I have been in technology and compliance long enough to know when something is not right. And the situation with video conferencing platforms in Canada? It is not right.

Every day, Canadian law firms discuss privileged client matters on Zoom. Healthcare providers consult with patients on Microsoft Teams. Government officials hold sensitive meetings on WebEx. Indigenous councils discuss sovereignty matters on Google Meet.

And every single one of these conversations is potentially accessible to a foreign government.

This is not fear-mongering. This is the law. Let me explain.

What is the US CLOUD Act?

The Clarifying Lawful Overseas Use of Data Act — US CLOUD Act for short — was passed in 2018. Most Canadians have never heard of it. But it affects them every day.

The law is simple: it gives United States law enforcement the authority to demand data from any US-headquartered company. And here is the critical part — regardless of where that data is physically stored.

So when your Canadian law firm uses Zoom for client calls, and Zoom stores data in a Canadian data centre, it does not matter. Zoom is American company. The data can be requested by US authorities.

When your hospital uses Microsoft Teams for physician consultations, and Microsoft promises “Canadian data residency,” it does not matter. Microsoft is American company. US authorities can compel access.

This is not theoretical. This is how the law works.

Why Should Canadian Businesses Care?

I hear this question often: “Why would US government care about my meetings?”

Maybe they do not care about yours specifically. But consider:

If you are a law firm: Attorney-client privilege is fundamental to Canadian legal system. Your clients trust that their communications with you are confidential. But if you use American video platform, that confidentiality can be compromised by foreign government request. You may never even know it happened.

If you are in healthcare: Patient confidentiality is protected by PHIPA in Ontario, PIPA in Alberta and BC, and similar legislation across provinces. But these Canadian laws cannot protect data that is accessible to foreign government through US CLOUD Act.

If you work with government: Federal and provincial governments handle sensitive information — policy discussions, procurement decisions, security matters. Using American platforms creates vulnerability that foreign actors could potentially exploit.

If you serve Indigenous communities: First Nations, Métis, and Inuit organisations often discuss matters of sovereignty, land rights, and community governance. These conversations should not be accessible to any foreign government.

If you are any Canadian business: Your competitive information, strategic discussions, personnel matters, financial planning — all of it passes through your video calls. Do you want foreign government to potentially have access?

“But They Have Canadian Data Centres”

This is the most common misunderstanding I encounter.

Microsoft, Google, Amazon, Zoom — they all advertise Canadian data centres. They market “data residency” features. They promise your data “stays in Canada.”

Here is what they do not tell you clearly: the physical location of data does not matter under US CLOUD Act.

The law applies to the company, not the server. If the company is American, the data is subject to American law. Full stop.

A Canadian data centre operated by American company is like a Canadian bank vault with American company holding the keys. The vault is in Canada. But the keys are subject to American law.

This is not something these companies like to advertise. But it is the legal reality.

The Canadian Privacy Law Conflict

Here is where it gets complicated for Canadian businesses.

PIPEDA — Canada’s federal privacy law — requires organisations to protect personal information with appropriate security safeguards. Quebec’s Law 25 goes even further, with strict requirements for data protection and significant penalties for violations.

But if you use American platform, you cannot fully guarantee this protection. Your data is subject to foreign law that conflicts with your Canadian obligations.

This creates genuine compliance risk. If US authorities access your data through CLOUD Act, have you violated PIPEDA? Have you breached your obligations under Law 25? The legal situation is unclear — and “unclear” is not where you want to be with privacy compliance.

Some Canadian privacy commissioners have started asking questions about this. It is only matter of time before this becomes enforcement priority.

What Makes a Platform “Canadian”?

This is important question, and the answer is more complicated than you might think.

Not enough: Canadian data centre

Having servers in Canada is good start, but as I explained, it does not protect you from US CLOUD Act if the company is American.

Not enough: Canadian office or subsidiary

Many American companies have Canadian subsidiaries. But the parent company is still American, and US law still applies.

Not enough: Canadian-sounding name

Marketing can be deceiving. Always check the actual corporate structure.

What actually matters:

1. Canadian or non-US ownership: The company that controls your data must not be subject to US jurisdiction. This means Canadian-owned, or owned by company in jurisdiction that does not have equivalent to CLOUD Act (like European Union).
2. Canadian infrastructure: Not just Canadian data centres, but Canadian-owned infrastructure providers. AWS Canada and Azure Canada are still subject to US parent company jurisdiction.
3. No US sub-processors: Even if main company is Canadian, if they use American sub-processors for critical functions, your data may still be exposed.
4. End-to-end encryption: Proper encryption means even if someone accesses the servers, they cannot read your communications.
   
   

The Real Risk Assessment

Let me be honest about the risks here.

Is US government going to request your specific meeting recordings? Probably not, unless you are involved in something that interests them.

But consider:

Mass surveillance: We know from Snowden revelations that US intelligence agencies conduct broad surveillance. CLOUD Act makes this easier, not harder.

Economic espionage: Canadian businesses compete with American businesses. Trade negotiations, resource extraction, technology development — there are many areas where Canadian commercial interests diverge from American interests.

Political considerations: Relations between countries change. What is friendly cooperation today might be adversarial tomorrow. Do you want your historical communications accessible to foreign government regardless of future political situation?

Legal discovery: In US litigation, lawyers can seek broad discovery. If American company has your data, it could potentially be drawn into American legal proceedings that have nothing to do with you.

Data breaches: American companies are frequent targets for hackers. The more data they hold, the bigger the target. If your data is mixed with millions of other users on American platform, you inherit their security risk.

Who Should Care Most?

Based on my experience, these Canadian organisations should prioritise moving to Canadian platforms:

Tier 1 — Move immediately:

• Law firms (attorney-client privilege at stake)
• Healthcare providers (patient confidentiality)
• Indigenous organisations (sovereignty concerns)
• Defence contractors (national security)
• Government agencies (all levels)

Tier 2 — Move soon:

• Financial services (regulatory compliance)
• Unions and labour organisations (negotiation confidentiality)
• Technology companies (intellectual property)
• Professional services (client confidentiality)
• Educational institutions (student privacy)

Tier 3 — Evaluate carefully:

• Any organisation handling sensitive personal information
• Any organisation with competitive information to protect
• Any organisation subject to Quebec Law 25
• Any organisation serving government clients

What Canadian Alternatives Exist?

The challenge is that video conferencing market is dominated by American players. Zoom, Microsoft Teams, Google Meet, WebEx, GoToMeeting — all American.

There are some Canadian alternatives, though most are smaller and less feature-rich. When evaluating them, ask these questions:

1. Where is the company legally incorporated?
2. Who owns the company? (Check for American parent companies or investors with control rights)
3. Where is the infrastructure hosted? (And who owns that infrastructure?)
4. Who are the sub-processors? (Request the complete list)
5. Is there end-to-end encryption?
6. Can they contractually commit that data will not leave Canada?
7. Can they confirm they are not subject to US CLOUD Act or similar foreign laws?

If they cannot clearly answer these questions, they are not truly Canadian sovereign platform.

Why We Are Building Eyre Canada

I should be transparent — I am co-founder of Eyre and eyreACT AI compliance platform, and we built Eyre Canada specifically to address these concerns.

We are not American company with Canadian data centre. We are genuinely sovereign platform:

• Canadian operations under AI Systems Consulting Ltd, Canadian Division
• Canadian infrastructure hosted in Canada on Canadian-owned servers
• No US sub-processors in our critical data chain
• Not subject to US CLOUD Act or similar foreign government access laws
• End-to-end encryption so even we cannot access your meeting content
• PIPEDA compliant and Law 25 ready

When you use Eyre Canada, your video calls stay in Canada, protected by Canadian law only. No foreign government can compel access to your communications.

This is what “Canadian” should actually mean for video conferencing platform.

The Canadian Sovereignty Question

I want to end with bigger picture.

Canada has always valued its independence from United States. We have our own foreign policy, our own trade relationships, our own values. We are allies, yes, but we are not same country.

Digital sovereignty is extension of this independence. When Canadian businesses rely entirely on American digital infrastructure, we create dependency that has real consequences.

Every sensitive conversation held on American platform is conversation that could potentially be accessed by foreign government. Every piece of Canadian business data stored with American company is data subject to foreign law.

This is not anti-American sentiment. I have great respect for American innovation and American companies. But Canadian data should be subject to Canadian law. Canadian businesses should have Canadian options.

The US CLOUD Act made this choice clear. American platforms cannot guarantee the privacy that Canadian law requires. Canadian businesses need Canadian alternatives.

What Should You Do?

If this article has made you think about your video conferencing situation, here is what I recommend:

Step 1: Audit your current usage. What platforms do you use? What sensitive information passes through them?

Step 2: Assess your risk. Are you in high-risk category (legal, healthcare, government, Indigenous)? What would be consequence if foreign government accessed your communications?

Step 3: Research alternatives. Look for genuinely Canadian platforms. Ask the hard questions about ownership and infrastructure.

Step 4: Make transition plan. You do not have to switch overnight, but you should have plan.

Step 5: Update your policies. Your privacy policy and security policy should reflect where your data actually goes.

Try Eyre Canada

If you are looking for Canadian sovereign video conferencing, we invite you to try Eyre Canada.

We offer free tier so you can evaluate whether it meets your needs. Our platform has the features you expect — HD video, screen sharing, recording, calendar integration — but with genuine Canadian data sovereignty.

Your calls stay in Canada. Protected by Canadian law. Not accessible to foreign government.

That is how it should be.

Questions about Canadian video conferencing sovereignty? Contact us canada@eyre.ai