Export controls apply to far more than weapons
Export controls don't stop at missiles and military-grade hardware. They also reach into research labs, software projects, data rooms, and any workflow where technical knowledge moves across borders.
If you share data, collaborate on R&D, or build AI systems, you're operating in a space where "exports" can be intangible. Transferring a technical document, a CAD file, or even enabling access to a proprietary dataset can trigger the same rules as shipping a physical item.
Canada's federal framework, in brief
Export and Import Permits Act (EIPA)
The EIPA is the core statute. It authorizes the Minister of Foreign Affairs to issue permits for exports and transfers of items on the Export Control List (ECL) and to destinations on the Area Control List. In practice, it regulates, and sometimes prohibits, the movement of critical goods and technologies outside Canada.
Export Control List (ECL)
The ECL (as described in the Guide to Canada's Export Control List, most recently amended in May 2025) covers military items, strategic goods, and dual-use technologies. It also includes categories like forest products, agricultural and food products, apparel, and vehicles. Canada's commitments under regimes such as the Wassenaar Arrangement, as well as bilateral and unilateral measures, drive these controls.
Sanctions statutes
Canada also enforces sanctions under the United Nations Act, the Special Economic Measures Act, and the Justice for Victims of Corrupt Foreign Officials Act. These measures can restrict or prohibit trade and financial dealings with listed countries, entities, and persons, and may freeze property located in Canada.
Controlled Goods Program (CGP)
Anyone transferring controlled goods from Canada generally must register under the CGP and obtain the required permits, unless an exemption applies. Skipping registration can itself be an offence.
Key concepts counsel should apply
- Dual-use: Goods or technologies created for civilian use that can also support military applications. They may be controlled even if they look harmless on the surface.
- Technology: Broadly includes technical data, technical assistance, and know-how required to develop, produce, or use ECL-listed items, as well as technologies restricted by regulations tied to the sanctions statutes above.
- Transfer: Includes disposing of or disclosing controlled technology "in any manner" from a place in Canada to a place outside Canada. Amendments to the EIPA expanded this to cover intangible transfers (e.g., emailing files, granting database access, enabling remote view-only access).
U.S. rules can bind Canadian companies
Expect friction where projects touch U.S. controls. ITAR protects defence articles and services; EAR covers dual-use items. Both can restrict "deemed exports," including disclosures to "foreign persons," even without moving data across a border.
This person-based focus can clash with Canadian approaches that centre on destinations and the location of activity. In Quebec, national origin is a protected ground under the Charter of Human Rights and Freedoms, which can put local employers in a bind when U.S. counterparties require ITAR/EAR-driven nationality-based screening.
AI creates new pathways for unlawful transfers
AI systems are a conduit for knowledge. If models are trained on restricted plans, technical specifications, or sensitive datasets, or if retrieval-augmented generation (RAG) can reach them, you can enable indirect access by sanctioned actors or destinations.
Risk points include where data is hosted and processed, who can query the model, how prompts and outputs are logged, and whether user access is restricted by geography or status. The same analysis applies to vector databases and embeddings that carry controlled technical content.
Design controls for AI and data workflows
- Classify training data, prompts, outputs, and embeddings against the ECL and any applicable sanctions measures.
- Segregate restricted datasets; enforce geo-fencing and attribute-based access (location, employer, clearance, nationality where lawful).
- Decouple model tiers: non-restricted base models; restricted fine-tunes or RAG indexes on controlled infrastructure with tight access.
- Pin hosting regions and backup locations; bar cross-region replication where it would trigger a "transfer."
- Scrub logs and analytics of controlled technical details, or store them inside the controlled environment.
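The controls above can be enforced at the retrieval step of a RAG pipeline, before any chunk reaches the prompt. The sketch below is an added example, not code from any framework or from this article's author. The labels, region names, and attribute fields are hypothetical, and the actual classification of each dataset comes from legal review.

```python
from dataclasses import dataclass

# Hypothetical labels and region names; real classifications come from
# counsel's ECL and sanctions review, not from this code.
PINNED_REGIONS = {"ca-central"}   # regions where controlled indexes may be served
ALLOWED_LOCATIONS = {"CA"}        # requester locations cleared for controlled data

@dataclass(frozen=True)
class Chunk:
    chunk_id: str
    text: str
    controlled: bool   # True if classified as controlled technology
    region: str        # region hosting this chunk's index

@dataclass(frozen=True)
class Requester:
    user_id: str
    location: str      # country from a trusted signal, not user-supplied input
    approved: bool     # passed the approval workflow for controlled data

def may_release(chunk, who, serving_region):
    """Deny by default: a controlled chunk needs every attribute to match."""
    if not chunk.controlled:
        return True
    return (who.approved
            and who.location in ALLOWED_LOCATIONS
            and chunk.region in PINNED_REGIONS
            and serving_region == chunk.region)  # no cross-region serving

def retrieve(candidates, who, serving_region):
    """Filter retrieved chunks before prompting; return (released, audit)."""
    released, audit = [], []
    for c in candidates:
        ok = may_release(c, who, serving_region)
        if ok:
            released.append(c)
        # Audit record keeps identifiers and the decision only, never chunk text.
        audit.append({"user": who.user_id, "chunk": c.chunk_id,
                      "controlled": c.controlled, "released": ok})
    return released, audit

# Constructed sample index.
INDEX = [
    Chunk("doc-1", "public product brochure", False, "us-east"),
    Chunk("doc-2", "controlled design specification", True, "ca-central"),
]
```

The audit list records denied requests as well as releases, which supports the access-log and classification records a compliance review relies on.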
Practical checklist for in-house and external counsel
- Map what's being shared: source files, code, datasets, model weights, embeddings, prompts, and outputs.
- Assess controls: ECL classification, sanctions screening (country, entity, person), and permit triggers.
- Restrict access: jurisdictional blocks, VPN limits, attribute-based controls, and approval workflows for exports/transfers.
- Contract for compliance: flow-down clauses, audit rights, nationality-based restrictions (where lawful), and change-control for data location.
- Vendor diligence: cloud regions, sub-processors, support access paths, and incident response commitments.
- Workforce controls: role scoping, training, and, where required by law, screening for ITAR/EAR touchpoints; document Quebec Charter considerations.
- Licensing: prepare permit applications early; track re-export obligations and "deemed export" risk.
- Governance: keep classification records, access logs, and legal sign-offs; audit regularly and remediate quickly.
Sanctions and penalties
Violations of the EIPA or its regulations can lead to fines and imprisonment. Failure to register with the CGP when required can also result in prosecution and significant penalties.
Where to focus next
Treat export controls as a product and data-governance problem, not just a shipping problem. Review official guidance, keep your control framework current, and get specialized advice before you enable new data flows or user groups.