Microsoft Admits: US Law Supersedes Canadian Sovereignty
Microsoft representative says US Cloud Act comes before other countries' sovereignty
All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.
On June 10, 2025, France’s Senate held a hearing as part of its study on the role of procurement in promoting data sovereignty. Microsoft France’s Director of Public and Legal Affairs, Mr. Anton Carniaux, was invited to provide testimony and answer questions from Senators. During the hearing, Mr. Carniaux was asked if he could guarantee that data from French citizens could not be transmitted to United States authorities without the explicit authorization of French authorities.
Mr. Carniaux said that he could not guarantee this.
In other words, if the United States were to issue a legal request to Microsoft for the data of a French citizen hosted in the EU, Microsoft would comply regardless of French or EU law. We can assume that this is irrespective of country, as France and the EU have some of the strictest data protection laws in the world and the US law they are talking about is the United States Cloud Act. As a result, Canadians who use Microsoft or other products from US-based corporations could have their data provided to the United States government, and there is nothing they or the Government of Canada can do.
Microsoft France’s response has been that they have strong, rigid legal processes to contest unfounded or potentially illegal or unconstitutional requests by the United States government. However, this response to France’s concern amounts to little more than, “Trust us.” This removes the autonomy and sovereignty of France, Canada, and all other countries to control the data used in their respective countries according to their own practices and laws.
The Government of Canada defines data sovereignty as “Canada’s right to control access to and disclosure of its digital information subject only to Canadian laws.” Broadly, data sovereignty means that all data in Canada and from Canadians should be subject to Canadian law first and foremost, not another country’s.
Microsoft’s statement means that if they receive a valid legal request from the United States government for data on a Canadian, residing on a Microsoft server in Canada, Microsoft will respond to the request without receiving permission from Canadian authorities.
Why is this a concern?
United States-based tech companies, such as Microsoft, Amazon, and Google, and their products play a role in nearly every aspect of our daily lives, whether through software, hardware, Internet hosting, or other means. Under the United States Cloud Act, the United States government can compel US-based companies to provide data to the government regardless of where the data is stored. The testimony from Microsoft France’s representative has confirmed that this supersedes all other international and domestic laws.
In short: Microsoft will listen to the United States government regardless of Canada’s or any other country’s domestic laws.
Previously, Canada and others have adopted data residency requirements, which require certain data to be hosted in Canada. There was a belief that this was enough to protect Canada’s sovereignty and our people, but with the United States Cloud Act and an adversarial United States administration, the conditions have changed. Despite these efforts, there have always been concerns that Microsoft and others would ignore data residency. Microsoft has now confirmed that it does not care about data residency or other countries’ sovereignty.
Does this affect the Federal Government and Military?
Yes.
It appears that it does not matter if the target is an individual, organization, or government. As long as the legal request is considered valid in the United States, the target or location of the data does not matter. As an example, the Department of National Defence and Canadian Armed Forces make significant use of Microsoft 365. They have their own defence-tailored instance called Defence 365, which serves as a common cloud infrastructure for collaboration across DND/CAF, with stakeholders and other government departments. In theory, any data on or using Microsoft or a US-based organization’s products and infrastructure which is not isolated from the Internet could be subpoenaed by the United States government.
The current United States administration has been shown to base a significant amount of its foreign and economic policy on dubious or false pretenses with little basis in rational, informed evidence or reality. As a result, we cannot expect that all legal requests received by Microsoft or other tech giants will be evidence-based or rational. Thus, this revelation represents a significant risk to the Government of Canada and its military.
Can Canada and Others Say No?
In theory, yes. But there are a few problems with this.
Canada could say no, but if the information is hosted on Microsoft servers then Microsoft would be able to retrieve this information without the Canadian government knowing. So the user and government will not know unless the United States government or Microsoft informs them. Even in such a case where the user or Canadian government/authorities were informed, it would more or less be, “This is happening and there’s nothing you can do. Your issue is with the United States government, not us.”
In more controlled, secure data environments, it would be more difficult for Microsoft to retrieve this data without some indication informing the user. However, the only likely way to avoid the risk of US legal requests superseding Canadian or other international law is to not use the products of US-based organizations or to keep them disconnected entirely from the Internet.
Takeaway
This admission from Microsoft France has reaffirmed the importance of data sovereignty and renews concerns about Canada’s ability to trust Microsoft or other non-Canadian companies to provide reliable and secure cloud services. This is likely to add to the growing calls for Canada to develop a sovereign cloud capability, reducing its reliance on major cloud hosts, the majority of which are US-based.
I have not heard anything related to the government’s actual interest concerning investment in a sovereign cloud capability, but this news, and an understanding that data residency will only get Canada so far, must motivate a change in approach.
I have assumed this to be the case - thank you for verifying it. Data sovereignty is now a major issue - as I have been saying for six months at least.
I believe a similar risk is associated with foreign satellite networks such as Starlink and OneWeb.
Starlink, which is U.S.-owned, may be compelled to provide Canadian user data to U.S. authorities under FISA Section 702 and Section 2713 of the U.S. CLOUD Act, even if the data is transmitted or stored in Canada.
OneWeb is subject to UK laws that could impact Government of Canada data sovereignty, particularly the Investigatory Powers Act 2016 (IPA) and the UK-U.S. Data Access Agreement under the U.S. CLOUD Act.
Telesat Lightspeed on the contrary is Canadian-owned and operated, and supports Government of Canada data security, residency and sovereignty. Telesat is a Canadian company, ensuring that the satellite network is governed by Canadian laws, policies, and oversight.