The CLOUD Act: How Your Private Data Crosses Borders Without Your Knowledge
Understanding the controversial law enforcement data-sharing framework—and why Canada's pending agreement should concern every privacy-conscious citizen
In the age of global tech companies, your data doesn't respect borders. A Canadian using Facebook, an American on TikTok, a Brit checking Gmail—all generate data that might be stored on servers thousands of miles away. This reality has created a legal quagmire: how can law enforcement investigate crimes when critical evidence sits in another country's jurisdiction?
Enter the CLOUD Act—a 2018 U.S. law that promised to solve this problem. Instead, it may have created a surveillance superhighway with inadequate guardrails, especially for countries like Canada now negotiating to join it.
What Is the CLOUD Act?
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed in March 2018, represents one of the first major changes in decades to U.S. law governing cross-border access to electronic communications held by private companies.
The Act has two main components:
1. U.S. Government Access to Foreign Data
The CLOUD Act amended the Stored Communications Act to require that technology companies provide data in their possession, custody, or control in response to an SCA warrant—regardless of whether the data is located in the United States.
This resolved a long-running dispute with Microsoft, which had refused to hand over emails stored in Ireland, arguing U.S. warrants didn't apply overseas. The CLOUD Act made that argument moot: if a U.S. company controls the data anywhere in the world, U.S. law enforcement can compel its disclosure.
2. Foreign Government Access to U.S. Data
More controversially, the CLOUD Act authorizes the executive branch to conclude international agreements through which select foreign governments can seek data directly from U.S. technology companies without requiring the assistance of the U.S. government.
This bypasses the traditional Mutual Legal Assistance Treaty (MLAT) process, where foreign requests were reviewed by U.S. courts before disclosure. U.S. and foreign officials had criticized the MLAT processes as inefficient and unable to accommodate the increasing cross-border data demands in the digital era.
How CLOUD Act Agreements Work
Under CLOUD Act executive agreements, law enforcement in one country can directly request data from tech companies in another country, as long as certain conditions are met:
Countries entering into executive agreements with the United States would be able to make direct requests to U.S. providers for communications content relevant to the investigation of "serious crime."
The CLOUD Act also grants foreign governments the ability to request both stored communications and real-time communications—wiretaps—directly from private American corporations.
Requirements for Qualifying Countries
To enter a CLOUD Act agreement, qualifying foreign governments must have a legal system that institutes "robust substantive and procedural protections for privacy and civil liberties" regarding data collection by law enforcement agencies, including respect for the rule of law and internationally recognized human rights, particularly the right to protection from unlawful interference with privacy.
The agreements must include:
- Requirements that orders be targeted to specific individuals or accounts, have reasonable justification based on articulable and credible facts, and be subject to review by an independent authority such as a judge or magistrate
- Prohibitions on bulk data collection
- Encryption neutrality—the agreements do not create new authority for law enforcement to compel service providers to decrypt communications
Existing Agreements
The United States has concluded CLOUD Act agreements with the United Kingdom (entered into force October 3, 2022) and Australia (signed December 15, 2021).
Canada's CLOUD Act Negotiations
In March 2022, the United States and Canada announced that they had entered into formal negotiations for a bilateral CLOUD Act agreement. The negotiations began as a product of the Cross-Border Crime Forum, an initiative to foster collaboration in fighting cybercrime, violent extremism and gun violence.
Three years later, these negotiations continue—but under dramatically different geopolitical circumstances.
Since the 2024 U.S. Presidential election, Canada-U.S. relations have become increasingly strained. The Canadian government has been quietly negotiating this bilateral law enforcement data-sharing agreement despite the fact that the U.S. does not recognize human rights obligations beyond its own borders, and amid reports that the CIA will "use espionage to give Trump extra leverage in his trade negotiations."
What Would a Canada-US Agreement Mean?
If a US-Canada CLOUD Act Agreement enters into force, Canadian judicial authorities will be able to grant production orders for the surrender of targeted content and non-content data by US-based private technology companies like Meta and Microsoft for investigations and prosecutions of serious crime (defined as an offense punishable by a prison term of at least three years).
Reciprocally, U.S. law enforcement could demand data directly from Canadian tech companies and telecommunications providers.
The agreement would enable Canada to reclaim control monopolized by technology companies in deciding whether and to what extent direct voluntary assistance is provided, expand the scope of data coverage, and expedite the surrender of data by circumventing but not replacing the MLA regime.
The Privacy Concerns: Why Civil Liberties Groups Are Alarmed
Despite government assurances about "robust protections," privacy advocates have raised serious concerns about CLOUD Act agreements—concerns that intensify in the Canadian context.
1. Reduced Judicial Oversight
The process for judicial oversight of foreign nations' requests for data under the CLOUD Act differs from earlier international data sharing regimes. In both the MLAT and letters rogatory processes, a federal court reviews and approves a foreign government's request for information before issuing a warrant or court order. Such requests generally must satisfy U.S. legal standards and constitutional requirements, such as the Fourth Amendment probable cause standard.
Under CLOUD Act agreements, foreign law enforcement applies its own country's legal standards—which may be lower than U.S. constitutional protections.
2. Lack of User Notice
Civil society organizations have objected that CLOUD Act agreements permit cross-border access to personal data without judicial approval, allow for law enforcement investigations under lower standards than in the U.S., and lack notice to data subjects whose data is being accessed.
When U.S. authorities demand your Canadian data or Canadian authorities demand your U.S. data, you likely won't know until long after it happens—if ever.
3. The "Third-Party Doctrine" Problem
Canadian law, unlike U.S. jurisprudence that applies the "third-party doctrine" (where individuals typically have limited constitutional privacy for data voluntarily shared with third parties), has consistently rejected this approach since the early 1990s. Canadian courts emphasize the critical role of judicial supervision over electronic surveillance.
An agreement that bypasses Canadian judicial oversight would fundamentally degrade these established constitutional standards, effectively subordinating Canadian constitutional law to U.S. legal frameworks.
4. Scope Creep Concerns
Nothing would prevent U.S. authorities from sharing and repurposing personal data collected from Canada for matters that have nothing to do with the CLOUD Act or criminal investigations.
Technology companies such as social media platforms have already been aiding in the criminal and social targeting of groups. Examples include Facebook giving police private messages between a mother and daughter discussing abortion, resulting in their imprisonment; data brokers selling location data tracking people going to and from abortion clinics; and the use of healthcare data to criminalize transgender kids and their families.
5. Vague Surveillance Powers
The language of the CLOUD Act itself is considered vague, potentially authorizing broad cross-border real-time surveillance powers, including remote location tracking or even remotely hacking into a person's device.
As a base proposition, it would be surprising if the Canadian government were to countenance an agreement that would tolerate hacking by the FBI into Canadian-based phones or computers as a part of routine criminal investigations in the U.S. This is not even to mention potential U.S. demands for data that can be obtained from sources such as cell phone tower dumps, reverse location and keyword warrants, or digital genetic databases.
6. Coalition Opposition
The breadth of opposition to CLOUD Act agreements is striking. A coalition of 20 civil society organizations objected to the proposed U.S.-U.K. CLOUD Act Agreement, explaining the agreement "fails to adequately protect the privacy and due process rights of U.S. and U.K. citizens."
Organizations opposing the agreements include the Electronic Frontier Foundation, American Civil Liberties Union, Amnesty International, Human Rights Watch, and the Electronic Privacy Information Center (EPIC)—not typically aligned on many issues, yet united in concern over CLOUD Act privacy implications.
The UK-US Agreement: A Cautionary Tale
The first CLOUD Act agreement between the U.S. and UK provides lessons for Canada—and reasons for concern.
Civil society groups argued that since the CLOUD Act became law, they have stood in near-unilateral opposition to the Act and consistently noted the baseline protections afforded individuals under "executive agreements" fail to meet human rights standards.
While supporters claim the UK-US agreement contains "quite a few privacy and civil liberties safeguards that go beyond the text of the CLOUD Act," critics note fundamental problems remain:
- Lower evidentiary standards than traditional judicial review
- Limited transparency about how powers are used
- Potential for mission creep beyond "serious crime"
- No requirement that users be notified their data was accessed
The Broader Pattern: Surveillance Without Borders
The CLOUD Act fits into a global trend toward expanding law enforcement surveillance powers while reducing judicial oversight. This pattern includes:
- The EU's proposed E-Evidence framework, which aims to harmonize cross-border evidence gathering across Europe
- Canada's Bill C-2, which would expand domestic surveillance capabilities while facilitating CLOUD Act implementation
- The Budapest Convention's Second Additional Protocol, another data-sharing treaty Canada is being pushed to ratify
Justice Canada officials acknowledged at a technical briefing on Bill C-2 that the intent of certain provisions is to enable Canada to implement and ratify the "Second Additional Protocol" to the Budapest Convention.
These initiatives create overlapping frameworks that could allow your data to be accessed by multiple countries' law enforcement—each using their own legal standards, with limited oversight or transparency.
What About Data Sovereignty?
One of the most troubling aspects of the CLOUD Act is how it undermines data sovereignty—the principle that data should be governed by the laws of the country where it resides.
Even if a cloud provider operates data centers within Canada, if its parent company is a U.S.-owned entity, it remains subject to U.S. laws, including the CLOUD Act. This means Canadian data, despite residing within Canada, can still be accessed under U.S. legal authority.
This presents a paradox where a business might be fully compliant with Canadian privacy laws like PIPEDA, yet still be exposed to non-Canadian legal oversight due to the foreign ownership of its cloud provider.
The Case for and Against CLOUD Act Agreements
Arguments in Favor:
- Supporters assert that the CLOUD Act provides a practical remedy for problems related to the globalization of evidence and the increased demand for data stored overseas in criminal cases
- The MLAT and letters rogatory systems are "outdated and inefficient," sometimes taking months or years to process requests
- Major U.S. technology companies—including Apple, Facebook, Google, and Microsoft—support the legislation, believing it reduces potential conflicts of law
Arguments Against:
- Critics argue the CLOUD Act poses a threat to civil liberties and human rights by lowering the standards previously necessary to obtain evidence in cross-border criminal investigations and prosecutions
- The executive branch's decision to certify a country as satisfying the CLOUD Act's standards should be subject to judicial or other review, yet isn't
- Foreign governments' real-world operations may not comport with their domestic laws and may change over time
What This Means for Canadians
If Canada signs a CLOUD Act agreement with the United States:
- Your Canadian data becomes accessible to U.S. law enforcement with fewer protections than traditional MLAT requests required
- You likely won't be notified when your data is accessed
- U.S. constitutional protections don't apply to non-U.S. persons—meaning Canadians get less protection than Americans under the same agreement
- Canadian companies face conflicting obligations between Canadian privacy laws and U.S. data demands
- There's no clear remedy if your data is misused or accessed inappropriately
Data disclosures under a CLOUD Act Agreement to the US cannot relate to a Canadian citizen, permanent resident, or a person located on Canadian soil. However, those involved in the disclosure may need to rely on assumptions, such as using an IP address as an indicator for a person's location and/or nationality, which is generally a weak proxy.
In practice, determining whether someone is a Canadian citizen or resident before accessing their data is extremely difficult—meaning protections meant to shield Canadians may be ineffective.
The Need for Transparency and Debate
Since 2022, the Canadian government has been quietly negotiating this bilateral law enforcement data-sharing agreement with the U.S. under the CLOUD Act.
"Quietly" is the operative word. There has been minimal public consultation, limited parliamentary debate, and scarce mainstream media coverage—despite the profound implications for Canadian privacy rights.
The Canadian Bar Association's Privacy and Access Section has offered guidance on the anticipated bilateral agreement, recommending that Canadian enabling legislation should include a mechanism whereby foreign orders are reviewed by a Canadian authority for compliance with the bilateral agreement, and that Canadian service providers should retain the right to seek review of requests in Canadian courts.
These recommendations point to a fundamental problem: the CLOUD Act framework prioritizes speed over rights—assuming that faster access to data is worth reduced judicial oversight.
What Can Be Done?
For concerned Canadians, several actions are possible:
1. Demand Transparency
Contact your MP and demand:
- Full public release of negotiation details
- Parliamentary debate before any agreement is signed
- Independent assessment of constitutional implications
2. Support Strong Safeguards
The CBA recommends amending the Criminal Code to create a special category of extraterritorial production orders applying only to requests from countries with reciprocal arrangements, provided a Canadian judge determines the criteria are met.
Any agreement should require:
- Canadian judicial authorization for all data requests
- User notification (with limited exceptions for active investigations)
- Strict limitations on data use and retention
- Transparent reporting on how powers are used
- Sunset clauses requiring periodic renewal
3. Consider Data Sovereignty
For businesses and individuals handling sensitive data:
- Use Canadian-owned cloud providers where possible
- Understand where your data is stored and who controls it
- Implement strong encryption
- Review terms of service for data sharing provisions
4. Congressional Review Period
The CLOUD Act expressly provides for a mandatory 180-day period of congressional review before a proposed data sharing agreement can enter into force, and defines procedures authorizing congressional consideration of a joint resolution of disapproval on an expedited process.
Similarly, the Canadian Parliament should assert its authority to scrutinize and potentially reject any agreement that inadequately protects Canadian privacy rights.
The Bottom Line
The CLOUD Act represents a fundamental shift in how law enforcement accesses data across borders. While proponents emphasize efficiency and crime-fighting capabilities, critics warn of a surveillance framework with inadequate safeguards, limited transparency, and potential for abuse.
For Canada, entering a CLOUD Act agreement with the United States at this particular moment—amid trade tensions, political instability, and documented U.S. intelligence overreach—seems particularly fraught.
Legal researchers warn that a Canada-U.S. CLOUD agreement would extend the reach of U.S. law enforcement into Canada's digital terrain to an unprecedented extent, effectively allowing U.S. police to demand personal data directly from any provider of an "electronic communication service" or "remote computing service" in Canada.
The question isn't whether law enforcement needs better tools to investigate transnational crime—they do. The question is whether we're willing to sacrifice fundamental privacy rights and constitutional protections in the name of efficiency.
Three years into negotiations, with minimal public debate and mounting privacy concerns, Canadians deserve answers about what their government is agreeing to—before it's too late to push back.
Your data crosses borders constantly. The rules governing who can access it, under what circumstances, and with what oversight will define the boundaries of privacy in the digital age. The CLOUD Act threatens to erase those boundaries—and once they're gone, they'll be nearly impossible to restore.
Stay informed. Stay vigilant. Your privacy may depend on it.