13,500+ CGI Staff in India Process Canadian Federal Data — and the U.S. CLOUD Act Reaches Them

The setup nobody wants to look at

When Canadians file their taxes, apply for citizenship, or get a federal benefits cheque, the underlying IT systems are not always run by people sitting in Canada. CGI Group — a Canadian-headquartered firm with global revenue of CA$14.68 billion in fiscal 2024 — operates one of the largest "offshore delivery" practices serving the Government of Canada. A meaningful share of that work is done by staff in Bangalore, Mumbai, and Chennai.

CGI's own corporate material is unambiguous: CGI India is "a vital part of our global delivery model" and the firm's purpose there is to deliver "with a focus on cost and timely execution." What that translates to, in practical terms, is that Canadian Personal Information — PII covered by PIPEDA — is routinely accessible to a workforce that sits in a jurisdiction Canadian privacy law cannot reach directly, and the U.S. CLOUD Act can.

We do not say this to scare you. We say it because the regulatory map is genuinely tangled, and the public answer to "whose law applies to my CRA file when a CGI India developer is debugging it on a Tuesday afternoon" is, at best, several at once, none of them ours.

The numbers, what's public

CGI's corporate disclosures put global headcount at "94,000 consultants and professionals" with a "global delivery network." The firm does not publish a single canonical India-headcount figure on its main corporate page, but its India career portal, third-party employment data, and recurring CGI India press releases place the India workforce at well above 13,000 — the most-cited public figure is 13,500+ across Bangalore, Mumbai, and Chennai. CGI India operations have been live since CGI's 2014 acquisition of Logica's India practice and have grown steadily since.

CGI's Government of Canada client list is also public, through Public Services and Procurement Canada's contract history database. CGI has held — and continues to hold — major contracts with the Canada Revenue Agency, Employment and Social Development Canada, Immigration Refugees and Citizenship Canada, the RCMP, and Shared Services Canada. Many of those contracts involve application development, infrastructure operations, and managed services on systems that contain — by their nature — Canadian taxpayer data, immigration files, employment records, and law-enforcement systems integrations.

In a global delivery model, those workloads can be (and frequently are) routed to offshore teams. CGI does not publish a per-contract residency map. It is reasonable inference, not speculation, that some portion of the federal Canadian workload sits with CGI India staff.

What PIPEDA actually covers — and what it doesn't

PIPEDA (R.S.C. 1985, c. P-8.6) is the federal private-sector privacy law. The Office of the Privacy Commissioner (OPC) has long held the view that "transferring personal information for processing" — including across borders — is governed by Principle 4.1.3 (accountability): the Canadian organization that collected the data remains accountable for it. The OPC's outsourcing guidance is explicit that this accountability does not transfer with the data.

Two important things follow:

• PIPEDA accountability ≠ PIPEDA jurisdiction. The OPC can investigate a Canadian company's failure to protect data sent abroad. It cannot directly subpoena, audit, or sanction the offshore processor. Its only enforcement lever is back through the Canadian organization.
• Federal government data isn't actually under PIPEDA in the first place. Federal departments are governed by the Privacy Act (R.S.C. 1985, c. P-21), not PIPEDA. When CGI processes data for the federal government, the government's contractual flow-downs are what bind CGI — not PIPEDA. The OPC has separate jurisdiction over federal institutions' Privacy-Act compliance, but again, only against the Canadian contracting authority.

Net effect: when something goes wrong on a CGI India developer's laptop, the operational accountability chain runs CGI India → CGI Canada → the federal department → the Privacy Commissioner. By the time a complaint reaches the OPC, the data may already have been read, copied, or disclosed under foreign legal compulsion — and the OPC has no direct recourse against the foreign actor.

How the U.S. CLOUD Act reaches CGI India staff

The Clarifying Lawful Overseas Use of Data Act (the U.S. CLOUD Act, 2018) gives U.S. law enforcement the power to compel U.S.-based service providers to produce data regardless of where the data is physically stored. Two facts make this load-bearing for CGI:

• CGI is publicly traded on both the TSX (GIB.A) and the NYSE (GIB). Its U.S. operating entities — CGI Federal, CGI Inc. U.S. — are full subjects of U.S. process.
• Under the CLOUD Act, a U.S. court can issue an order to a U.S. CGI entity to produce data the firm has "possession, custody, or control" over. "Control" has been read broadly: if CGI's global IT infrastructure — single-sign-on, source repositories, support tooling, ticketing systems — gives the U.S. entity technical access to data in India, that is "control."

The CLOUD Act has a "comity" provision allowing the affected provider to challenge the order if compliance would conflict with the law of a "qualifying foreign government." Canada has not concluded a CLOUD Act executive agreement with the United States. The U.K. and Australia have. Canada's negotiations have been quiet at best.

So the working assumption — until a CLOUD Act court order against a CGI U.S. entity for Canadian federal data is publicly tested and challenged — is that a U.S. court could compel that data, and the only Canadian counter-pressure is contractual (and, indirectly, the OPC complaining to the federal contracting authority after the fact).

India's DPDP Act 2023 — and its government-access carve-out

India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), and rules under it have been progressively notified through 2024–2025. The DPDP Act does establish data principal rights and a Data Protection Board of India. It is a real privacy law.

It also contains broad government-access exemptions. Section 17 of the DPDP Act permits the Central Government, by notification, to exempt any "instrumentality of the State" from substantially all of the Act's provisions in the interests of, among other things, "sovereignty and integrity of India" and "security of the State." Notification powers under Indian law have historically been used liberally.

What this means for a CGI India staffer working on a Canadian federal dataset: under Indian domestic law, a notified Indian state agency can demand access to that dataset, and the DPDP Act's protections may simply not apply. There is no Indian privacy commissioner with the equivalent independence and adjudicative posture of the OPC.

What CanadaGuards is — and is not — alleging

Not alleging: that CGI has improperly disclosed any specific Canadian's data; that any CLOUD Act order has been served on CGI's U.S. entity for Canadian federal data; that the Government of India has notified §17 exemptions specifically against CGI India operations.

Documenting: CGI India processes Canadian federal data; CLOUD Act jurisdiction reaches CGI U.S. entities; DPDP §17 lets the Indian state opt out of Indian privacy obligations; PIPEDA / Privacy Act enforcement runs only back through Canadian contracting authorities; these facts together describe simultaneous foreign-legal exposure that the public Canadian regulatory architecture does not currently address.

News · Daily Web · 2026-05-10

The lede

A Canadian-headquartered IT services firm with thirteen-thousand-plus staff in India — and ten-figure-revenue federal contracts including the Canada Revenue Agency, Immigration Refugees and Citizenship Canada, and Employment and Social Development Canada — sits at the intersection of two foreign legal regimes that the Privacy Commissioner of Canada cannot reach.

That firm is CGI Group (TSX: GIB.A · NYSE: GIB). FY2024 revenue: CA$14.68 billion. Global headcount: 94,000 across the firm's "global delivery network." Public figure across Bangalore, Mumbai, and Chennai: 13,500+.

Why the U.S. CLOUD Act applies

CGI's NYSE listing and U.S. operating entities make every CGI U.S. corporate subsidiary a full subject of U.S. process. The CLOUD Act compels production of data regardless of where it physically sits — including India — when the U.S. entity has "possession, custody, or control." Single-sign-on, ticketing, and shared dev infrastructure are "control."

Why India's DPDP §17 matters

India's DPDP Act 2023 has Section 17, which lets the Central Government notify any "instrumentality of the State" out of the Act's protections in the name of state sovereignty or security. There is no independent Indian privacy commissioner equivalent to the OPC. A Canadian's data on a CGI India developer's laptop is — under Indian domestic law — reachable by Indian state actors with §17 cover.

What this means for Canadians

If your CRA file, your immigration interview transcript, or your EI claim history is touched by a CGI India staffer at any point in the workflow — and it can be — then your data is simultaneously reachable by a U.S. court order and by a §17-notified Indian state agency. Neither order would tell you. The Privacy Commissioner of Canada would learn about it only if the Canadian contracting department filed a breach report. The Privacy Commissioner cannot order the U.S. court or the Indian state to stand down.

The Privacy Commissioner has stated publicly that cross-border data flows must respect Canadian standards "throughout the data lifecycle." That is the policy. The operational answer to who has effective jurisdiction over a Canadian CRA record being processed in Bangalore on a Tuesday is: at least three regimes simultaneously. Only one of them is Canadian. None of the three answer to Canadian voters.

Press Release · CanadaGuards Investigation Notice

CanadaGuards opens public investigation into offshore-processing of Canadian federal data

Ottawa-based advocacy initiative CanadaGuards is opening a structured public investigation into the offshore-processing of Canadian Personal Information by Government of Canada IT contractors, beginning with Canada's largest such contractor: CGI Group (TSX: GIB.A · NYSE: GIB).

The investigation does not allege wrongdoing. It is documenting publicly-known facts that CanadaGuards believes Canadian voters and Members of Parliament are owed plainer access to:

• CGI's India workforce of 13,500+ staff (Bangalore, Mumbai, Chennai) is a vital part of CGI's global delivery model, per CGI's own public material.
• CGI holds active and historical contracts with the Canada Revenue Agency, Employment and Social Development Canada, Immigration Refugees and Citizenship Canada, the RCMP, and Shared Services Canada — among others.
• Canadian Personal Information processed by CGI India staff is simultaneously reachable by (a) U.S. CLOUD Act orders served on CGI's U.S. entities, and (b) Indian DPDP Act §17 government-exemption notifications. Neither has a Canadian-counterpart adjudicator.
• The Privacy Commissioner of Canada's enforcement runs only back through the Canadian contracting authority — the OPC has no direct recourse against either foreign actor.

Filings now in motion

CanadaGuards is filing Access to Information Act requests with each of:

• Public Services and Procurement Canada — for the data-residency clauses in active CGI federal contracts and the verification regime applied to them.
• Canada Revenue Agency — for any internal record of offshore-processing approvals on CRA-touching CGI workloads.
• Immigration, Refugees and Citizenship Canada — same.
• Employment and Social Development Canada — same.
• Treasury Board Secretariat — for the Government of Canada's policy posture on the U.S. CLOUD Act and on a Canada–U.S. CLOUD Act executive agreement (which has not been concluded).

Responses, when received, will be published in full at canadaguards.ca.

Tip line for CGI staff and federal contract administrators

If you are a CGI Canada or CGI India staff member, a federal contract administrator, or a privacy professional who can speak to how data residency is verified on these contracts in practice — confidentially or on the record — write to tips@canadaguards.ca. PGP available on request. CanadaGuards does not publish source identities without consent.

Legal breakdown · The four regimes that meet on a Bangalore developer's laptop

Authority over a Canadian's CRA file processed in India, today

Regime Effective reach Adjudicator the Canadian can appeal to

Privacy Act (R.S.C. 1985 c. P-21) Binds the federal department; flows to CGI by contract. Yes — Privacy Commissioner can investigate the department.

PIPEDA (R.S.C. 1985 c. P-8.6) Does not directly cover federal-data processing; relevant only if KYC / commercial-data subset. Indirect — accountability runs back through the Canadian organization, not the offshore processor.

U.S. CLOUD Act (Pub. L. 115-141 div. V) Compels CGI's U.S. entities to produce data they "control" — explicitly extraterritorial. No Canadian channel. Canada has not concluded a CLOUD Act executive agreement; comity-challenge available but not Canadian-adjudicated.

India DPDP Act 2023 §17 Lets Central Government notify "instrumentalities of the State" out of DPDP obligations on grounds of sovereignty / security. No Canadian channel. The Data Protection Board of India is not independent in the Canadian sense; no extraterritorial appeal for non-Indian residents.

Treasury Board Contracting Policy (CGI federal contracts) Data-residency clauses exist in standard PSPC templates; verification regime not publicly documented. Indirect — only via departmental compliance complaints, not adjudicated rights.

The conflict of laws

If a U.S. CLOUD Act order and a Canadian Privacy Act flow-down clause point in opposite directions on the same dataset, the dispute resolves outside Canadian courts. The CLOUD Act provides for a comity motion in U.S. federal court. Canadian counter-pressure runs through the contracting authority — which has no standing in U.S. court. The Government of Canada's own legal recourse, absent an executive agreement, is diplomatic.

The doctrinal gap

Two doctrines that could apply but have not been publicly tested:

• Identification doctrine (R. v. Canadian Dredge & Dock Co., 1985 SCC) — Canadian corporate criminal liability for the acts of officers / agents. Not currently used to address foreign-legal-compulsion exposure.
• Wilful blindness as a knowledge substitute — pattern-flag for Canadian contracting authorities that approve offshore-processing arrangements without verifying foreign-legal-exposure mitigations.

Neither doctrine is currently asserted against any specific official or organization. Both are public-record analytical tools mapped here for reader literacy.

Disclaimer

This breakdown is intelligence reporting on the international-jurisdictional seam where Canadian federal data is processed offshore. It is not legal advice. CanadaGuards is not alleging that CGI Group, the Government of Canada, the Government of India, the Government of the United States, or any individual official has acted improperly or in violation of law. The doctrinal frames cited are public-record analytical tools.

Government relations · Open questions for parliamentarians

What CanadaGuards is asking Parliament to look at

The CanadaGuards investigation surfaces five questions that Members of Parliament — across party — can put on the public record through Order Paper, Committee, or Question Period. Each is fact-grounded and directly answerable by the named department.

1. To the Minister of Public Services and Procurement

What data-residency clauses are in active Government of Canada contracts with CGI Group, and how is compliance with those clauses verified on a per-contract, per-month basis at the developer-workstation level? Provide the standard PSPC contract template language and the audit regime.

2. To the Minister of National Revenue

How many active CGI workstreams are there on CRA-touching systems? What share of those workstreams is delivered out of CGI India, by headcount? What CRA approval document permits offshore-processing of Canadian taxpayer Personal Information, and is that document tabled in Parliament?

3. To the Minister of Immigration, Refugees and Citizenship

Same question, IRCC scope. Particular emphasis: refugee-claimant interview transcripts, Permanent Resident application files, and citizenship test data. Are any of these touched by CGI India infrastructure?

4. To the Minister of Justice / Attorney General of Canada

What is the Government of Canada's posture on a Canada–U.S. CLOUD Act Executive Agreement, of the kind concluded by the United Kingdom (2019, in force 2022) and Australia (2021)? Are negotiations active, paused, or unstarted? If unstarted, why?

5. To the Privacy Commissioner of Canada

Has the OPC formed an operational view on the simultaneous reach of (a) the U.S. CLOUD Act through CGI's U.S. corporate entities, and (b) India's DPDP Act §17 government-exemption notifications, against Canadian Personal Information held by CGI India? If yes, will that view be made public?

What the federal government can do without legislation

• PSPC can amend standard contracting templates to require U.S. CLOUD Act Executive Agreement compliance — or its absence — to be acknowledged in writing by the contractor.
• Treasury Board Secretariat can publish a CLOUD-Act-conscious procurement guidance bulletin within 90 days. No legislative process required.
• CRA / IRCC / ESDC can each conduct an internal audit of offshore-processing approvals on contracts containing Canadian Personal Information, and publish summaries.
• Privacy Commissioner of Canada can publish a Special Report under section 39 of the Privacy Act, summarizing the operational gap and recommending statutory amendments.
• Department of Global Affairs Canada can open or accelerate negotiations on a Canada–U.S. CLOUD Act Executive Agreement.

None of these requires a Parliamentary majority. All are within the existing authority of the named bodies. The constraint is political will, not legal capacity.