Microsoft and American Hyperscalers Refuse to Accept Reality About Canadian Digital Sovereignty
Microsoft and American information technology corporations have completely lost the plot on Canadian digital sovereignty
Support Canadian Cyber in Context through sponsorship/advertisement or upgrade to paid membership.
In late April 2026, Microsoft invited a group of 50+ Canadians to hear a briefing on Microsoft’s approach to protecting Canada’s digital/data sovereignty. This group included other researchers and academics, lawyers, industry leaders, thought leaders, and me. As a result of participating in this brief, this article will often speak directly to Microsoft, but much of it applies to other American hyperscalers, including Google and Amazon Web Services. For a more point-by-point breakdown, I recommend reading Brent Arnold’s, aka the Cyber Lawyer and the slides to Microsoft’s briefing are included at the end.
The goal of the session was to discuss and “clarify” the US CLOUD Act and how Microsoft handles Canadian data, particularly in the event of legal requests from law enforcement, the role of cybersecurity, and Microsoft’s efforts to advance Canadian digital sovereignty.
Microsoft stresses that these briefings are meant to clear up misunderstandings of how Microsoft protects Canadian data and clarify its response to the US CLOUD Act. However, these presentations are deliberately crafted and intended to increase trust in Microsoft. They are very careful with the data presented, focusing on how Microsoft wants you to understand the issue rather than addressing concerns about Canada’s digital sovereignty. However, a central misunderstanding in the briefing was the assumption that Canada’s relationship with the United States has remained unchanged since January 2025.
On the contrary, Canadians’ trust in the United States has steadily declined under the current US administration. Approximately 60% of Canadians believe Canada can never trust the United States again. The reality is that Canadians no longer trust the United States, and US corporations are caught in the middle. Canada’s ability to trust Microsoft and other hyperscalers is fundamentally linked to a decline in trust in the United States. A failure to recognize this new reality will mean American hyperscalers pose a risk to Canadian digital sovereignty.
What’s the Context?
Last year, Canada’s close relationship with the United States was forever broken by an unhinged United States administration. This new and unfriendly United States means that Canada must dramatically change its approach and come to terms with the new reality of an undemocratic, authoritarian United States. In June 2025, Microsoft France’s Director of Public and Legal Affairs, Mr. Anton Carniaux, was invited to provide testimony and answer questions from Senators. During the hearing, Mr. Carniaux was asked whether he could guarantee that data from French citizens would not be transmitted to United States authorities without the explicit authorization of the French authorities.
Mr. Carniaux said that he could not guarantee this. This also applies to Canada.
Although Canada and many other countries were already concerned about the United States’ extraterritoriality, which could supersede local laws, this hearing was a massive wake-up call for Canada and other countries that rely on US hyperscalers for their software, cloud, and broader information technology needs. Since then, Canada has increasingly pursued and investigated ways to increase its digital sovereignty and reduce reliance on United States corporations.
In September 2025, Prime Minister Carney even suggested that the Major Projects Office (MPO) may consider a sovereign cloud as a future project. Two months later, in November, the Prime Minister’s Office confirmed that sovereign cloud was indeed one of the projects it was to examine. However, no additional details have been released since this time. While Cabinet and Minister Evan Solomon continue to broker investments that do little to advance Canadian digital sovereignty and amount to platitudes, the bureaucracy is actually doing the hard work to figure out how the Government of Canada could advance digital sovereignty and sovereign cloud.
Shared Services Canada (SSC) and Public Services and Procurement Canada (PSPC) have been releasing a series of requests for information (RFIs) concerning sovereign public cloud capabilities. Increasingly, it is clear that the purpose of these RFIs is to determine and understand the current state of Canada’s cloud and data centre industry to support Canadian sovereign cloud. Thus far, much of the data and information is turning out exactly as many of us already anticipated. There is a lot of potential in Canadian cloud and data infrastructure for small- and medium-sized businesses, particularly in niche and specialized services, but none can provide such services at scale to the level of American hyperscalers like Microsoft, Google, and Amazon Web Services in Canada.
This means that Canada is unable to quickly adopt alternative products or services without considerable difficulty or reliance on other non-Canadian corporations. As a result, in the short term things will not change all too much, but long term strategic planning and investment is needed to reduce the risks of reliance on American corporations and increase domestic capacity and capabilities for information technology, particularly in cloud and data centre infrastructure.
Despite this, the growing frustration and declining trust have worried the hyperscalers, and for good reason. enough that Microsoft announced $19 billion work of investments
What is Digital Sovereignty?
A comprehensive definition and breakdown of digital sovereignty is outside the scope of this. For this, I recommend reading Chapter 1 of the Canadian Shield Institute’s Foundations of Digital Sovereignty.
But it is helpful to have an accepted understanding of what we are talking about. A state’s sovereignty is not a black-and-white concept but a complex instrument that is constantly negotiated and tested. A good analytical framework for understanding sovereignty is TRAC: Territory, Recognition, Authority, and Control.
For a country to have sovereignty, it needs:
Territory that is controlled by the country.
Recognition by its people, other countries, and international actors.
Authority to govern the territory.
Control over the country/territory
If you do not have these, then your country’s sovereignty is in question. However, sovereignty is not a checklist. Sovereignty, digital or otherwise, is constantly being redefined and given up in exchange for some benefit to the state. However, Canadians are no longer comfortable with the extent to which our digital sovereignty has been surrendered.
Digital Sovereignty is About Trust
Up until January 2025, Canadians were relatively comfortable with giving up some level of digital sovereignty for convenience and access to United States technologies and markets. In September 2025, 60% of Canadians reported believing that Canada can never trust the United States again. The trust continues to decline, and Canadians are no longer satisfied with the existing relationship. As Canadians’ trust in the United States continues to decline, many US corporations will be caught in the middle. This is a direct result of the actions of the current United States administration, which has been, in part, fueled by many corporations’ tacit support and endorsement.
I am in no way sympathetic to these multi-billion dollar corporations, but they need to recognize that they cannot have their cake and eat it too. If they want to truly support Canadian digital sovereignty, American hyperscalers must make the tough decisions to show concretely and without how they will support Canada in the face of US sanctions and or potential military aggression. Thus far, most have talked around the issue and stated they hope things do not come to that and they will work to ensure needs are met. This doesn’t address Canadian digital sovereignty or build trust. This specifically avoids the issue and shows that American hyperscalers refuse to accept the reality of the situation.
Since January 2025, the United States have taken many actions that we would never had expected prior and such events continue to happen. As a result, Canada must adjust its approach to these new risks and reality. Any American corporation which fails to understand this and tries to convince Canada otherwise is refusing to accept reality and cannot be trusted any more than the current United States administration.
Fortunately, sovereignty is not a static construct, and improving digital sovereignty is possible. However, it depends on which area you want to strengthen. For example, significant attention is currently being paid to improving Canada’s data sovereignty by increasing its domestic capacity for cloud software and data centre infrastructure. Although this would give Canada an increased amount of control over its data, there remain many layers of software and hardware, from operating systems to network switches, that mean a complete, clean Canadian digital stack is not possible. That doesn’t mean we can’t direct policy and investments to strengthen key areas of information technology and Canadian digital sovereignty.
At the end of the day, digital sovereignty concerns a country’s ability to use digital tools and technologies in accordance with the laws and customs of its country and place of residence. Canadians want to be able to trust the technology and services that they use
Will the US Target Canadians using Hyperscalers?
Since the first half of 2025, the Canadian policy and media landscape has been filled with article after article about the threat posed by United States corporations to Canadian digital sovereignty, including my very own, often focusing on the US CLOUD Act. Due to this focus on the US CLOUD Act, many American hyperscalers have focused on responding specifically to concerns about the US CLOUD Act. However, the root of the problem is not the US CLOUD Act, which is only a streamlining mechanism. The problem is the lack of trust in the United States using the law as it is meant, and concerns that Canada’s reliance on American information technology will be used against us.
This is not a future concern; this is already happening. On May 4, Wired broke news that the United States Department of Homeland Security is demanding that Google surrender data on a Canadian’s activity and location due to anti-ICE posts. The individual has not been to the United States in over 10 years and has not exported or imported anything from the United States during the periods being examined, but Homeland Security is attempting to compel Google to provide this data by citing the Tariff Act of 1930.
As a result, any claim by Microsoft or others which presumes that the socio-political and legal relationship between Canada and the United States is the same are completely out of their depth. Some, like Microsoft, will claim that Canada is “over-indexing” on concerns related to the United States, but this incident with Google instead shows that Microsoft is not addressing this enough. If anything, Microsoft is being willfully ignorant and shows it cannot be trusted by refusing to recognize the breakdown of democratic and legal norms in the United States.
What Hyperscalers Don’t Understand
There are many reasons not to trust Microsoft, but what Microsoft and many others fail to recognize is that the new issues of trust in American hyperscalers do not entirely lie with the corporations themselves. Canada’s trust in the United States changed in January 2025, and Microsoft happens to be caught in the middle. How many of these corporations have supported the current United States administration and continue to tacitly support American adversarial and aggressive behaviour, ultimately will determine if that corporation can be trusted. Thus far, American hyperscalers have not behaved in a way that would instill such trust.
Microsoft’s response so far suggests that everything is business as usual and that there has been little to no change in the United States. By failing to acknowledge that Canada cannot currently trust the United States as it did before January 2025, it digs itself into a hole and instills distrust among Canadians. Refusing to understand and adjusting accordingly suggests one of two things:
Microsoft believes that the United States is just as trustworthy and predictable, and can be trusted to act rationally.
Microsoft understands these changes but refuses to fully address them, attempting to gaslight Canadians into believing their data is safe to preserve its market share.
Neither of these is a good thing and suggests that Microsoft cannot be trusted with Canadian digital sovereignty.
In many ways, Microsoft and the other American hyperscalers are in a lose-lose situation, and trying to preserve the status quo will only hurt them. Further, Microsoft’s efforts to convince Canadian experts and leaders that nothing has changed and to trust in the status quo is potentially dangerous for Canada.
Technical Safeguards are a Last Resort
Amid discussion of digital sovereignty, too little attention is paid to technical controls and protections, for both good and bad reasons. Yes, we can have encryption, air-gaps, compartmentalization, and additional security controls that limit how much cloud corporations can access our data or disrupt them. This can help ensure that, if the United States were to undertake malicious legal action against Canada or a Canadian citizen, there would be some layers of protection in place. However, these are all one part of the equation with their own limits and downsides.
If technical safeguards were the only thing between us and malicious use or disruption, then Canada would have zero concerns about using Chinese-made equipment. The problems arise in the full use of the ecosystem, where concerns about governance and control can impact the overall system. While technical safeguards are certainly in place and are one part of the protections for Canadians, that does not negate the legal and political dimensions. Which, in some cases, could compromise the technical safeguards if a corporation is pressured to do so and complies. At worst, it would still mean disruption of technology in large parts of Canadian society.
We need the technical controls and safeguards. But what good are those safeguards if we cannot trust the corporation setting them up in the first place? Technical controls should be the last resort and do not resolve digital sovereignty concerns. Instead, they simply allow us to maintain a basic level of trust in the existing system’s integrity while giving Canada time to plan and invest in efforts to increase Canada’s digital sovereignty and reduce our risk exposure by transitioning to more trustworthy products and services, particularly Canadian.
TL;DR - Takeways
Canadian’s acceptance of reduced Canadian digital sovereignty has dramatically changed since January 2025. Canada is increasingly concerned with increasing its domestic control and autonomy over its digital products, particularly related to data. The source of this change is growing distrust of the United States administration due to its ongoing hostile behaviour.
By association, Microsoft and American hyperscalers are increasingly distrusted as well. Their insistence on treating current Canadian-United States relations as business as usual does not help prevent this either. Rather, by operating as if the social and political relationship has not changed, it only instills greater levels of distrust and gives the impression that the corporation is either lying to you or trying to trick you.
If American corporations want to rebuild trust with Canada despite the current United States administration, it will require more than promises of $19 billion dollars. Such massive investments do not mean the corporation is committed to Canadian digital sovereignty. All it suggests is that a corporation wants to preserve its market access and share, which are increasingly at risk. If anything, this potentially sends the message that they recognize they are a threat, but want to become so ingrained in Canadian digital society that Canada cannot do anything about it.
This is very much a pessimistic take, but it reflects the reality that Canada’s risk calculus has dramatically changed since January 2025. Canada has to adjust to those new risks from the United States, no matter how small they may be. Adjustments to these new risks seem so major only because Canadians have not had to consider them for over 100 years.
Investments do little to address the threats of the United States administration. To build trust with Canadians despite the current United States administration, it is necessary to take a social and political position siding with Canada over the United States. At the end of the day, will an American corporation support the United States or Canada?
Canadians know the answer when things get tough, and that is why American corporations are a risk, not the answer, to Canadian digital sovereignty.
Thank you for this article and I intend to follow your link on Digital Sovereignty. I infer Minister Solomon is addressing other matters but I am pleased the SSC and PSPC are generating RFI’s etcetera to undertake these subjects. Microsofts assertions to parliamentary committees of “protecting” Canadian data sovereignty ring very hollow.