Clarifying The Law On Digital And AI Sovereignty

As the race for AI development and adoption accelerates, claims for data sovereignty and concerns about extraterritorial legal reach rise.¹ The pursuit of digital sovereignty is rightfully put in doubt² while it has also become “the watchword driving Canada’s digital policy agenda.”³ The statement by the Treasury Board of Canada Secretariat that “it is impossible for the GC to obtain a state of complete digital sovereignty … due to the absolute interconnected nature of the digital world,”⁴ applies to both government and business. Yet, the necessity for both states and industry to protect their data remains critical. We examine here the law applicable to digital and AI sovereignty to identify the legal measures available to block or, more realistically, manage foreign access to data.

The push for digital sovereignty is global in view of the risk created by the convergence of AI’s powerful data outputs and the centralization of AI development in a few companies and countries. In the European Union (EU), France and Germany have made European digital sovereignty an element of their Franco-German Economic Agenda, including a summit on European digital sovereignty.⁵ The private sector is also engaged, notably through Jolt Capital V, which announced a first closing of €600 million to finance European deep tech companies in fields including semiconductors, applied artificial intelligence and technical software.⁶ In the UK, the government has launched a £500 million Sovereign AI initiative to back homegrown AI companies.⁷ Japan’s allocation of US$9.9 billion toward chip research and development, plus US$3.1 billion for domestic advanced chip production, reflects the same policy direction.⁸ China’s pursuit of “cyber sovereignty,” positing cyberspace sovereignty as an extension of national sovereignty, is well established.⁹

On December 17, 2025, the Government of Canada announced the signing of a memorandum of understanding (MOU) with Coveo Solutions Inc., a Québec-based Canadian applied-AI company specializing in AI-search and AI-relevance technology. Under the MOU, Coveo will assist Shared Services Canada (SSC) and Innovation, Science and Economic Development Canada (ISED) in exploring “the deployment of Canadian-developed, AI-powered enterprise solutions across the Government of Canada.” This agreement implements the government’s commitment in Budget 2025: Canada Strong to procure “made-in-Canada sovereign AI tools for the public service.” The objective is AI sovereignty, with Coveo providing local technological capacity as part of the Government of Canada’s sovereign AI procurement strategy.¹⁰

Digital and AI sovereignty is not merely a matter of investments, capacity building or policy direction. It is also a matter of law, dictating technological specifications, corporate governance structures and protective contractual measures. It engages public international law (defining state sovereignty), conflict of laws rules (governing the exercise of national jurisdiction) and privacy law (regulating cross-border data flows).

For governments, data sovereignty means preserving decision-making power over their data and protecting it from extraterritorial access. For businesses, data sovereignty rules determine their rights and obligations when facing foreign government access requests. Our objective here is to identify the legal requirements of digital and AI sovereignty and the legal measures available to assert it.

1. The notion of “sovereignty”

Public international law defines sovereignty as a state’s exclusive competence over its territory, including land, corresponding subsoil, territorial sea (defined in nautical miles from the shore) and airspace (delimited by vertical extension of land and sea borders).¹¹ Sovereignty thus rests on a spatial legal regime where location is legally determinative. However, in the virtual world of information and communications technology (ICT) and artificial intelligence, delineating sovereignty becomes difficult. Physical digital infrastructure (servers, wireless networks, databases) may be located in one state’s territory, but data processing activities may occur in, or relate to individuals in another state’s territory. Cyberspace has no definite borders. When multiple states have concurrent sovereignty claims over ICT, conflict of laws rules come into play to define the scope of each state’s jurisdiction.

Relevant to data sovereignty, public international law imposes a duty on states to protect their citizens’ human rights.¹² The GDPR provisions governing transfers of personal data outside the European Union, designed “to ensure that the level of protection of natural persons guaranteed by [the GDPR] is not undermined,”¹³ align with this fundamental principle of international law.

2. Rules of conflict of laws governing the scope of jurisdiction

a. Context

While state sovereignty protects a state’s exclusive decision-making powers over its territory, jurisdiction refers to the specific rights, liberties and powers inherent to sovereignty.¹⁴ Some states, such as the UK, US and Australia, apply a presumption against extraterritoriality, meaning that a statute is presumed not to apply extraterritorially unless it explicitly says so or does so by necessary implication. Other states, such as Canada and EU member states, rely on the territorial nexus doctrine, meaning any substantial connection with a state’s territory may bring a matter under that state’s jurisdiction. In the data context, one recurring common factor is whether an entity subject to the forum’s jurisdiction has possession, custody, or control of the data. The doctrines can diverge, however, when data is held in another state.

b. The evolution of jurisdiction over data

Data sovereignty claims in the borderless realm of cyberspace inevitably raise concerns about extraterritorial jurisdictional reach. The first major tension arose with the adoption of the General Data Protection Regulation (GDPR) in 2016, which applies the territorial nexus doctrine. The GDPR asserts jurisdiction over organizations not established in the EU where the processing activities relate to offering goods or services to data subjects in the EU or monitoring their behaviour in the EU.¹⁵

The debate intensified in 2018 when the US adopted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which amended the Stored Communications Act (SCA) to require covered providers of electronic communication service or remote computing service to preserve, back up or disclose data within their possession, custody or control in response to valid US legal process, regardless of whether the data is located inside or outside the US.¹⁶

The latest development raising concern is the September 19, 2025, decision of the Ontario Court of Justice in The King v. OVH,17 which confirmed the application of a production order issued under Canadian law over data held in France. The decision is currently under appeal, but given the urgency surrounding digital and AI sovereignty, the trial court’s reasoning remains highly relevant.

c. The Ontario Court of Justice decision in The King v. OVH

Under Canadian law, jurisdiction extends to any matter with a “meaningful connection” to Canada-including a virtual connection, or in other words, a “real and substantial link.” In Society of Composers, Authors and Music Publishers of Canada v. Canadian Assn. of Internet Providers¹⁸, the Supreme Court of Canada established that a “real and substantial link” does not require a foreign organization to have a physical presence in Canada “because telecommunications occur ‘both here and there’.”¹⁹ The Court identified the key connecting factors of jurisdiction as “the location of the content provider, the end user and the intermediaries, in particular the host server,” noting that “[t]he location of the end user is a particularly important factor.”²⁰ Jurisdiction over internet activities therefore extends beyond territorial borders, with rules on conflict of laws governing its scope.

In The King v. OVH, the Court asserted Canadian jurisdiction over a Criminal Code production order (issued under s. 487.014) requiring subscriber and account data linked to four IP addresses associated with OVH Groupe SA (OVH Parent) and Hébergement OVH Inc. (OVH Canada). The data was held on OVH servers in France, the United Kingdom and Australia. OVH Parent, headquartered in France, has subsidiaries in France, the UK and Australia. The production order was issued in the context of a national security investigation.

OVH Parent operates data centres in Québec and Ontario through OVH Canada, and OVH Canada has technological access to data held by OVH Parent. The validity of the production order turned on three issues: (i) does OVH Canada have “possession or control” over the requested data?; (ii) does the Canadian court have jurisdiction over OVH Parent?; and (iii) do any limitations apply to the extraterritorial application of Canadian law?

Footnotes

1. For purposes of this article, “data sovereignty” refers to legal and operational control over access to data, including foreign-state access; “digital sovereignty” refers more broadly to control over digital infrastructure and capabilities; and “AI sovereignty” refers to the legal, operational and technological capacity to develop, deploy and govern AI systems and related data. Jurisdiction specific statutory terms such as “personal data,” “personal information,” and “bulk US sensitive personal data” are used where the applicable legal regime requires them.

2. Joshua Van Es, Can Canada ever have true digital sovereignty? Globe and Mail, March 25, 2026

3. Michael Geist, The catch-22 of Canadian digital sovereignty, Globe and Mail, December 10, 2025.

4. Digital Sovereignty: A Framework to improve digital readiness of the Government of Canada.

5. Franco-German Economic Agenda, ÉLYSÉE (September 1, 2025), https://www.elysee.fr/en/emmanuel-macron/2025/09/01/ franco-german-economic-agenda.

6. First closing of Jolt Capital V at €600m, JOLT CAPITAL (Nov. 27, 2025), https://www.jolt-capital.com/news/first-closing-of-jolt capital-v-at-600m.

7. AI firms pioneering drug discovery, cheaper supercomputing and more get first backing through UK’s Sovereign AI, GOV.UK (Apr. 16, 2026), https://www.gov.uk/government/news/ai-firms-pioneering-drug-discovery-cheaper-supercomputing-and-more-get first-backing-through-uks-sovereign-ai.

8. Japan Earmarks Extra $9.9 Billion for Chips and AI This Year, Bloomberg

9. Sovereignty in Cyberspace: Theory and Practice (Version 2.0), CYBERSPACE ADMIN. OF CHINA (Nov. 25, 2020), https://www.cac. gov.cn/2020-11/25/c_1607869925296336.htm.

10. La Presse, Coveo aura la tâche de moderniser l’appareil fédéral, December 17, 2025

11. Ian Brownlie Principles of Public International Law at page 109.

12. See, e.g., Guiding Principles on Business and Human Rights, U.N. HUM. RTS. OFF. OF THE COMM’R (2011), https://www.ohchr.org/ sites/default/files/documents/publications/guidingprinciplesbusinesshr_en.pdf

13. Regulation 2016/679 of the European Parliament and of the Council of Apr. 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation, art. 44, 2016bO.J. (L 119) 33 [hereinafter GDPR].

14. Id., at page 110.

15. GDPR, Article 3(2).

16. 18 U.S.C. § 2713.

17. COURT FILE No: 24-000659

18. Society of Composers, Authors and Music Publishers of Canada v. Canadian Assn. of Internet Providers, 2004 SCC 45 (CanLII), [2004] 2 SCR 427

19. Id., at para. 59

20. Id., at para. 37

To read this article in full, please click here.