3 December 2025 | 3 minute read

Cloud storage of controlled technology: New guidance for Canadian exporters

As organizations increasingly rely on cloud computing, many face complex compliance obligations under Canada’s Export and Import Permits Act (EIPA) when storing or transmitting controlled technology. Global Affairs Canada (GAC) recently issued guidance in the form of a notice to exporters: Notice to exporters no 1159 – Guidance on the movement to and storage of controlled technology in the Cloud (the Guidance), which clarifies when the use of cloud services constitutes an “export” requiring a permit and how cloud service users and cloud service providers can structure safeguards so that no permit is required.

When does cloud storage constitute an export?

The central question addressed in the Guidance is whether storing controlled technology in a cloud environment amounts to a “transfer” under the EIPA. The Guidance interprets a transfer as occurring when there is a “reasonable possibility” that a person outside Canada could examine the controlled technology. The physical location of servers is not determinative; it matters only insofar as it affects the likelihood that persons abroad could access or examine the technology.

In assessing “reasonable possibility”, the analysis must consider technical, organizational, and legal safeguards. While local laws in some jurisdictions may increase the risk of compelled or unauthorized access, a foreign government’s legal authority to compel disclosure does not, by itself, create a reasonable possibility of foreign disclosure if meaningful legal safeguards exist, including opportunities for notice and for challenge or appeal. The operative question is whether the combined safeguards reduce the likelihood of foreign disclosure to no more than a remote possibility.

Structuring safeguards to avoid an export under the EIPA

GAC indicates that an export permit will generally not be required where technology holders, owners, and any party in possession, including cloud service providers, implement safeguards that meet or exceed those set out in the Canadian Centre for Cyber Security’s Guidance on cloud security assessment and authorization. When applying this principle, the focus should be on end‑to‑end controls that prevent access outside Canada to usable, unencrypted data.

Risk factors that increase the likelihood of a transfer include storing unencrypted controlled technology on servers outside Canada, granting access or decryption keys to individuals located abroad, and deploying insufficient technical safeguards or weak access controls. By contrast, if strong encryption is applied and decryption keys are generated, stored, and managed exclusively in Canada, the movement or storage of technology outside Canada will generally not be considered a transfer under the EIPA and no export permit will be required. The Guidance provides practical examples of cloud configurations that are, and are not, likely to constitute a transfer requiring a permit.

Additional compliance considerations

The Guidance considers several related practical issues:

  • Shared responsibility: Cloud security and EIPA compliance follow a shared-responsibility model: cloud service providers secure the underlying infrastructure and must accurately represent and maintain safeguards, while technology owners are responsible for configuring and managing access to ensure cloud use does not amount to a transfer. Because these responsibilities often overlap, both parties should collaborate to prevent unintended disclosure and embed appropriate safeguards in contractual agreements.

  • Export permit applicant: The appropriate applicant for an export permit is typically the person or organization responsible for the transfer at issue. In most cases, that will be the cloud service user rather than the cloud service provider.

  • Encryption key management practices: Customer-managed encryption keys that are stored and controlled in Canada can materially reduce risk, but only if implemented to ensure decryption cannot occur outside Canada without the technology owner’s authorization and if paired with complementary controls such as network segmentation, access management and monitoring.

  • Reassessments: Any change that affects where or how controlled technology is stored, including migrating to a new cloud service provider, enabling new services, or altering key management, warrants reassessment to confirm the likelihood of foreign disclosure remains no more than a remote possibility.

  • Travel abroad: Travel can trigger an export if a person outside Canada actually accesses a cloud environment containing controlled technology or if reasonable precautions to protect the controlled technology are not implemented.

Consequences of non-compliance under the EIPA

As a reminder, non-compliance with the EIPA can attract significant criminal penalties. A contravention may be prosecuted either summarily (fine up to $250,000 and/or up to 12 months’ imprisonment) or by indictment (a fine in the court’s discretion and/or up to 10 years’ imprisonment). Where an organization commits an offense, any officer or director who directed, authorized, assented to, acquiesced in, or participated in the offense is personally liable and subject to the same penalties, whether or not the organization itself is prosecuted or convicted.

Practical takeaways for organizations using cloud computing and cloud service providers

Organizations using cloud solutions should:

  • Review and strengthen security practices to align safeguards with the Canadian Centre for Cyber Security’s Guidance on cloud security assessment and authorization or an equivalent framework, with the objective of reducing the likelihood of foreign disclosure of controlled technology to no more than a remote possibility.

  • Conduct risk assessments of cloud service providers’ security tools and practices, taking into account the legal environment in host jurisdictions, including whether meaningful safeguards exist, such as notice and challenge or appeal rights in the event of compelled disclosure.

  • Coordinate with cloud service providers on shared controls, closing security gaps, implementing robust encryption and key management, and configuring identity, access, network, and logging controls to preclude more than a remote possibility of foreign access.

  • Ensure contracts clearly allocate security responsibilities and document technical and operational safeguards.

  • Adopt procedures to ensure that the information security controls continue to meet organizational needs on a present and ongoing basis.

Technology holders responsible for the movement and storage of controlled technology in the cloud should remain vigilant regarding export permitting requirements under the EIPA, and obtain a permit before any transfer where such a permit is required.
