Beyond Borders: Is our private data exposed to US surveillance? What the CLOUD Act and FISA mean for Canadian Data Sovereignty

*Created on 2025-04-06 18:01*

*Published on 2025-04-06 20:37*

*Inspired by my ongoing reflections on digital rights, public infrastructure, and responsible governance.*

In an age where digital services cross borders with ease, the question of who has access to our data is more than technical—it’s deeply political. For Canada, the growing influence of U.S. surveillance laws like the CLOUD Act and FISA Section 702 introduces new questions about privacy, trust, and sovereignty.

With the return of a Trump administration to the White House, those questions are becoming harder to ignore.

---

## A Closer Look at the CLOUD Act and FISA

At the heart of this concern are two U.S. laws with global reach:

- **CLOUD Act (2018)** gives U.S. law enforcement the power to access data held by American tech companies—even if that data resides in another country. This includes emails, documents, and user communications stored on platforms like Microsoft, Amazon Web Services, or Google Cloud. Read more from the [U.S. Department of Justice](https://www.justice.gov/archives/opa/press-release/file/1153446/dl?inline)

- **FISA Section 702** authorizes U.S. intelligence agencies to collect the communications of foreign individuals located outside the U.S. without a traditional warrant, provided it relates to foreign intelligence. Further detail from the [Electronic Frontier Foundation](https://www.eff.org/702-spying)

The Canadian government acknowledges that these laws present a real challenge. A 2022 federal white paper on cloud data states plainly:

[“As long as a [cloud service provider] that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data.”](https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/gc-white-paper-data-sovereignty-public-cloud.html)

Canada has been aware of these risks for years. In 2022, the government began formal negotiations with the U.S. on a possible CLOUD Act bilateral agreement to enable more transparent data-sharing while safeguarding civil liberties. [See joint statement via Public Safety Canada](https://www.canada.ca/en/public-safety-canada/news/2022/03/the-us-and-canada-reestablish-the-cross-border-crime-forum.html)

While publicly framed as a step toward greater cooperation, officials have also worked behind the scenes to limit exposure. The same white paper recommends that government departments store only “Protected B” data with public cloud providers and keep encryption keys in Canada.

The [Canadian Bar Association (CBA)](https://nationalmagazine.ca/en-ca/articles/cba-influence/submissions/2025/how-to-address-canada-s-digital-data-disclosures-with-the-u-s) has also urged the government to proceed carefully. In a 2025 submission, it called for continued use of existing treaty processes (like MLATs) to ensure Canadian court oversight of any data disclosures.

---

## Why the Political Context Matters: Trump’s Return

Under President Trump’s current administration, concerns about how these surveillance tools could be used—or misused—are escalating. The administration’s transactional approach to foreign policy and previous criticisms of climate science, higher education, and dissenting voices raise the stakes for Canadian institutions.

**Citizen Lab**, a research group at the University of Toronto, has cautioned against rushing into a data-sharing deal:

[“These destabilizing events should give grave pause to any notion of entering into any such data-sharing agreement with the U.S. at this, of all, times.” — Citizen Lab Analysis, 2025](https://citizenlab.ca/2025/02/canada-us-cross-border-surveillance-cloud-act/)

Experts also warn that the legal thresholds for what constitutes “foreign intelligence” are vague and broad, meaning institutions that conduct research or advocacy—on climate, human rights, or migration—could theoretically be swept into U.S. surveillance. See National Magazine coverage.

---

## What This Means for Cloud Users in Canada

For Canadian organizations using U.S.-based cloud platforms, the takeaway is simple but serious: if your encryption keys are not fully under your control, your data could be subject to foreign legal demands.

This includes universities, public health organizations, advocacy groups, and even small businesses using cloud-based tools to manage sensitive data.

---

## The Implications for U.S.-Based Tech Support and Contractors

Legal exposure doesn’t stop at where the data is stored. It extends to who has access.

If your IT support, system administrators, or contractors are based in the U.S., or work for a U.S.-based company, they may fall under the CLOUD Act’s jurisdiction. In some cases, they may be legally required to provide access to your systems—and be barred from telling you.

This raises important questions for Canadian organizations about third-party risk, especially when outsourcing technical services.

---

## Public Institutions: In the Spotlight

Universities and public organizations often host sensitive databases and research that may clash with the ideological leanings of certain administrations. Surveillance tools like FISA could theoretically be used to gather information on these institutions without consent or Canadian oversight.

These concerns aren’t just hypothetical. In past years, faculty associations—like those at [York University](https://www.yufa.ca/privacy_impact_assessment_re_migrating_to_microsoft_office_365) and [Lakehead University](https://www.cwilson.com/arbitrator-dismisses-google-related-grievance)—have raised alarms about data privacy when migrating to U.S.-based services.

---

## What Canadian Institutions Can—and Should—Do Now

It’s not enough to acknowledge the risk. Institutions that handle sensitive data—universities, public agencies, health providers, nonprofits—have a responsibility to act. Here are four tangible steps that can help reduce exposure to unwanted foreign access and better align with Canadian privacy expectations.

### Choose Canadian-Based Cloud Providers Where Possible

This one’s straightforward: if the data is sensitive, keep it under Canadian law.

Working with Canadian-headquartered cloud providers ensures your data is governed by frameworks like PIPEDA, FIPPA, or PIPA—not by the CLOUD Act, the PATRIOT Act, or FISA 702. It also means clearer protections around consent, disclosure, and judicial oversight.

### Control Your Own Encryption—Always, If Possible

*If your data’s encrypted, but someone else holds the keys, you’re not in control.*

Client-side encryption—where data is encrypted before it ever leaves your environment—is crucially important. If your platforms are unable to provide client-managed keys, find ways to manage the keys yourself and protect your sensitive data with tools such as [Cryptomator, Cyberduck (integrated Cryptomator)](https://cryptomator.org/), [gocryptfs](https://nuetzlich.net/gocryptfs/), [rclone (with Crypt remote)](https://www.maketecheasier.com/use-rclone-crypt-encrypt-files/), or [VeraCrypt](https://veracrypt.fr/en/Home.html). For collaboration and fully cloud-based E2EE data access, [CryptPad](https://cryptpad.fr/) may help.

Other options are to use E2EE platforms such as:

- [Sync.com](http://Sync.com) — A Canadian E2EE provider with a solid reputation

- [Nextcloud](https://nextcloud.com/) — An open-source, self-hosted cloud platform that provides E2EE shares

- [Tresorit](https://tresorit.com/secure-box-alternative) — A Swiss-based cloud storage service that prioritizes security, offering end-to-end encrypted file sharing and collaboration tools

- [Seafile](https://help.seafile.com/security_and_encryption/use_encrypted_libraries/) — An open-source file syncing and sharing platform with E2EE vaults that can be self-hosted, offering flexibility and control over data

- [Icedrive](https://icedrive.net/encrypted-cloud-storage) — A relatively new cloud storage provider that emphasizes security and a user-friendly experience (as it is a newcomer, some caution is recommended)

- [pCloud](https://www.pcloud.com/) — A Swiss-based cloud storage service offering a blend of security, usability, and competitive pricing, including lifetime plans

This isn’t just good IT hygiene. It’s a legal defense. If a foreign government comes knocking, but the provider can’t decrypt the data, there’s nothing to hand over.

Some cloud platforms advertise “bring your own key” (BYOK) or “hold your own key” (HYOK) options, but look closely—many still retain access. What matters is this: do you, and only you, have control? If not, caution is advised.

### Push for Canadian Subsidiaries That Operate with Real Legal Separation

Foreign cloud providers—especially those based in the U.S.—shouldn’t get a free pass to operate in Canada without adapting to our legal framework. If they want to host Canadian data, they should do it through Canadian-incorporated subsidiaries with localized infrastructure and Canadian-held keys.

This creates a legal and technical firewall. If the U.S. parent can’t access the data or the keys, it’s much harder—if not impossible—for them to comply with U.S. subpoenas.

### Support Legal Reform to Define Foreign Access Boundaries

Canada’s privacy laws weren’t built for this era of extraterritorial subpoenas and jurisdictional ambiguity. It’s time they caught up.

We need updates that:

- Clarify when and how foreign governments can access Canadian-held data

- Mandate disclosure of data storage locations and key custody arrangements

- Introduce transparency obligations, so providers must publicly report foreign access requests

Institutions shouldn’t wait passively for these changes. They should advocate for them—through public comments, policy engagement, and by supporting legislation that centers Canadian sovereignty and privacy.

---

## Final Thoughts

Cross-border cooperation is essential. But so is sovereignty.

As I’ve written in previous reflections on surveillance, teaching, and civic engagement, we must recognize the tension between digital convenience and democratic accountability.

[See: “Are We Seeing the Rise of a New Dystopia?”](https://www.linkedin.com/pulse/we-seeing-rise-new-dystopia-our-own-creation-alex-dimarco-8iync/)

The CLOUD Act and FISA are powerful tools. In the right hands, they support justice. In the wrong hands, they enable overreach. As we move forward, our challenge is not only technical, but ethical and political.

Canada must act with care—and clarity—if we want to protect our institutions, our privacy, and ultimately, our democracy.