This is a very geeky post, written for fellow activists responsible for the data their organization collects. For those who are just interested in whether the U.S. government is peeking into their personal affairs, here’s a short summary of what we learned for this post:

Yes, the American government might be peeking into the personal affairs of Canadians. They’ve certainly got the laws to justify their actions (1) (2), and they’re currently negotiating stronger powers that would have serious human rights implications. (4) Many people don’t understand that any information hosted in or passing through the U.S. is vulnerable to surveillance, without notification to you or to the business/organization that is using your data (your emails, your web comments, your memberships, etc.). Not only that, but data hosted within Canada is also vulnerable if the owner of the hosting company you use is American.

So if you’re an “elbows up” kind of person, you should check to see whether your provider is Canadian, with servers located within Canada. Then it might be a good idea to call your MP to find out why there isn’t a law that requires (instead of suggests) that all Canadian services and organizations post disclaimers about the privacy of your data. (5)

 

THIS IS THE GEEKY PART:

Those of us who are responsible for communication and outreach for our organizations are having a confusing time of it these days. The laws are still evolving, and it’s all happening so fast. (4) We’re no experts, but we have posted our research on this page, in the hopes of starting a conversation that will help us all learn. Please contribute in the comments, or email us.

SUMMARY AND RESEARCH

The CLOUD Act allows U.S. law enforcement to access data stored by American companies, even if that data is stored outside the United States. Even Canadian data stored in Canadian data centres owned by U.S. firms (e.g., Microsoft, Google, Apple) is not exempt from U.S. government demands. (1) The CLOUD Act agreement risks subordinating our constitution to U.S. law, and is currently being used in negotiations with the U.S. for a bilateral law enforcement data-sharing agreement that could have serious implications for human rights in Canada. (4)

The USA PATRIOT Act grants U.S. intelligence agencies access to data stored on any U.S.-owned or U.S.-operated server, regardless of where the data is physically located. This means that Canadian data stored on servers owned by American companies can be accessed by U.S. authorities without the knowledge of Canadian individuals or businesses. (1)

Canadian privacy laws like PIPEDA (Personal Information Protection and Electronic Documents Act) do not require Canadian data to be stored exclusively in Canada. However, even when data is stored in Canada, if it is held by a U.S.-owned company, it falls under U.S. jurisdiction via the CLOUD Act and PATRIOT Act. (2)

According to Jacques Latour, Chief Technology Officer at CIRA, “Once your data is transmitted outside Canada’s borders, it is subject to local laws of the country where the data is stored. In the U.S., for example, Canadians have no right to privacy.” (3)

The Office of the Privacy Commissioner (OPC) of Canada has ruled that Canadian organizations can use foreign service providers as long as they inform individuals that their data may be subject to foreign laws and implement measures to protect it. (2)

REFERENCES

1. Office of the Privacy Commissioner of Canada. PIPEDA requirements in brief.

2. Global Media & Internet Concentration Project. Canada’s Network Media Economy: Growth, Concentration and Upheaval, 1984-2023.

3. CanadiansInternet.com. Canadian Website Hosts and the Legal Reasons to Use Them.

4. Cynthia Khoo and Kate Robertson, The Citizen Lab (Munk School, University of Toronto), February 24, 2025. Canada-U.S. Cross-Border Surveillance Negotiations Raise Constitutional and Human Rights Whirlwind under U.S. CLOUD Act.

5. Findlaw.com. Canada’s Privacy Laws vs the USA Patriot Act.

6. https://citizenlab.ca/2025/02/canada-us-cross-border-surveillance-cloud-act/
7. Dean Beeby, CBC News, September 8, 2017. Secret Government of Canada data stored on U.S. servers? Memo raises possibility.

8. Blackbaud.com. US Hosting in compliance with Canadian Privacy Laws.
