By Cameron A. Axford and Martin U. Wissmath

As Canadian charities and not-for-profits (NFPs) increasingly adopt AI and cloud-based technologies, a critical question emerges: where is our data located, and who controls it? Recent shifts in U.S. political dynamics, especially under the second presidency of Donald Trump, have reignited concerns about civil society surveillance, politicization of data access, and cross-border data transfers. For organizations that steward sensitive donor, volunteer, and program participant information, these developments demand a sober re-examination of compliance, sovereignty, and trust.

Data sovereignty refers to the principle that data is subject to the laws and governance structures of the country in which it is collected or stored. In Canada, this is primarily shaped by the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates private-sector data use, as well as provincial statutes like Quebec’s Law 25 (formerly Bill 64), Alberta’s Personal Information Protection Act (PIPA), and British Columbia’s Personal Information Protection Act (BC PIPA).

These laws require transparency, consent, and accountability in handling personal information, but also allow for international data transfers, provided adequate protections are in place. However, what is “adequate” becomes murkier when foreign governments may assert jurisdictional claims over cloud-stored or algorithmically processed data, particularly under extraterritorial legislation like the U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”).

Canada’s reliance on U.S.-based cloud providers means that much of the country’s data is hosted across the border or subject to U.S. jurisdiction. Under the CLOUD Act, U.S. authorities may compel disclosure of data from American companies – even if the data is physically stored in Canada – raising legitimate worries about state surveillance, especially of organizations engaged in advocacy, immigration, or human rights work.

It is becoming increasingly critical to consider what AI-enabled surveillance could mean for donor anonymity, freedom of association, and protection from political profiling. With AI models trained on massive datasets, including those harvested through partnerships with U.S. platforms, there is a risk of inadvertent exposure of personal data, even when explicit identifiers are removed. To address this risk, organizations should have a comprehensive AI policy, as discussed in the October 2024 Charity & NFP Law AI Update.

The Canadian federal government has recognized the urgency of establishing “AI sovereignty” through its Canadian Sovereign AI Compute Strategy and related Sovereign Compute Infrastructure Program. These initiatives aim to invest in domestic AI infrastructure that aligns with Canadian values, privacy protections, and democratic accountability. These programs underscore the growing philosophical shift in Canada from “data privacy” to “data sovereignty” – a recognition that control, not just protection, is at the heart of ethical data governance.

For Canadian organizations navigating this new landscape, several steps can help ensure data remains sovereign and privacy-compliant:

Review Cross-Border Data Flows

• Conduct a data mapping exercise to identify where donor and constituent data is stored and processed.
• Work with IT providers to ensure that data residency options (e.g., Canadian-based data centres) are enabled and documented.

Scrutinize AI Vendors and Tools

• Examine whether any AI-based fundraising, outreach, or analytics tools use U.S. or third-country infrastructure.
• Seek out Canadian or open-source alternatives when possible, or demand contractual guarantees regarding data localization and non-use for secondary purposes, though the latter option may still lead to the possibility of the data being accessed by the U.S. government via the CLOUD Act, if the vendor is an American based company.

Update Privacy Policies and Contracts

• Revise consent language to reflect transparency about AI use and potential international transfers.
• Review vendor agreements to ensure compliance with PIPEDA or provincial law.

Implement Role-Based Access and Encryption

• Limit access to sensitive donor or beneficiary data to personnel with a direct need to know.
• Encrypt data in transit and at rest, especially where data is stored on servers outside of Canada.

Train Staff on AI Risks

• Provide regular training on ethical AI usage and privacy compliance.
• Emphasize the heightened risks of using free or opaque tools that may scrape or profile donor behavior.

In this time of geopolitical volatility and rapid technological evolution, data governance is no longer just a back-office function, but a board-level issue that intersects with mission integrity, public trust, and compliance. Canadian charities and NFPs must affirm their role not only as stewards of donations but as guardians of privacy.

By making sovereignty-conscious choices about where and how data is stored and analyzed, organizations can protect their communities, maintain donor confidence, and stand firm in the values that underpin the sector.

​Read the April 2025 Charity & NFP Law Update