Microsoft Admits: US Law Supersedes Canadian Sovereignty
Microsoft representative says US CLOUD Act comes before other country's sovereignty
Canadian Cyber in Context is sponsored by
All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.
On June 10, 2025, France’s Senate held a hearing as part of its study on the role of procurement in promoting data sovereignty. Microsoft France’s Director of Public and Legal Affairs, Mr. Anton Carniaux, was invited to provide testimony and answer questions from Senators. During the hearing, Mr. Carniaux was asked if he could guarantee that data from French citizens could not be transmitted to United States authorities without the explicit authorization of French authorities.
Mr. Carniaux said that he could not guarantee this.
In other words, if the United States were to issue a legal request to Microsoft for the data of a French citizen hosted in the EU, Microsoft would comply regardless of French or EU law. We can assume that this is irrespective of country, as France and the EU have some of the strictest data protection laws in the world and the US law they are talking about is the United States CLOUD Act. As a result, the data of Canadians who use Microsoft or other products from US-based corporations could have their data provided to the United States government, and there is nothing they nor the Government of Canada can do.
Microsoft France’s response has been that they have strong, rigid legal processes to contest unfounded or potentially illegal or unconstitutional requests by the United States government. However, this response to France’s concern amounts to little more than, “Trust us.” This removes the autonomy and sovereignty of France, Canada, and all other countries, allowing them to control the data used in their respective countries according to their practices and laws.
The Government of Canada defines data sovereignty as “Canada’s right to control access to and disclosure of its digital information subject only to Canadian laws.” Broadly, data sovereignty concerns all data in Canada and from Canadians should be first subject to Canadian law first and foremost, not another country’s.
Microsoft’s statement means that if they receive a valid legal request from the United States government for data on a Canadian residing on a Microsoft server or infrastructure in Canada, Microsoft will respond to the request without receiving permission from Canadian authorities.
Why is this a concern?
United States-based tech companies, such as Microsoft, Amazon, and Google, and their products play a role in nearly every aspect of our daily lives, whether through software, hardware, Internet hosting, or other means. Under the United States CLOUD Act, the United States government can compel US-based companies to provide data to the government regardless of where the data is stored. The testimony from Microsoft France’s representative has confirmed that this supersedes all other international and domestic laws.
In short: Microsoft will listen to the United States government regardless of Canada or and other country’s domestic laws.
Previously, Canada and others have adopted data residency requirements, which require certain data to be hosted in Canada. There was a belief that this was enough to protect Canada’s sovereignty and our people, but with the United States CLOUD Act and an adversarial United States administration, the conditions have changed. Despite these efforts, there have always been concerns that Microsoft and others would ignore data residency. Microsoft has now confirmed that it does not care about data residency or other countries’ sovereignty.
Does this affect the Federal Government and Military?
Yes.
It appears that it does not matter if the target is an individual, organization, or government. As long as the legal request is considered valid in the United States, the target or location of the data does not matter. As an example, the Department of National Defence and Canadian Armed Forces make significant use of Microsoft 365. They have their own defence-tailored instance called Defence 365, which serves as a common cloud infrastructure for collaboration across DND/CAF, with stakeholders and other government departments. In theory, any data on or using Microsoft or a US-based organization’s products and infrastructure which is not isolated from the Internet could be subpoenaed by the United States government.
The current United States administration has shown to base a significant amount of its foreign and economic policy on dubious or false pretenses with little basis in rational, informed evidence or reality. As a result, we cannot expect that all legal requests received by Microsoft or other tech giants will be evidence-based or rational. Thus, this revelation represents a significant risk to the Government of Canada and its military.
Can Canada and Others Say No?
In theory, yes. But there are a few problems with this.
Canada could say no, but if the information is hosted on Microsoft servers, then Microsoft would likely be able to retrieve this information without the Canadian government knowing. So the user and government will not know unless the United States government or Microsoft informs them. Even in such a case where the user or Canadian government/authorities were informed, it would more or less be, “This is happening, and there’s nothing you can do. Your issue is with the United States government, not us.”
In more controlled, secure data environments, it would be more difficult for Microsoft to retrieve this data without some indication informing the user. The best case would be to have your data encrypted, which is required for the Canadian military and most of the government. If your data is encrypted, then the United States government would have to attempt to crack the encryption to access the data forcefully. Sufficiently strong encryption can make cracking almost impossible, but the risk is that even non-Trump United States administrations have gone to extraordinary lengths to access encrypted data. In such a scenario, the United States government would not simply stop if it found that the data it wants is encrypted.
Ultimately, the only likely way to avoid the risk of US legal requests superceding Canadian or other international law is not to use the products of US-based organizations or to keep them disconnected entirely from the Internet.
Takeaway
This admission from Microsoft France has reaffirmed the importance of data sovereignty and renews concerns about Canada’s ability to trust Microsoft or other non-Canadian companies to provide reliable and secure cloud services. This is likely to add to the growing calls for Canada to develop a sovereign cloud capability, reducing its reliance on major cloud hosts, the majority of which are US-based.
I have not heard anything related to the government’s actual interest concerning investment in a sovereign cloud capability, but this news and an understanding that data residency will only get Canada so far and must motivate a change in approach.
August 15: This article was updated to include additional context on the importance of encryption.
I believe a similar risk is associated to foreign satellite networks such as Starlink and Oneweb.
Starlink, which is U.S.-owned, may be compelled to provide Canadian user data to U.S. authorities under FISA Section 702 and Section 2713 of the U.S. CLOUD Act —even if the data is transmitted or stored in Canada.
OneWeb is subject to UK laws that could impact Government of Canada data sovereignty, particularly the Investigatory Powers Act 2016 (IPA) and the UK-U.S. Data Access Agreement under the U.S. CLOUD Act
Telesat Lightspeed on the contrary is Canadian-owned and operated, and supports Government of Canada data security, residency and sovereignty. Telesat is a Canadian company, ensuring that the satellite network is governed by Canadian laws, policies, and oversight
This post raises an important issue, but it actually overstates the protection granted by encryption in this context.
Most Microsoft services (Outlook, Word, Excel, Teams, etc) do not offer full end-to-end encryption (E2EE) [0]. Instead, data is encrypted during storage ("at rest") and transmission ("in transit"), but ultimately Microsoft still controls the keys, meaning it could simply access the data if compelled under U.S. law - no cracking would be required. [1] [2]
Even if it was feasible to implement stronger models like "Hold Your Own Key," doing so for government systems could be incompatible with record-keeping legal requirements.
A system that truly splits control of infrastructure and encryption keys between two organizations doesn’t really exist for modern cloud-based productivity tools. As long as Microsoft either owns or effectively controls the keys, encryption is not a true barrier to access.
[0] https://www.cloudflare.com/learning/privacy/what-is-end-to-end-encryption
[1] https://learn.microsoft.com/en-us/purview/customer-key-overview
[2] https://learn.microsoft.com/en-us/purview/ome-faq