From Sovereignty to Control: Rethinking Canadian Cloud Policy

Lawrence Zhang (ITIF’s Center for Canadian Innovation and Competitiveness) publishes a report arguing that control—technical, operational, legal, and structural—rather than domestic ownership or server location should guide Canadian cloud policy.

• Main announcement/action: The report recommends six concrete measures to deliver enforceable control: target real access risks, procurement rules requiring customer-held keys and audit rights, continuity through redundancy, portability/interoperability to prevent lock-in, a blocking statute requiring providers to challenge incompatible foreign disclosure orders, and reserving the strictest controls for defence, intelligence, and a narrow set of classified workloads. It cites Shared Services Canada’s sovereign cloud RFI and private-sector initiatives (Qu Data Centers, InfraRed Capital Partners; Bell Canada data center near Regina) as current policy and market actions.
• Background and details: The report frames sovereign-cloud proposals as conflating security and industrial policy, notes hyperscalers’ security spending “measured in the tens of billions” (as a comparative capacity point), documents recent Canadian cyber incidents and financial figures (fraud losses and ransom averages), and flags trade friction (U.S. objections) and legal complexity (CLOUD Act, GDPR Article 48, cross-border legal frameworks).