This article by Alexander Rudolph originally appeared on cyberincontext.ca. Opinions expressed by contributors are their own.
On June 10, 2025, France’s Senate held a hearing as part of its study on the role of procurement in promoting data sovereignty. Microsoft France’s Director of Public and Legal Affairs, Mr. Anton Carniaux, was invited to provide testimony and answer questions from Senators. During the hearing, Mr. Carniaux was asked if he could guarantee that data from French citizens could not be transmitted to United States authorities without the explicit authorization of French authorities.
Mr. Carniaux said that he could not guarantee this.
In other words, if the United States were to issue a legal request to Microsoft for the data of a French citizen hosted in the EU, Microsoft would comply regardless of French or EU law.
We can assume that this is irrespective of country, as France and the EU have some of the strictest data protection laws in the world and the U.S. law they are talking about is the United States CLOUD Act.
As a result, Canadians who use Microsoft or other products from US-based corporations could have their data provided to the United States government, and there is nothing they nor the Government of Canada can do.
Microsoft France’s response has been that they have strong, rigid legal processes to contest unfounded or potentially illegal or unconstitutional requests by the United States government.
However, this response to France’s concern amounts to little more than, “Trust us.” This removes the autonomy and sovereignty that allow France, Canada, and all other countries to control the data used in their respective countries according to their practices and laws.
The Government of Canada defines data sovereignty as “Canada’s right to control access to and disclosure of its digital information subject only to Canadian laws.”
Broadly, data sovereignty means that all data in Canada and from Canadians should be subject to Canadian law first and foremost, not another country’s.
Microsoft’s statement means that if they receive a valid legal request from the United States government for a Canadian’s data residing on a Microsoft server or infrastructure in Canada, Microsoft will respond to the request without receiving permission from Canadian authorities.
Why is this a concern?
U.S.-based tech companies, such as Microsoft, Amazon, and Google, and their products play a role in nearly every aspect of our daily lives, whether through software, hardware, Internet hosting, or other means.
Under the United States CLOUD Act, the United States government can compel U.S.-based companies to provide data to the government regardless of where the data is stored. The testimony from Microsoft France’s representative has confirmed that this supersedes all other international and domestic laws.
In short: Microsoft will listen to the U.S. government regardless of Canada’s or any other country’s domestic laws.
Previously, Canada and others have adopted data residency requirements, which require certain data to be hosted in Canada. There was a belief that this was enough to protect Canada’s sovereignty and our people, but with the United States CLOUD Act and an adversarial United States administration, the conditions have changed.
Despite these efforts, there have always been concerns that Microsoft and others would ignore data residency. Microsoft has now confirmed that it does not care about data residency or other countries’ sovereignty.
Does this affect the federal government and military?
Yes.
It appears that it does not matter if the target is an individual, organization, or government. As long as the legal request is considered valid in the United States, the target or location of the data does not matter.
As an example, the Department of National Defence and Canadian Armed Forces make significant use of Microsoft 365. They have their own defence-tailored instance called Defence 365, which serves as a common cloud infrastructure for collaboration across DND/CAF, with stakeholders and other government departments.
In theory, any data on or using Microsoft or a U.S.-based organization’s products and infrastructure that is not isolated from the Internet could be subpoenaed by the United States government.
The current United States administration has been shown to base a significant amount of its foreign and economic policy on dubious or false pretenses with little basis in rational, informed evidence or reality. As a result, we cannot expect that all legal requests received by Microsoft or other tech giants will be evidence-based or rational.
Thus, this revelation represents a significant risk to the Government of Canada and its military.
Can Canada and others say no?
In theory, yes. But there are a few problems with this.
Canada could say no, but if the information is hosted on Microsoft servers, then Microsoft would likely be able to retrieve this information without the Canadian government knowing. So the user and government will not know unless the United States government or Microsoft informs them.
Even in such a case where the user or Canadian government/authorities were informed, it would more or less be, “This is happening, and there’s nothing you can do. Your issue is with the United States government, not us.”
In more controlled, secure data environments, it would be more difficult for Microsoft to retrieve this data without some indication informing the user. The best case would be to have your data encrypted, which is required for the Canadian military and most of the government. If your data is encrypted, then the United States government would have to attempt to crack the encryption to access the data forcefully.
Sufficiently strong encryption can make cracking almost impossible, but the risk is that even non-Trump United States administrations have gone to extraordinary lengths to access encrypted data. In such a scenario, the United States government would not simply stop if it found that the data it wants is encrypted.
Ultimately, the only likely way to avoid the risk of U.S. legal requests superseding Canadian or other international law is not to use the products of US-based organizations or to keep them disconnected entirely from the Internet.
Takeaway
This admission from Microsoft France has reaffirmed the importance of data sovereignty and renews concerns about Canada’s ability to trust Microsoft or other non-Canadian companies to provide reliable and secure cloud services.
This is likely to add to the growing calls for Canada to develop a sovereign cloud capability, reducing its reliance on major cloud hosts, the majority of which are US-based.
I have not heard anything related to the government’s actual interest concerning investment in a sovereign cloud capability, but this news, and an understanding that data residency will only get Canada so far, must motivate a change in approach.