As the goal of data sovereignty gains in importance, the measures, legal and technological, to realize it come into focus. The starting point is set by The Honourable Evan Solomon, Minister of Artificial Intelligence and Digital Innovation at the Montréal All-In Summit, on September 24, 2025:
"Sovereign compute, sovereign cloud, is not just a slogan. It is a mission. And it means Canadian data, not all Canadian data, the key sensitive data, stays under Canadian law, safeguarded in Canadian controlled data centres."
This article expands upon the privacy law implications of a Canadian controlled data centre, through three distinctive legal advantages:
- Staying outside the scope of the US CLOUD Act;
- Meeting data residency requirements of government and private procurement;
- Benefiting from the authorized flow of personal data between Canada and the EU, EEA, UK and other countries with adequacy status from the EU Commission.
1. Staying outside the scope of the US CLOUD Act
The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) causes such concern that, as a first step, we must describe its scope. We refer to the essential parameters:
- Territorial scope – covered entities:
  - The CLOUD Act applies exclusively to entities subject to US jurisdiction with possession, custody or control over data being sought, which could include US based companies, regardless of where the data is stored (inside or outside the US) and foreign companies established or that conduct significant business in the US or otherwise fall under US legal jurisdiction.
  - A foreign subsidiary of a US parent company, established outside the US is also caught where the parent exercises substantial control over the foreign company's operations, meaning that there are significant operational integrations between the parent company and the foreign based subsidiary's operations such that the parent has possession, custody or control over the data being sought.
- Material scope – extraterritorial lawful access and bilateral access agreements:
  - The CLOUD Act brings two legislative changes. The first extends the territorial jurisdiction of US authorities:
    - It creates the right for US authorities to exercise lawful access requests to any data that is within the possession, custody or control of a covered entity, even if the physical location of the data is outside the United States.
    - Where the data is held in the US, the company may challenge the requests based on US laws. If the data is held abroad, the entity may, under certain circumstances, also challenge the request based on the laws of the country of storage.
  - The second change provides for the negotiation of bilateral executive agreements between the US and another country with robust privacy and civil liberties protections, whereby:
    - The parties grant each other reciprocal rights to request access to data, removing current jurisdictional barriers.
    - The company can only challenge the request based on the law of the issuing state.
    - The Mutual Legal Assistance Treaty process is not engaged.
    - The agreement must not require providers to be able to decrypt data, nor prevent them from doing so.
Only Australia and the UK have concluded an agreement with the US under the CLOUD Act. Canada entered negotiations in 2022, which are still ongoing.
The absence of an executive agreement between Canada and the US under the CLOUD Act means that a Canadian data centre, exclusively under Canadian control, is out of scope of the CLOUD Act. To access any data stored in an exclusively Canadian controlled data centre, the US must go through the Mutual Legal Assistance Treaty process.
That is the first privacy advantage of a Canadian controlled data centre: any personal data it stores is beyond the direct reach of US authorities, protected under Canadian sovereignty.
2. Meeting data residency requirements of government and private procurement
Canadian privacy laws generally do not require data residency of Canadian data, with narrow exceptions, such as the Nova Scotia Personal Information International Disclosure Protection Act applicable to personal data held by provincial public institutions and provisions in some provincial personal health information protection laws. The Québec Act respecting the protection of personal information in the private sector, while having always imposed the condition of assurance of data protection, was amended in 2021 to require a formal privacy impact assessment to establish whether the data would receive adequate protection through the transfer.
Governmental and corporate policies may impose "Canadian cloud first" requirements. Public procurement guidelines, such as the British Columbia Privacy and Cloud: Guidance for MPOs, the City of Toronto Information Management – Data Residency for Cloud Technology or Canada's Direction for Electronic Data Residency, and contractual clauses required in business service agreements show a growing assertion of data sovereignty through data residency requirements.
With the CLOUD Act, meeting the intent of such data residency requirements requires a Canadian controlled data centre.
That is the second privacy advantage of creating a Canadian data centre.
3. Benefitting from adequacy status from the EU Commission
The European Union (EU) General Data Protection Regulation (GDPR), applicable to the EU and the European Economic Area (EEA), and the UK GDPR prohibit cross-border transfer of personal data without authorization, unless the recipient state is deemed to have "adequacy status" by decision of the European Commission, for the EU, and the UK Secretary of State, for the UK. Canada enjoys adequacy status in relation to the Personal Information Protection and Electronic Documents Act. The United States and the EU have concluded the EU-US Data Privacy Framework, under which US companies that adhere to the Framework can benefit from the authorized flow of personal data from the EU and the EEA. It only applies to those companies, however, and the legality of the Framework is currently challenged before the Court of Justice of the European Union. The UK also recognized the Framework to allow transfer of personal data to the US.
Countries enjoying EU adequacy status afford the same benefits to the other EU adequate countries.
Because the Personal Information Protection and Electronic Documents Act (PIPEDA) has been granted adequacy status, the transfer of personal data to Canada is allowed from the EU, EEA, UK and all other countries that recognize EU adequacy status to allow cross-border data transfers. The issue does not arise where the country generally allows the transfer of personal data across borders, the US being one of them.
This is the third privacy advantage of a Canadian controlled data centre: it can receive personal data from the main markets.
4. Creating a sovereign Canadian cloud data centre in relation to the US
Corporate structure is key to sovereignty of a data centre in relation to the US. This may be achieved with:
- No corporate or contractual control by an entity subject to US jurisdiction: Control means that the entity subject to US jurisdiction has the right to access or direct production of corporate data whether through board-level policies, unilateral directives, shared credentials or "books and records" clauses that extend to tenant data. The point is to ensure that the entity subject to US jurisdiction does not, directly or indirectly, have possession, custody, or control of the Canadian held data. This also applies to affiliates and subsidiaries.
- Operational segregation: Segregation means administration, identity and encryption key management reside entirely in Canada under the Canadian entity, with technical and organizational measures preventing the entity subject to US jurisdiction from accessing Canadian held data. If the entity subject to US jurisdiction can still compel the subsidiary to surrender keys, it may still have custody or control of the Canadian held data.
- Limiting US contacts: The Canadian entity must have no US offices, agents for service or targeted US marketing, as the business model allows, so that the Canadian entity does not fall within US jurisdiction.
As the 2025 federal budget provides for Canada's investments in "the development of a Sovereign Canadian Cloud," significant opportunities appear for the creation of Canadian data centres.