
In April 2026, Borden Ladner Gervais published a legal analysis that sharpens a question a lot of Canadian organisations have been asking: if our website data sits on servers in Canada, is it actually protected from foreign legal access?
BLG’s answer comes back to one point. What determines sovereignty is who controls the data, not where it sits. A server in Canada does not, on its own, keep the data out of reach of foreign legal orders. What matters more is who owns and operates the company that controls that server.
For anyone running a WordPress site in a regulated sector, or any business holding customer personal information, that distinction is worth taking seriously. Here is what it means in practice for your hosting choice.
What the CLOUD Act actually does
The U.S. Clarifying Lawful Overseas Use of Data Act, signed into law in March 2018, lets U.S. federal authorities compel a U.S.-based company to produce data the company controls, no matter where in the world that data is stored. It applies to U.S. parent companies and to their foreign subsidiaries where the parent exercises meaningful operational control.
A CLOUD Act order is served on the parent company in the United States, and the parent is obliged to comply by accessing data held anywhere in its corporate group. Orders can include a gag provision that prevents the company from notifying the customer whose data was accessed.
This is active law, not a theoretical power. Canada and the United States have been negotiating a bilateral CLOUD Act agreement since 2022, and as of early 2026 no agreement is in place.
Why corporate structure beats physical location
The part most business owners miss is that a data centre in Montreal or Toronto does not, on its own, put your data outside the reach of a CLOUD Act order. What matters is who owns and operates the company that controls the data.
BLG makes the point bluntly. A Canadian company that is wholly owned and managed in Canada generally falls outside the CLOUD Act. A Canadian subsidiary operating under U.S. parent control, with integrated systems or shared management, generally does not, even when the physical servers are in Canada.
The big hyperscale cloud providers, including AWS Canada (Central), Microsoft Azure Canada Central, and Google Cloud northamerica-northeast, all operate data centres on Canadian soil. All three are subsidiaries of U.S. parent companies. That does not make them bad products. It does mean that the “data residency” marketing attached to their Canadian regions is answering a different question than the one Canadian privacy regulators and Canadian courts are now asking.
Osler’s November 2025 analysis reaches the same conclusion. Using a Canadian-owned service provider with no U.S. operations is one of the more effective structural mitigations available. Customer-managed encryption keys help, but they do not cover metadata, account information, or activity logs, all of which can be compelled under a CLOUD Act order.
What Canadian regulators have been saying
Canadian privacy regulators have been consistent on this for years. Data localisation is a useful control, but it is not sufficient on its own. The Office of the Privacy Commissioner of Canada, and the provincial commissioners in Quebec, British Columbia, Alberta, and Ontario, have all emphasised a risk-based approach. That means looking at the corporate structure of the service provider, the legal jurisdictions it is subject to, and the technical safeguards in place.
Quebec’s Law 25 was the first Canadian statute to make this explicit. Organisations transferring personal information outside the province must conduct a privacy impact assessment that evaluates whether the destination jurisdiction provides adequate legal protection. The Commission d’accès à l’information du Québec issued C$2.3 million in fines under Law 25 in the first quarter of 2026 alone.
PHIPA in Ontario, HIA in Alberta, and FIPPA in British Columbia each contain provisions that cannot be satisfied through contractual assurances alone where a CLOUD Act exposure exists. The Office of the Superintendent of Financial Institutions has signalled, under Guideline B-10, that cloud infrastructure decisions will be scrutinised during technology risk assessments, with particular attention to data sovereignty implications.
If your business is in healthcare, legal services, financial services, or any sector holding Canadian personal information subject to provincial privacy statutes, your hosting choice is no longer just an IT decision.
A practical checklist
Before you renew your hosting contract, or move a regulated workload into the Canadian region of a hyperscale provider, work through the following:
- Where is your hosting provider incorporated? Canadian incorporation is the starting point, not the end point.
- Who owns the company? A Canadian-incorporated subsidiary of a U.S. parent is in a different legal position than a Canadian company with no foreign ownership.
- Where does the operational control sit? If the engineers with production access sit in the United States, or if the company’s systems are integrated with a U.S. parent, the physical server location matters less than you would hope.
- Where is the data stored and backed up? Ask for the specific data centre locations, primary and secondary. Confirm backup copies do not leave Canada.
- Who holds the keys? If the provider holds the decryption keys, the provider can be compelled to decrypt. Customer-held keys narrow the exposure, though not completely.
- What happens if a foreign legal order arrives? Ask directly. A Canadian-owned provider with no U.S. operations can answer this question differently than a subsidiary of a U.S. firm.
- Can the provider show Canadian ownership in writing? Corporate registry documents, not marketing pages.
None of this eliminates risk. The point is to understand the risk you are actually carrying, document it in a way a regulator will accept, and make an informed decision about whether the trade-off is acceptable for the specific data involved.
Where WPCloud fits
WPCloud has been operating as a Canadian-incorporated WordPress hosting company since 2013. The company is Canadian owned. There is no U.S. parent and no U.S. subsidiary. The team is based in Canada, and our infrastructure sits in three Canadian facilities: OVH’s BHS data centre near Montreal as our primary, GTHost in Toronto as our secondary, and a facility in Coquitlam for clients with a B.C. residency requirement.
Backups run through JetBackup with 90-day retention, stored off-server but within Canada. DNS runs through Constellix for most clients and DNS Made Easy for some legacy ones. Transactional email runs through MailChannels. Our SOC function, our Imunify360 security stack, and our 24/7 support operation are under our direct control.
We are not the only Canadian-owned WordPress host, and this post is not an argument that hyperscale clouds are unusable. They are not. For a great many workloads the CLOUD Act exposure is acceptable, well understood, and properly documented in a PIA. The point is that the structural option BLG and Osler identify, a Canadian-owned provider with no U.S. operations, exists in the Canadian market, and it has existed for twelve years.
If you are working through a Law 25 PIA, a PHIPA transfer assessment, or an OSFI B-10 technology risk review, and you want to talk through whether managed WordPress hosting with a Canadian-owned provider fits your risk profile, get in touch.
Further reading
- Data sovereignty and the CLOUD Act: What Canadian organizations should know, Borden Ladner Gervais, April 2026
- Data sovereignty in light of the CLOUD Act: back to the future?, Osler, Hoskin & Harcourt, November 2025
- Whose Law Governs Canadian Data?, Balsillie Papers, March 2026
None of the above is legal advice, and the specific answer for your organisation depends on the data you hold, the sector you operate in, and the jurisdictions you serve. If your exposure is material, talk to your own counsel.
