Frontier AI, the CLOUD Act, and Why the Trade Review Is the Wrong Instrument for the Binding Problem
By Jen Evans, Principal, Pattern Pulse AI; co-founder, Tech Reset Canada; publisher, B2BNN
Paper 15 in the "Whose AI Runs the Government?" series.
Canadian companies and public-sector bodies run their AI and cloud workloads on infrastructure that answers to United States law. The dependency is current, it is broad, and it operates today. Roughly two-thirds of the SaaS tools Canadian organizations use are US-owned and reachable under US legal process, and more than eighty percent of Canadian cloud services run on foreign infrastructure. The Department of National Defence operates on Microsoft 365. The frontier models Canadian enterprises reach for, served through Azure, AWS, and Google Cloud, sit inside the same jurisdictional envelope. This is the operating reality into which the CUSMA joint review opens on July 1.
Two recent papers in this series, Paper 13 on the Palantir call-up and the companion update on the maturation of the threat, both arrived at the CUSMA review as the structured opportunity to put Canadian AI sovereignty on the record. That holds for the trade-law position. It does not hold for the exposure described above, because the instrument that creates that exposure is United States domestic law, and the trade agreement neither reaches it nor, on completion of the review, would constrain it. Treating July 1 as the forcing moment for AI sovereignty mistakes the venue for the problem. The trade review is the venue for the trade position. The binding exposure lives somewhere the trade review cannot go.
The Statute That Travels
The Clarifying Lawful Overseas Use of Data Act, enacted in the United States in 2018, requires providers subject to US jurisdiction to produce data in their possession, custody, or control, regardless of where that data is physically stored. A US-headquartered company holding Canadian data in a Canadian data centre is reachable. The physical location of the server, marketed heavily as the guarantee of sovereignty, is not the controlling fact. The jurisdiction of the company is.
The Act operates along two distinct tracks, and the difference between them is the hinge of this paper. Section 103 authorizes unilateral extraterritorial compulsion: US authorities can compel a covered provider to produce data now, without notification to the affected person and without Canadian judicial review. This track is operational today and requires no agreement with Canada or any other country. Section 105 authorizes a separate mechanism, a bilateral executive agreement under which a partner country's orders can be served directly on US providers without routing each request through the slower mutual legal assistance process, on a reciprocal basis. The United States currently holds Section 105 agreements with the United Kingdom and Australia. Canada and the United States began negotiating one in spring 2022. More than three years later, no agreement is in place, and there is no published timeline for completing it.
The two tracks produce a counterintuitive result that the public conversation about the negotiation has mostly missed. The exposure Canadians face does not depend on the Section 105 agreement. It exists now, under Section 103, agreement or no agreement. The Section 105 agreement does not create the reach. It formalizes a faster channel for it and, depending on its terms, removes the review layer that the mutual legal assistance framework currently provides. The instrument framed as the fix is capable of deepening the exposure instead of closing it.
France Ran the Experiment Under Oath
The strongest available evidence that physical data location does not deliver sovereignty comes from a peer democracy that asked the question directly, under oath, and received an answer.
On June 10, 2025, the French Senate held a hearing on the role of public procurement in digital sovereignty. Anton Carniaux, Director of Public and Legal Affairs at Microsoft France, was asked whether he could guarantee that the data of French citizens stored in Microsoft's cloud would never be transmitted to US authorities without the authorization of French authorities. His answer was direct: "Non, je ne peux pas le garantir." No, he could not guarantee it. Asked whether Microsoft would be obliged to transmit data in response to a properly framed request, he confirmed that it would, while noting that no European public-sector body had been affected in the company's transparency reporting to date.
The detail that makes the testimony decisive for Canada is the nature of the data at issue. The question concerned data stored in France, under a French-marketed sovereign offering. The answer was that the guarantee could not be given regardless. Data residency, the physical fact of keeping data in-country, was conceded by the vendor itself to be insufficient against US legal process. Sovereignty-minded observers across Europe read the moment as the end of the debate about whether the CLOUD Act reaches into Europe. The largest US cloud vendor, speaking under parliamentary oath, confirmed that it does.
The French hearing also surfaced the operational trap that follows. After Microsoft testified, the committee heard from officials about the Health Data Hub, the national health-data platform hosted on Microsoft Azure since 2019 despite a government commitment to repatriate it to a European platform by the end of 2022. The repatriation did not happen, because the ministry concluded no operational European alternative existed. A government that wanted out could not get out, because the sovereign alternative it would have moved to had not been built. The exposure was acknowledged, the intent to exit was on the record, and the capability to act on that intent was absent. That sequence is the one Canada is positioned to repeat.
What the Trade Agreement Actually Constrains
CUSMA's digital trade chapter shapes what Canada can do about this, and the shape is more specific than the general impression that the agreement forbids data localization outright.
Article 19.11 provides that no party shall restrict the cross-border transfer of information by electronic means where the activity is for the conduct of the business of a covered person. Article 19.12 provides that no party shall require a covered person to use or locate computing facilities in its territory as a condition for conducting business there. The chapter defines a computing facility as a server or storage device for processing or storing information for commercial use. The localization discipline, in other words, is scoped to commercial activity and to covered persons. It binds Canada's ability to impose localization on private-sector business as a condition of operating in Canada.
Two qualifications follow, and both sharpen the analysis. First, the chapter carries a public-policy exception: a party may maintain a measure inconsistent with the free-flow rule where the measure is necessary to achieve a legitimate public policy objective, provided it is neither arbitrary nor a disguised trade restriction and restricts data transfer no more than necessary. The exception is real, and it is narrow. Any localization or sovereignty measure Canada might pursue for the private sector would have to survive a necessity test and a challenge, which is a constrained lane rather than a closed door.
Second, government data sits outside the commercial scope. The discipline addresses computing facilities for commercial use and the business of covered persons. A government requiring that its own data, or data held on its behalf, remain under Canadian-controlled hosting is not the situation 19.12 addresses. This means the public-sector exposure documented across this series, DND on Microsoft 365, the provincial health-records deployments, is not compelled by CUSMA. Canada is free to require sovereign hosting for government data. Where it has not done so, the constraint is not the trade agreement. The constraint is that the sovereign alternative does not operationally exist, which returns the analysis to France's Health Data Hub.
Why CUSMA Is the Wrong Instrument
Assemble the three findings and the structural conclusion follows. The CLOUD Act reaches Canadian data held by US-domiciled providers, today, under Section 103, with no agreement required. Physical data location does not cure the reach, as France established under oath. And CUSMA constrains Canada's localization options for commercial data while leaving government data free to localize, which means the trade agreement is simultaneously a limit on one part of the response and irrelevant to the part that matters most.
A localization measure, even one that survived the CUSMA public-policy test, would not close the exposure, because data localized inside Canada under a US-domiciled provider remains reachable. The thing that closes the exposure is control by an entity not subject to US jurisdiction, which is a question of who operates the infrastructure, not where the infrastructure sits. That question is upstream of the trade agreement entirely. CUSMA can be renewed or amended without touching it, because the binding instrument is the CLOUD Act, and the CLOUD Act is US domestic law that the trade review does not open.
This is why the conclusion both Paper 13 and the maturation update reached, that the CUSMA review is the venue to put sovereignty on the record, needs the qualification this paper supplies. The review is the venue for the trade-law position, and that position matters for the commercial-data constraint and for the broader negotiating relationship. The AI-sovereignty exposure that frontier-model and cloud dependence creates is governed elsewhere, and a review that extends CUSMA for another sixteen years would lock in the trade-law constraints around a problem the trade law was never the source of.
The Argument for Completing the Agreement, and Its Limits
The strongest case against this paper's position runs as follows. The Section 103 status quo is the worst of all worlds: unilateral US compulsion, no notification, no Canadian review. A Section 105 executive agreement, properly safeguarded, would replace unilateral reach with a negotiated, reciprocal, rule-bound channel. On this view, completing the agreement is the responsible path, because a governed process beats an ungoverned one.
A second line, advanced by some Canadian privacy practitioners, holds that the practical risk is low. There is limited public evidence of frequent US compulsion against Canadian commercial data, and a risk-based approach would price the exposure as real but rare and avoid heavy localization mandates that carry their own costs.
Both arguments answer to the same two facts. France shows that the guarantee is gone regardless of frequency: the vendor conceded under oath that it cannot promise non-disclosure, which makes the exposure a structural certainty rather than a probabilistic risk, whatever the observed rate. And the reach is not hypothetical in the Canadian case. As documented in Paper 13, a US agency has already pursued a Canadian's data through a US-domiciled platform, by administrative summons, never reviewed by a court, against a person who had not entered the United States in a decade. The frequency argument describes the past. The capability describes the present, and the present is what a sixteen-year extension would entrench.
The completion argument is stronger, and it is the reason this paper's recommendation is sequenced rather than absolute. A governed channel genuinely would beat unilateral compulsion, if the governance were adequate and the moment were right. The question is whether the agreement on offer, negotiated with the current US administration during an active trade confrontation and a documented pattern of administrative demands against critics, would deliver adequate governance. The evidence says the safeguards are not yet specified and the moment is adverse.
What Canada Should Do Before July 1
The recommendation has three layers, and the order is the substance.
Suspend the Section 105 negotiation now. The case for suspension rests on the present conduct of the counterparty and the structure of the instrument. An executive agreement creates a standing authorization for provider-to-foreign-state disclosure under the foreign state's legal process. Handing that standing authorization to an administration that is using administrative summonses to identify online critics, and conducting the trade review itself as a pressure instrument, formalizes a channel at the precise moment the channel is most likely to be misused. Suspension is the immediate, defensive act, and it costs Canada nothing it currently has, because the MLA framework remains available for legitimate cross-border requests in the interim.
Set the reconditioning bar before any future completion. The Canadian Bar Association's Privacy and Access Section has specified the floor. Retain the mutual legal assistance framework for investigations involving Canadian persons, so each request affecting a Canadian is reviewed by a Canadian authority. Exempt federal and provincial government institutions and public bodies from responding directly to foreign orders, and extend that exemption to private providers holding data on a government's behalf. Amend the Criminal Code to create a special category of extraterritorial production orders available only to countries with reciprocal arrangements and only where a Canadian judge finds the criteria met. Amend privacy laws so the "required by law" disclosure exception applies only to foreign warrants under a bilateral agreement with Canada. Build in Canadian review of foreign orders for compliance with the agreement, and preserve providers' right to seek review in Canadian courts. These are the conditions any agreement must satisfy before it is worth completing, and they exceed what the existing UK and Australia agreements contain.
Build the instruments that actually close the exposure, because the first two layers are stopgaps. Suspension prevents a deeper surrender. Reconditioning sets terms for a future one. Neither cures the Section 103 reach that operates today, and neither reduces the dependence that routes Canadian AI and cloud workloads through US-domiciled providers in the first place. The cure is domestic capability: sovereign compute under Canadian-controlled operation, and procurement rules that price jurisdictional exposure as a cost the way any other liability is priced, so that a Canadian logo on a US-operated stack stops counting as a resolution. As Paper 13 established, swapping a domestic label onto a contract changes neither the jurisdiction the data answers to nor the absence of an instrument to govern it. The government-data exemption the CBA proposes is available to legislate now and would address the public-sector exposure directly. The commercial exposure, constrained by CUSMA's localization discipline and uncured by localization in any case, is the one that requires the longer build.
The Decision Already Being Made
The CUSMA review opens July 1, and Canada will form a trade position for it. That position should protect the narrow public-policy lane that 19.11 and 19.12 leave open, and it should be informed by the understanding that the lane does not reach the binding exposure. The exposure that frontier-model and cloud dependence creates will be governed by whether Canada suspends a negotiation, sets a standard, and builds a capability, none of which the trade review decides.
France asked the question under oath and learned that residency is not sovereignty. It also learned, through the Health Data Hub, that intent to repatriate means nothing without an alternative to repatriate to. Canada is in the same structural position, with DND on a US-operated platform and a frontier-model dependence spread across the economy, and it has not yet held the hearing France held. The dependence is operating now. The negotiation that would formalize part of it is paused only because it has not been finished, not because anyone has decided to pause it. Until Canada suspends the Section 105 track on purpose, sets the reconditioning bar, and funds the domestic capability that lets a future government act on a repatriation decision, the default is the policy. The data keeps answering to a jurisdiction that has already shown, in France under oath and in Canada by summons, exactly what that means.
Paper 15 in the "Whose AI Runs the Government?" series. See Paper 8 on the coordination architecture, Paper 11 on capital and capability, Paper 12 on Bill C-22, and Paper 13 on the Palantir call-up and the live reach of US administrative demands. Full series index at PatternPulse.ai.

