As the trend towards digital sovereignty continues, it is important to revisit whether measures such as data localization and sovereign cloud options are effective in preventing governments from demanding access to data stored abroad. In the US, if an entity has certain“minimum contacts,” then a government agency can likely enforce a data request on that entity in court. However, this principle is not unique to the U.S. Many countries around the world assert jurisdiction based on certain contacts or relationships (i.e. criminal or commercial). A new court case in Canada provides a recent example.
In April 2024, the Royal Canadian Mounted Police served a production order as part of a national security investigation. It was seeking subscriber and account data stored in France, the UK, and Australia from four OVH accounts. OVH is a cloud provider based in France, and has a subsidiary located in Canada (OVH Canada). OVH challenged the production order in court on several grounds:
Jurisdiction
First, OVH argued that Canada lacks jurisdiction over the parent company because it is a separate and distinct entity from its Canadian subsidiary. The Court found, however, that OVH has a sufficient connection to Canada based on the presence of its employees and data centers in the region, as well as its offering of services to Canadian customers. In particular, it found that OVH had a “virtual presence,” because it had a real and substantial connection to Canada and derived a commercial benefit from its operations in the region.
Possession or Control
Second, OVH argued that OVH Canada did not have possession or control of the data and could not access the data requested as a matter of corporate policy. However, based on Canadian case law and OVH Canada’s previous compliance with a different RCMP production order for an IP address hosted in Germany, the Court determined that OVH did have possession or control of the data. The case law cited in the Court’s decision considered whether Canadian entities could be compelled to produce data stored on foreign servers. That case held that the physical location of the data is not determinative. However, courts must assess whether the entity has “lawful and effective access to data in the ordinary course of business where it can be said to ‘possess or control’ the information.” Applying this reasoning to OVH Canada’s prior compliance with a production order for data located outside of Canada, the Court determined there was possession and control of the data requested.
Interestingly, these terms mirror the language in the CLOUD Act, which applies to U.S.-based providers who must respond to law enforcement requests for data so long as they have “possession, custody, or control,” regardless of where the data is stored.
Conflict of Law and MLAT Issue
OVH asserted that because the company was incorporated and resides in France, it must abide by French law, and that compliance with the data request would violate the blocking statute. The Court weighed several factors to determine whether compliance with the production order was prohibited under French law. It determined that the risk of prosecution under this law was low; in over 40 years, there was only one reported conviction under the statute. Separately, OVH maintained that the Canadian government can request this data through the Mutual Legal Assistance Treaty Process (MLAT). However, the Court stated that obtaining an MLAT is ”inherently slow” and lengthy, and because OVH’s clear ties to Canada, it weighed against utilizing the MLAT process.
This case affirms a longstanding practice, that even if data is located outside a country’s borders, as long as there is a jurisdictional hook, a country can request data to a provider operating within the country for data located outside of it. As described in Data Localization and Government Access to Data Stored Abroad, this principle is established in US law, domestic laws of countries around the world, and in cross-border legal instruments such as the Budapest Convention, MLATs, the CLOUD Act, and more. Although many companies are shifting towards providing sovereign cloud options, there are still “many avenues. . . for a [government]” to obtain data stored outside of its country.
