The Sovereignty Paradox: How Canada’s Healthcare System Became Dependent on Foreign Technology It Doesn’t Control

Twenty years ago, I stood in a boardroom at Merck and made what seemed like a crazy pitch: sequence most of the human genome before the Human Genome Project finished, then publish everything immediately for free. My management thought I was nuts. But we did it. The Merck Gene Index characterized over 85% of expressed human genes and became the framework for the first human genome assembly. And we gave it all away because we understood something fundamental: who controls the data matters as much as what’s in it.

I’m thinking about that decision a lot lately as I watch Canada sleepwalk into a digital sovereignty crisis that makes those old genome wars look quaint.

Here’s the thing most people don’t realize: when Dr. Sarah Chen* opens an Epic chart at Toronto General Hospital, she’s accessing what appears to be a quintessentially Canadian asset. Her patient’s protected health information, stored on servers physically located in Canada. The EHR displays in both official languages. It complies with Ontario’s PHIPA. By every visible measure, this is Canadian healthcare data under Canadian control.

Except it isn’t. Not really.

The servers may sit on Canadian soil, but they answer to American law. And that legal reality is creating what privacy experts are now calling Canada’s healthcare sovereignty crisis — a fundamental challenge that most clinicians remain completely unaware of.

The Jurisdiction Problem Nobody Talks About

I’ve spent the last 35 years building data infrastructure for drug discovery and healthcare — first at Merck and Bayer, then at multiple startups, several non-profits, and now at EthioNexis where we’re trying to solve this exact problem. And here’s what I’ve learned: when your hospital “upgraded” to Epic or Cerner, you didn’t just get new software. You accepted a jurisdictional transfer that nobody explained to you.

In 2018, the United States passed the CLOUD Act (Clarifying Lawful Overseas Use of Data). This law grants American law enforcement the power to compel U.S.-based technology companies to produce data they control, regardless of where that data is physically stored.

Let me be brutally clear about what this means: if Canadian patient data resides on systems controlled by American companies, even if those systems are located entirely within Canada, those data can be legally accessed by U.S. authorities without notification to Canadian patients, hospitals, or government.

This isn’t me being paranoid. Microsoft literally admitted this to the French Senate in 2025. When pressed, they stated explicitly that they cannot guarantee French citizens’ data would be protected from U.S. authorities. The same applies to Canadian health data. They said it out loud.

The BC Government and Services Employees’ Union actually tried to fight this back in 2003 when BC announced plans to outsource health data to U.S. companies. The BC Supreme Court dismissed it, saying “reasonable steps” were being taken. But that was 2005 — before cloud computing dominated everything, before the CLOUD Act made this explicit, before we understood that data had become both an economic weapon and a national security issue.

The Numbers Are… Not Great

Three American companies; Epic, Oracle Health (formerly Cerner), and MEDITECH, essentially run hospital data management in Canada. The Epic Collaborative alone connects 31 hospitals in Ontario sharing over 13 million patient records. Another 60 institutions use Oracle’s Cerner platform. These systems process billions of clinical transactions annually.

And the infrastructure underneath? Almost entirely American hyperscalers: AWS, Azure, Google Cloud, Oracle Cloud.

Look, I’m not criticizing these systems’ clinical capabilities. Epic and Cerner became industry standards for good reasons, they work, they interoperate, they’ve achieved scale that would be nearly impossible for a Canadian vendor to match. I’ve worked with all of them. They’re good at what they do.

The problem isn’t technical. It’s jurisdictional.

What This Actually Means for Research (And Why It Matters More Than You Think)

Here’s where this gets really problematic, and it’s something I see every day in my work: Canada’s publicly funded healthcare system generates population-based health data that’s extraordinarily valuable for AI development. Unlike the fragmented American system, we capture comprehensive population health patterns. Universal healthcare means universal data coverage.

As Michael Geist and Kumanan Wilson wrote in their July 2025 CMAJ commentary: “We have population-based data because we have a public health system. The U.S. doesn’t have that. Our data is more valuable than their data.”

They’re absolutely right. I’ve built genomics databases, systems biology platforms, AI tools for drug discovery. I know what good training data looks like. Canadian health data is among the best in the world.

But here’s the paradox that keeps me up at night: that nationally generated asset can’t be freely used for Canadian AI development when it’s controlled by foreign entities. Think about the logic here. Canadian patients generate data through Canadian healthcare. Canadian taxpayers fund that healthcare. But when that data trains AI algorithms on U.S.-controlled infrastructure, the resulting intellectual property, and economic value, can accrue to American companies under American jurisdiction.

I see this playing out in real time. When pharmaceutical companies come to us at EthioNexis looking for diverse patient datasets to train their AI models, they’re constrained not just by privacy regulations (which we can work with), but by jurisdictional complications created by fragmented data control.

The Diversity Gap That Nobody’s Fixing

During my time at the Open Source Pharma Foundation working on neglected diseases, one thing became painfully obvious: clinical trial participation is severely skewed. The stats show roughly 83% of clinical trial participants are white. This creates AI systems that literally don’t work for the majority of the world’s population.

Canada’s multicultural demographics should be helping solve this global problem. We have the diversity. We have the healthcare system. We have the data. But we can’t properly leverage it when jurisdictional barriers fragment access and control.

At EthioNexis, we’re specifically building a federated Trusted Research Environment (TRE) architecture to address this, where analysis comes to the data rather than extracting sensitive information. But (and this is critical) this only works if the underlying infrastructure itself is sovereign. Otherwise you’re just shuffling deck chairs.

The False Promise of “Data Residency”

Here’s the critical misunderstanding that drives me crazy: data residency is not the same as data sovereignty. Not even close.

Canada’s Treasury Board laid this out pretty clearly in their 2020 white paper: “As long as a [cloud service provider] that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data.”

That’s about as unambiguous as government language gets. But nothing has changed.

Storing data within Canada’s borders on U.S.-owned infrastructure provides a false sense of security, what I call “sovereignty theater.” The U.S. CLOUD Act’s jurisdiction follows the company, not the data. As long as the cloud provider is a U.S.-domiciled entity, American authorities can compel them to produce data regardless of physical location.

This is exactly why Shared Services Canada (SSC) established their sovereignty criteria: to qualify as truly sovereign, a provider must offer immunity from foreign laws and be majority Canadian-controlled (minimum 66% Canadian board control). Those aren’t arbitrary numbers, they’re trying to create actual structural independence.