Canada
Five Eyes member with an ombudsman model and no federal fining power
Overview
Canada is a Five Eyes intelligence alliance member alongside the United States, the United Kingdom, Australia, and New Zealand. The Canadian Security Intelligence Service (CSIS) and Communications Security Establishment (CSE) participate in extensive signals intelligence sharing with partner agencies. On the civilian side, Canada’s federal privacy framework operates on an ombudsman enforcement model where the Privacy Commissioner of Canada cannot issue binding orders or impose fines, an approach described by multiple reviews as requiring modernization.[1]
Canada’s privacy regime is split between PIPEDA (2000) for the private sector and the Privacy Act (1983) for federal government institutions. Three provinces (Quebec, British Columbia, and Alberta) have enacted their own substantially similar private-sector privacy laws, with Quebec’s Law 25 widely characterized as among the most GDPR-aligned privacy statutes in North America. On the surveillance side, CSIS and CSE operate under distinct statutory mandates with layered oversight from the National Security and Intelligence Review Agency (NSIRA) and the Intelligence Commissioner.
The most notable recent development is the death of Bill C-27, which would have replaced PIPEDA with the Consumer Privacy Protection Act (CPPA) and introduced Canada’s first federal AI regulation. Parliament was prorogued on January 6, 2025, killing the bill.[2] Canada continues to operate under a 25-year-old federal privacy law with no fining power, no private right of action, and no federal AI governance framework.
Data Protection Authorities
Office of the Privacy Commissioner of Canada (OPC)
Current Commissioner: Philippe Dufresne, appointed June 27, 2022, the ninth Privacy Commissioner of Canada.[1]
Statutory basis: Established under both PIPEDA and the Privacy Act, the OPC oversees federal private-sector and public-sector privacy compliance.
Enforcement model: The OPC operates under an ombudsman model, not an order-making model. This is a critical distinction. The Privacy Commissioner cannot issue binding orders and cannot impose fines. Instead, the Commissioner investigates complaints and makes recommendations, which are not legally enforceable. If an organization refuses to comply, the Commissioner must apply to the Federal Court of Canada, which has broad order-making powers. The Commissioner can also enter into compliance agreements with organizations and publicly name non-compliant entities.[3]
Tools available: Investigations, audits, reports of findings, compliance agreements, referrals to Federal Court, and public naming of non-compliant organizations.
Recent enforcement: In 2025, the OPC commenced an enforcement application in Federal Court against Aylo (operator of Pornhub) for alleged PIPEDA contraventions, seeking binding court orders including deletion of information and implementation of stronger safeguards around meaningful consent for sensitive personal information.[3]
Strategic priorities (2025): In January 2025, Commissioner Dufresne unveiled a transformation plan for a modernized OPC, with priorities including maximizing office impact, addressing the privacy implications of artificial intelligence, and championing children’s privacy.[3]
Provincial Privacy Commissioners
Quebec: Lise Girard, President of the Commission d’accès à l’information du Québec (CAI). The CAI oversees Quebec’s private-sector and public-sector privacy laws, including Law 25. Unlike the federal OPC, the CAI can impose administrative monetary penalties.[4]
British Columbia: Michael Harvey, Information and Privacy Commissioner for British Columbia. Oversees BC’s Personal Information Protection Act (PIPA) and the Freedom of Information and Protection of Privacy Act (FIPPA). The BC Commissioner has order-making powers.[5]
Alberta: The Information and Privacy Commissioner of Alberta (OIPC Alberta) oversees Alberta’s PIPA and the Freedom of Information and Protection of Privacy Act (FOIP Act). Like BC, the Alberta Commissioner has order-making powers, a capability the federal OPC lacks.[5]
PIPEDA (Personal Information Protection and Electronic Documents Act, 2000)
In force: January 1, 2001 (phased; fully in force January 1, 2004) | Amended: Multiple times, including by the Digital Privacy Act (2015)
PIPEDA is Canada’s primary federal law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. It applies to all businesses handling personal information that crosses provincial or national borders, regardless of which province they operate in. Organizations in provinces with “substantially similar” legislation are exempt from PIPEDA for intra-provincial commercial activity. PIPEDA always applies to federally regulated organizations (banks, airlines, and telecommunications companies) nationwide.[6]
The 10 Fair Information Principles (Schedule 1)
PIPEDA is built on ten fair information principles derived from the Canadian Standards Association’s Model Code for the Protection of Personal Information:[7]
1. Accountability: An organization is responsible for personal information under its control and shall designate an individual accountable for compliance.
2. Identifying Purposes: The purposes for collection must be identified at or before the time of collection.
3. Consent: Knowledge and consent are required for collection, use, or disclosure, with limited exceptions.
4. Limiting Collection: Collection shall be limited to what is necessary for identified purposes.
5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those identified, except with consent; it shall be retained only as long as necessary.
6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness: An organization shall make its policies and practices regarding the management of personal information readily available.
9. Individual Access: Upon request, an individual shall be informed of the existence, use, and disclosure of their personal information and given access to that information.
10. Challenging Compliance: An individual shall be able to challenge an organization’s compliance with these principles by addressing a challenge to the designated accountable individual.
Substantially Similar Provincial Laws
Three provinces have enacted private-sector privacy legislation deemed substantially similar to PIPEDA by the Governor in Council, exempting organizations from PIPEDA for intra-provincial commercial activity:[8]
Alberta: Personal Information Protection Act (PIPA) – since January 1, 2004
British Columbia: Personal Information Protection Act (PIPA) – since January 1, 2004
Quebec: An Act respecting the protection of personal information in the private sector (as amended by Law 25) – since 1994
Additionally, Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador have adopted substantially similar legislation for personal health information specifically.[8]
Privacy Act (1983)
In force: July 1, 1983
The Privacy Act governs how federal government institutions collect, use, disclose, retain, and dispose of personal information. It does not apply to political parties, members of Parliament, senators, courts, or private-sector organizations.[9]
Key provisions: Section 4 prohibits government institutions from collecting personal information unless it relates directly to an operating program or activity. Section 12 grants every Canadian citizen or permanent resident the right to access personal information about themselves held by government institutions and request correction of inaccuracies. Sections 19 through 28 provide exemptions for national defence, law enforcement investigations, solicitor-client privilege, and third-party personal information.[9]
Enforcement: The Privacy Commissioner of Canada oversees the Privacy Act under the same ombudsman model as PIPEDA.[10]
Criticism: The Privacy Act has been described by multiple reviews as requiring modernization. Enacted in 1983 and largely unchanged since, the Act has been the subject of multiple reports calling for updates, particularly regarding order-making powers, broader scope, and stronger privacy protections appropriate for the digital age. The Act predates the commercial internet, cloud computing, artificial intelligence, and modern mass surveillance capabilities.[10]
Provincial Privacy Laws
Quebec Law 25 (An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information)
Passed: September 22, 2021 | Full title: An Act to modernize legislative provisions as regards the protection of personal information (Bill 64)
Legal commentators have characterized Quebec Law 25 as among the most GDPR-like privacy laws in North America and describe its reach as broader than that of US state omnibus privacy laws. It was implemented in three phases:[11]
Phase 1 (September 22, 2022): Designation of a privacy officer; mandatory breach reporting to the CAI; disclosure requirements for biometric data.
Phase 2 (September 22, 2023): Privacy policies; mandatory privacy impact assessments (PIAs); transparency and consent systems; anonymization requirements; right to erasure (de-indexation).
Phase 3 (September 22, 2024): Right to data portability, marking the full implementation of all Law 25 provisions.[12]
GDPR-like provisions: Right to be informed, right of access, rectification, erasure and de-identification, restriction of processing, withdrawal of consent, data portability, mandatory privacy impact assessments for new systems and international transfers, enhanced consent mechanisms, breach notification registers, and privacy-by-default requirements.[11]
Penalties:
Administrative Monetary Penalties (AMPs): Up to CAD 10 million or 2% of worldwide turnover, whichever is higher. For individuals, maximum CAD 50,000.[13]
Penal Fines: Up to CAD 25 million or 4% of worldwide turnover, whichever is higher. Minimum fine of CAD 15,000 for corporations. Fines double for subsequent offences. The CAI can initiate penal proceedings within five years of an offence.[13]
Alberta PIPA
Full name: Personal Information Protection Act (SA 2003, c P-6.5) | In force: January 1, 2004
Applies to provincially regulated private-sector organizations, businesses, and in some instances non-profit organizations in Alberta. Provides individuals with the right to access their personal information and provides organizations with a framework for collection, use, and disclosure. Notably covers employee information held by provincially regulated organizations. Overseen by the OIPC Alberta, which, unlike the federal OPC, has order-making powers.[14]
BC PIPA
Full name: Personal Information Protection Act (SBC 2003, c 63) | In force: January 1, 2004
Applies to provincially regulated private-sector organizations in British Columbia. Similar to Alberta’s PIPA in scope and structure: rights of access, a framework for collection, use, and disclosure. Overseen by the BC Information and Privacy Commissioner, who also has order-making powers. Both provincial PIPAs have been declared substantially similar to PIPEDA, exempting organizations from federal jurisdiction for intra-provincial commercial activity.[15]
Bill C-27 / Consumer Privacy Protection Act (CPPA)
Status as of 2026: DEAD
Bill C-27, the Digital Charter Implementation Act, 2022, was introduced in the House of Commons to enact three new statutes: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). It underwent extensive clause-by-clause review in the Standing Committee on Industry and Technology before being killed when Parliament was prorogued on January 6, 2025.[2]
Following the April 2025 snap federal election, Minister Evan Solomon confirmed in June 2025 that C-27 will not return in its original form and that AIDA is off the table as drafted.[16]
What the CPPA Would Have Changed
The bill would have replaced PIPEDA’s ombudsman model with order-making powers for the Privacy Commissioner. It would have created an independent Personal Information and Data Protection Tribunal to hear appeals. It proposed administrative monetary penalties of up to 3% of global revenue or CAD 10 million, and penal fines of up to 5% of global revenue or CAD 25 million for serious offences. Other provisions included a private right of action for individuals, strengthened consent requirements, new protections for minors’ data and de-identified data, and algorithmic transparency requirements.[2]
Current situation: Canada continues to operate under PIPEDA (2000) with no federal AI framework. Privacy reform will need re-examination. Core themes (valid consent, stronger enforcement, AI accountability) are expected to shape whatever legislation comes next.[16]
CASL (Canada’s Anti-Spam Legislation, 2014)
In force: July 1, 2014
CASL regulates the sending of commercial electronic messages (CEMs), including email, text messages, and social media messages, to or from Canada. Its full legal name is An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities.[17]
Consent Requirements
Express consent: Must be obtained before sending CEMs. Express consent does not expire, but recipients can withdraw at any time. Can be obtained in writing or orally.
Implied consent: Exists in certain circumstances, such as an existing business relationship within the past two years, an existing non-business relationship within the past six months, or where an email address is conspicuously published.[17]
Identification requirements: CEMs must include sender identification information.
Unsubscribe mechanism: Every CEM must include a functioning unsubscribe mechanism, and organizations must honor opt-out requests within 10 business days.[18]
Penalties
Individuals: Up to CAD 1 million per violation.
Companies: Up to CAD 10 million per violation.
Directors and officers can be held personally liable. Both administrative monetary penalties (by CRTC) and private right of action provisions apply.[18]
Enforcement: Shared among the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau, and the OPC for PIPEDA-related aspects. Canadians can report spam to the Spam Reporting Centre.[17]
Surveillance and Intelligence Laws
CSIS Act (1984) – Canadian Security Intelligence Service Act
Royal Assent: June 1984; proclaimed July 16, 1984 | Citation: R.S.C. 1985, c. C-23
CSIS was created as a civilian intelligence agency, separated from the RCMP following the McDonald Commission recommendations in the wake of RCMP intelligence scandals in the 1970s and 1980s.[19]
Section 12 (Security Intelligence): Authorizes CSIS to gather information pertaining to individuals or organizations suspected of engaging in activities threatening the security of Canada, including espionage and sabotage, foreign-influenced activities detrimental to Canada’s interests, political violence and terrorism, and activities directed toward undermining the constitutionally established system of government.[20]
Section 12.1 (Threat Reduction Measures): Added by the Anti-terrorism Act, 2015 (Bill C-51). Authorizes CSIS to take measures, within or outside Canada, to reduce threats to national security, subject to defined legal requirements and ministerial direction.[20]
Section 16 (Foreign Intelligence): Authorizes CSIS to collect foreign intelligence within Canada at the request of the Minister of Foreign Affairs or Minister of National Defence.
Section 21 (Warrants): When collection is more than minimally intrusive, CSIS must obtain warrants from the Federal Court. The Minister of Public Safety must authorize the application before it is submitted.[20]
Key limitations: Section 2 explicitly prohibits CSIS from investigating acts of lawful advocacy, protest, or dissent. CSIS has no law enforcement powers and cannot arrest or charge anyone.[19]
CSE Act (2019) – Communications Security Establishment Act
Royal Assent: June 21, 2019 (Part of the National Security Act, 2017 / Bill C-59) | Replaced: CSE’s prior authority under the National Defence Act
The CSE Act gave Canada’s signals intelligence agency its first standalone statutory mandate, significantly expanding its authorities and providing an explicit legal basis for cyber operations.[21]
Five-part mandate:
1. Foreign Intelligence: Acquire information from or through the global information infrastructure, including by engaging with foreign entities outside Canada. Must be directed at foreign entities and relate to international affairs, defence, or security.
2. Cyber Security and Information Assurance: Protect federal government electronic information and information infrastructures. Provide advice and services to other levels of government and critical infrastructure operators.
3. Defensive Cyber Operations: Carry out activities on or through the global information infrastructure to protect federal electronic information and critical infrastructure from cyber threats.
4. Active Cyber Operations: Carry out activities to degrade, disrupt, influence, respond to, or interfere with the capabilities of foreign individuals, states, organizations, or terrorist groups.
5. Technical and Operational Assistance: Provide technical and operational support to federal law enforcement and security agencies, the Canadian Armed Forces, and the Department of National Defence.[22]
Authorization and oversight: Foreign intelligence and cybersecurity authorizations must be issued by the Minister of National Defence. Ministerial authorizations are not valid until approved by the Intelligence Commissioner, a retired superior court judge, providing quasi-judicial oversight. Active cyber operations require authorization by both the Minister of National Defence and the Minister of Foreign Affairs.[21]
Restrictions: CSE may not direct its activities at Canadians or persons in Canada. Information incidentally collected about Canadians must be handled under strict privacy protections.[22]
Criminal Code Part VI – Wiretap Provisions (ss. 183–196.1)
Part VI of the Criminal Code governs the interception of private communications by law enforcement for criminal investigations. Courts have described these provisions as “the most exacting pre-trial investigative proceeding known to our criminal law.”[23]
Third-party intercept authorization (ss. 185 & 186): The most common form. Can only be authorized by a judge of a superior court. Requires showing investigative necessity, that other procedures have been tried and failed or are impractical, and that interception is necessary for specified serious offences including terrorism, weapons trafficking, drug trafficking, and organized crime.[23]
One-party consent intercept (s. 184.2): Where one party to the communication consents. Requires judicial authorization.
Emergency provisions: Section 184.1 allows one-party consent interception without judicial authorization where there are reasonable grounds to believe interception is necessary to prevent bodily harm. Section 184.4 allows third-party interception without warrant where immediate interception is necessary to prevent an unlawful act that would cause serious harm.[24]
Safeguards: Subjects must generally be notified within 90 days that they were the subject of interception. Annual reporting to Parliament on the use of electronic surveillance is required.[24]
Intelligence Structure
Key Agencies
CSIS: Civilian domestic intelligence agency focused on threats to national security. Reports to the Minister of Public Safety. Operates primarily through human intelligence (HUMINT), surveillance, and Federal Court warrants. Has no law enforcement powers.[19]
CSE: Canada’s signals intelligence (SIGINT) and cyber operations agency. Reports to the Minister of National Defence. Authorized for foreign intelligence collection, defensive and active cyber operations, and technical assistance, subject to its targeting restrictions on Canadians.[22]
RCMP (Royal Canadian Mounted Police): Federal law enforcement with intelligence collection capabilities. The RCMP’s National Intelligence Coordination Centre (NICC) serves as a central information-sharing hub between CSIS, CSE, FINTRAC, Five Eyes partners, and RCMP leadership. The key distinction: the RCMP has law enforcement powers (arrest, charge) that CSIS lacks; the RCMP conducts criminal investigations whereas CSIS conducts intelligence investigations.[25]
Five Eyes Membership
Canada has been a Five Eyes member since 1948, when it joined the UKUSA Agreement. Four Canadian agencies participate directly in the alliance: CSE, CSIS, RCMP, and Canadian Forces Intelligence Command. Intelligence is shared by default: each member shares the intelligence it obtains with all other members. CSE provides signals intelligence, with particular emphasis on Arctic region collection, an area of growing strategic importance due to climate change.[26]
Oversight Bodies
NSIRA (National Security and Intelligence Review Agency): Established in June 2019 under the National Security Act, 2017 (Bill C-59). NSIRA replaced the Security Intelligence Review Committee (SIRC, which only reviewed CSIS) and the Office of the CSE Commissioner (OCSEC). Its mandate covers all national security and intelligence activities across the entire Government of Canada, a “whole-of-government” mandate replacing the previous siloed approach. NSIRA conducts after-the-fact reviews, investigates complaints, and provides annual reports to Parliament. It operates at arm’s length from government, with members appointed by the Governor in Council on recommendation of the Prime Minister after consultation with opposition leaders.[27]
Intelligence Commissioner: Provides pre-authorization oversight (before activities occur), as opposed to NSIRA’s after-the-fact review. Must be a retired judge of a superior court. Must approve ministerial authorizations for CSE foreign intelligence and cybersecurity activities, and CSIS dataset authorizations, before they take effect, providing a quasi-judicial “double lock.” Appointed by the Governor in Council on recommendation of the Prime Minister.[28]
NSICOP (National Security and Intelligence Committee of Parliamentarians): A parliamentary oversight committee with access to classified information that complements NSIRA’s review function.[29]
Commercial Surveillance Procurement
Despite Canada’s robust oversight structure for intelligence activities (including NSIRA, the Intelligence Commissioner, and NSICOP), Canadian law enforcement and security agencies have supplemented their capabilities through commercial surveillance technology procurement. These contracts operate outside the intelligence authorization framework governing CSIS and CSE.
Palantir Technologies
The Royal Canadian Mounted Police (RCMP) procured Palantir analytics platforms under contracts valued at CAD $14.4 million. The system provides pattern-matching, link-analysis, and intelligence fusion capabilities across criminal investigations and national security cases.[33]
Palantir’s integration into Canadian law enforcement creates potential US CLOUD Act exposure. As a US company, Palantir can be compelled by American law enforcement and intelligence agencies to produce data held on its systems, regardless of where that data is stored or which government collected it. Canadian criminal investigation data processed through Palantir could thus become subject to US legal process, creating a pathway for American access that bypasses the mutual legal assistance treaty (MLAT) framework Canada negotiated with the United States.
Clearview AI: Banned After Privacy Violations
Multiple Canadian law enforcement agencies, including the RCMP, Toronto Police, and Calgary Police, used Clearview AI’s facial recognition technology, which matches faces against a database of over 10 billion images scraped from social media and public websites. In February 2021, the Privacy Commissioner of Canada, together with provincial counterparts in Quebec, BC, and Alberta, jointly determined that Clearview AI’s business model violated Canadian privacy law.[34]
The commissioners found that Clearview AI collected Canadians’ biometric information without consent, used it for purposes individuals did not consent to, and provided insufficient transparency about its practices. Clearview AI was ordered to stop offering its services in Canada and delete all data it had collected on Canadians. While Clearview AI initially challenged the determination, Canadian law enforcement agencies ceased using the service following the privacy commissioners’ findings.
The Clearview AI episode demonstrates both the strength and the limitation of the OPC’s ombudsman model. The federal and provincial privacy commissioners successfully identified a privacy violation and ordered remediation. However, given the OPC’s limited enforcement powers, the enforcement relied on public pressure and voluntary compliance, and the violation had already occurred, with Canadian biometric data scraped and shared with foreign law enforcement agencies for years before the investigation concluded.
Cellebrite: Digital Forensics and Device Exploitation
The RCMP and provincial police forces have procured Cellebrite systems for digital forensics and mobile device exploitation. These tools extract data from smartphones, bypass device encryption, recover deleted messages, and access encrypted messaging applications.[35]
The deployment of Cellebrite raises questions about the necessity of additional lawful access legislation. Canadian law enforcement already possesses commercial tools capable of accessing encrypted communications through endpoint exploitation. This in turn raises questions about the relationship between commercially available endpoint exploitation tools and legislative proposals for mandatory encryption backdoors.
The Oversight Gap
When CSIS conducts surveillance under the CSIS Act, it must obtain Federal Court warrants for collection that is more than minimally intrusive, and all activities are subject to NSIRA review and Intelligence Commissioner approval. When CSE conducts foreign intelligence collection or active cyber operations under the CSE Act, ministerial authorizations must be approved by the Intelligence Commissioner before they take effect.
But when the RCMP or provincial police forces purchase analytics platforms, facial recognition systems, or device exploitation tools from commercial vendors, those procurements are treated as standard equipment purchases subject to normal administrative procurement rules. There is no equivalent requirement for NSIRA review of commercial surveillance technology acquisition, no Intelligence Commissioner approval for deploying Palantir analytics or Cellebrite exploitation tools, and no independent assessment of whether these capabilities comply with the same necessity and proportionality standards that apply to CSIS and CSE.
This creates a regulatory asymmetry: intelligence agencies operating under the CSIS Act and CSE Act face multi-layered oversight through NSIRA, the Intelligence Commissioner, and NSICOP, while law enforcement agencies deploying commercially procured surveillance capabilities face only the general constraints of criminal procedure and the OPC’s ombudsman oversight with its limited enforcement powers.
Cable Surveillance: CSE and Transatlantic Interception
As a Five Eyes member, Canada plays a critical role in the interception of global communications through CSE. Canada’s geographic position, sitting between the United States and Europe with transatlantic cables landing on both coasts, makes it a strategic location for monitoring internet and telecommunications traffic passing between North America and Europe.
CSE’s Role in Five Eyes SIGINT Collection
Under the UKUSA Agreement (formalized in 1946 and expanded over subsequent decades), CSE is responsible for signals intelligence collection in its assigned geographic area and shares intercepted intelligence with the NSA, GCHQ, ASD, and GCSB. The agreement divides the world into zones of responsibility, with Canada focusing on northern latitudes, Russian communications, and traffic passing through Canadian territory.[45]
CSE’s signals intelligence activities are governed by the Communications Security Establishment Act (2019), which authorizes the agency to intercept foreign communications, conduct cybersecurity operations, and provide technical assistance to federal law enforcement and security agencies. CSE’s targeting restrictions apply, but they do not prevent the incidental collection of Canadian communications that pass through infrastructure CSE monitors.
Transatlantic Cable Access
Canada is a landing point for multiple transatlantic submarine cables connecting North America to Europe, including major systems that carry vast volumes of internet traffic. These cables pass through Canadian territory, giving CSE access to communications between the United States, Canada, Europe, and beyond.[46]
While the specific cables and access points remain classified, the Snowden disclosures revealed that CSE operates interception facilities that tap into fiber-optic cables, copying data flows for analysis. CSE shares this intercepted traffic with the NSA under the Five Eyes framework, and the NSA reciprocates by providing CSE with access to intelligence collected from other parts of the world.
The Levitation Program: Tracking File Downloads
In 2015, leaked documents revealed that CSE had conducted a program code-named “Levitation,” which monitored file-sharing sites and tracked users who downloaded files. The program analyzed up to 10 to 15 million uploads and downloads daily, collecting IP addresses, file metadata, and user activity to identify intelligence targets.[47]
Levitation operated by intercepting traffic at internet exchange points and analyzing HTTP requests to file-sharing platforms. The program collected data on both foreign nationals and Canadians, with CSE claiming that it filtered out Canadian IP addresses after collection. However, the program demonstrated CSE’s capability to monitor internet activity in bulk, collecting vast amounts of data and applying filters after interception rather than targeting specific individuals before collection.
CSE Access to NSA Systems and Data Sharing
Documents from the Snowden disclosures showed that CSE has access to the NSA’s XKeyscore system, allowing Canadian analysts to search intercepted communications collected by the Five Eyes alliance. XKeyscore provides a searchable database of emails, web browsing activity, searches, and social media interactions, collected in bulk from cables, satellites, and other sources.[48]
CSE also contributes data to the NSA’s collection infrastructure. Under the Five Eyes framework, CSE provides the NSA with access to communications intercepted from Canadian cables and facilities, and the NSA shares intelligence from its own global collection programs. This reciprocal arrangement means that communications intercepted by CSE in Canada may be searched by NSA analysts in the United States, and vice versa, creating a pooled intelligence database that transcends national boundaries and legal frameworks.
Legal Framework and Oversight
CSE’s foreign intelligence collection is conducted under ministerial authorizations issued by the Minister of National Defence and approved by the Intelligence Commissioner. These authorizations must specify the types of information to be collected, the foreign entities or threats targeted, and the techniques to be used. The authorizations are classified, and the public has no visibility into what is authorized or how broadly CSE’s interception mandate extends.[24]
The National Security and Intelligence Review Agency (NSIRA) reviews CSE’s activities retrospectively, examining whether the agency complied with its legal mandate and ministerial authorizations. NSIRA can access classified information and interview CSE personnel, but its reviews are conducted in secret, and only sanitized summaries are published publicly. Individuals whose communications are intercepted have no notification mechanism, no right to challenge their inclusion in CSE’s collection, and no access to NSIRA’s findings.[25]
The Intelligence Commissioner provides pre-authorization review, assessing whether proposed ministerial authorizations comply with the law and the Canadian Charter of Rights and Freedoms. This “double lock” mechanism (ministerial approval plus independent judicial review) is designed to prevent abuse. However, the Intelligence Commissioner reviews authorizations in secret, based on classified briefings from CSE, and has no mechanism to hear from affected individuals or civil society organizations. The Commissioner’s decisions are not published, and there is no public record of how many authorizations have been approved or denied.
Implications for Privacy and Jurisdiction
CSE’s cable interception creates a fundamental jurisdictional problem: communications passing through Canadian cables are intercepted in bulk, regardless of the nationality or location of the communicating parties. A French user emailing a German colleague may have their communication intercepted by CSE if the message routes through a Canadian cable, subjecting European communications to Canadian intelligence collection without any Canadian nexus beyond the routing path.
For Canadians, CSE’s targeting restrictions provide limited protection. The agency’s bulk collection from cables means that Canadian communications are swept up incidentally. CSE claims to filter and minimize Canadian data, but the filtering occurs after collection, not before, meaning Canadian communications are intercepted, scanned, and processed before being discarded (or retained, if they match intelligence criteria).
The result is that jurisdictional privacy, the expectation that being in Canada or communicating with Canadians provides legal protection, is, as privacy scholars have argued, largely illusory. Traffic passing through Canadian infrastructure is subject to CSE collection, and oversight occurs in secret through mechanisms that provide no transparency, no notification, and no individual recourse.
International Data Sharing Agreements
Canada maintains an extensive network of data sharing agreements, complementing its domestic surveillance framework under the CSIS Act, CSE Act, and Criminal Code. These agreements allow Canadian law enforcement and intelligence agencies to access data held abroad, while providing foreign agencies with pathways to obtain Canadian person data, often through processes that operate outside the multi-layered oversight framework of NSIRA, the Intelligence Commissioner, and NSICOP.
Canada’s Extensive MLAT Network
Canada is a signatory to Mutual Legal Assistance Treaties with over 40 countries, including: Antigua and Barbuda, Argentina, Australia, Austria, Bahamas, Barbados, Belgium, Brazil, China, Cuba, Czech Republic, France, Germany, Greece, Hong Kong, Hungary, India, Israel, Italy, Jamaica, Kazakhstan, Kenya, Luxembourg, Mexico, Netherlands, Norway, Peru, Poland, Portugal, Romania, Russia, South Africa, South Korea, Spain, Sweden, Switzerland, Thailand, Trinidad and Tobago, Ukraine, United Kingdom, United States, and Uruguay.[49]
The Canada-US MLAT, created in the 1980s-1990s between Five Eyes partners, allows Canadian law enforcement to request data on US persons, and US law enforcement to request data on Canadian persons, through diplomatic channels. The Department of Justice serves as Canada’s central authority for processing MLAT requests, with average processing times of 10 months for complex cases involving electronic evidence.
CLOUD Act Negotiations: Anticipated Agreement
Following the United Kingdom (2022) and Australia (2024), Canada is in negotiations for a CLOUD Act executive agreement with the United States. The anticipated Canada-US CLOUD Act agreement would follow the UK/Australia model, allowing Canadian law enforcement (RCMP, provincial police, CSIS) to directly serve legal process on US technology companies to obtain communications data, bypassing the traditional MLAT process and reducing access time from months to days.[50]
The agreement would be reciprocal, allowing US law enforcement to directly request data from Canadian companies without going through Canadian courts, the Intelligence Commissioner, or NSIRA oversight. This creates a potential bypass of Canada’s rigorous intelligence oversight framework for data held by Canadian companies.
Five Eyes Intelligence Sharing: Founding Member
Through the Five Eyes alliance, CSE shares all signals intelligence (SIGINT), human intelligence (HUMINT), military intelligence (MILINT), and geospatial intelligence (GEOINT) with the NSA, GCHQ, ASD, and GCSB by default.[51]
Under the Five Eyes division of responsibilities, CSE is responsible for signals intelligence collection in northern latitudes, Russian communications, and traffic passing through Canadian territory. This intelligence is shared automatically with Five Eyes partners, who reciprocate by providing CSE with access to intelligence collected globally.
The Five Eyes framework creates a reciprocal surveillance bypass: CSE can collect data on US, UK, Australian, or New Zealand persons and share it with those countries’ intelligence agencies, circumventing restrictions on domestic surveillance. Conversely, the NSA, GCHQ, ASD, and GCSB can collect on Canadian persons and share with CSE, bypassing CSE’s targeting restrictions.
According to Privacy International, data collected via Five Eyes programs can be shared with law enforcement, bypassing warrant requirements. The Levitation program and other CSE operations revealed in the Snowden disclosures demonstrate that CSE provides the NSA with cable intercept data and receives NSA intelligence in return, with information flowing by default between agencies.
Five Eyes Expansion: Biometric and Criminal Data Sharing
M5 Fingerprint Sharing: Canada participates in the Five Eyes fingerprint sharing program for visa applications, refugee claims, and immigration processing. Millions of fingerprints are checked annually across Five Eyes databases, allowing Canadian border authorities to query US, UK, Australian, and New Zealand criminal and immigration records.
Criminal Database Sharing Proposal: Canada is considering participation in an expanded Five Eyes proposal to query domestic criminal databases of partner countries for immigration purposes. This would allow Canadian authorities to check US, UK, Australian, and New Zealand criminal records when processing visa applications, representing a significant expansion beyond intelligence and border control.[52]
Competition Enforcement Cooperation: Canada entered a cooperation framework with Five Eyes competition enforcement agencies, enabling data sharing for antitrust and competition investigations across borders.
Passenger Name Record Agreement with the European Union
In April 2025, Canada concluded a PNR agreement with the European Union, enabling transfer of passenger data from EU air carriers to Canadian authorities. Every passenger on EU-Canada flights has their name, travel dates, itinerary, seat assignment, baggage information, contact details, and payment method transferred to the Canada Border Services Agency and RCMP.[53]
The data is ostensibly for counterterrorism, serious organized crime, drug trafficking, and child exploitation, but retention periods extend for years, and all passengers are subject to data sharing regardless of suspicion. The EU-Canada PNR agreement was negotiated alongside similar EU agreements with the US and Australia.
Interpol and Multilateral Frameworks
Interpol I-24/7 System: Canada participates in Interpol’s secure global communications network, processing over 100,000 messages daily across 195 member countries. The RCMP and provincial police forces use the system for real-time sharing of Red/Blue notices, biometric data, lost documents, and stolen vehicle/weapons information.
Egmont Group (Financial Intelligence Units): The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) participates in the Egmont Group, a network of 164+ Financial Intelligence Units that share financial intelligence on money laundering, terrorist financing, and financial crimes under bilateral and multilateral agreements.
The Privacy Backdoor Effect
Despite Canada’s robust oversight structure (NSIRA retrospective review, Intelligence Commissioner pre-authorization, NSICOP parliamentary oversight), international data sharing agreements create pathways for accessing Canadian person data that operate outside this framework:
- CLOUD Act Bypass (Anticipated): Once implemented, US authorities could directly request data from Canadian companies without Intelligence Commissioner approval or NSIRA oversight; Canadian authorities could directly request data from US companies without US judicial review
- Five Eyes Laundering: NSA can collect on Canadian persons and share with CSE, circumventing CSE’s targeting restrictions; CSE can collect on US persons and share with NSA, circumventing US constitutional protections
- MLAT Lower Standards: Foreign MLAT requests (40+ countries) may involve lower evidentiary standards than the Federal Court warrant requirements under the CSIS Act or Criminal Code
- PNR Dragnet: All international travelers to/from the EU have comprehensive personal data shared with EU authorities regardless of suspicion
For Canadian persons, this means data nominally protected by the Privacy Act, CSIS Act, CSE Act, and PIPEDA can be accessed through MLAT channels (with foreign evidentiary standards), anticipated CLOUD Act requests (bypassing Intelligence Commissioner approval), Five Eyes intelligence sharing (default exchange with no notification), or PNR agreements (bulk passenger data collection).
The result is a gap between domestic protections and international data sharing frameworks: while Canada’s domestic oversight framework provides rigorous safeguards through NSIRA, the Intelligence Commissioner, and NSICOP, international data sharing agreements create pathways for foreign access that operate outside these frameworks, undermining the expectation that Canadian law protects Canadian persons’ data.
Data Retention
Canada has no mandatory data retention law requiring telecommunications providers to retain customer communications data for a specified period. This is a significant distinction from the United Kingdom, the European Union, and Australia. There is no Canadian equivalent to the UK’s Investigatory Powers Act Part 4 retention notices or Australia’s mandatory two-year data retention regime.[30]
The Lawful Access Debate
The question of mandatory data retention and “lawful access” has been contentious in Canada for over a decade:
Bill C-30 (2012): The Protecting Children from Internet Predators Act would have required ISPs to give police subscriber information without a warrant. It was withdrawn after public backlash. Then-Public Safety Minister Vic Toews infamously told critics they could “either stand with us or with the child pornographers.”[30]
Bill C-13 (2014): The Protecting Canadians from Online Crime Act enacted provisions for preservation demands and orders, requiring providers to preserve (not retain) specific data once notified, but did not mandate blanket data retention.[30]
R. v. Spencer (2014, SCC): The Supreme Court of Canada ruled that police generally need a warrant to obtain subscriber information from ISPs, significantly strengthening privacy protections for internet users.[30]
Current Legal Framework
Law enforcement can use: preservation demands (requiring providers to preserve specific data for 21 to 90 days upon notice); production orders (court orders to compel disclosure of specific data); warrants (judicial authorization for access to content); and mutual legal assistance treaties for cross-border requests.[31]
Recent Developments (2024–2026)
Bill C-27 confirmed dead (January 2025): Parliament’s prorogation on January 6, 2025, killed all bills on the Order Paper. Following the April 2025 snap federal election, the government confirmed C-27 will not return in its original form. Canada remains without modern federal privacy reform or AI legislation.[2]
Quebec Law 25 fully implemented (September 2024): Phase 3 (data portability) came into effect September 22, 2024, completing the full implementation of all Law 25 provisions. The CAI has published its General Framework on Monetary Administrative Penalties, enabling enforcement of the law’s penalty provisions.[12]
OPC TikTok investigation (September 2025): The OPC and provincial counterparts in Quebec, BC, and Alberta published a joint investigation into TikTok, highlighting privacy concerns related to the collection and use of children’s personal information.[32]
Aylo (Pornhub) enforcement (2025): The OPC commenced an enforcement application in Federal Court against Aylo, seeking binding court orders regarding consent for sensitive personal information, a notable test of the ombudsman model’s enforcement capacity.[3]
Cybersecurity legislation: Bill C-26 (the government’s cybersecurity bill) died on the Order Paper but was reintroduced as Bill C-8, which updates the Telecommunications Act and introduces the Critical Cyber Systems Protection Act to secure vital infrastructure. This includes mandatory incident reporting and critical system obligations, but not data retention.[33]
2026 privacy priorities: Canada’s priorities for 2026 are expected to focus on data sovereignty, open banking implementation, AI governance (without AIDA), and potential new federal privacy reform legislation.[34]
Federal Leadership and Legislative Reset (May–December 2025)
New Minister of AI and Digital Innovation (May 2025): Following the April 2025 snap federal election, Evan Solomon was appointed as Canada’s first Minister of AI and Digital Innovation. Solomon confirmed that Bill C-27 and its AI component (AIDA) are dead and will not return in their original form. The government announced that privacy reform and AI governance would proceed as separate legislative streams, abandoning the omnibus approach that stalled C-27.[54]
Federal privacy reform expected early 2026: The government signaled it would introduce a new PIPEDA replacement bill in early 2026, featuring a penalty-based enforcement tribunal separate from AI legislation. The new framework is expected to finally give the Privacy Commissioner order-making and fining powers, address consent modernization, and create a standalone data protection tribunal—key elements from the failed C-27 repackaged without the contentious AIDA provisions.[55]
Bill C-8 (Critical Cyber Systems Protection Act): Tabled on June 18, 2025, Bill C-8 revives the cybersecurity provisions from the defunct Bill C-26. Currently at second reading, the bill amends the Telecommunications Act and introduces the Critical Cyber Systems Protection Act, designating vital services including telecommunications, pipelines, nuclear energy, and banking as critical infrastructure subject to mandatory cyber incident reporting. Penalties reach up to $15 million per day for non-compliance. The bill grants the government broad directive powers over designated operators during cyber emergencies.[56][57]
Consumer-Driven Banking Act (Bill C-15, November 30, 2025): Canada introduced its first open banking framework through Bill C-15, designating the Bank of Canada as the regulator for consumer-driven banking. Phase I (read-only data access) is expected to launch in early 2026, with Phase II (write access and payment initiation) targeted for mid-2027. The framework requires banks to share customer financial data with authorized third parties upon consumer consent, raising significant privacy and data security implications for how Canadians’ financial information is collected, shared, and protected.[58]
Bill C-16 (Protecting Victims Act, December 2025): The government introduced sweeping Criminal Code amendments targeting technology-facilitated harms. Bill C-16 criminalizes the non-consensual creation and distribution of deepfakes, tightens child-luring provisions, and increases maximum penalties for intimate image offences from 5 to 10 years imprisonment. The bill represents Canada’s first direct legislative response to AI-generated intimate imagery.[59]
OPC Investigations and Enforcement (2025–2026)
OPC expanded X Corp./Grok investigation (January 15, 2026): The Office of the Privacy Commissioner expanded its existing investigation into X Corp. (formerly Twitter) to cover AI-generated deepfakes produced via the Grok AI system. The OPC also launched a related investigation into xAI, the company behind Grok, examining whether the use of Canadian users’ data to train and generate AI content complies with PIPEDA’s consent and purpose limitation requirements.[60]
OPC/UK ICO joint 23andMe investigation (June 17, 2025): The Privacy Commissioner of Canada and the UK Information Commissioner’s Office launched a joint investigation into 23andMe following the company’s data breach that affected approximately 320,000 Canadians. The investigation examines the adequacy of 23andMe’s security safeguards for highly sensitive genetic data and whether the company’s data handling practices comply with PIPEDA.[61]
Aylo/Pornhub—LEAF granted intervener status (October 24, 2025): The Women’s Legal Education and Action Fund (LEAF) was granted intervener status in the OPC’s Federal Court enforcement action against Aylo (operator of Pornhub). LEAF’s intervention strengthens the case by introducing gender equality and human rights arguments, marking a significant development in the test of the ombudsman model’s enforcement capacity.[62]
OPC 2024–25 Annual Report: The Privacy Commissioner’s annual report revealed that formal complaints increased by 11% year-over-year. A public opinion survey commissioned by the OPC found that 83% of Canadians expressed concern about the privacy implications of artificial intelligence, underscoring public demand for stronger AI governance and reinforcing the Commissioner’s strategic priority of addressing AI-related privacy risks.[3]
OPC Children’s Privacy Code consultation (May–August 2025): The OPC conducted a public consultation on a proposed Children’s Privacy Code, building on Commissioner Dufresne’s identified strategic priority of championing children’s privacy. The code is expected to be finalized in early 2026 and would establish enforceable standards for how organizations collect, use, and disclose children’s personal information, drawing on international models including the UK’s Age Appropriate Design Code.[63]
Provincial Developments (2025)
Alberta POPA in force (June 11, 2025): Alberta’s new Public Sector Privacy and Access Act (POPA) came into force, representing a comprehensive overhaul of public-sector privacy governance in the province. POPA introduces mandatory breach notification requirements for Alberta public bodies, modernizes access-to-information processes, and aligns public-sector privacy standards more closely with contemporary data protection principles.[64]
Clearview AI v. Alberta (May 8, 2025): In a significant constitutional ruling, a court found that parts of Alberta’s PIPA were unconstitutional in the context of Clearview AI’s challenge to the provincial privacy commissioner’s jurisdiction. The decision has implications for provincial commissioners’ ability to regulate out-of-province and international companies that process Albertans’ personal information.[65]
Ontario first PHIPA administrative penalty (August 2025): Ontario’s Information and Privacy Commissioner issued the province’s first administrative monetary penalties under the Personal Health Information Protection Act (PHIPA), fining a physician $5,000 and the associated clinic $7,500 for unauthorized access to patient records. The enforcement action signals a new era of active penalty-based enforcement for health information privacy in Ontario.[66]
Alberta PIPA modernization consultation (closing February 17, 2026): The Government of Alberta launched a formal consultation on modernizing its Personal Information Protection Act (PIPA), with the comment period closing on February 17, 2026. The consultation examines whether PIPA remains adequate to address modern data practices, AI, and cross-border data flows.[67]
National Security and Emerging Policy (2025–2026)
Bill C-2 lawful access controversy (June–October 2025): The government introduced lawful access provisions in Bill C-2 that would have expanded law enforcement’s ability to compel telecommunications providers to assist with interception. The provisions drew intense criticism from civil liberties organizations and privacy advocates. After sustained public backlash, the government reversed the controversial provisions in October 2025, a reversal reminiscent of the Bill C-30 defeat in 2012.[68]
Bill C-70 (Foreign Interference) implementation: The Countering Foreign Interference Act (Bill C-70), which received Royal Assent in 2024, progressed toward implementation with the foreign influence transparency registry expected to become operational by June 2025. The registry requires individuals acting on behalf of foreign principals to register their activities, with implications for privacy, free expression, and community organizations.[69]
AI Strategy Task Force (October 2025): The government established a refreshed AI strategy task force to develop Canada’s approach to artificial intelligence governance in the post-AIDA environment. A refreshed national AI strategy is expected in Q1 2026, informed by the task force’s consultations with industry, civil society, and international partners.[70]
Data sovereignty elevated as federal policy priority: Data sovereignty has been elevated as a core federal policy priority, reflecting growing concerns about Canadian data flowing to foreign jurisdictions and the implications of US-based cloud service providers hosting Canadian government and personal data. The policy direction aligns with broader international trends toward data localization and digital sovereignty.[55]
CLOUD Act negotiations ongoing, facing resistance: Canada’s negotiations with the United States for a CLOUD Act executive agreement continue, but face growing domestic resistance. The Citizen Lab at the University of Toronto has recommended that Canada suspend negotiations, arguing that the agreement would allow US law enforcement to bypass Canadian judicial oversight when requesting data from Canadian companies. The debate highlights the tension between law enforcement efficiency and sovereignty over Canadian data.[71]
