ARTICLE
4 February 2026

Navigating Export Controls In The Clouds: Canada Clarifies Rules On Cloud Storage And Transfers

McCarthy Tétrault LLP

Contributor

McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in New York City, US and London, UK.

Canada's authority for administering export and technology transfer controls, Global Affairs Canada ("GAC"), has released Notice to Exporters No. 1159 – Guidance on the Movement to and Storage of Controlled Technology in the Cloud ("Guidance"), shedding light on a key question for businesses and academic researchers engaged in electronic transfers of controlled technology: When does using Canadian or foreign-based cloud services to store or transmit controlled technology trigger an "export" or "transfer" under Canadian export controls?

This long-awaited Guidance offers some important clarifications of GAC's position on these issues and how companies, researchers, and cloud service providers can approach compliance when leveraging cloud structures for sensitive technologies. With data routinely stored on servers located around the globe, determining when the use of cloud services results in the export or "transfer" of controlled technology, and therefore might require an export permit under Canadian law, remains a complex issue. For organizations handling sensitive technology, understanding when a Canadian export permit may be required is critical for avoiding inadvertent violations and maintaining access to global cloud solutions.

What Is A Transfer?

An export or "transfer" occurs when the content of controlled technology is disclosed from a place inside Canada to a place outside of Canada. Transfers of controlled technology within Canada (for instance, transfers between computers or servers located within the country) do not constitute such a "transfer" for purposes of Canadian export controls. This historic approach is rooted in the language of the Export and Import Permits Act ("EIPA"), which defines technology "transfer" as "to dispose of it or disclose its content in any manner from a place in Canada to a place outside Canada."

GAC's Guidance clarifies that, in the case of technology, a transfer occurs specifically through disclosure. In this context, "disclosure" refers to making the content of controlled technology available from a place inside Canada to a place outside of Canada. This means that not all technology sent or stored abroad will automatically constitute an export. If the technology, even though sent or stored abroad, cannot be accessed or examined by a person outside Canada, it would not be considered "transferred" within the meaning of the EIPA.

GAC emphasizes that the key factor in the "disclosure" analysis is whether there is a reasonable possibility that someone outside Canada could access or examine the technology. If no such possibility exists, then a "transfer" is not considered to have occurred.

Notably, the Guidance highlights that the mere fact that some of the Canadian entity's servers are located in foreign jurisdictions may increase the possibility of unauthorized access; however, this alone is not sufficient to establish a reasonable possibility of disclosure. The presence of servers abroad must be considered alongside other factors, which will be discussed in more detail in the section below.

While, in our experience, the above approach to "disclosure" analysis has been followed by GAC in practice, the Guidance appears to mark the first time GAC has expressly articulated its position in written guidance and introduced the "reasonable possibility" test as the new standard for determining when a transfer has occurred.

The "Reasonable Possibility" Standard

Under this standard, GAC considers a transfer to occur if there is "more than a mere possibility, but less than the standard of more likely than not" that someone outside Canada could access or examine the technology. If there is more than a remote possibility that controlled technology could be examined by a person outside Canada in any usable form - whether through possession of decryption keys, access rights, or any other means that creates more than a remote possibility of access - the movement and storage of that technology outside Canada may be considered a "transfer" and may require an export permit. The same logic appears to apply when someone located outside Canada has a possibility of accessing controlled technology located in Canada, such as a Canadian employee who may access servers in Canada while travelling abroad. GAC emphasized in the Guidance that such assessment does not require absolute certainty or definitive proof that the technology has been or will be accessed outside Canada; it is sufficient if there is a reasonable possibility that such access could occur.

This means that it is not necessary that access be likely or certain for a transfer of controlled data to have occurred; it is sufficient if the circumstances create a realistic chance of disclosure, such as when foreign individuals hold decryption keys or access rights.

GAC further notes that the mere fact a cloud service provider operates in a jurisdiction where laws might compel access to stored technology does not, on its own, create a reasonable possibility of disclosure. The presence of robust technical and organizational safeguards implemented by the cloud service provider, as well as meaningful legal protections, such as notification requirements and the ability to challenge or appeal government access requests, can negate the conclusion that a reasonable possibility of disclosure exists.

In this regard, GAC references the Canadian Centre for Cyber Security's Guidance on cloud security assessment and authorization, and states that when technology holders implement safeguards consistent with it, or other similar security frameworks that offer the same level of protection, GAC will generally consider that there is not a reasonable possibility of access to controlled technology.

Examples of Transfers and Non-Transfers

GAC's Guidance provides practical examples to help organizations assess when the use of cloud services may constitute a transfer of controlled technology under Canadian law.

In general, a transfer is considered to occur when:

  • Individuals located outside Canada (including Canadian employees of a Canadian company) are able to access and review the controlled technology stored in Canada from abroad;
  • Controlled data is moved or stored outside Canada without adequate security measures, such as industry-standard strong encryption and effective access controls;
  • A cloud service provider creates an unencrypted disaster recovery snapshot containing controlled technology, which is then stored on servers outside Canada, making it accessible to foreign administrators.

In contrast, a transfer is not considered to occur when:

  • A Canadian company moves controlled technology from a server in Canada to a server in another country using strong, industry-standard encryption, and manages the encryption keys so that there is only a remote possibility of access by individuals outside Canada;
  • A foreign company stores its own controlled technology, encrypted to industry standards, on a Canadian server and accesses it only from outside Canada, with no access by anyone in Canada (including the Canadian cloud service provider);
  • Controlled technology, stored in a sufficiently encrypted format on a server outside Canada, is temporarily decrypted by automated, non-human processes (such as for software functions, artificial‑intelligence or machine‑learning functions (AI/ML), or graphics‑processing‑unit (GPU)‑based workloads) on a closed system, provided that no human access is possible, all unencrypted copies are destroyed, and there is no disclosure or further use.

New Emphasis on the Role of Cloud Service Providers

Another important aspect of GAC's approach is its emphasis on the role of the cloud service providers ("CSPs"). Recognizing the role CSPs play in administering and managing the underlying cloud infrastructure, GAC highlights that responsibility for safeguarding controlled technology is not borne by technology owners alone.

Instead, GAC sets out a shared responsibility model between technology owners and CSPs. While technology owners remain ultimately responsible for complying with export control requirements and ensuring that their use of cloud services does not result in a transfer within the meaning of the EIPA, they must rely on CSPs to accurately disclose and truthfully represent their security practices.

Technology owners are expected to exercise due diligence when selecting CSPs with appropriate safeguards, and to properly configure and manage services - such as encryption keys, access controls, and data placement - to prevent unintended disclosure. For their part, CSPs are expected to implement and maintain robust security measures, operate their platforms consistently with their stated security practices, and promptly notify technology owners of any actual or potential disclosures.

Key Takeaways

GAC's introduction of the "reasonable possibility" test places a practical burden on Canadian businesses to carefully assess their cloud storage arrangements, access controls, and encryption practices. If there is any more‑than‑remote chance that controlled data, whether stored in Canada or abroad, is accessible in a manner that constitutes a "transfer" under the EIPA, an export permit may be required. Organizations should therefore review their data management and security protocols to ensure compliance with these nuanced requirements.

Importantly, the storage of controlled information outside Canada should generally not be considered an export if only Canadian persons located in Canada have access to it. However, businesses must remain vigilant and confirm with their cloud service providers what specific measures are in place to prevent unauthorized foreign access. This includes verifying the provider's security practices, encryption standards, and access controls, as well as understanding the legal and regulatory environment in which the provider operates.

Ultimately, compliance with Canadian export controls in the cloud environment requires a collaborative approach between technology owners and CSPs, with both parties playing a critical role in safeguarding sensitive information and ensuring that all legal obligations are met.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
