Canada
Five Eyes founding member with CSE cable interception, the Levitation bulk monitoring programme, and 40+ bilateral MLATs
Overview
Canada is a Five Eyes founding member (joined the UKUSA Agreement in 1948). The Communications Security Establishment (CSE) intercepts foreign communications from transatlantic cables, operates the Levitation file-sharing surveillance programme, and has access to the NSA’s XKeyscore system. Under the Five Eyes division of responsibilities, Canada covers northern latitudes and Russian communications.[1][2]
On the civilian side, Canada’s federal privacy framework operates on an ombudsman model where the Privacy Commissioner cannot issue binding orders or impose fines. PIPEDA (2000) governs private-sector data; the Privacy Act (1983) governs federal institutions. Bill C-27, which would have replaced PIPEDA and introduced federal AI regulation, died when Parliament prorogued in January 2025. Canada has no mandatory data retention, in contrast to all other Five Eyes members. A CLOUD Act agreement with the United States is under negotiation but facing domestic resistance.[3][4]
Privacy Framework
The Office of the Privacy Commissioner (OPC), under Commissioner Philippe Dufresne (since June 2022), enforces both PIPEDA and the Privacy Act using an ombudsman model: investigations, recommendations, compliance agreements, and referrals to Federal Court, but no binding orders or fines. Three provinces (Quebec, British Columbia, Alberta) have enacted substantially similar private-sector privacy laws. Quebec’s Law 25 (fully implemented September 2024) is among the most GDPR-aligned statutes in North America, with penalties up to CAD 25 million or 4% of worldwide turnover. Unlike the federal OPC, Quebec’s CAI and the BC and Alberta commissioners have order-making powers.[5][6]
PIPEDA (2000) applies to private-sector commercial activity crossing provincial or national borders and is built on 10 fair information principles. The Privacy Act (1983) governs federal institutions but has been described by multiple reviews as requiring modernisation. In early 2026 the government signalled a new PIPEDA replacement bill that would finally grant the OPC fining powers.[7][8]
Surveillance and Intelligence
CSIS Act (1984)
CSIS was created as a civilian intelligence agency separated from the RCMP following 1970s-80s intelligence scandals. Section 12 authorises security intelligence gathering; Section 12.1 (added by Bill C-51, 2015) authorises threat reduction measures; Section 16 authorises foreign intelligence collection within Canada. Intrusive collection requires Federal Court warrants with ministerial authorisation. CSIS has no law enforcement powers and cannot investigate lawful advocacy, protest, or dissent.[9]
CSE Act (2019)
The CSE Act gave Canada’s signals intelligence agency its first standalone statutory footing, setting out a five-part mandate: foreign intelligence, cyber security, defensive cyber operations, active cyber operations (degrade/disrupt foreign capabilities), and technical assistance to law enforcement. Ministerial authorisations are not valid until approved by the Intelligence Commissioner (a retired judge), providing a quasi-judicial “double lock.” Active cyber operations require dual ministerial authorisation (Defence + Foreign Affairs). CSE may not target Canadians or persons in Canada; incidental collection is handled under strict privacy protections.[10]
Criminal Code Part VI – Wiretap Provisions
Third-party intercept requires superior court judge authorisation, limited to specified serious offences, with investigative necessity shown. Emergency provisions allow warrantless interception to prevent bodily harm or serious harm. Subjects must generally be notified within 90 days. Annual reporting to Parliament required.[11]
Intelligence Structure
- CSE: Signals intelligence (SIGINT) and cyber operations, reporting to Minister of National Defence.
- CSIS: Civilian domestic intelligence, reporting to Minister of Public Safety.
- RCMP: Federal law enforcement with intelligence capabilities; National Intelligence Coordination Centre (NICC) links CSIS, CSE, FINTRAC, and Five Eyes partners.[12]
Oversight
- NSIRA (National Security and Intelligence Review Agency, created by Bill C-59 in 2019): “whole-of-government” retrospective review of all national security activities, replacing the previous siloed approach.
- Intelligence Commissioner (also Bill C-59, 2019): Pre-authorisation oversight (retired judge), must approve CSE and CSIS authorisations before they take effect.
- NSICOP (National Security and Intelligence Committee of Parliamentarians): The earlier reform, established by Bill C-22 (2017), holds standing classified access across all departments (see below).[13][14]
Bill C-22: The National Security and Intelligence Committee of Parliamentarians Act (2017)
Receiving Royal Assent on June 22, 2017, this Act created Canada’s first body of parliamentarians with standing classified access to review the full range of federal national security and intelligence activity, closing a long-standing gap relative to the other Five Eyes states. NSICOP seats up to nine members (as many as seven from the House of Commons and up to two senators), all security-cleared and permanently bound to secrecy under the Security of Information Act, and it reviews the legislative, regulatory, policy, expenditure, and administrative frameworks of the entire intelligence community.[13][34]
Critically, NSICOP is a committee of parliamentarians, not a committee of Parliament. It sits inside the executive branch, its members are appointed by and report to the Prime Minister, and its reports go first to the PM, who has 30 sitting days to table them and the power to redact material before public release. Civil-liberties groups and senators criticised this design during passage as executive control over the watchdog, contrasting it with the United Kingdom’s Intelligence and Security Committee, which reports to Parliament directly. The committee’s landmark Special Report on Foreign Interference (tabled June 3, 2024) showed both its reach and the friction of the model: it found that some parliamentarians were “witting or semi-witting” participants in foreign-state interference, yet the names stayed classified under the redaction regime, fuelling debate over how much the public version could disclose. NSICOP has separately reviewed lawful access to communications by the intelligence agencies, a theme central to Canada’s recurring encryption disputes.[34][35]
Commercial Surveillance Procurement
Palantir: The Department of National Defence signed a CAD $14.4 million contract for Palantir’s Gotham platform in March 2020, originally to test the software for the Canadian Special Operations Forces Command. Flagged internally as “not for public disclosure,” the deal surfaced only after a Conservative MP’s written question and was tabled in Parliament in September 2025, more than five years after signing; by then it had been quietly extended about a dozen times, raising the estimated value to CAD $44.4 million (March 2020–October 2025). An earlier CANSOFCOM Palantir contract dated to March 2019 (CAD $997,434). Processing Canadian defence data on Palantir’s US-controlled platform creates US CLOUD Act exposure. Public Safety Canada and the RCMP have declined to confirm whether they use Palantir’s products.[15][37]
Clearview AI: RCMP, Toronto Police, and Calgary Police used Clearview AI before the Privacy Commissioner and provincial counterparts jointly determined it violated Canadian privacy law (February 2021), ordering it to stop offering services in Canada and delete all Canadian data.[16]
Cellebrite: RCMP and provincial police procure Cellebrite for mobile device exploitation, raising questions about the necessity of additional lawful access legislation when commercial endpoint exploitation tools already exist.[17]
When CSIS and CSE conduct surveillance, they face multi-layered oversight (NSIRA, Intelligence Commissioner, NSICOP). When the RCMP procures Cellebrite, or National Defence procures Palantir, those acquisitions are treated as standard equipment purchases with no equivalent judicial oversight, creating a regulatory asymmetry.
Encryption and Lawful Access
Canada has no compelled decryption law and no encryption backdoor mandate, distinguishing it from Australia (TOLA Act), the United Kingdom (IPA Technical Capability Notices), and France (judicial decryption orders). Canadian law enforcement cannot legally compel an individual to disclose an encryption key or password, and there is no statutory obligation for service providers to build lawful access capabilities into encrypted products.
However, the “lawful access” debate has been a recurring feature of Canadian policy. Bill C-30 (2012) would have required ISPs to provide subscriber information without a warrant; it was withdrawn after public backlash. Bill C-2 (2025) attempted to expand telecommunications interception powers; the encryption-relevant provisions were reversed in October 2025 after sustained criticism, echoing the C-30 defeat. The CLOUD Act negotiations with the United States could introduce new lawful access pathways for encrypted communications data held by US tech companies, with the Citizen Lab recommending Canada suspend negotiations over judicial oversight concerns.[26][22]
The absence of a compelled decryption law means Canadian authorities rely on endpoint exploitation (Cellebrite, other forensic tools) and Five Eyes intelligence sharing to access encrypted communications content, pathways that circumvent the encryption itself rather than mandating backdoors. Whether this pragmatic approach will survive growing law enforcement pressure for formal lawful access authority remains an open question.
Cable Surveillance and CSE Interception
Canada’s geographic position between the US and Europe, with transatlantic cables landing on both coasts, makes it strategic for communications interception. Under the UKUSA Agreement, CSE is responsible for northern latitudes, Russian communications, and traffic passing through Canadian territory. CSE operates interception facilities tapping fibre-optic cables and shares intercepted traffic with the NSA, receiving global intelligence in return.[1]
The Levitation Program
CSE’s Levitation programme (revealed 2015) monitored file-sharing sites, tracking 10–15 million uploads and downloads daily, collecting IP addresses, file metadata, and user activity. The programme intercepted traffic at internet exchange points and analysed HTTP requests in bulk, collecting data on foreign nationals and Canadians, filtering Canadian IPs after collection.[2]
XKeyscore Access
CSE has access to the NSA’s XKeyscore system, allowing Canadian analysts to search intercepted emails, web browsing, searches, and social media collected in bulk by the Five Eyes alliance. CSE also contributes Canadian cable intercepts to the shared database, creating a pooled intelligence resource that transcends national boundaries and legal frameworks.[18]
CSE’s targeting restrictions on Canadians provide limited protection: bulk cable collection means Canadian communications are swept up incidentally, scanned, and processed before being filtered. Ministerial authorisations are classified, and the public has no visibility into the scope of interception.
Data Retention
Canada has no mandatory data retention law, a significant distinction from all other Five Eyes members. Previous attempts failed: Bill C-30 (2012, withdrawn after public backlash) and Bill C-2 (2025, lawful access provisions reversed after criticism). The Supreme Court ruled in R. v. Spencer (2014) that police generally need a warrant for subscriber information. Bill C-13 (2014) introduced preservation demands (requiring providers to preserve specific data for 21–90 days upon notice) but not blanket retention. Law enforcement uses preservation demands, production orders, warrants, and MLATs.[19]
International Data Sharing Agreements
Canada’s Extensive MLAT Network (40+ Countries)
Canada maintains bilateral Mutual Legal Assistance Treaties with over 40 countries, including: Antigua and Barbuda, Argentina, Australia, Austria, Bahamas, Barbados, Belgium, Brazil, China, Cuba, Czech Republic, France, Germany, Greece, Hong Kong, Hungary, India, Israel, Italy, Jamaica, Kazakhstan, Kenya, Luxembourg, Mexico, Netherlands, Norway, Peru, Poland, Portugal, Romania, Russia, South Africa, South Korea, Spain, Sweden, Switzerland, Thailand, Trinidad and Tobago, Ukraine, United Kingdom, United States, and Uruguay. The Department of Justice serves as Canada’s central authority.[20]
CLOUD Act Negotiations
Following the UK (2022) and Australia (2024), Canada is in negotiations for a CLOUD Act agreement with the United States. The anticipated agreement would allow Canadian law enforcement to directly serve legal process on US tech companies, bypassing the 10-month MLAT process. Reciprocal access would allow US law enforcement to request data from Canadian companies without Canadian courts or Intelligence Commissioner oversight. The Citizen Lab has recommended Canada suspend negotiations, arguing the agreement would bypass Canadian judicial oversight.[21][22]
Five Eyes Intelligence Sharing: Founding Member
CSE, CSIS, RCMP, and Canadian Forces Intelligence Command participate in Five Eyes. Intelligence is shared by default: CSE provides SIGINT from northern latitudes, receiving global intelligence in return. The framework creates a reciprocal surveillance bypass: CSE can collect on Five Eyes partners’ persons and share back, while partner agencies can collect on Canadians and share with CSE, circumventing targeting restrictions.[23]
Five Eyes Biometric and Criminal Data Sharing
M5 Fingerprint Sharing: Millions of fingerprints are checked annually across Five Eyes databases for visa applications, refugee claims, and immigration. There are proposals to expand this to domestic criminal database queries for immigration purposes.[24]
EU-Canada PNR Agreement
Concluded April 2025: each EU-Canada passenger’s name, itinerary, seat, baggage, contact, and payment data is transferred to CBSA and RCMP, regardless of suspicion. Retention extends for years.[25]
Multilateral Frameworks
- Interpol I-24/7: RCMP and provincial police use the 195-country network.
- Egmont Group: FINTRAC shares financial intelligence across 164+ FIUs.
- Europol: Cooperation agreement for criminal intelligence sharing.
The Privacy Backdoor Effect
Despite robust oversight (NSIRA, Intelligence Commissioner, NSICOP), international agreements create alternative access pathways:
- CLOUD Act (Anticipated): US authorities could directly request Canadian-held data without Intelligence Commissioner approval; Canadian authorities could directly access US tech company data without US judicial review
- Five Eyes Laundering: NSA collects on Canadians and shares with CSE, circumventing targeting restrictions; CSE collects on US persons and shares with NSA
- 40+ MLATs: Foreign requests may involve lower evidentiary standards than Federal Court warrants under the CSIS Act or Criminal Code
- PNR Dragnet: All EU-Canada travellers’ comprehensive personal data shared regardless of suspicion
Recent Developments
CLOUD Act Negotiations Facing Resistance: the CLOUD Act negotiations (detailed under International Data Sharing above) continue to face domestic resistance, with Citizen Lab urging Canada to suspend them over judicial-oversight concerns.[22]
Bill C-2 Lawful Access Reversed (October 2025): the government reversed Bill C-2’s lawful-access provisions after sustained public backlash (see Encryption and Lawful Access above).[26]
Bill C-22 (Lawful Access Act) Passes the House (June 18, 2026): the lawful-access provisions stripped from Bill C-2 returned in March 2026 as a standalone bill, the Lawful Access Act (Bill C-22 of the 45th Parliament, unrelated to the 2017 Bill C-22 that created NSICOP above). The Carney government’s bill would compel telecommunications providers to confirm without a warrant whether a person under reasonable suspicion is a subscriber, and would let the Public Safety Minister secretly order electronic service providers to retain user metadata and to build standing access capabilities into their systems. On June 18, 2026 the bill passed third reading in the House of Commons and was sent to the Senate; it has not yet received Royal Assent and is not yet law. Government amendments before passage shortened the maximum metadata-retention order from one year to six months, clarified that nothing compels providers to decrypt encrypted information, and required the National Security and Intelligence Review Agency to review each order within 30 days. Government House Leader Steven MacKinnon dismissed privacy concerns as “conspiracy theory, frankly paranoia,” while the Canadian Civil Liberties Association said “the fundamental flaws in this legislation are still intact” and the EFF called it a repackaging of the prior year’s lawful-access provisions. Signal reiterated it would leave the Canadian market rather than comply, Windscribe said it would relocate its headquarters out of Canada, and Apple and Meta raised encryption and cybersecurity objections.[36]
Foreign Interference Registry: Bill C-70 (Countering Foreign Interference Act, Royal Assent 2024) is progressing toward implementation, with the transparency registry expected to be operational by June 2025.[27]
Bill C-8 (Critical Cyber Systems): Revives cybersecurity provisions from the defunct Bill C-26, mandating cyber incident reporting for critical infrastructure (telecoms, pipelines, nuclear, banking) with penalties up to $15 million per day.[28]
Bill C-27 Dead; Reform Split into Two Streams (May 2026): Following the April 2025 snap election, the government confirmed PIPEDA replacement and AI regulation will proceed as separate legislative streams. Minister of AI and Digital Innovation Evan Solomon is now leading the new private-sector privacy bill, displacing Industry Minister Joly from that file. Bill C-15 (the budget implementation bill) introduced narrow data-mobility rights for open-banking purposes (Privacy Commissioner Dufresne testified to the Industry Committee on January 26, 2026), but is not the comprehensive reform. As of May 2026, no full PIPEDA replacement or standalone AI bill has been tabled; the expected private-sector privacy penalties are C$25M or 5% of global turnover. In his annual address to the IAPP Canada Symposium on May 4, 2026, Commissioner Dufresne set out seven provisions he argued the next comprehensive bill must contain, including authority to issue binding orders, levy administrative monetary penalties, and conduct proactive audits, alongside a deidentification framework and a right to deletion; he also released new OPC age-assurance guidance and a stakeholder-feedback report toward a proposed Children’s Privacy Code.[4][30][31]
OpenAI / ChatGPT Joint Investigation (May 6, 2026): The OPC, together with Quebec’s CAI and the BC and Alberta commissioners, released PIPEDA Findings #2026-002, concluding that OpenAI overcollected personal information, failed to obtain valid consent and provide transparency for using personal data, including scraped data, to train ChatGPT, and lacked adequate accountability, accuracy, and access/correction/deletion mechanisms. The provincial outcomes diverged: the OPC deemed the complaint “well-founded and conditionally resolved,” while BC and Alberta found it well-founded but unresolved, holding that their statutes do not permit consent-free scraping. OpenAI made remedial changes during the investigation but the regulators have no power to fine, underscoring why reform advocates want order-making and penalty authority.[32]
Age Verification and Minors Legislation (2026): Two federal bills are advancing. Bill S-209 (Protecting Young Persons from Exposure to Pornography Act), a reintroduction of the former Bill S-210, would criminalise commercial provision of sexually explicit content to users under 18 absent an age-verification system, with the Governor in Council empowered to require ISP blocking of non-compliant sites. The bill cleared Senate committee review in February 2026 and is at third reading in the Senate; critics (OpenMedia, Michael Geist) warn the blocking and verification scheme could extend to social media and generalist services. Bill C-216 (Promotion of Safety in the Digital Age Act), a House private member’s bill, includes the Protection of Minors in the Digital Age Act, which imposes platform-side data-use restrictions. Separately, Heritage Minister statements in 2026 confirmed the federal government is “very seriously” considering social media and AI chatbot age restrictions but has not tabled a government bill.[29]
Digital Safety Act / Online Harms Bill (June 2026): Government sources confirmed in early June 2026 that the Carney government would table a new online harms bill, expected to include a ban on social media for children under 16, measures addressing harms from AI chatbots, and a new digital safety regulator empowered to set platform safety standards. Culture Minister Marc Miller is to introduce the legislation in the House of Commons (reported for mid-June 2026). As of this writing the bill had not yet been formally introduced, and the verification mechanism is unspecified; if enacted, Canada would follow Australia, which became the first country to legislate an under-16 ban in December 2025. A March 2026 Angus Reid survey found 75% of Canadians supported a full under-16 social media ban.[33]
Pending Legislation
- PIPEDA replacement (comprehensive privacy reform): Minister Evan Solomon is leading a private-sector privacy bill to replace PIPEDA and finally grant the OPC binding-order and fining powers (expected C$25M / 5%-of-turnover penalties); Commissioner Dufresne’s May 4, 2026 address set out seven provisions he wants included. No bill has yet been tabled.[30][31]
- Standalone AI bill: proceeding as a separate stream after AIDA died with Bill C-27; not yet tabled.[30]
- Bill S-209 (age verification): reintroduction of S-210; would criminalise commercial provision of sexually explicit content to under-18s without age verification and authorise Governor-in-Council ISP blocking; at Senate third reading; criticised (OpenMedia, Geist) for potential scope creep to general services.[29]
- Bill C-216 (minors’ digital safety): House private member’s bill imposing platform-side data-use restrictions on minors; the government is also weighing a separate social-media / AI-chatbot age-restriction bill.[29]
- Children’s Privacy Code: the OPC has consulted on, and wants statutory authority to develop, a code of practice for children’s privacy.[31]
- Bill C-22 (Lawful Access Act): warrantless subscriber confirmation plus secret Public Safety Minister orders to retain metadata (max six months after amendment) and build access capabilities; passed the House of Commons at third reading June 18, 2026 and is now before the Senate; not yet law. Signal and Windscribe have threatened to exit Canada.[36]
- Digital Safety Act / online harms bill: the Carney government is expected to table (mid-June 2026, via Culture Minister Marc Miller) an online harms bill including an under-16 social media ban, AI-chatbot harm measures, and a new digital safety regulator; not yet introduced as of this writing.[33]
