Since the 2024 U.S. Presidential election, Canada-U.S. relations have become increasingly strained and the subject of public concern. It should thus be of further concern to the public that, since 2022, the Canadian government has been quietly negotiating a bilateral law enforcement data-sharing agreement with the U.S. under a piece of U.S. legislation called the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”).
These negotiations are ongoing, despite the fact that the U.S. does not recognize human rights obligations beyond its own borders, let alone issues such as the new President openly antagonizing Canada, while minions of tech billionaire Elon Musk have been running amok through sensitive government data. Media reports are also surfacing that the CIA will “use espionage to give Trump extra leverage in his trade negotiations”. These destabilizing events should give grave pause to any notion of entering into any such data-sharing agreement with the U.S. at this, of all, times—especially one with as many issues as the CLOUD Act.
Introduction to Canada-U.S. CLOUD Act agreement
A Canada-U.S. CLOUD agreement would extend the reach of U.S. law enforcement into Canada’s digital terrain to an unprecedented extent. This agreement, if signed, would effectively allow U.S. police to demand personal data directly from any provider of an “electronic communication service” or “remote computing service” in Canada, so long as it had some ties to the U.S. (such as serving U.S. users). No judicial oversight whatsoever would be involved north of the border. The new system would expose personal data stored in Canada directly to U.S. police surveillance, bypassing Canadian court oversight, and in so doing, could violate our own constitutional privacy laws, among other alarming consequences.
The purpose of this agreement is ostensibly to streamline cross-border data requests currently governed by mutual legal assistance treaties, which public officials have said are now too cumbersome in the digital age. The arrangement is thus meant to grant reciprocal powers to Canadian police seeking data from U.S. technology companies. However, a closer look reveals that any such agreement would be reciprocal in name only, where our constitutional and human rights are concerned.
Canadian and U.S. constitutional law diverge on digital surveillance
Canada and the U.S. have already long diverged from each other when it comes to our respective legal frameworks addressing surveillance and digital privacy, such that a CLOUD Act agreement can only degrade Canada’s well-established constitutional standards. One would be hard pressed to find two democracies that are more incompatible when it comes to trying to align digital surveillance laws. Since the 1970s, U.S. courts have said that individuals are disentitled from constitutional privacy protections for information that they voluntarily share with a third party—this is known as the “third-party doctrine”. Information caught up in this longstanding doctrine is exposed to warrantless seizures by U.S. law enforcement.
The U.S. approach has not aged well. Fifty years later, smartphones are now ubiquitous, each loaded to the hilt with third-party apps hoovering up reams of private data about the most intimate and sensitive aspects of our daily lives. Amidst a sprawling data broker market that includes selling targeted ad data to law enforcement and government agencies, U.S. lawmakers and civil society have been trying to close part of this third-party-doctrine-enabled loophole, such as through the aptly titled The Fourth Amendment Is Not For Sale Act. While a 2018 U.S. Supreme Court decision marked an important shift towards a new approach, it is still far from clear if (or how far) the U.S. courts will go down this path.
In contrast, that potential seedling of a new path in the U.S. is already Canada’s well-trodden, constitutionally settled road. Since the early 1990s, Canada’s top courts have repeatedly rejected the United States’ approach to limiting privacy rights through the third-party doctrine. In a landmark judgment, Canada’s Supreme Court decided that it would not follow the U.S. jurisprudence that has ultimately pushed swaths of government surveillance outside the oversight of U.S. judges. The Court foresaw that if electronic surveillance were to be left unregulated, it would have the potential “to annihilate any expectation that our communications will remain private”. Thus, in many cases, the same types of personal data that are considered fair game in the U.S., are constitutionally protected from warrantless search and seizure in Canada.
CLOUD Act agreement risks subordinating Canadian constitution to U.S. law
This longstanding schism running alongside the 49th parallel is why Canada submitting to a CLOUD Act agreement would be so disturbing. The move would deeply undermine a key pillar of Canadian privacy law, blocking Canadian court judges from supervising warrantless U.S. law enforcement surveillance, even in circumstances where a Canadian police service would be required to get a Canadian judge to authorize seizure of the exact same data.
This fundamental shift in our privacy law landscape would strike a major blow for Canada’s sovereignty over its own constitutional guarantees. In Bykovets, a recent Supreme Court of Canada ruling again underscoring the critical role of judicial supervision over electronic surveillance, the majority opinion described how the concentration of a “mass of information” in the hands of private corporations has “fundamentally altered the the topography of informational privacy.” In an overwhelmingly digital world, even our IP addresses can betray deeply personal information. There are countless examples of information and data in the hands of technology companies, telecommunications providers, banks, universities, or other entities where law enforcement access is supervised by Canadian courts, given the potential that this information might otherwise be “compiled, dissected and analyzed to lend new insights into who we are as individuals or populations.”
U.S. experts themselves have warned potential CLOUD Act signatories of weaknesses in U.S. surveillance laws, given concerns that the CLOUD Act potentially expands cross-border law enforcement powers to issue orders for real-time surveillance, such as wiretapping. That is the difference between police asking your cell phone provider to send them a block of your chat history from a specific past time period, and asking your cell phone provider to start forwarding to them all of your texts that you send or receive in real-time, going forward. A former U.S. judge noted that the language of the CLOUD Act is vague enough that it may authorize additional cross-border real-time surveillance powers, such as remote location tracking or remotely hacking into a person’s device (to the extent a technology company’s cooperation is involved). On top of all of that, nothing would prevent U.S. authorities from sharing and repurposing personal data collected from Canada for matters that have nothing to do with the CLOUD Act or criminal investigations.
As a base proposition, it would be surprising—to say the least—if the Canadian government were to countenance an agreement that would tolerate hacking by the FBI into Canadian-based phones or computers as a part of routine criminal investigations in the U.S. This is not even to mention potential U.S. demands for data that can be obtained from sources such as cell phone tower dumps, reverse location and keyword warrants, or digital genetic databases, just to name a few examples.
U.S. fails to protect human rights domestically and internationally
Even supposing subordinating ourselves to U.S. police surveillance were acceptable to our idea of a free and democratic society, it is worth considering what crimes, exactly, these cross-border data-access powers would be used for. A Canada-U.S. CLOUD Act agreement could make the Canadian government and technology sector complicit in the data-fuelled criminalization and persecution of historically marginalized groups in the U.S.—groups whose equality and human rights, if they were in Canada, would be constitutionally guaranteed under the Canadian Charter of Rights and Freedoms.
The expanded powers granted by CLOUD Act agreements are only supposed to apply to “serious crimes”, which existing agreements with the U.K. and Australia define as an offense with a maximum prison term of three years or more. By that definition, the following activities are considered “serious crimes” according to the U.S.: providing or attempting to provide an abortion in Mississippi (up to 10 years in prison); terminating a pregnancy in Florida (up to 5 years in prison); being a parent in Idaho seeking gender-affirming health care for their trans child (life in prison); and performing in a drag show in Arizona (up to 10 years in prison when the bill was first introduced). Legal developments such as the U.S. Supreme Court eliminating federal protection for abortion in Dobbs v. Jackson Women’s Health Organization have only widened the gap between our countries’ incommensurate constitutional landscapes.
Technology companies such as social media platforms, targeted ad businesses, and data brokers have already been aiding in the criminal and social targeting of groups besieged by efforts to legislate away their civil rights. These violations include, for instance, Facebook giving police private messages between a mother and daughter discussing the latter’s abortion, resulting in their imprisonment; data brokers selling location data tracking people going to and from abortion clinics; outing someone’s sexual orientation; and the use of healthcare data and student surveillance tech to criminalize transgender kids and their families. Under a CLOUD Act agreement, Canada’s burgeoning so-called “femtech” startup sector, among others, may find itself subjected to U.S. requests to do likewise. Even if the Canadian agreement follows the U.K. and Australia in providing a carve-out against using CLOUD powers for discriminatory targeting, companies may provide limited resistance if faced with any such requests on the ground, and as detailed below, no remedies are available for any rights infringements that nonetheless occur.
The Canadian Supreme Court has repeatedly established in numerous contexts that the law under Canada’s Charter deviates from U.S. law when it comes to human rights—stating as recently as last year that “[o]ur approach is distinct from the United States” when it comes to privacy rights. This begs the question: in the face of such explicit statements and fundamental constitutional differences, why would the federal government entertain an agreement that would bind Canada to a more integrated law enforcement system with a country that does not acknowledge responsibility to respect the rights of either Canadians or other non-U.S. persons? Unlike the Canadian government, the United States and its courts have made it clear that they do not accept responsibility for safeguarding the human rights of non-U.S. citizens when U.S. law enforcement engages in foreign surveillance—contrary to established international consensus under treaties including the International Covenant on Civil and Political Rights. This alone should be an unequivocal dealbreaker for the Canadian government.
Nor can the Canadian government claim ignorance: international human rights bodies have historically and ongoingly criticized the U.S. for its foreign surveillance practices in respect of non-U.S. citizens, and for other human rights violations. U.S. officials have touted CLOUD Act agreements as an opportunity to raise relevant legal standards in potential signatory countries, but recent political developments have debased any assumptions that the U.S. will use its influence for the betterment of human rights or civil liberties.
No recourse or remedy if people’s rights violated by U.S. police surveillance
Even assuming the Canadian government could insist and enforce that all U.S. surveillance requests were at least authorized by a judge, this would likely not meaningfully uphold Canadian constitutional standards or protect the people they govern. It seems a contradiction in terms to task a U.S. judge with the vital responsibility of protecting the rights of people whom U.S. courts are simply not bound to protect, according to the U.S.’s own laws. CLOUD Act agreements with both the U.K. and Australia have explicitly refused to establish any rights or remedies for individuals or companies whose data is subject to seizure under each agreement.
The net effect of the U.S. rejecting extraterritorial human rights obligations means that by blocking Canadian courts from supervising U.S. law enforcement surveillance demands, Canadian residents and other non-U.S. persons would be relegated to a remedial no-man’s land, unable to access any recourse in cases of overbroad or inappropriate U.S. requests for data. Given Canada’s courts have previously struck down surveillance laws that failed to be accompanied by meaningful accountability mechanisms, a remedial vacuum in a potential CLOUD agreement would likely prove fatal.
Under existing CLOUD agreements, only companies who are the recipients of such data requests—whether TD Bank, TELUS, Amazon, or Meta, for instance—may challenge such orders under the CLOUD Act, despite lack of aligned incentives with the rights of those targeted by U.S. surveillance or, indeed, the broader public interest. Canadian courts declined to follow U.S. constitutional doctrine when establishing that such third-party entities do not have the constitutional authority to consent to data disclosures on behalf of their customers. Yet, they will be put in this position in Canada and moreover may be bound to confidentiality about the U.S. police requests they comply with, as Australian companies are poised to be under the Australia-U.S. CLOUD agreement.
Canadian government should reject CLOUD Act agreement to uphold Canada’s constitutional and human rights
In signing a CLOUD Act agreement, Canada would furthermore make itself vulnerable to additional privacy and national security threats arising from any future bestowing of even broader powers on U.S. law enforcement authorities, by the current or future administrations. This lesson is already being learned painfully by, in fact, the U.S. itself. The Washington Post reported this month that the U.K. government secretly demanded Apple create a way to decrypt its users’ data worldwide for the U.K. government to access. This demand reportedly relied on the U.K.’s Investigatory Powers Act, a law amended in 2024—a few short years after the U.S. and U.K. reached their own CLOUD Act agreement in 2019. In response to these revelations, U.S. Senator Ron Wyden circulated a draft bill to address major deficiencies in the CLOUD Act—which is cause for sober second thought by any countries considering an agreement under the Act, such as Canada.
To be sure, some of the assessment we provide in this article is drawn from educated guesses and existing CLOUD Act agreements the U.S. has struck with the U.K. and Australia. Much will depend on the actual text of Canada’s own agreement, which has yet to be made public. However, the broad scope of the CLOUD Act means that any agreement is almost certainly to put our fundamental rights at risk, unless and perhaps even if the Canadian government were somehow able to navigate a veritable minefield of incompatibilities and contradictions between Canada’s constitutional and human rights frameworks, and those of the U.S. Wrangling surveillance standards into theoretical compliance with Canada’s Charter would also still provide no answer to the concerns regarding types of crimes investigated, the U.S.’s lack of extraterritorial human rights obligations, potential repurposing of Canadian data after the fact, and the lack of any recourse for individuals whose rights are violated.
Absent more compelling evidence and justification than it has demonstrated so far, the Canadian government must reconsider and carefully assess its potential bilateral and international data-sharing obligations with foreign partners, such as the United States. Given all of the above, it seems that Canada cannot in good conscience enter into a far-reaching agreement that could result in sharing even more data to help an increasingly rogue administration persecute vulnerable individuals—among other potential consequences— on grounds that would be illegal here and which fly against principles enshrined in our constitutional and human rights laws. Particularly at a time when democratic institutions and courts are struggling to retain integrity and public legitimacy, especially in the U.S., it is more critical than ever that Canada protectively and unwaveringly holds its own constitutional lines.
Acknowledgements
Thank you to our colleagues Lex Gill, Tamir Israel, and Leah West for their valuable peer review of this article, which is published under the supervision of Ronald Deibert.