If you think Canada is a privacy-respecting, mild-mannered member of the global democratic order, you might need to reconsider, at least when it comes to digital sovereignty. With Bill C-2, a so-called “border security” law winding its way through Parliament, Canada is preparing to launch one of the most sweeping digital surveillance regimes in the democratic world.
And it’s not just Canadian tech firms or telcos in the crosshairs. This bill has direct consequences for any company that operates a digital service, period. That includes SaaS vendors, banks, health providers, hotels, and restaurants.
Not Just a Telecom Bill. Not Just a Canadian Problem.
At first glance, Bill C-2 looks like a modernization of Canada’s customs and border enforcement laws. But buried in the fine print is an extensive set of provisions targeting any "Electronic Service Provider" (ESP), a term so broad it makes GDPR definitions look quaint.
According to digital law expert Michael Geist:
“Department of Justice officials... acknowledged that Bill C-2 extends far beyond just telecom companies to services such as financial institutions, car rental companies, and hotels. When asked about hospitals, physicians, and other health professionals, the officials affirmed that they were covered as well.”
Michael Geist, Lawful Access on Steroids
Translation: if your company delivers any kind of digital service in Canada, you could be compelled to:
- Hand over customer data.
- Run internal audits and send the results to the Canadian government.
- Allow real-time inspection of your systems, including copying, scanning, and seizing data.
- Comply with technical orders issued by “designated persons” with no judicial oversight.
C-2’s scope is huge, with little to no oversight or transparency.
No Warrants. No Courts. No Limits.
Under Section 19, a “designated person” can show up at your office (anywhere that’s not a dwelling) and demand access to your systems. They can examine your data, make copies, or remove it entirely. They can compel employees to assist. They can bring outside “helpers.” And they can do it all without a warrant.
Refuse to comply? You could be fined up to CAD $500,000 per violation, per day.
Even more troubling, these same government agents can issue mandatory compliance orders if they believe you're likely to break the rules in the future. It’s pre-crime surveillance with administrative enforcement.
The bill also creates a legal safe harbour for companies to disclose information about clients or subscribers voluntarily, granting law enforcement or other government agents the right to freely use that data. The dark way to view this is that the threat of potentially disruptive demands could be used to compel silent and hidden compliance.
There doesn’t appear to be any limit on how many such requests can be made. Furthermore, the bill would allow any such peace or public officer to mandate that you stay quiet about it for a year.
Appeal rights? You can ask the minister to reconsider. That’s it.
(In)Security Mandates by Ministerial Fiat
Bill C-2 also hands the minister and their appointees the power to dictate where your infrastructure is located, who can work on it, and what encryption controls you use.
Yes, it appears to be that broad.
Want to run a data center outside Canada? You could be told to move it. Want to onboard an engineer in Berlin? They may need a Canadian government security clearance. Using end-to-end encryption? You might be forced to weaken it. The reason is that technical orders can require an ESP to stop or alter any activity deemed non-compliant and to take “any measure necessary” to comply with those orders.
And while the bill exempts organizations from complying with any request that would introduce “systemic vulnerabilities,” that term is left entirely undefined, to be resolved only via future regulation, unlike the similar language in Australia’s 2018 Telecommunications and Other Legislation Amendment (TOLA) Act. So the promise not to force dangerous system backdoors carries no real weight in the bill as written.
Sadly, this is likely to create the same kinds of national security vulnerabilities that were exploited in the Salt Typhoon compromise of the U.S. telecom sector.
Remember, this doesn’t just apply to telecoms. If you do business with a Canadian business as part of your supply chain, they could be compelled to create systemic vulnerabilities (especially if later regulations define those poorly) that you’d have to live with.
Furthermore, there is no protection for organizations that want to report vulnerabilities, risks, or privacy or security concerns introduced by government-mandated changes. This makes everyone less secure.
GDPR adequacy under threat?
If you’re in the EU, C-2 is a red flag, because it contradicts GDPR principles on:
While current Canadian privacy laws are considered adequate for GDPR, C-2 introduces a significant degree of legal ambiguity for data processors and controllers, and undermines privacy-by-default design, thus potentially invalidating Canada's adequacy status under GDPR.
Furthermore, this bill is seen as the groundwork for a Canadian tie-up with the U.S. Cloud Act, which is anathema to GDPR and EU data privacy laws in general.
Trojan Horse Policy Making
This is all being done under the guise of border security. CBSA (Canada Border Services Agency) is the public face of the bill. But make no mistake: the scope of changes hidden inside it amounts to a general-purpose digital surveillance law.
If you’ve ever watched a government pass sweeping powers during a crisis, only to keep them forever, this will feel familiar. And in this case, by burying the measures in a “border bill,” the government is pushing them toward enactment without public debate.
What EU IT and Security Leaders Should Do Now
If you operate digital services in Canada, use Canadian solutions in your digital supply chain, or work with Canadian customers, it is well worth starting to assess how C-2 applies to your business:
- Map exposure: Identify services, infrastructure, or vendors that fall under Canadian jurisdiction.
- Review transfers: Revisit data transfer agreements, especially SCCs (standard contractual clauses) and adequacy-based mechanisms.
- Talk to legal: Your DPO and privacy counsel need to assess whether Bill C-2 compliance is even compatible with GDPR.
- Raise the alarm: Engage with industry groups and policymakers before this becomes the new normal.
Another Global Test Case for Data Privacy and Digital Sovereignty
Bill C-2 is the latest example of the broken way in which many Western governments have been approaching digital policy: hidden provisions, limitless powers, no checks, and little to no accountability.
Of course, C-2 goes against long-standing privacy law precedent in Canada and will certainly be challenged legally. Nonetheless, the fact that these sweeping powers are even being proposed is a troubling sign of the times.
Data sovereignty isn’t just about where your servers live. It’s about whether your users’ rights survive the next "national security" loophole.
As currently written, C-2 would punch a big one through the heart of digital privacy.