In March 2018, the United States passed the Clarifying Lawful Overseas Use of Data Act — the Cloud Act — and most Canadian business owners have never heard of it.
What the Cloud Act Does
Before the Cloud Act, cross-border data requests required a Mutual Legal Assistance Treaty (MLAT) process — slow, bilateral, and governed by diplomatic channels. The Cloud Act changed this. It allows US federal law enforcement to serve a warrant directly on a US-based technology company and compel that company to produce data stored anywhere in the world. No notification to the foreign government. No Canadian court order required.
Countries with CLOUD Act Executive Agreements (as of 2024-2025)
The United States has entered executive agreements with six countries:
- United Kingdom
- Canada
- Australia
- Ireland
- Mexico
- New Zealand
These agreements allow for reciprocal data access between the U.S. and these countries for investigations, subject to privacy and civil liberty safeguards.
Which Companies Does This Apply To?
- Amazon Web Services (AWS)
- Incorporation: Delaware, USA
- Operations in Canada: Yes (AWS Canada regions in Montréal and Calgary)
- Microsoft Azure (including OneDrive, Teams, and Office 365)
- Incorporation: Washington State, USA
- Operations in Canada: Yes (Canada Central and Canada East regions)
- Google Cloud (including Gmail, Google Drive, and YouTube)
- Incorporation: Delaware, USA
- Operations in Canada: Yes (Two Canadian regions)
- Dropbox
- Incorporation: California, USA
- Operations in Canada: Yes (Services accessible; data may be stored in U.S. or partner locations)
- Box
- Incorporation: California, USA
- Operations in Canada: Yes (Services accessible)
- Slack (owned by Salesforce)
- Incorporation: Delaware, USA (via Salesforce acquisition)
- Operations in Canada: Yes (Services accessible)
- HubSpot
- Incorporation: Massachusetts, USA
- Operations in Canada: Yes (Services accessible)
- Salesforce
- Incorporation: California, USA
- Operations in Canada: Yes (Data centers and offices in Toronto and Vancouver)
- Zoom Video Communications
- Incorporation: Delaware, USA
- Operations in Canada: Yes (Services accessible; data centers in North America)
- QuickBooks Online (Intuit)
- Incorporation: California, USA
- Operations in Canada: Yes (Services accessible to Canadian users)
Key Takeaway: All the companies listed above are incorporated in the United States. Therefore, under the CLOUD Act, they are legally obligated to comply with U.S. warrants and subpoenas for data they possess, control, or custody—even if that data is physically stored on servers located in Canada.
What the Cloud Act Doesn’t Require Providers to Tell You
Providers are often bound by gag orders. A request could be served, data produced, and you would never know it happened.
Does PIPEDA Block This?
No. PIPEDA governs Canadian organizations. It does not and cannot govern what a US court orders a US corporation to do.
What Actual Protection Looks Like
The only structural protection against Cloud Act reach is to store your data with a company not subject to US jurisdiction — incorporated under Canadian law, with no US parent company, subject exclusively to Canadian courts. When you ask a provider where their parent company is incorporated, you are asking the question that matters most.
