On November 5, 2025, Global Affairs Canada (GAC) released Notice to Exporters No. 1159 (the Guidance), clarifying when the use of cloud services constitutes an export of controlled technology under the Export and Import Permits Act (EIPA) and therefore requires an export permit.
The Guidance responds to growing uncertainty among businesses that use cloud computing to house controlled technology. The Guidance outlines specific security standards that can mitigate the risk of triggering export permit obligations and highlights common situations that are likely to constitute an export.
Background: Disclosure of Technology Abroad
Cloud computing enables organizations to store and access technology remotely, often on servers distributed globally.
The EIPA controls the export of controlled “technology.” This includes technical data, assistance or other information used in the development, production or use of items listed on Canada’s Export Control List. This can include not only original files, but also telemetry or derived data (e.g., metadata, logs and disaster recovery snapshots) when they include controlled information.
A “transfer” occurs when such technology is disposed of or “disclosed” in any manner from a place in Canada to a place outside Canada. The Guidance addresses what constitutes a “disclosure” and therefore a transfer or export outside Canada.
Key Elements of the Guidance
1. A Transfer Occurs Where There is a Disclosure or “Reasonable Possibility” of Disclosure
The Guidance specifies that controlled technology is “disclosed” if it is sent from Canada and stored in a foreign location in a way that creates a reasonable possibility that a person outside Canada would be in a position to examine that technology.
There is no requirement for evidence that the technology has been or will be viewed for there to be a reasonable possibility. Further, there will still be a “disclosure” if access or examination by a person outside Canada occurs, even if no reasonable possibility was foreseen.
This means that a transfer is not likely to occur when a controlled technology is stored in a foreign location if there is not a reasonable possibility that a person would be able to access or examine that technology, and where no such access or examination in fact occurs.
2. When Use of Foreign Cloud Services Does Not Constitute a Transfer
The use of foreign cloud services is not likely to constitute a transfer or disclosure where:
- Technology is stored abroad using industry-standard strong encryption, with encryption keys held exclusively in Canada
- Cloud services providers (CSPs) adopt safeguards consistent with the Canadian Centre for Cyber Security’s Guidance on cloud security assessment and authorization
- Technology is temporarily decrypted by automated processes (e.g., translation or formatting functions) within a closed system where all unencrypted copies are immediately destroyed
3. When Use of Cloud Services Likely Constitutes a Transfer
The use of cloud services is likely to constitute a transfer where:
- An individual outside Canada accesses controlled technology stored on Canadian cloud servers while abroad
- A person located outside of Canada, such as an information technology administrator, holds decryption keys or routine access rights to controlled technology
- Controlled technology is moved or backed up to servers located outside of Canada without adequate safeguards on those servers, such as strong encryption or access controls
- Unencrypted disaster recovery files are stored on servers located outside of Canada that are accessible by personnel outside Canada
4. Server Location and Risk Assessment
Server location is relevant only if it affects the reasonable possibility of disclosure. The existence of foreign legal regimes that compel access to information on cloud servers does not itself create a “reasonable possibility” of disclosure, provided there are adequate technical protection and/or legal safeguards that allow an owner to be notified and/or oppose the disclosure.
5. Shared Responsibility Between Technology Owners and CSPs
Technology owners are responsible for ensuring cloud use does not trigger a transfer. This includes selecting secure providers and managing encryption, access controls and data placement. CSPs are required to operate according to their security commitments and notify clients of potential disclosures.
6. Export Permit Requirements
An export permit is required before any controlled technology is made accessible outside Canada. GAC encourages parties to apply for a permit when in doubt.
Export permits do not authorize unintended disclosures or security breaches. In such cases, companies should submit a Disclosure of Non-Compliance in accordance with the Export and Brokering Controls Handbook.
Key Considerations
Canadian businesses that store, process or share controlled technology in the cloud are encouraged to review the Guidance and assess their cloud security arrangements and contracts with CSPs and their third-party service providers that use CSPs. Seek legal advice if you are unsure whether an export is likely to occur.
For more information, please contact the authors or any other member of our International Trade group.
More insights
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2025 Blake, Cassels & Graydon LLP
