A Canadian court has ordered French cloud provider OVHcloud to hand over customer data stored in Europe, potentially undermining the provider's claims about digital sovereignty protections.
According to documents seen by The Register, the Royal Canadian Mounted Police (RCMP) issued a Production Order in April 2024 demanding subscriber and account data linked to four IP addresses on OVH servers in France, the UK, and Australia as part of a criminal investigation.
OVH has a Canadian arm, which was the jumping-off point for the courts, but OVH Group is a French company, so the data in France should be protected from prying eyes. Or perhaps not.
Rather than using established Mutual Legal Assistance Treaties (MLAT) between Canada and France, the RCMP sought direct disclosure through OVH's Canadian subsidiary.
This puts OVH in an impossible position. French law prohibits such data sharing outside official treaties, with penalties up to €90,000 and six months imprisonment. But refusing the Canadian order risks contempt of court charges.
- NATO taps Google for air-gapped sovereign cloud
- Microsoft-SAP pact aims to keep Euro cloud running in a crisis
- Europe's IT spend to surge 11% as cloud sovereignty fever takes hold
- Geopolitics push European CIOs to think local on cloud
On September 25, a decision on the production order by Justice Heather Perkins-McVey was released, rejecting an application to have it revoked. Justice Perkins-McVey said: "The Court must balance the interests of the state and the respondent." In this instance, the national security nature of the investigation trumped other concerns.
Unsurprisingly, not least because Justice Perkins-McVey set a deadline of October 27 for data disclosure, an application for judicial review was filed. It states that OVH "will be forced to choose between the risks of criminal liability in Canada and/or France, including imprisonment and fines" and the "urgency flows directly from the compliance deadline imposed by the Review Decision."
Under Trump 2.0, economic and geopolitical relations between Europe and the US have become increasingly volatile, something Microsoft acknowledged in April.
Against this backdrop, concerns about the US CLOUD Act are growing. Through the legislation, US authorities can request - via warrant or subpoena - access to data hosted by US corporations regardless of where in the world that data is stored. Hyperscalers claim they have received no such requests with respect to European customers, but the risk remains and European cloud providers have used this as a sales tactic by insisting digital information they hold is protected.
In the OVH case, if Canadian authorities are able to force access to data held on European servers rather than navigate official channels (for example, international treaties), the implications could be severe.
Mark Boost, CEO of Civo, told The Register: "We are watching this case very closely because it has the potential to set a major precedent.
"If courts decide that a foreign government can reach into data stored inside another country simply because a provider has a commercial presence there, it changes the entire meaning of sovereignty. It would raise real doubts about whether local storage is enough, or whether customers need stronger guarantees around who actually owns and controls the infrastructure behind the scenes.
He added: "If the Canadian position is upheld, it will force the industry to rethink how sovereignty is protected in practice. Customers may need to look beyond data location and start asking hard questions about corporate structure, legal separation, and how providers shield users from overseas claims."
Earlier this week, GrapheneOS announced it no longer had active servers in France and was in the process of leaving OVH.
The privacy-focused mobile outfit said, "France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed. We don't feel safe using OVH for even a static website with servers in Canada/US via their Canada/US subsidiaries."
In August, an OVH legal representative crowed over the admission by Microsoft that it could not guarantee data sovereignty.
It would be deeply ironic if OVH were unable to guarantee the same thing because the company has a subsidiary in Canada.
The Register asked OVH to comment and a spokesperson told us a response was incoming, though it had not arrived at the time of publication. ®