Canada
Five Eyes founding member with CSE cable interception, the Levitation bulk monitoring programme, and 40+ bilateral MLATs
Overview
Canada is a Five Eyes founding member (joined the UKUSA Agreement in 1948). The Communications Security Establishment (CSE) intercepts foreign communications from transatlantic cables, operates the Levitation programme monitoring 10–15 million file-sharing uploads/downloads daily, and has access to the NSA’s XKeyscore system. Under the Five Eyes division of responsibilities, Canada covers northern latitudes and Russian communications.[1][2]
On the civilian side, Canada’s federal privacy framework operates on an ombudsman model where the Privacy Commissioner cannot issue binding orders or impose fines. PIPEDA (2000) governs private-sector data; the Privacy Act (1983) governs federal institutions. Bill C-27, which would have replaced PIPEDA and introduced federal AI regulation, died when Parliament prorogued in January 2025. Canada has no mandatory data retention, in contrast to all other Five Eyes members. A CLOUD Act agreement with the United States is under negotiation but facing domestic resistance.[3][4]
Privacy Framework
The Office of the Privacy Commissioner (OPC), under Commissioner Philippe Dufresne (since June 2022), enforces both PIPEDA and the Privacy Act using an ombudsman model: investigations, recommendations, compliance agreements, and referrals to Federal Court, but no binding orders or fines. Three provinces (Quebec, British Columbia, Alberta) have enacted substantially similar private-sector privacy laws. Quebec’s Law 25 (fully implemented September 2024) is among the most GDPR-aligned statutes in North America, with penalties up to CAD 25 million or 4% of worldwide turnover. Unlike the federal OPC, Quebec’s CAI and the BC and Alberta commissioners have order-making powers.[5][6]
PIPEDA (2000) applies to private-sector commercial activity crossing provincial or national borders and is built on 10 fair information principles. The Privacy Act (1983) governs federal institutions but has been described by multiple reviews as requiring modernisation. In early 2026 the government signalled a new PIPEDA replacement bill that would finally grant the OPC fining powers.[7][8]
Surveillance and Intelligence
CSIS Act (1984)
CSIS was created as a civilian intelligence agency separated from the RCMP following 1970s-80s intelligence scandals. Section 12 authorises security intelligence gathering; Section 12.1 (added by Bill C-51, 2015) authorises threat reduction measures; Section 16 authorises foreign intelligence collection within Canada. Intrusive collection requires Federal Court warrants with ministerial authorisation. CSIS has no law enforcement powers and cannot investigate lawful advocacy, protest, or dissent.[9]
CSE Act (2019)
The CSE Act gave Canada’s signals intelligence agency its first standalone statutory mandate, in five parts: foreign intelligence, cyber security, defensive cyber operations, active cyber operations (degrade/disrupt foreign capabilities), and technical assistance to law enforcement. Ministerial authorisations are not valid until approved by the Intelligence Commissioner (a retired judge), providing a quasi-judicial “double lock.” Active cyber operations require dual ministerial authorisation (Defence + Foreign Affairs). CSE may not target Canadians or persons in Canada; incidental collection is handled under strict privacy protections.[10]
Criminal Code Part VI – Wiretap Provisions
Third-party interception requires authorisation from a superior court judge, is limited to specified serious offences, and requires investigative necessity to be shown. Emergency provisions allow warrantless interception to prevent bodily harm or serious harm. Subjects must generally be notified within 90 days. Annual reporting to Parliament is required.[11]
Intelligence Structure
- CSE: Signals intelligence (SIGINT) and cyber operations, reporting to Minister of National Defence.
- CSIS: Civilian domestic intelligence, reporting to Minister of Public Safety.
- RCMP: Federal law enforcement with intelligence capabilities; National Intelligence Coordination Centre (NICC) links CSIS, CSE, FINTRAC, and Five Eyes partners.[12]
Oversight
- NSIRA (National Security and Intelligence Review Agency, 2019): “whole-of-government” retrospective review of all national security activities, replacing the previous siloed approach.
- Intelligence Commissioner: Pre-authorisation oversight (retired judge), must approve CSE and CSIS authorisations before they take effect.
- NSICOP: Parliamentary oversight committee with classified access.[13][14]
Commercial Surveillance Procurement
Palantir: RCMP procured Palantir analytics under contracts worth CAD $14.4 million, creating US CLOUD Act exposure for Canadian criminal investigation data processed on Palantir’s US-controlled platform.[15]
Clearview AI: RCMP, Toronto Police, and Calgary Police used Clearview AI before the Privacy Commissioner and provincial counterparts jointly determined it violated Canadian privacy law (February 2021), ordering it to stop offering services in Canada and delete all Canadian data.[16]
Cellebrite: RCMP and provincial police procure Cellebrite for mobile device exploitation, raising questions about the necessity of additional lawful access legislation when commercial endpoint exploitation tools already exist.[17]
When CSIS and CSE conduct surveillance, they face multi-layered oversight (NSIRA, Intelligence Commissioner, NSICOP). When the RCMP purchases Palantir or Cellebrite, those procurements are treated as standard equipment purchases with no equivalent judicial oversight, creating a regulatory asymmetry.
Encryption and Lawful Access
Canada has no compelled decryption law and no encryption backdoor mandate, distinguishing it from Australia (TOLA Act), the United Kingdom (IPA Technical Capability Notices), and France (judicial decryption orders). Canadian law enforcement cannot legally compel an individual to disclose an encryption key or password, and there is no statutory obligation for service providers to build lawful access capabilities into encrypted products.
However, the “lawful access” debate has been a recurring feature of Canadian policy. Bill C-30 (2012) would have required ISPs to provide subscriber information without a warrant; it was withdrawn after public backlash. Bill C-2 (2025) attempted to expand telecommunications interception powers; the encryption-relevant provisions were reversed in October 2025 after sustained criticism, echoing the C-30 defeat. The CLOUD Act negotiations with the United States could introduce new lawful access pathways for encrypted communications data held by US tech companies, with the Citizen Lab recommending Canada suspend negotiations over judicial oversight concerns.[26][22]
The absence of a compelled decryption law means Canadian authorities rely on endpoint exploitation (Cellebrite, other forensic tools) and Five Eyes intelligence sharing to access encrypted communications content — pathways that circumvent the encryption itself rather than mandating backdoors. Whether this pragmatic approach will survive growing law enforcement pressure for formal lawful access authority remains an open question.
Cable Surveillance and CSE Interception
Canada’s geographic position between the US and Europe, with transatlantic cables landing on both coasts, makes it strategic for communications interception. Under the UKUSA Agreement, CSE is responsible for northern latitudes, Russian communications, and traffic passing through Canadian territory. CSE operates interception facilities tapping fibre-optic cables and shares intercepted traffic with the NSA, receiving global intelligence in return.[1]
The Levitation Program
CSE’s Levitation programme (revealed 2015) monitored file-sharing sites, tracking 10–15 million uploads and downloads daily, collecting IP addresses, file metadata, and user activity. The programme intercepted traffic at internet exchange points and analysed HTTP requests in bulk, collecting data on foreign nationals and Canadians, filtering Canadian IPs after collection.[2]
XKeyscore Access
CSE has access to the NSA’s XKeyscore system, allowing Canadian analysts to search intercepted emails, web browsing, searches, and social media collected in bulk by the Five Eyes alliance. CSE also contributes Canadian cable intercepts to the shared database, creating a pooled intelligence resource that transcends national boundaries and legal frameworks.[18]
CSE’s targeting restrictions on Canadians provide limited protection: bulk cable collection means Canadian communications are swept up incidentally, scanned, and processed before being filtered. Ministerial authorisations are classified, and the public has no visibility into the scope of interception.
Data Retention
Canada has no mandatory data retention law, a significant distinction from all other Five Eyes members. Previous attempts failed: Bill C-30 (2012, withdrawn after public backlash) and Bill C-2 (2025, lawful access provisions reversed after criticism). The Supreme Court ruled in R. v. Spencer (2014) that police generally need a warrant for subscriber information. Bill C-13 (2014) introduced preservation demands (requiring providers to preserve specific data for 21–90 days upon notice) but not blanket retention. Law enforcement uses preservation demands, production orders, warrants, and MLATs.[19]
International Data Sharing Agreements
Canada’s Extensive MLAT Network (40+ Countries)
Canada maintains bilateral Mutual Legal Assistance Treaties with over 40 countries, including: Antigua and Barbuda, Argentina, Australia, Austria, Bahamas, Barbados, Belgium, Brazil, China, Cuba, Czech Republic, France, Germany, Greece, Hong Kong, Hungary, India, Israel, Italy, Jamaica, Kazakhstan, Kenya, Luxembourg, Mexico, Netherlands, Norway, Peru, Poland, Portugal, Romania, Russia, South Africa, South Korea, Spain, Sweden, Switzerland, Thailand, Trinidad and Tobago, Ukraine, United Kingdom, United States, and Uruguay. The Department of Justice serves as Canada’s central authority.[20]
CLOUD Act Negotiations
Following the UK (2022) and Australia (2024), Canada is in negotiations for a CLOUD Act agreement with the United States. The anticipated agreement would allow Canadian law enforcement to directly serve legal process on US tech companies, bypassing the 10-month MLAT process. Reciprocal access would allow US law enforcement to request data from Canadian companies without Canadian courts or Intelligence Commissioner oversight. The Citizen Lab has recommended Canada suspend negotiations, arguing the agreement would bypass Canadian judicial oversight.[21][22]
Five Eyes Intelligence Sharing: Founding Member
CSE, CSIS, RCMP, and Canadian Forces Intelligence Command participate in Five Eyes. Intelligence is shared by default: CSE provides SIGINT from northern latitudes, receiving global intelligence in return. The framework creates a reciprocal surveillance bypass: CSE can collect on Five Eyes partners’ persons and share back, while partner agencies can collect on Canadians and share with CSE, circumventing targeting restrictions.[23]
Five Eyes Biometric and Criminal Data Sharing
M5 Fingerprint Sharing: Millions of fingerprints are checked annually across Five Eyes databases for visa applications, refugee claims, and immigration. There are proposals to expand this to domestic criminal database queries for immigration purposes.[24]
EU-Canada PNR Agreement
Concluded April 2025: every EU-Canada passenger has name, itinerary, seat, baggage, contact, and payment data transferred to CBSA and RCMP, regardless of suspicion. Retention extends for years.[25]
Multilateral Frameworks
- Interpol I-24/7: RCMP and provincial police use the 195-country network.
- Egmont Group: FINTRAC shares financial intelligence across 164+ FIUs.
- Europol: Cooperation agreement for criminal intelligence sharing.
The Privacy Backdoor Effect
Despite robust oversight (NSIRA, Intelligence Commissioner, NSICOP), international agreements create alternative access pathways:
- CLOUD Act (Anticipated): US authorities could directly request Canadian-held data without Intelligence Commissioner approval; Canadian authorities could directly access US tech company data without US judicial review
- Five Eyes Laundering: NSA collects on Canadians and shares with CSE, circumventing targeting restrictions; CSE collects on US persons and shares with NSA
- 40+ MLATs: Foreign requests may involve lower evidentiary standards than Federal Court warrants under the CSIS Act or Criminal Code
- PNR Dragnet: All EU-Canada travellers’ comprehensive personal data shared regardless of suspicion
Recent Developments
CLOUD Act Negotiations Facing Resistance: Citizen Lab recommended Canada suspend negotiations, arguing the agreement would allow US law enforcement to bypass Canadian judicial oversight when requesting data from Canadian companies.[22]
Bill C-2 Lawful Access Reversed (October 2025): The government introduced lawful access provisions expanding law enforcement telecommunications interception powers, then reversed them after sustained public backlash, echoing the Bill C-30 defeat of 2012.[26]
Foreign Interference Registry: Bill C-70 (Countering Foreign Interference Act, Royal Assent 2024) progressing toward implementation with transparency registry expected operational by June 2025.[27]
Bill C-8 (Critical Cyber Systems): Revives cybersecurity provisions from the defunct Bill C-26, mandating cyber incident reporting for critical infrastructure (telecoms, pipelines, nuclear, banking) with penalties up to $15 million per day.[28]
Bill C-27 Confirmed Dead: Following the April 2025 snap election, the government confirmed PIPEDA replacement and AI regulation will proceed as separate legislative streams. As of March 2026, no comprehensive privacy bill has been formally introduced despite repeated signals; expected penalties up to C$25M or 5% of global turnover. AI regulation will be a standalone bill.[4]
