Crossing Borders, Guarding Trust: AI, Data Sovereignty, and Donor Privacy in Uncertain Times
By Cameron A. Axford and Martin U. Wissmath
Apr 2025 Charity & NFP Law Update
Published on April 30, 2025
As Canadian charities and not-for-profits (NFPs) increasingly adopt AI and cloud-based technologies, a critical question emerges: where is our data located, and who controls it? Recent shifts in U.S. political dynamics, especially under the second presidency of Donald Trump, have reignited concerns about civil society surveillance, politicization of data access, and cross-border data transfers. For organizations that steward sensitive donor, volunteer, and program participant information, these developments demand a sober re-examination of compliance, sovereignty, and trust.
Data sovereignty refers to the principle that data is subject to the laws and governance structures of the country in which it is collected or stored. In Canada, this is primarily shaped by the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates private-sector data use, as well as provincial statutes like Quebec’s Law 25 (formerly Bill 64), Alberta’s Personal Information Protection Act (PIPA), and British Columbia’s Personal Information Protection Act (BC PIPA). These laws require transparency, consent, and accountability in handling personal information, but also allow for international data transfers, provided adequate protections are in place.
However, what is “adequate” becomes murkier when foreign governments may assert jurisdictional claims over cloud-stored or algorithmically processed data, particularly under extraterritorial legislation like the U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”). Canada’s reliance on U.S.-based cloud providers means that much of the country’s data is hosted across the border or subject to U.S. jurisdiction. Under the CLOUD Act, U.S. authorities may compel disclosure of data from American companies – even if the data is physically stored in Canada – raising legitimate worries about state surveillance, especially of organizations engaged in advocacy, immigration, or human rights work.
It is becoming increasingly critical to consider what AI-enabled surveillance could mean for donor anonymity, freedom of association, and protection from political profiling. With AI models trained on massive datasets, including those harvested through partnerships with U.S. platforms, there is a risk of inadvertent exposure of personal data, even when explicit identifiers are removed. To address this risk, organizations should have a comprehensive AI policy, as discussed in the October 2024 Charity & NFP Law AI Update.
The Canadian federal government has recognized the urgency of establishing “AI sovereignty” through its Canadian Sovereign AI Compute Strategy and related Sovereign Compute Infrastructure Program. These initiatives aim to invest in domestic AI infrastructure that aligns with Canadian values, privacy protections, and democratic accountability. These programs underscore the growing philosophical shift in Canada from “data privacy” to “data sovereignty” – a recognition that control, not just protection, is at the heart of ethical data governance.
For Canadian organizations navigating this new landscape, several steps can help ensure data remains sovereign and privacy-compliant:
Review Cross-Border Data Flows
Scrutinize AI Vendors and Tools
Update Privacy Policies and Contracts
Implement Role-Based Access and Encryption
Train Staff on AI Risks
In this time of geopolitical volatility and rapid technological evolution, data governance is no longer just a back-office function, but a board-level issue that intersects with mission integrity, public trust, and compliance. Canadian charities and NFPs must affirm their role not only as stewards of donations but as guardians of privacy. By making sovereignty-conscious choices about where and how data is stored and analyzed, organizations can protect their communities, maintain donor confidence, and stand firm in the values that underpin the sector.