data are stored abroad, including where local privacy laws would otherwise apply. The lesson for Canada is simple: Data in Canada are not insulated from foreign jurisdiction.
Now put that reality in the frame of what’s coming next. This year, Canada, the U.S. and Mexico will begin the mandatory USMCA joint review, including the free-trade agreement’s digital trade rules such as cross-border data flows, cloud services and the wider digital economy. The outcome will shape how much room Canada has to reduce avoidable U.S. exposure in the infrastructure our communications rely on.
This is not an argument for data localization or to block cross-border data flows. Rather, it’s a call to ensure that Canadian-to-Canadian internet traffic doesn’t needlessly detour through the U.S., when there are technical alternatives that can keep it in the country.
This is not theoretical. Researchers at the University of Toronto and York University found that 25 per cent of Canada-to-Canada routes in their dataset transited the U.S., which is called “boomerang routing.” In plain terms, a connection between two Canadian points can take a U.S. detour before coming back, potentially increasing exposure to foreign legal reach and creating an unnecessary point of failure for everything from emergency co-ordination to day-to-day business traffic.
Ottawa’s 2025 digital sovereignty framework acknowledges the challenge but offers limited practical direction. Here are three steps Canada should take now.
First, governments should tie public broadband funding, spectrum licences and government connectivity contracts to a basic expectation: Keep Canadian internet traffic on in-Canada paths whenever technically feasible. That means funding not only new lines, but also independent Canadian Internet Exchange Points (IXPs) – shared facilities where networks exchange traffic locally instead of internationally.
Second, Ottawa and the Canadian Radio-television and Telecommunications Commission should set baseline interconnection and transparency obligations for major carriers. Canada-to-Canada traffic should be exchanged in Canada only, with carriers publishing verifiable routing and interconnection metrics. Expanded IXPs can reduce latency and improve resilience, but only if carriers and publicly funded networks actually use them.
Third, Ottawa should introduce routing and redundancy standards for networks that carry critical Canadian traffic so domestic traffic prefers in-Canada paths by default with clear, limited exceptions for outages. Canada should also accelerate east-west capacity, including new domestic fibre backbones, to reduce reliance on U.S. transit during disruptions.
Reducing boomerang routing addresses one kind of exposure, but Canada also needs safeguards for sensitive data because they may be compelled if controlled by a foreign provider. Infrastructure and procurement policies should work together: Keep critical traffic domestic where possible, and ensure sensitive workloads are governed by clear standards that match Canada’s risk tolerance.
Some will object that this is heavy-handed or that markets will sort it out. But the current political and economic climate makes digital sovereignty too important to leave entirely to market incentives. Others will worry this risks isolating Canada from the global internet, yet key allies are already taking sovereignty-oriented steps in targeted ways: South Korea enforces strict cloud standards for parts of its public sector, and France’s SecNumCloud sets national requirements for certain cloud services. If allies are acting to reduce risk, Canada should not treat basic domestic routing resilience as off-limits.
Digital sovereignty is not about putting up walls. It is about resilience. We need to reduce avoidable reliances so Canada can act independently when required. Delivering it will take co-ordination among governments, regulators, telecom providers and the technical community.
This is not a call for complete digital autonomy, which is something Ottawa rightly recognizes as impossible. “Sovereignty does not mean solitude,” AI Minister Evan Solomon has said. And it shouldn’t mean Canadians must accept avoidable dependence by default.
With the USMCA review approaching, Parliament should move beyond rhetoric and turn “digital sovereignty” into measurable, enforceable outcomes. Canada can either act now to reduce exposure or negotiate later from a position of deeper dependence.