Your Data Is Not Safe — And the Proof Is in Writing


Published by Xenolink Data Solutions | Thunder Bay, Ontario

There’s a conversation happening at the highest levels of government, law, and corporate boardrooms right now — and most Canadian businesses have no idea it applies to them. It goes like this: where is your data stored, who owns the company storing it, and what law governs who can see it?

For the majority of Canadian organizations — law firms, health clinics, accounting practices, municipal governments, Indigenous organizations, and small businesses — the answer to that third question is quietly, uncomfortably: American law.

This isn’t a theory. It isn’t a marketing scare tactic. The receipts are public record.

The Law You’ve Never Heard Of (That Already Applies to Your Data)

In March 2018, the United States passed the Clarifying Lawful Overseas Use of Data Act — the CLOUD Act. It is widely understood to allow U.S. authorities to compel U.S.-based providers to produce data they control, even when that data is stored abroad [4].

That means if your business uses Microsoft 365, Amazon Web Services, Google Workspace, or virtually any other major cloud platform — even with servers located in Toronto or Montreal — your data is subject to U.S. legal jurisdiction. A Canadian server address does not make your data Canadian [1][3].

The Government of Canada’s own white paper on cloud and data sovereignty states this directly: “As long as a cloud service provider that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data.” [3]

That’s not Xenolink’s position. That’s Ottawa’s.

Senior counsel Barry Sookman of McCarthy Tétrault LLP put it even more plainly: “If your data is held by a U.S. company, it’s under U.S. law. Even if it’s stored in Toronto.” [2]

Microsoft Said the Quiet Part Out Loud — On the Record

In June 2025, Microsoft France’s Director of Public and Legal Affairs, Anton Carniaux, appeared before a formal French Senate inquiry specifically examining digital sovereignty in government procurement. The question put to him was direct: could he guarantee that data belonging to French citizens — even data covered by government contracts and stored in European data centres — would not be handed to U.S. authorities without French authorization?

His answer, given in testimony before that formal Senate inquiry: “Non, je ne peux pas le garantir.” No. I cannot guarantee it. [4]

This was not a slip of the tongue. It was a statement from a senior legal official on the record before a formal state proceeding. The hearing reinforced the point that local hosting and contractual protections do not automatically remove the risk of foreign legal access [3].

Contractual assurances from a U.S.-owned provider may not be enough to shield your data if a U.S. court decides otherwise.

Canada Has Been Quietly Negotiating to Make This Worse

Since March 2022, the Canadian government has been in quiet negotiations with the United States over a bilateral CLOUD Act agreement — one that would formally extend U.S. law enforcement’s reach into Canadian digital infrastructure [5].

In February 2025, researchers Cynthia Khoo and Kate Robertson from the University of Toronto’s Citizen Lab published a comprehensive legal analysis warning that such an agreement would allow U.S. police to demand personal data directly from any Canadian provider of electronic communication or cloud services, so long as it had some ties to the U.S. — and that this would represent an unprecedented strike against Canada’s constitutional sovereignty [5].

The UK Showed Us Exactly How This Plays Out

In February 2025, reporting revealed that the UK had issued a Technical Capability Notice — a formal legal instrument under the Investigatory Powers Act — ordering Apple to provide access to encrypted user data [6].

Apple’s response: it withdrew its Advanced Data Protection feature from the UK entirely rather than comply [6].

This matters for Canada because the UK reached its own bilateral CLOUD Act agreement with the United States in 2019 — the same kind of agreement Canada is currently negotiating [5].

When Foreign Platforms Fail, Other Countries Pay the Price

The sovereignty argument is about legal jurisdiction. But the trust argument is also about what has already happened when foreign-controlled platforms fail and people in other countries get dragged into it.

23andMe is one example. In 2025, the Office of the Privacy Commissioner of Canada and the UK Information Commissioner’s Office publicly intervened in the company’s U.S. bankruptcy proceedings because the sale process could expose highly sensitive customer information — including DNA samples, genetic data, addresses, and payment details — to an unknown buyer under U.S. bankruptcy law [7]. The pressure from Canadian and UK regulators was significant enough that the U.S. court appointed a Consumer Privacy Ombudsman specifically to oversee the data handling process. A foreign court — not a Canadian one — was making the final call on what happened to the personal information of hundreds of thousands of Canadians.

And that came after the breach itself. Privacy regulators found that nearly 7 million customers were affected worldwide, including almost 320,000 people in Canada and more than 155,000 in the UK [8]. This is what cross-border data risk looks like in practice. A foreign platform fails, and people in other countries are left dealing with the fallout.

Europe has also shown that even government-level cloud infrastructure is not insulated. In March 2026, the European Commission disclosed that a cyberattack had affected the cloud infrastructure hosting its Europa web platform, with early findings suggesting data had been taken [9]. The lesson is the same: concentration creates exposure, and externalized infrastructure can still become the weak point.

“Canadian Servers” Is Not the Same as “Canadian Sovereignty”

The Sovereignty Gap

Data residency is about where the hard drive sits. Data sovereignty is about whose courts hold the keys to that drive. If the owner is American, the key is in Washington — regardless of where the drive is plugged in.

This is the most common and most dangerous misconception in Canadian cloud strategy today. Businesses see a “Canadian data centre” option on a U.S. cloud provider’s pricing page and assume they’ve solved the problem. They haven’t.

The distinction is between data residency — where data is physically stored — and data sovereignty — who has legal authority over it and under what law [2][3].

An Ontario court ruling from September 2024 illustrates this perfectly. The Ontario Court of Justice ordered OVHcloud’s Canadian subsidiary to hand over subscriber data stored on servers in France, the UK, and Australia — to the RCMP, as part of a criminal investigation. OVH argued its Canadian subsidiary had no access to data held by its foreign entities and that disclosure would violate French law. The court ruled anyway, asserting that jurisdiction follows presence and operation in Canada, not server location [10]. OVHcloud has since filed for judicial review to challenge the decision — placing the company in the difficult position of being caught between a Canadian production order and European privacy law. The legal battle is ongoing, but the precedent is already on the record.

The same logic applies in reverse: if a U.S. company operates and offers services in Canada, U.S. authorities can approach the parent company’s American headquarters and seek production through U.S. legal channels. The border doesn’t matter. Where you operate does [2][10].

What True Canadian Sovereignty Actually Requires

The Government of Canada’s own white paper on data sovereignty is clear: physical location alone is not sufficient protection. For Protected B data — information that, if compromised, could cause serious injury to individuals or organizations, and the classification that covers most healthcare records, legal files, financial information, and Indigenous community data — the risk of foreign extra-judicial access is identified as a primary concern. The paper identifies corporate ownership structure and legal jurisdiction as the critical factors, because a provider subject to foreign law can be compelled by foreign courts regardless of where the servers sit [3].

This creates a significant compliance challenge for local organizations. It means asking not just where your data is stored, but who owns the company storing it, and whether a foreign government could compel them to produce your data via a non-disclosure order — a legal instrument that prevents the provider from notifying the customer that a seizure has even occurred, often indefinitely [2][3][11].

That question has a clear answer when the provider is Canadian-owned, operates exclusively under Canadian law, and has no corporate structure subject to foreign jurisdiction. There is no foreign legal handle. There is no back door. There is no U.S. court that can issue a production order and expect compliance.

This is what Xenolink Data Solutions is built around.

Why Northwestern Ontario Needs This Now

The organizations that have the most to lose from data exposure in this region are exactly the ones that have been underserved by the infrastructure conversation: Indigenous communities and tribal councils holding membership data, land rights information, and health records. Law firms managing client privilege. Accounting practices holding financial records. Healthcare organizations under PHIPA obligations. Municipal governments serving residents.

For Indigenous organizations in particular, this is not only a privacy issue — it is a question of data self-determination. Membership records, land claim documentation, and community health data represent the digital expression of inherent rights that took generations to establish. That information belongs under Canadian law, held by a Canadian provider with no foreign legal exposure.

Much of what these organizations handle falls squarely into the Protected B category. Under the Government of Canada’s own framework, that data warrants a level of sovereignty protection that U.S.-based cloud providers cannot meet without complex, non-standard workarounds that introduce their own risks [3].

These organizations store data of real consequence. They deserve infrastructure that answers to Canadian law — not infrastructure that happens to sit on Canadian soil while answering to American courts.

Xenolink Data Solutions is a Thunder Bay-based, Canadian-owned and operated data centre and cloud hosting provider. We are not a subsidiary. We are not a reseller. Unlike the major providers, we are structured so that your data is not subject to U.S. CLOUD Act jurisdiction. Your data stays in Northwestern Ontario, governed by Canadian law, full stop. We will never use your data to train AI systems. We will never share it with foreign authorities.

The proof that this matters is already public record. The question is what you’re going to do with that information.

References

[1] Server Cloud Canada — “Canadian Cloud, American Control? Why Your Data Needs a Sovereign Home” (April 2025) https://www.servercloudcanada.com/2025/04/canadian-cloud-american-control-why-your-data-needs-a-sovereign-home/

[2] F12.net — “Canadian Cloud, American Control? Why Mid-Market Business Leaders Must Rethink Data Sovereignty in 2025” (April 2025) https://f12.net/blog/canadian-data-sovereignty-midmarket-guide/

[3] Government of Canada — “GC White Paper: Data Sovereignty and the Public Cloud” https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/digital-sovereignty/gc-white-paper-data-sovereignty-public-cloud.html

[4] Barry Appleton — “Whose Law Governs Canadian Data? The CLOUD Act, Executive Agreements, and Digital Sovereignty” (December 2025 / January 2026) https://barryappleton.substack.com/p/whose-law-governs-canadian-data-the

[5] Citizen Lab, University of Toronto — “Canada-U.S. Cross-Border Surveillance Negotiations Raise Constitutional and Human Rights Whirlwind under U.S. CLOUD Act” — Cynthia Khoo & Kate Robertson (February 2025) https://citizenlab.ca/2025/02/canada-us-cross-border-surveillance-cloud-act/

[6] Reuters — “Apple pulls data protection tool in UK after government demands backdoor” (February 2025) https://www.reuters.com/technology/apple-removes-advanced-data-protection-uk-2025-02-21/

[7] Office of the Privacy Commissioner of Canada / UK ICO — Joint intervention in 23andMe U.S. bankruptcy proceedings (May 2025) https://www.priv.gc.ca/en/opc-news/news-and-announcements/2025/nr-c_250501_uk/ https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/05/ico-calls-for-protections-for-23andme-customer-data/

[8] Office of the Privacy Commissioner of Canada — Summary of joint investigation into the 23andMe data breach (June 2025) https://www.priv.gc.ca/en/opc-news/news-and-announcements/2025/bg_23andme_250617/ https://www.priv.gc.ca/en/opc-news/news-and-announcements/2025/nr-c_250617/

[9] European Commission — Commission response to cyberattack on Europa web platform (March 2026) https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_26_748/IP_26_748_EN.pdf

[10] The Register — “Canadian court orders OVH to hand over data stored in Europe” (2025) https://www.theregister.com/2025/10/01/ovhcloud_canada_court_order/ heise online — “Kanadisches Gericht verpflichtet OVHcloud zur Herausgabe europäischer Kundendaten” (2025) https://www.heise.de/news/Kanadisches-Gericht-verpflichtet-OVHcloud-zur-Herausgabe-europaeischer-Kundendaten-10002234.html

[11] Osler, Hoskin & Harcourt LLP — “Data Sovereignty in Light of the CLOUD Act: Back to the Future?” (November 2025) https://www.osler.com/en/insights/updates/data-sovereignty-in-light-of-the-cloud-act-back-to-the-future/

Xenolink Data Solutions — Thunder Bay, Ontario. Canadian-sovereign cloud hosting, colocation, and managed IT services for Northwestern Ontario organizations. Contact us at xenolink.ca to start the conversation.
