Digital Sovereignty: Why Canada Needs Control Over Our Data and Networks

Canada’s lack of digital sovereignty is leaving our privacy and national security exposed. Now is the time to reclaim control over our data and networks.

Living in an increasingly digital world means that even if you’re not constantly on social media, much of your daily life still leaves an online footprint. Whether it’s your financial transactions, health information, or just a meme you send to your friends, every interaction involves data moving across the Internet.

A lot of us are mostly just happy things work, and don’t really sweat the details––like where does your data go, or who’s handling it along the way. But the US trade and annexation threats have many Canadians thinking about how our systems really work. There’s a  growing interest in understanding our own privacy and national interests in terms of digital sovereignty.

In this article, we mainly focus on unpacking digital sovereignty at two levels: (1) network sovereignty and (2) data sovereignty. We hope by the end of this, you will have a better idea why Canada needs control over its data and networks.

The hidden threats in your data’s detour

As abstract as the concept of the Internet may seem, it is actually a vast web of interconnected infrastructure—fibre-optic cables crisscrossing the land and ocean floors, massive data centres humming with activity, and key exchange points where networks connect. This system is operated by a mix of players, including big telecoms like Rogers, Telus and Bell. These Internet service providers (ISPs) you pay a hefty monthly bill to connect to other networks at different “switching centres”––known as Internet Exchange Points (IXPs)––to transfer your data in packets across these digital highways to reach their destination (and back)––a process known as routing.

Depending on which sites you’re visiting, so if you’re visiting sites hosted in the U.S. for instance, your data will naturally leave exclusive Canadian jurisdiction. And that will expose your data to the U.S. National Security Agency (NSA) surveillance according to laws like the USA Patriot Act. Not great, but part of the cost of engaging with a global Internet.

However, what’s more surprising (and unacceptable) is that even when you access Canadian sites (even those in your city!), your data often still flows through the U.S! Every single day, over 25% of Canada’s domestic Internet traffic takes a “boomerang” route through the U.S, instead of a more direct route. It’s a product of decades of Canada’s Internet infrastructure being deeply intertwined with the U.S., with major ISPs in Canada have networks that favour north-south connections.^1,2,3 This pushes thousands of Internet traffic that could have been domestic take an unnecessary detour through the U.S., before routing back to Canada. This exposes data of millions of Canadians to these threats:

• Unnecessary surveillance risk: American agencies like NSA can scan our southern traffic, potentially compromising our personal and confidential information. In an increasingly unstable and untrustworthy American intelligence system, this scanning risks our data leaking to foreign state adversaries.
• Legal vulnerability: Canadian data that crosses into U.S. territory becomes subject to U.S. laws and regulations, which no longer offer the same privacy protections as Canadian laws. Our own laws can’t help us manage this risk: since our current privacy laws were written two decades ago, they lack a single fine or enforced remedy against companies transferring personal data outside of Canada with insufficient protections.
• A deeply fragile Canadian Internet: Relying on infrastructure outside of Canada for domestic communications undermines Canada's control over our own digital assets and is a huge vulnerability in the critical infrastructure our country needs to function. As Trump’s America considers new ways to harass Canada, this risks a disruption of nationwide services if the U.S. weaponizes the critical role these Internet Exchange Points (IXPs) play in our domestic communications.

Data sovereignty in the age of cloud computing

While ensuring our data avoids unnecessary routing through foreign networks is a crucial step, true digital sovereignty extends beyond mere control of data pathways. It's about asserting our nation's autonomy over all aspects of our digital infrastructure and ecosystem––where our data is stored, who has access to it, and how it’s governed.

Now, in the era of cloud computing, that reliance has only grown. U.S. tech giants like Amazon, Google, and Microsoft dominate over 60% of the global cloud infrastructure market––in 2023, 48% of Canadian businesses, including 81% of those in the information and cultural industries sector—relied on cloud computing. Even the Canadian public service depends on the U.S.-based providers like Amazon, Microsoft, and Google. This means a vast amount of Canadian data is stored on foreign soil, making it subject to foreign laws. And when push comes to shove, those laws protect their government’s interests—not yours.

The shadow of the Trump administration's notably aggressive stance towards Canada, has thrust data sovereignty into the spotlight. More and more Canadians are concerned about foreign laws and regulations governing their data, and the potential for cross-border access by foreign governments or law enforcement agencies. To achieve true data sovereignty in Canada, several aspects must be considered:

• Localization of data storage: Imagine if all your personal files were stored in a neighbour's house across the border, under their house rules about who can peek inside. Not only would it be uncomfortable; you’d have none of the  control over your privacy and protection you would have had at your own home. Same goes for our data. We need to maximize and prioritize the volume of our data we keep within Canada, under our own roof, so we know it's being looked after properly. That way, our laws protect it, not someone else's. The more sensitive the data, the more important this data localization is.
• Metadata Privacy: While we often focus on the content of our communications, the metadata—the who, when, and where of our communications, not the text—that can reveal just as much, if not more, about our personal lives. Like those footprints in the snow, metadata can tell a detailed story. Plus, we need to make sure companies aren’t using those data further to train their AI model without asking us first, as seen in Canada’s Privacy Commissioner’s investigation to X this February.
• Regulation of data brokers: Imagine someone going through your garbage and selling a list of everything you bought to random strangers. Most of us would find that a tremendous violation– but that’s basically what data brokers do! They collect bits and pieces of your digital life, make a digital corkboard of things they think they know about us, and sell their sleuthing off to third parties––from shady private companies to authoritarian governments. We need to put a stop to that by implementing stringent regulations on these entities that can prevent unauthorized trading of our personal information, ensuring that Canadians have control over who knows what about them, and provide simple tools to review and delete the information they’ve collected.
• Cross-border data transfer regulation: When data crosses the border, it's like sending something through customs. We need to have rules in place to secure ongoing consent from Canadians for any transfer of data to entities outside of Canada, and minimize unnecessary transfer if we could. We can't just let it go without knowing where it's going or who's looking at it. Especially with the possibility of a new bilateral law enforcement data-sharing agreement with the U.S. under a framework likethe U.S. CLOUD Act, we have to be careful about letting other countries have too much access to Canadians’ data.

Why does digital sovereignty matter?

As Canada faces down threats to our existence as a country, sovereignty is important at every level. Today, these threats are economic and rhetorical; but if this situation escalates, we could see more disruptive measures taken—and that’s where our digital policy today becomes critical.

The Internet backbone is a vital infrastructure for us, but our current setup doesn’t give Canada enough control over our own digital assets. From the hardware that underpins the internet, to the data services that run on top of it, we need to take action today to guarantee a Canadian Internet can continue functioning no matter what any foreign adversary throws at us. We must work proactively to strengthen our national network’s security and resilience today, to create an Internet that Canadians can trust and rely on no matter what the future holds for us.

We have the tools to do it. It is entirely possible for our domestic Internet traffic to stay within Canada; we have Canadian IXPs available that are committed to routing security and reducing most common routing threats.^4,5

What’s uncertain is our will and focus to fix these issues and take charge of Canada’s Internet. To truly secure our digital sovereignty, we must initiate a national conversation on this critical issue, starting today. We must advocate for, and enforce, data localization policies for sensitive information. We need to strengthen our privacy laws, including robust regulation of data brokers. We need clear cross-border data transfer policies, enhanced transparency in data collection and usage, robust consent mechanisms, and regular independent audits of the data handling practices of companies to make sure they’re doing what they promise to. 

Let’s make sure our digital future remains firmly in Canadian hands. OpenMedia has already launched the first step; take action now to protect our network sovereignty!

Sources

1. 3 out of 6 Public Peering Exchange Points of TELUS Communications are located in the U.S., according to AS852 - TELUS Communications – PeeringDB
2. 4 out of 5 Public Peering Exchange Points of Rogers Cable are located in the U.S., according to AS812 - Rogers Cable – PeeringDB
3. 5 out of 5 Public Peering Exchange Points of Bell Canada are located in the U.S., according to AS577 - Bell Canada Backbone – PeeringDB
4. Notably, the Toronto Internet Exchange (TorIX) and the Calgary-based YYCIX were among the ten founding participants of the Mutually Agreed Norms for Routing Security (MANRS) IXP Program, a global initiative launched in 2018, according to Introducing a New MANRS IXP Programme for Routing Security – Internet Society
5. 5. As of November 2020, Canada had 12 network operator participants in the MANRS initiative, a global initiative that helps reduce the most common routing threats, according to MANRS Welcomes 500th Network Operator – Internet Society