Repatriating the Data Supply Chain with a Sovereign Cloud 

Our economic stability depends on the strength of our supply chains. As world politics and offshore trade routes become increasingly unstable, so does our supply of essential goods and services, making it a matter of national importance to foster and support homegrown solutions. 

Our government has invested billions to repatriate our supply chains, most recently, a $2.6 million investment under the National Trade Corridors Fund: “The digital project and study selected for investment intend to harness data and technological solutions to generate supply chain efficiencies along key Canadian trade corridors.”ⁱ  

As we prioritize a national data supply chain strategy, it’s crucial that we not lose focus on the risks that data may face. Protecting our data from foreign access must be paramount. 

Data sovereignty and the data supply chain 

In a digital world, data supply chains play a crucial role in protecting sovereignty. We don’t allow foreign interests to own or control Canadian utilities, municipalities, national defence, or other critical infrastructure because we can’t risk letting a foreign power control the systems we need to function as a sovereign nation. 

Data is part of our critical infrastructure, and whoever governs the cloud where it’s stored controls the data. Repatriating our data supply chain is imperative—especially when it comes to sensitive government and citizen information. Canadian data requires a Canadian-controlled sovereign cloud. 

Foreign owned = Foreign controlled 

The Government of Canada white paper on Data Sovereignty and Public Cloud states, “As long as a CSP that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data.”ⁱⁱ 

A CSP with offshore operations could be required to provide Canada’s sensitive data to a foreign government, exposing public service clients to a framework that doesn’t guarantee security and compliance. 

When major US players like Amazon, Microsoft, and Google dominate 61 percent of Canada’s cloud market, users face the very real possibility that their data supply chain is subject to foreign laws because their CSP operates outside Canadian jurisdiction. 

The true meaning of compliance 

While the hyperscalers will tell you that they store your data locally, the truth is, their supply chain includes third-party contractors who have access to your data and can be forced by foreign governments to hand it over. And since the winds of politics can change direction at any time, you never know when your data could be at risk of foreign seizure. 

The Government of Canada white paper on data sovereignty and public cloud states that, “Lack of full data sovereignty has the potential to damage the GC and third parties. Sensitive GC data could be subject to foreign laws and be disclosed to another government.”ⁱⁱⁱ 

For example, while your US-based CSP may have local offices in each country where they provide cloud services, as American companies they are subject to the US CLOUD Act. In its Data Law blog, Microsoft states, “The CLOUD Act amends US law to make clear that law enforcement may compel US-based service providers to disclose data that is in their ‘possession, custody, or control’ regardless of where the data is located.” ^iv 

This means that data stored on US platforms such as Azure, Google, and AWS can be subject to a warrant or subpoena by the US federal government.^v 

And it puts Canadian data privacy at risk. 

Here’s what a fully compliant CSP should provide: 

• Cloud services aligned with Canadian government regulations, reducing legal risks and ensuring seamless compliance. 
• Streamlined audits that ensure compliance with Canadian laws. 
• All data managed within Canadian boundaries. 

A true north strong solution: Protecting Canadian sovereignty  

Canadians should have confidence that their personal information will be safe when they access public services. Ensuring data privacy and compliance fosters public trust and builds a strong and free society, able to function efficiently without fear of foreign interference. As a Canadian-owned and -operated company, ThinkOn is an exclusive Canadian provider with the contractual capability to sell and deliver cloud-based data management services to support both Federal Government Sensitive (PBMM) workloads and workloads from other levels of public sector entities in Canada. 

Data sovereignty is our best defence against foreign interference 

To protect our freedoms and Canadian values, we need to keep our data in Canada, where local laws and regulations will restrict foreign access. 

ThinkOn’s true sovereign cloud is operated by domestic cloud providers who offer dedicated cloud storage that complies with Canadian privacy laws. Being local means that we can respond faster to security threats, data privacy rule changes, and shifts in the political landscape. 

Invest in homegrown talent to support domestic supply chains 

ThinkOn is 100 percent Canadian-owned. We hire Canadians to manage our public service clients’ data, ensuring secure access within our borders. Our customer service is provided by local compliance experts who understand changing Canadian laws and industry regulations. 

Here at ThinkOn, we understand the importance of homegrown solutions and technology advancements. As part of our mandate to support advanced research and development, and contribute to Canada’s skills development, ThinkOn has partnered with Canadore College in North Bay, Ontario, to open a Global Security Event Operations Centre (SOC) run by a Canadian research and response team. 

Our association with Canadore is an investment in developing home-grown talent, offering opportunities to skilled Canadian cybersecurity students and contributing to the future of the Canadian technology industry and Canadian data sovereignty. 

Paul’s full article, titled, “An investment in domestic data: Repatriating the Data Supply Chain with a Sovereign Cloud” was published in the February edition of Canadian Government Executive Magazine. Read it here.

1. Government of Canada. Transport Canada. 2024. “Government of Canada invests in projects in Quebec to improve supply chains.” https://www.canada.ca/en/transport-canada/news/2024/01/government-of-canada-invests-in-projects-in-quebec-to-improve-supply-chains.html
2. Treasury Board of Canada Secretariat. “Government of Canada White Paper: Data Sovereignty and Public Cloud” https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/gc-white-paper-data-sovereignty-public-cloud.html
3. Ibid.
4. Microsoft. “About our practices and your data.” https://blogs.microsoft.com/datalaw/our-practices/#how-many-enterprise-cloud-impacted[1] The US Department of Justice. “The Purpose and Impact of the Cloud Act,” https://www.justice.gov/criminal-oia/page/file/1153466/download