One of the major provisions of the trade deal between Canada and China is the opening of the Canadian market to tens of thousands of Chinese-built electric cars in a variety of price ranges.
There have been a number of concerns raised about this, particularly by Premier Doug Ford of Ontario, which is the home of Canada’s automotive industry. He has referred to the Chinese EVs as “spy cars” that would collect personal information and send it to the Chinese government.
The bigger problem, however, is that vehicle-based spying isn’t restricted to cars made in China.
Equipped with ever-growing digital technology, cars have for years been collecting all kinds of information about us, from vehicle dynamics to information recorded before a crash. It is already nearly 30 years since General Motors began equipping vehicles with OnStar microphones to communicate with call centres.
Cars have become more like cell phones as internet connections have arrived, and advanced- assistance technology — whose in-car cameras ensure the driver is paying attention — keeps us in our lane or applies the brakes if we follow another vehicle too closely.
This trend has only accelerated as car companies try to make money through subscription services (see BMW’s heated-seat subscription), and by using and selling the information collected by the vehicles they sell or lease.
The Chinese government, which already conducts extensive surveillance of its citizens, took an interest in these technological capabilities and now requires automakers to turn over all the vehicle data they collect. (Interestingly, one of the bigger software providers to Chinese automakers is a Canadian company, QNX.)
Why new EVs alone won’t deliver Canada’s biggest health gains
Chinese-made vehicles sold here would have to comply with the same Canadian privacy laws that apply to cars imported from any other country, but are these protections even working? Numerous studies and reports in Canada and elsewhere have highlighted the dangers that ever-more-connected vehicles pose to privacy rights.
In 2015 the B.C. Freedom of Information and Privacy Association released a groundbreaking study for the federal Privacy Commissioner, examining the privacy policies of major car companies selling vehicles in this country and how they fit with Canada’s private-sector privacy law, the Personal Information and Protection of Electronic Documents Act (PIPEDA).
The research raised serious doubts about whether automakers were complying with the law, and a follow-up study in 2019 found the situation had not improved.
In 2023, the Mozilla Foundation — an American non-profit dedicated to keeping the internet open and accessible — reviewed the privacy policies of 25 U.S. vehicle manufacturers. The study found that, “all new cars today are privacy nightmares on wheels that collect huge amounts of personal information.”
All 25 earned Mozilla’s *Privacy Not Included warning label, making cars “the official worst category of products for privacy that we have ever reviewed.”
The dangers are not just theoretical.
A 2024 New York Times investigation into GM’s OnStar service found that GM was selling data collected on millions of its customers without their consent. The data was sold to the global data and analytics company LexisNexis, which then sold it to insurance companies. As a result, some drivers saw their insurance premiums shoot up based on data provided by their own cars.
The U.S. Federal Trade Commission investigated and GM was hit with a five-year ban on sharing geolocation and driver-behavior information. GM also had to allow customers to opt out of various types of data collection or to disconnect the technology from their cars.
These privacy breaches triggered a number of class-action lawsuits, and in 2024, the State of Texas also filed a lawsuit against GM.
So, what has Canada been doing in light of these privacy problems?
Back in 2018, the Senate Standing Committee on Transportation and Communications looked into connected cars and issued a report with a number of recommendations related to privacy and cybersecurity. These included empowering the privacy commissioner to proactively investigate and enforce industry compliance with PIPEDA, and to “develop a connected-car framework with privacy protection as one of its key drivers.”
The government responded favourably to both recommendations, but progress has been glacial. In 2019, Transport Canada produced a safety framework, updated in 2025. It “encourages” the automotive sector to “research and innovate” regarding privacy and other issues, but does not mandate any regulatory reform.
Reform of PIPEDA has been slow in coming, with two bills (C-11 and C-27) proposing reforms but suffering a number of serious shortcomings. Both died on the order paper when Parliament was prorogued in January 2025.
Since then, no attempt at overall reform of the now quarter-century-old PIPEDA has been introduced in Parliament, and it does not look like it is a particular priority for this government.
The Liberals’ new national automotive strategy, announced last month, recognizes that the sector’s future lies with connected and autonomous vehicles, but makes no mention of privacy. The closest it comes is this line: “Canada will also be ensuring its regulatory frameworks — including vehicle safety regulations that encompass connected vehicle technologies — have been modernized to facilitate the entry of new vehicles and new investment.”
The government strategy announced a new task force to work with the auto industry in examining critical issues “such as the future of vehicle manufacturing, investment, workforce protection and electrification, as well as future strategic investments.” But again there is no mention of privacy, which apparently takes a back seat to vehicle manufacturing, investment, workforce protection and electrification.
Another factor working against any improvement in privacy protection is the upcoming renegotiation of the Canada-U.S.-Mexico trade agreement (CUSMA). We have already seen Washington reject any form of regulation over American tech companies, and Vice-President J.D. Vance was explicit about this in a speech at an AI conference in Paris last year.
Taken together, these indicators do not point to improvements in privacy protections for connected cars any time soon.
As a result of Ottawa’s failure to produce legislated protections, we can expect the incoming wave of Chinese electric cars to be just as privacy protective as the ones currently on sale in this country.
And that is not a comforting thought.
