Why AWS Canada Is Not Actually Sovereign (And Why It Matters for PHIPA)

When a healthcare IT director evaluates cloud AI vendors, the first question is usually: "Is the data in Canada?" If the answer is yes, many teams stop asking questions. That instinct is understandable — but legally, it is wrong. Data location and data sovereignty are not the same thing, and conflating them creates real PHIPA exposure.

This post explains exactly why "data in Canada" is insufficient for PHIPA compliance when your vendor is a US corporation, and what genuine sovereignty actually requires.

The CLOUD Act: What It Actually Says

The Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713), enacted in 2018, requires US-based companies to preserve, backup, or disclose communications and records in their control — regardless of where those records are stored. The operative phrase is "regardless of where such data is located." There is no geographic carve-out for Canada.

This is not a theoretical risk. US government agencies can issue a warrant or court order to an AWS entity and compel production of data stored on AWS Canada servers in Toronto. AWS's legal obligation under US law supersedes any contractual commitment it makes to Canadian customers about data residency.

AWS Canada's Corporate Structure

Amazon Web Services operates its Canadian infrastructure through Amazon Web Services Canada, Inc. — a wholly-owned subsidiary of Amazon.com, Inc., a Delaware corporation. The subsidiary structure does not insulate AWS Canada from the CLOUD Act. US courts have consistently held that parent company control over a subsidiary's data means the parent is subject to US court orders requiring production, regardless of where the subsidiary stores data.

AWS's own documentation acknowledges this. The AWS Customer Agreement notes that AWS may disclose customer content "to comply with any applicable law or regulation." This carve-out is precisely what the CLOUD Act leverages.

What This Means Under PHIPA

Ontario's Personal Health Information Protection Act (PHIPA) places affirmative obligations on health information custodians (HICs) to protect personal health information from unauthorized disclosure. Section 55.7 requires custodians implementing information practices to ensure PHI is protected from unauthorized collection, use, disclosure, retention, and disposal.

Here is the problem: if a US government agency issues a CLOUD Act order to AWS requiring disclosure of PHI stored on AWS Canada, that disclosure was not authorized by the patient, the custodian, or Ontario law. Under PHIPA's framework, the custodian — your clinic, hospital, or health system — may have facilitated an unauthorized disclosure simply by using a US-controlled cloud provider.

The "AWS Canada Is HIPAA/PHIPA Compliant" Problem

AWS publishes a list of HIPAA-eligible services and offers a Business Associate Agreement (BAA) for US healthcare customers. Many Canadian vendors point to this and similar AWS compliance certifications as evidence of PHIPA suitability. This reasoning has a gap.

Compliance certifications (SOC 2, ISO 27001, HIPAA eligibility) describe AWS's internal security controls. They do not change AWS's legal obligations under US federal law. A company can be SOC 2 certified and still be required to comply with a CLOUD Act order. The two are entirely separate questions.

PHIPA compliance requires your vendor to be legally incapable of producing your data under foreign law — not merely contractually committed to not doing so.

What Genuine Sovereignty Requires

True legal sovereignty for Canadian health data requires the vendor to satisfy three conditions simultaneously:

• Canadian incorporation: The entity controlling the data must be incorporated and operating under Canadian law — specifically outside the jurisdictional reach of the CLOUD Act. An Ontario-incorporated Canadian-controlled private corporation (CCPC) is not a "provider" under US law.
• No US corporate parent: The vendor must not have a US parent company whose control over the subsidiary would bring the data within CLOUD Act reach.
• Physical data residency: Data must be processed and stored on hardware that physically does not transit US networks or data centers — not just contractually "designated" to Canada.

Sovereign AI Gateway is an Ontario CCPC with no US corporate parent. The CLOUD Act does not apply to us. When we say your data never leaves Ontario, we mean it is legally and architecturally impossible for us to be compelled to produce it under US law — because US law simply does not reach us.

The Audit Question You Should Be Asking

At your next vendor review, add one question to your checklist: "If the US Department of Justice issued a court order tomorrow requiring you to produce our patient data, what would happen?" For any US-controlled vendor — regardless of where they store your data — the honest answer is that they would have to comply. For a Canadian CCPC, the honest answer is that the order would have no legal force over us.

That difference is the gap between data residency and data sovereignty. For Ontario health information custodians with PHIPA obligations, it is not a minor distinction.