You host your files in Canada. Your provider is an American company. In that setup, your clients' professional secrecy may be exposed to a 2018 U.S. federal law — the CLOUD Act.
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows American authorities to compel disclosure of data held by companies subject to U.S. law, regardless of where that data is physically stored.
What this means for a Quebec law firm
If your practice management software is provided by a U.S. company — even with servers in Canada — client data may remain accessible to U.S. authorities under certain conditions. For a firm holding files protected by professional secrecy, that is a risk to assess before choosing a tool.
The question is not theoretical: it arises with every IT subcontracting agreement.
Hosting in Canada: necessary, not sufficient
Hosting in Canada reduces direct exposure to U.S. law on Canadian soil. But if the provider is a U.S. entity, the CLOUD Act may apply to data it controls.
« Hosting in Canada reduces exposure, but is not enough if the entity controlling the data is American. »
The Barreau du Québec has published cloud computing guidance urging firms to examine the provider's jurisdiction, not just server location.
Questions to ask your provider
- Which legal entity controls the data — U.S., Canadian or other?
- Where are primary servers and backups located?
- Is there a Bill 25-compliant subcontracting agreement?
- Can the provider notify the firm before a compelled disclosure?
These four questions form the minimum due diligence before any adoption.
Connection to Bill 25
Bill 25 requires a privacy impact assessment before entrusting personal information to a processor. Choosing a host subject to the CLOUD Act is part of that analysis — not a technical detail for IT alone.
Documenting that assessment protects you as much as it protects your clients.