My Globe and Mail op-ed begins by noting that the Trump administration’s emphasis on tariffs continues to garner headlines, but a more consequential trade battle over data control is playing out with far less public attention. Last week, the U.S. released its annual report on trade barriers and for the first time, Canada was listed alongside dozens of other countries for seeking greater control over its own data. The message is clear: When countries enact laws that restrict where data is stored and who can access that information, the U.S. treats them as a trade threat.

The global battle over data has escalated rapidly. The 2025 report made no mention of Canada in connection with key data control issues, such as where data reside (cloud computing) or whose laws apply to that information (data sovereignty). Further, the term “sovereign cloud,” which refers to cloud infrastructure and services that operate under the legal jurisdiction and regulatory control of a specific nation, was not found anywhere in that report. One year later, the number of cloud and data localization references has grown by roughly 50 per cent, and Canada has been singled out for the first time.

The U.S. is employing a two-pronged strategy to enhance its control over global data flows. The first prong is the U.S. CLOUD Act, a 2018 law that grants U.S. authorities the power to compel any service provider subject to U.S. jurisdiction to hand over data, regardless of where the information is physically stored. For instance, such a company can be compelled to disclose data it holds in Canada, potentially overriding Canadian privacy protections. The second prong leverages trade policy by pressuring countries who respond to that vulnerability by building domestic alternatives challenging the applicability of the U.S. law. Countries that try to insulate themselves from the first prong are told the remedy itself is the barrier.

The U.S. concern with Canada involves a Shared Services Canada proposal concerning government purchases of cloud services. Those services would be required to ensure that all data are processed, transmitted and stored exclusively in Canada, under the control of providers that are not subject to foreign laws that permit access without Canada’s prior written consent. That corporate control requirement is a direct response to the U.S. CLOUD Act. It means even a Canadian subsidiary cannot satisfy the standard if it – or its parent company – is subject to U.S. law.

What makes the U.S. report so revealing is that Canada is not an outlier. South Korea’s cloud security certification program effectively excludes foreign providers from government contracts. France requires that cloud providers handling sensitive state data be majority EU-owned and immune to non-EU laws. Japan subsidizes domestic companies to build sovereign AI cloud infrastructure, while largely shutting out foreign firms. Turkey, India, Indonesia, Nigeria, Pakistan and dozens of other countries maintain their own variations.

The pattern is unmistakable: Countries are converging on laws that grant greater control over where their data lives and who has access. The mechanisms differ – certification walls, ownership thresholds, local storage mandates, outright bans – but many are moving in the same data policy direction. This alignment is not a coincidence. It reflects a growing recognition that data are critical infrastructure and that exclusive dependence on foreign cloud providers creates legal and geopolitical vulnerabilities. By legislating extraterritorial access to data, the U.S. opened the door for other countries to pursue alternatives.

Canada should take note of both the criticism and the company it keeps. Being grouped with more than 30 countries, including close allies such as France, Japan and South Korea, that pursue nearly identical policies, suggests Canada may be on to something. It also suggests that the objection from the U.S. is less about Canada specifically than about a global trend that threatens U.S. cloud dominance in government markets worldwide.

The Canadian policy challenge is to get the sovereign cloud initiative right. By targeting corporate control structures rather than just mandating that data be stored here, the Shared Services Canada proposal is premised on the view that infrastructure-based solutions alone are insufficient. Indeed, data localization without addressing gaps in Canadian privacy law and the legal authority of foreign governments over the providers is an incomplete solution. Getting it right means addressing where the data reside, as well as the laws governing that information and the companies involved.

The data sovereignty question is a structural challenge that goes to the heart of how governments protect sensitive information in a world where the most powerful cloud providers answer to another country’s laws. We are rightly worried about who gets trumped on tariffs. But it is who trumps on data that will shape the digital economy for decades to come.