Sunday, December 14, 2025

When student data is hacked & stolen: Regulators’ lessons from the PowerSchool data breach


You may recall hearing about a significant cybersecurity breach affecting school boards from the end of last year and the beginning of this year: the PowerSchool cybersecurity incident. In the past little while, the Information and Privacy Commissioners of Ontario and Alberta have released their reports of findings into the incident. (Ontario, Alberta) There is some interesting stuff in there that I think is worth chatting about. I’ll note that the Information and Privacy Commissioner of Saskatchewan also released a report of findings in August of this year.


This incident affected millions of students, parents, and educators across the country, involved sensitive personal information, and raised questions about outsourcing, cybersecurity, and accountability in the public sector. But many of these issues will be relevant for the private sector. You simply can’t outsource accountability for protecting data. 


One thing to be sensitive to is that school boards are chronically under-resourced and have a very hard time meeting their privacy and security obligations under existing budgets. Personally, I think the provinces should take a much more active role in working with school boards and their contractors to ensure the highest levels of cybersecurity. We’re seeing that with health information systems, and should expect it for student information systems.


Before I get into the main point of this episode, one digression … At least in Canada, we always have to ask “what privacy law applies?” When the incident came to light, it was completely clear that at least in Canada, public school boards and their students were affected. Every school board is subject to a provincial public sector privacy law. So there’d be no doubt that a provincial Information and Privacy Commissioner would have jurisdiction to investigate the incident. 


It was interesting that the federal commissioner jumped in there. The federal commissioner has jurisdiction under the federal Personal Information Protection and Electronic Documents Act – or PIPEDA – where there is a collection, use and disclosure of personal information in the course of commercial activity. 


In this case, the collection, use and disclosure of personal information was in the course of the school boards’ non-commercial activities. The fact that the contractor – in this case PowerSchool – is doing this for commercial purposes should not give the federal commissioner jurisdiction. While both public and private sector privacy laws contain obligations to safeguard data, they work in very different ways. If a public sector privacy law applies to the school board while the private sector law applies to the contractor with respect to the same information, the result is unworkable. The two categories of laws are simply not compatible.


Regardless, the federal Office of the Privacy Commissioner of Canada also started making inquiries with PowerSchool, first announced on January 20. On February 11, the federal Commissioner announced they had launched an investigation and noted that they’d remain in close contact with provincial and territorial counterparts on the incident. There was no mention of the basis for his jurisdiction to investigate.


In July, the federal Commissioner announced that they’d negotiated a number of commitments from PowerSchool regarding cybersecurity upgrades, certification and monitoring. It’s worth noting that the letter of commitment specifically says that the Commissioner was of the view that PIPEDA applied in this case, that PowerSchool did not agree, and that PowerSchool reserves all future rights. And rightly so. At some point, we really need a court to step in to clearly lay down the lines between privacy laws in Canada. 


Thanks for indulging me for this digression. Now onto the main part of this episode, where I plan to cover four things:


  1. The background to PowerSchool and how schools use it

  2. What happened in the cyberattack

  3. What the Ontario and Alberta regulators investigated and concluded

  4. Where their findings align — and where they differ


PowerSchool is a major education technology provider. Across Canada, school boards use PowerSchool’s Student Information System, or SIS, to manage day-to-day education operations. That includes:


  • Student enrollment and attendance

  • Grades and academic records

  • Contact information for students and parents

  • Medical alerts, accommodations, and special needs

  • Staff and educator information


In many provinces, PowerSchool hosts this data in cloud-based environments that are largely operated and managed by PowerSchool itself, not the school boards. Of course, it’s done on the school boards’ behalf. 


Crucially, under Canadian privacy laws, school boards remain legally responsible for the personal information — even when a third-party service provider is handling it. That legal principle becomes very important once something goes wrong.


THE INCIDENT: WHAT HAPPENED?


The cyberattack was discovered in late December 2024.


Here’s what investigators from Ontario and Alberta determined happened. A threat actor obtained valid credentials belonging to a PowerSchool support contractor. These credentials had elevated privileges, meaning they could access PowerSchool’s internal support portal called PowerSource. PowerSource exists so that PowerSchool staff can provide remote technical support to customer school boards.


Once inside PowerSource with these credentials, the attacker was able to access multiple school boards’ Student Information System environments — effectively stepping through the front door.


From there, the attacker accessed student and educator databases and exfiltrated large volumes of personal information. The data was copied, not encrypted: this was data theft, not ransomware in the traditional “systems locked” sense that we often see.


The compromised data included:


  • Names, dates of birth, and contact details

  • Student ID numbers

  • Medical alert fields and accommodations

  • Guardianship or custody indicators

  • Educator contact and employment details


In Alberta, some school boards reported that social insurance numbers were also involved.


After the breach was discovered, PowerSchool paid a ransom, reportedly believing that the data would be deleted. Months later, a second extortion attempt occurred involving the same stolen data — a reminder that once data is taken, control is largely lost.


Paying the ransom might have been a very sensible thing to do in the circumstances, but it’s no guarantee that the data’s been deleted and will never re-surface.


THE REGULATORY RESPONSE


Because public bodies were involved, this triggered investigations by provincial privacy regulators.


  • In Ontario, the Information and Privacy Commissioner investigated 20 school boards and the Ministry of Education.

  • In Alberta, the Information and Privacy Commissioner investigated 33 school boards, charter schools, and a francophone authority.


In both provinces, the regulators focused on a central legal question: Did the public bodies take reasonable measures to protect personal information, as required by their respective privacy statutes?



ONTARIO FINDINGS


The Ontario Commissioner concluded that, as a group, the institutions did not meet their statutory obligations under FIPPA and MFIPPA. That’s the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act. 


There were three major themes in the Ontario findings: (1) Inadequate Security Safeguards, (2) Weak Contracts and Oversight, and (3) Data Minimization and Retention Failures.  


1. Inadequate Security Safeguards


The Commissioner identified multiple weaknesses in the security safeguards:


  • PowerSchool accounts with excessive privileges - The rationale for the principle of least privilege is to reduce security and privacy risk by limiting the damage that can result from human error, malicious insiders, or compromised accounts. It should be implemented by granting users, systems, and applications only the specific permissions required to perform defined tasks, using restrictive defaults, role-based or task-based access controls, time-limited elevation of privileges, and regular access reviews to remove unnecessary or outdated permissions.


  • No mandatory multi-factor authentication for PowerSource access - This is one of the most important and effective measures for preventing unauthorized use of purloined credentials, particularly where the second factor cannot itself be phished or replayed. 


  • “Always-on” remote maintenance access - This meant that anyone holding the credentials could reach the maintenance tools at any time, rather than only at the invitation of an individual school board.


  • Short log-retention periods, which limited detection of earlier suspicious activity
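The following Python sketch is an added example, not PowerSchool’s code and not anything taken from the commissioners’ reports. It models two of the safeguards above for a support portal like PowerSource: customer-initiated, time-boxed support access with mandatory MFA in place of always-on maintenance access, and a detection that flags a single support credential touching many distinct tenants in a short window, which is the pattern of stepping through many boards’ environments. It also shows what a short log-retention period hides from an investigator. The tenant names, user names, timestamps and log lines are all constructed for the example.

```python
"""
Added example, not PowerSchool's code and not from either commissioner's report.
Models two of the safeguards in the Ontario findings for a support portal:
 1. customer-initiated, time-boxed support access with mandatory MFA instead of
    "always-on" maintenance access;
 2. a detection that flags one support credential touching many distinct tenants
    in a short window, and shows what a short log-retention period hides.
Tenant names, user names, timestamps and log lines are all constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AccessGrant:
    tenant: str
    opened_by: str          # customer admin who invited support in
    expires_at: datetime


@dataclass
class SupportSession:
    user: str
    mfa_verified: bool


class SupportPortal:
    """Authorization decision for a support account reaching a customer tenant."""

    def __init__(self) -> None:
        self._grants: dict[str, AccessGrant] = {}
        self.audit: list[str] = []      # every decision is logged, allow or deny

    def open_grant(self, tenant: str, opened_by: str, now: datetime,
                   ttl: timedelta = timedelta(hours=4)) -> None:
        # The customer opens a time-limited window; nothing is reachable without one.
        self._grants[tenant] = AccessGrant(tenant, opened_by, now + ttl)

    def authorize(self, session: SupportSession, tenant: str, now: datetime) -> bool:
        grant = self._grants.get(tenant)
        if not session.mfa_verified:
            reason = "deny: mfa not verified"
        elif grant is None:
            reason = "deny: tenant has no open support grant"
        elif now >= grant.expires_at:
            reason = "deny: support grant expired"
        else:
            reason = f"allow: grant opened by {grant.opened_by}"
        self.audit.append(f"{now.isoformat()} user={session.user} tenant={tenant} {reason}")
        return reason.startswith("allow")


# Constructed access-log lines in a "timestamp key=value ..." format.
LOG_LINES = [
    "2024-12-10T22:14:05 user=support_contractor tenant=board_a action=login",  # earlier, quiet
    "2024-12-22T09:00:00 user=helpdesk_user tenant=board_a action=view_student",
    "2024-12-22T09:20:00 user=helpdesk_user tenant=board_a action=view_student",
    # burst: one support credential walking through five tenants in half an hour
    "2024-12-22T03:01:10 user=support_contractor tenant=board_a action=export_students",
    "2024-12-22T03:09:41 user=support_contractor tenant=board_b action=export_students",
    "2024-12-22T03:17:02 user=support_contractor tenant=board_c action=export_students",
    "2024-12-22T03:25:55 user=support_contractor tenant=board_d action=export_students",
    "2024-12-22T03:33:20 user=support_contractor tenant=board_e action=export_students",
]
NOW = datetime(2024, 12, 28, 12, 0, 0)   # constructed: when the investigation starts


def parse_line(line: str) -> tuple[datetime, dict[str, str]]:
    ts, *pairs = line.split()
    return datetime.fromisoformat(ts), dict(p.split("=", 1) for p in pairs)


def retained(lines: list[str], now: datetime, retention: timedelta) -> list[str]:
    """What an analyst can still see under a given log-retention period."""
    return [ln for ln in lines if parse_line(ln)[0] >= now - retention]


def find_mass_tenant_access(lines: list[str], window: timedelta = timedelta(hours=1),
                            max_tenants: int = 3) -> dict[str, list[str]]:
    """Users who touched more than max_tenants distinct tenants inside any window."""
    by_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, f in sorted((parse_line(ln) for ln in lines), key=lambda e: e[0]):
        by_user[f["user"]].append((ts, f["tenant"]))
    hits: dict[str, list[str]] = {}
    for user, events in by_user.items():
        start = 0
        for end in range(len(events)):            # sliding window over this user's events
            while events[end][0] - events[start][0] > window:
                start += 1
            tenants = {t for _, t in events[start:end + 1]}
            if len(tenants) > max_tenants:
                hits[user] = sorted(tenants)
    return hits


def first_seen(lines: list[str], user: str) -> str | None:
    """Earliest timestamp (ISO string) for a user in the visible logs, or None."""
    stamps = [ts for ts, f in map(parse_line, lines) if f["user"] == user]
    return min(stamps).isoformat() if stamps else None


def demo() -> dict:
    """Run both parts on the constructed data and return the results."""
    t0 = datetime(2024, 12, 22, 3, 0, 0)
    portal = SupportPortal()
    no_mfa = SupportSession("support_contractor", mfa_verified=False)
    with_mfa = SupportSession("support_contractor", mfa_verified=True)
    decisions = [portal.authorize(no_mfa, "board_a", t0),        # no MFA
                 portal.authorize(with_mfa, "board_a", t0)]      # no grant yet
    portal.open_grant("board_a", "board_a_admin", t0)
    decisions += [portal.authorize(with_mfa, "board_a", t0 + timedelta(minutes=5)),  # in grant
                  portal.authorize(with_mfa, "board_b", t0 + timedelta(minutes=5)),  # other tenant
                  portal.authorize(with_mfa, "board_a", t0 + timedelta(hours=5))]    # expired
    seven_days = retained(LOG_LINES, NOW, timedelta(days=7))
    return {
        "decisions": decisions,
        "audit_entries": len(portal.audit),
        "hits": find_mass_tenant_access(LOG_LINES),
        "lines_visible_7d": len(seven_days),
        "first_seen_30d": first_seen(retained(LOG_LINES, NOW, timedelta(days=30)), "support_contractor"),
        "first_seen_7d": first_seen(seven_days, "support_contractor"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints the authorization decisions and the detection results. The retention comparison at the end is the point of the last two values: with a seven-day retention period the earlier login by the same credential is no longer in the logs at all, so an analyst cannot tell whether the export burst was the first use of that credential or the last step of something that started weeks earlier.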


While PowerSchool operated the systems, Ontario emphasized that the school boards were still responsible for ensuring reasonable protections were in place.


2. Weak Contracts and Oversight


Ontario was particularly critical of how school boards managed their contracts with PowerSchool.

Many agreements:


  • Lacked meaningful audit rights

  • Did not require detailed security reporting

  • Had limited enforcement mechanisms

  • Did not clearly address subcontractors


Even more importantly from the OIPC’s point of view, the boards did not actively monitor PowerSchool’s compliance with those contracts. In other words, contractual promises existed — but verification did not.


3. Data Minimization and Retention Failures


The Ontario Commissioner also focused on data minimization and retention failures. The Commissioner found that many institutions simply collected more data than necessary and retained data far longer than required.


That significantly amplified the harm when the breach occurred. If you don’t need it, don’t collect it. If you no longer need it, don’t retain it. If you fail on either one of those – or both! – you have more data that you have to protect and more data that’s affected if things go wrong. 


The Ontario Commissioner also found that breach response planning was inconsistent and, in some cases, inadequate.


ALBERTA FINDINGS


Alberta reached a similar conclusion, but approached the analysis somewhat differently.


The Alberta Commissioner found that the educational bodies failed to comply with section 38 of the FOIP Act, which requires reasonable security arrangements.


Key aspects of Alberta’s findings included (1) a lack of internal policies and governance, (2) treating PowerSchool as an “employee”, and (3) an emphasis on the sensitivity of children’s data.


1. Lack of Internal Policies and Governance


Alberta placed strong emphasis on the fact that many educational bodies:


  • did not have adequate privacy or vendor-management policies

  • could not point to documented procedures for assessing or monitoring service providers

  • simply relied heavily on PowerSchool’s assurances


From the Alberta OIPC’s perspective, privacy compliance begins with governance.


2. PowerSchool Treated as an “Employee”


One notable legal point in Alberta’s report is that, under FOIP, a service provider performing services for a public body is legally treated as an “employee”. That meant PowerSchool’s actions were attributed directly to the school boards themselves. This reinforces the idea that outsourcing does not reduce accountability.


3. Strong Emphasis on Sensitivity of Children’s Data


Alberta was particularly explicit in recognizing that children’s personal information is inherently highly sensitive, especially medical and accommodation data.


That sensitivity raised the expected standard of protection — and Alberta concluded that PowerSchool’s safeguards fell below that standard.


KEY DIFFERENCES BETWEEN ONTARIO AND ALBERTA 


The conclusions in Ontario and Alberta were broadly aligned, but there are some differences in emphasis.


1. Governance vs. Contracting Focus


  • Ontario focused heavily on contracts, oversight, and vendor management failures.

  • Alberta focused more on internal policies, governance frameworks, and statutory accountability.


2. Sensitivity of Information


  • Alberta placed stronger, more explicit weight on the heightened sensitivity of children’s data.

  • Ontario addressed sensitivity, but framed much of the analysis around risk amplification through retention and over-collection.


Despite these differences, both regulators reached the same core conclusion: The public bodies did not meet their legal obligations, and outsourcing did not excuse that failure.


BROADER LESSONS


There are several broader takeaways from these investigations.


First, outsourcing does not outsource accountability. Public bodies remain legally responsible for personal information, regardless of who hosts it. This is the same in the private sector for outsourcing. Accountability does not shift under Canadian privacy laws. 


Second, contracts alone are not enough: Oversight, auditing, and verification matter.


Third, data minimization is a security control: Retaining unnecessary data simply increases breach impact.


And finally, children’s data demands higher standards. Regulators are very clear on that point.


CONCLUSION 


The PowerSchool incident may be just another cybersecurity story, but like most such stories there are lessons to be learned or reminders of things we should already know.


It’s a case study in public-sector procurement, privacy governance, and risk management.


Ontario and Alberta both sent a clear message: If you rely on third-party platforms to manage sensitive data — especially data about children — you must actively govern those relationships, not simply trust them.


In the backdrop to all of this is the simple fact that most school boards are chronically under-resourced and have a very hard time meeting their privacy and security obligations under existing budgets. This is particularly the case for smaller – often rural – school boards. The same can be said for smaller municipalities. Personally, I think the provinces should take a much more active role in working with school boards and their contractors to ensure the highest levels of cybersecurity. For a system as widely used as PowerSchool, provincial departments of education should enter into master services agreements with all the appropriate security terms, and the provincial departments of education should actively oversee at least the security and audit portions of the delivery of services. 


One final thing to note – just because school boards are 100% accountable to their students for personal information they collect, use and disclose doesn’t mean that PowerSchool is necessarily off the hook. PowerSchool – and any contractor for that matter – can be liable to their customers for any contractual failings when it comes to safeguarding personal information. And depending on the contract terms, the contractor may be liable for the cost of any lawsuits that students and parents might bring against the school boards. And I can imagine some more extreme cases where students, parents and teachers could have a viable claim directly against PowerSchool. I understand there is one putative class action pending, started by a Calgary law firm. And this would be in addition to the at least 55 class action lawsuits filed in the United States by American plaintiffs. 


Friday, December 05, 2025

What digital sovereignty? How a Canadian Court is forcing a French company to break French law

Just recently, I heard about a very significant new decision from the Ontario Court of Justice, where a judge in Ottawa ordered OVHcloud in France and its Canadian subsidiary to hand over user data stored in France, the UK, and Australia. While Canada is focusing a lot of attention on “data sovereignty”, this decision should get a lot more attention, particularly because the Canadian court is ordering the French company to violate a French law that is designed to protect France’s data sovereignty.

I regularly deal with situations like this in my law practice, where I assist companies in responding to police demands for user data. But rarely does it get to this point, and I’m afraid this sets a very negative precedent.

This case touches on jurisdiction, cross-border data, foreign blocking statutes, and the limits of Canadian investigative powers. It also relies heavily on the controversial Brecknell decision from British Columbia — and I have some things to say about that.

Let’s walk through the case, and then I’ll explain why I think the analysis in the decision goes off the rails.

This case arises out of a national security investigation. The RCMP obtained a Production Order under the Criminal Code s. 487.014, requiring two companies to produce customer information linked to four IP addresses. The two companies are OVH Group SA (a French company that provides cloud computing services globally) and OVH’s Canadian subsidiary, Hebergement OVH Inc.

All of the IP addresses were hosted outside Canada — in France, the UK, and Australia. The data sought included subscriber information and metadata, but not the content of any communications.

OVH Canada argued that it did not have the data; it was held by the French parent company. OVH Canada is the operating company in Canada that apparently runs servers here for the global business. It doesn’t manage global accounts or have access to the records that the police were looking for. OVH Canada did not oppose the order as it applied to OVH Canada on any jurisdictional basis. It is a company that has offices, employees and facilities and that operates within Canada.

The real issue was the attempt to compel the French parent company — a company with no physical presence in Canada — to produce data stored entirely abroad, and that is subject to foreign laws.

The parent company said:

      “We don’t operate in Canada.

      We don’t store this data in Canada.

      OVH Canada doesn’t control this data.

      French law — specifically the French blocking statute — prohibits us from producing it.” (More about that blocking statute later.)

OVH also pointed out that the proper, internationally-recognized channel for this type of request is through Mutual Legal Assistance — the MLAT process — which France said it would expedite. Yes, Canada and France have a treaty under which both countries have agreed to manage situations like this. It’s slower because it contains checks and balances. First Canada has to determine if the request is appropriate, and then France reviews the request before getting a French order to provide the data.

The Crown responded that:

        OVH Parent has a “virtual presence” in Canada, and based on the Brecknell case from BC, and cases following that, a “virtual presence” is enough.

        The company “presents itself” as a unified global enterprise on its website

        OVH Canada has previously responded to production orders about foreign IP addresses

        The French blocking law is rarely enforced

With those facts on the table, the Court had to decide: Does a Canadian criminal court have jurisdiction over OVH’s French parent? And even if it does, should the order be revoked because of conflicting French law or because MLAT is the proper mechanism?

The Court framed five issues:

  1. Did OVH Canada have “possession or control” of the data?
  2. Did the Court have jurisdiction over OVH Parent?
  3. Would French law prohibit disclosure, triggering s. 487.0193(4)(b) - which justifies varying or revoking a production order where the data is “otherwise protected from disclosure by law”?
  4. Should MLAT be required in these circumstances?
  5. If French law applies, should the Court exercise its discretion to revoke or vary the order?

The first question was whether OVH Canada had “possession or control” of the data

With respect to possession or control, the Court found that OVH Canada had enough of a connection to the information — including prior instances where it assisted police, and the ability to preserve data — to justify the authorizing judge’s conclusion that it had “possession or control.”

The second question was whether there was jurisdiction over OVH Parent

Regarding jurisdiction over OVH Parent, relying heavily on the Brecknell, Love, and textPlus decisions, the Court held that:

      A company may be subject to Canadian jurisdiction without physical presence

      A “virtual presence” or “real and substantial connection” can be enough

      OVH operates data centres in Canada

      OVH’s website presents itself as a unified global business

      Therefore, the French parent was sufficiently connected to Canada

The third question was about the effect of the French Blocking Law

The Court accepted French government statements that the French blocking law applied, but it found it could be largely disregarded because (a) The law has been rarely enforced, (b) There is no “real risk” of prosecution, and (c) Courts in other countries have treated it as an “empty vessel”. Yup. It’s a law but let’s largely ignore it.

The next question was whether the police should go through the mutual legal assistance process instead of a production order. The judge held that the MLAT is not mandatory, it can be slow and it is not mutually exclusive with domestic orders. The police can choose door A or door B. Their call.

In the final step, about discretion, the judge upheld the production order against both OVH Canada and the French parent, concluding that: (a) OVH Parent has a real and substantial presence through its “virtual presence” in Canada; (b) The risk under French law is minimal, and (c) The national security interest outweighs comity concerns.

In a nutshell, that’s what the court decided. And I think it’s deeply flawed.

There are, in my humble opinion, major problems with this decision. And they don’t just affect OVH Parent. It will have a big impact on Canada’s own attempts to assert data sovereignty.

The first problem is following the BC Court of Appeal decision called Brecknell

The Court relies on Brecknell as though it stands for a broad doctrine that Canadian courts can compel any foreign service provider operating online to disclose foreign-hosted data as long as the company is “virtually present” in Canada.

Brecknell is a 2018 case from the British Columbia Court of Appeal. In that case, the police wanted some data from Craigslist. They contacted Craigslist, who said “come back with a production order and we’ll happily give you the data.” So the police go to the court to get their production order and the court says that it can’t issue a production order directed at a company outside of Canada. So the police go to another court and get the same answer. So the police appeal that, and end up in the British Columbia court of appeal. The British Columbia Court of Appeal said that Canadian courts can issue production orders naming companies outside of Canada, as long as they have a “virtual presence in Canada.”

But in the Brecknell case, Craigslist — the target of the order — had already agreed it would comply with Canadian court orders. Through counsel, Craigslist said: “If we get an order, we will respond.”

This is not a small detail. This is the very foundation of jurisdiction in that case.

In other words: Craigslist voluntarily accepted Canadian jurisdiction.

With that fact, jurisdiction really should not have been an issue. Craigslist said “we have the data, just bring us a production order.”

This is not the situation with OVHcloud. OVH France explicitly said:

      We do not accept jurisdiction

      And we are prohibited by foreign law from producing it

OVH Cloud also said, we have the data and we will preserve it for you so you can get it through the established, diplomatic, country-to-country channels.

I am of the view that Brecknell was wrongly decided and this entire line of cases is problematic. We’ve gotten here, I think, because these are largely “ex parte” appeals. Craigslist was not at the hearing for the production order. They were not at any level of court. Until the court of appeal, it was just the cops and the prosecution arguing for jurisdiction. At the court of appeal, an amicus was appointed who did a commendable job.

This line of cases also reaches the conclusion that this is the sort of situation that production orders are designed to address. And they are partially right, but again they suffer from generally only hearing from prosecutors on these questions.

The idea behind a production order is that the court can order someone to hand over data or produce data. It is distinct from a search warrant, where the court clearly has to have jurisdiction over the place to be searched and the police need authority as police officers to search the place. Places are physical. There is no way under recognized international law for a judge in Ontario to give the RCMP in Ontario a warrant to search premises in France for these records. If they were to show up in Paris with their warrant, they’d likely be arrested by French police for trespassing. And we’d have an international incident. It would be the same as sending the RCMP to France to arrest someone without the cooperation of the French government. It’s just not done.

Production orders were created so that a person or entity within the court’s jurisdiction can be ordered to produce a record that is under that person’s control. And that generally operates regardless of where the record is. But this depends on the person being within the court’s jurisdiction. It’s a great alternative to a search warrant because it’s not based on the police searching for something, but telling a person to provide data that they control.

A key principle of international law as applied in Canada is that Canadian law does not operate extraterritorially unless Parliament explicitly provides for it. The B.C. Court of Appeal in Brecknell did note this at paragraph 23, but failed to identify any parliamentary signal indicating that production orders were intended to have effect on persons wholly, physically outside of Canada. 

[23]        The need to interpret the section in light of restrictions placed on extraterritorial effects is uncontroversial. The fundamental principles were canvassed in R. v. Hape, 2007 SCC 26. There, Justice LeBel identified a number of settled but important principles. First, customary international law, which has been adopted domestically, limits the actions a state may legitimately take outside its borders. Customary international law is based on respect for the sovereignty and equality of foreign states. Sovereign equality commands non‑intervention and respect for the territorial sovereignty of foreign states. Nonetheless, Parliament may legislate “extraterritorially” in violation of those principles provided it does so expressly: see paras. 35‑46.

...

[30]        The section is silent on issues to do with extraterritoriality, and it is silent on any question dealing with the location of the documents. Section 487.019(2) may offer some assistance by stipulating that, unlike search warrants, the order has effect throughout Canada without requiring endorsement if executed in another jurisdiction. The section reads:

487.019(2) The order has effect throughout Canada and, for greater certainty, no endorsement is needed for the order to be effective in a territorial division that is not the one in which the order is made.

It appears to me that this section is addressing a difference between search warrants and production orders. It does not directly deal with extraterritorial issues.

The only mention of territoriality in the Criminal Code production order provisions is confined to saying that they operate throughout Canada. That seems to me to be a signal in the other direction. That’s parliament saying this is confined to Canada.

The notion of a "virtual presence" was an invention of the Court of Appeal and is contrary to existing principles of international law. Even under the more flexible civil rules, the Supreme Court of Canada has cautioned that "carrying on business" requires some form of actual, not only virtual, presence in the jurisdiction. And public international law - such as criminal jurisdiction - is different from private international law such as determining where a plaintiff can bring a lawsuit.

The Brecknell court wrongly disregarded the inability to enforce the order against a company like Craigslist. The issuance of a production order extending outside Canada is an exercise of enforcement jurisdiction, which violates international law and Canadian domestic law absent clear authority from Parliament. The difference between an “order” and a “request” is the ability to put someone in the defendant’s dock for not following it. A Canadian production order directed at a non-Canadian company has a real potential to offend comity and the other country’s sovereignty.

So what about Mutual Legal Assistance Treaties (called MLATs)? These are the existing, agreed-upon mechanism for Canadian police to obtain data from non-Canadian companies. In circumstances where an order might offend comity and sovereignty, MLATs are how countries decide to deal with the issue.

The effect of privacy laws or blocking laws were not at issue and were not considered – but probably should have been – by the Brecknell court.

In the OVH case, the court refers to the case of The Queen and Love from the Alberta Court of Appeal (R v Love, 2022 ABCA 269), which was a case dealing with the admissibility of data that had been produced by Facebook from the US pursuant to a production order. It was not an application to vary or revoke an active production order. The Love court followed Brecknell. Again, what’s missing is the fact that Facebook provided the data pursuant to that order. Their policy – like most big US tech companies – is that they will follow Canadian legal processes voluntarily where they can do so consistent with their obligations under US law. By and large, Facebook’s voluntary cooperation should have made jurisdiction a non-issue in that case.

The OVH judge also refers to a case involving TD Bank from Quebec (Banque Toronto Dominion c. Cour du Québec, 2025 QCCS 2094). In that case, a big issue was whether TD Bank in Canada could be ordered to produce records held by one of its foreign subsidiaries. The Court concluded it had sufficient control over the subsidiary to require the production of the records. That’s the inverse of the relationship between OVH Canada and OVH Parent. A subsidiary does not control the parent company.

So to use Brecknell as if it resolved this question is — frankly — a misreading of the case.

Problem 2 — The Court Treats Ordinary Corporate Structure as a Legal Fiction

In addition, the decision disregards the fundamentals of second year law school “Business Associations” to treat OVH as effectively one entity, leaning heavily on:

      OVH’s branding

      The fact “it” has data centres in Canada

      The “collaborative language” on its website

      Shared legal services

      The appearance of a global enterprise

But this misunderstands how multinational cloud companies operate and how corporate law applies.

I sometimes think that some practitioners who spend all their time focused on criminal law forget the fundamentals of corporate law.

Corporations are separate legal persons, and that corporate separateness is generally disregarded only where there is actual fraud going on. Subsidiaries are not automatically global agents of the parent company. And cloud marketing — “our global infrastructure,” “our data centers around the world” — is not a legal admission of control. It’s marketing.

If courts treat branding copy as determinative of “control,” then:

      Any cloud provider operating in Canada

      With foreign infrastructure

      Could be compelled to produce foreign data

      Regardless of its actual legal authority to do so

This collapses corporate separateness in a way that is deeply inconsistent with both Canadian corporate law and international norms, which leads directly to the next problem.

The Court points to a previous investigation where OVH Canada provided subscriber information for a German-hosted IP address to suggest that OVH Canada effectively has access to and control over that foreign-held data.

But OVH explained — and this is common across the industry — that:

      The Canadian subsidiary assisted because doing so was legally safe

      There was no blocking law that stood in the way

      The foreign affiliate voluntarily cooperated

This demonstrates cooperation, not control.

Access that is permitted by a foreign affiliate is not evidence of legal authority to compel access.

If you need a particular tool for a project, and I don’t have one but my parents do, I may facilitate YOUR borrowing it from MY parents. That doesn’t mean I have control over that tool.

OVH Canada receives a production order for data that is under the control of its parent company. Rather than say “go to France”, OVH Canada facilitates the parent company producing the data in circumstances where it is lawfully able to do so. It’s called being helpful, and should not lead to the conclusion that the subsidiary has any possession or control of data that’s entirely in the possession and control of the parent company.

By treating occasional past cooperation as proof of control, the Court dramatically expands what “possession or control” means. After this, it would be prudent for the Canadian subsidiary of a foreign corporation to tell Canadian police to just go pound sand, rather than facilitate matters through internal channels.

This is perhaps the most troubling aspect of the decision: The Court Minimizes Foreign Law Because It’s “Not Enforced”

The Court acknowledges that the French blocking law applies. The French government, through the “Service de l’information stratégique et de la sécurité économiques” (SISSE), the body that administers and enforces this French law, explicitly said so.

But the judge concluded it doesn’t really matter because the French law is apparently rarely enforced, the Canadian prosecutors said there’s no “real risk” of prosecution, and other courts have treated it as an “empty vessel”.

I think this approach is dangerous.

The rule of law depends on courts respecting what the law is, not how often a prosecutor decides to enforce it. A foreign state’s policy choices about enforcement:

      Do not change the meaning of the statute

      Do not change OVH’s legal obligations under French law

      Do not give Canadian courts authority to override foreign legislation

A law is a law. I know dozens of Canadian laws that are rarely enforced, but they still need to be followed. Remember, this is a Canadian court shrugging off a law duly enacted by an allied country, France.

If Canada wants foreign law to bend, the proper channel is MLAT — a mechanism built through mutual consent — not unilateral judicial action.

International comity is built on reciprocity. If Canada orders French companies to violate French law, then:

      Other countries may order Canadian companies to violate Canadian law

      Canada will have no principled basis to object

      Global cloud providers will face impossible conflicts

      And privacy for Canadians abroad will be weakened

Remember, this is happening at the exact time that the Canadian government is focused on Canadian “Digital Sovereignty”. We would find it incredibly offensive if a French or Chinese court were to order a Canadian company, in Toronto, to violate Canadian law.

MLAT exists precisely for situations where:

      The data is located abroad

      A foreign statute prohibits disclosure

      And the foreign state must authorize or supervise the production

France explicitly told Canada it would expedite the MLAT request. Refusing to use MLAT because it might be slow is not a justification for disregarding foreign law. In this case, there is no doubt that the data exists, that France will provide it via the MLAT and will do so speedily. Ordering OVH in France to break French law is unnecessary, unreasonable and – in my view – gratuitous.

This decision is important, but in my view, it’s also misguided.

By stretching Brecknell beyond its facts, by treating global branding as evidence of legal control by a local subsidiary, by using past cooperation as proof of present authority, and by dismissing binding French law because it’s “not vigorously enforced,” the Court has weakened the principles of comity, corporate separateness, and legal certainty.

While Canada is getting excited about “digital sovereignty”, the RCMP, these prosecutors and the court are disregarding France’s explicit law about its own “digital sovereignty.” This is a dangerous precedent to set. After this, why would France give a toss about Canadian laws designed to protect Canadian data?

There is a lawful path — MLAT, letters rogatory, diplomatic channels — and international cooperation depends on states using those channels rather than overriding each other’s laws.

And one important thing to remember: OVH is not suspected of committing any crime. It simply has records about someone that may be relevant to a Canadian investigation. It is not hiding behind a veil of French law to shield itself from liability. It is an entirely innocent third party that is getting dragged into a Canadian investigation, and is now being ordered to violate the law in the country where it is based. And that order is entirely unnecessary, since France and Canada have already negotiated a clear path to get access to this data without violating anyone’s laws.

I understand the case is being appealed – and rightly so. I’ll be keeping an eye on it.