The federal government’s Bill C-22, the Lawful Access Act, has been much criticized for its domestic privacy implications. Less widely discussed is that it could also present a serious threat to data privacy from foreign governments, especially the ever more aggressive Donald Trump administration in the United States.
Research by the Citizen Lab and the Canadian Civil Liberties Association (CCLA) on Bill C-22 and on its predecessor Bill C-2, the Strong Borders Act, which contained the same provisions concerning foreign data sharing, indicates the current legislation might quietly pave the way to giving U.S. law enforcement unprecedented access to personal data stored in Canada, even if held by Canadian companies.
This is especially concerning in light of recent news that the U.S. Department of Homeland Security sought detailed information from Google about a Canadian man living in Canada after he criticized the Trump administration and the U.S. Immigration and Customs Enforcement agency (ICE) on social media.
Canada’s sovereignty needs more than guns and steel
Canada’s digital sovereignty debate overlooks software risks
Such a degree of extraterritorial privacy invasion puts in an even more alarming light what were already disturbing implications associated with this bill.
Bill C-22 would provide expanded surveillance powers to Canadian law enforcement and the Canadian Security Intelligence Service, including the ability to order any business involving digital services to build new technical surveillance capabilities, mandatory one-year metadata retention and a lower legal threshold to obtain subscriber data.
Public Safety Minister Gary Anandasangaree has indicated he is open to amending the bill in response to vociferous opposition from human rights and civil liberties advocates, legal scholars, prominent technology companies and other businesses, the other federal parties and the non-profit encrypted messaging provider Signal.
However, the Liberals have pushed to conclude Commons committee study of the bill despite severe procedural deficiencies, such as committee members not receiving key witness briefs prior to the deadline for amendments.
The analysis by Citizen Lab — an interdisciplinary research laboratory at the University of Toronto, focused on the intersection of information and communication technologies, human rights and global security — suggests the legislation may be preparing the way for Canada to eventually implement one or both of two cross-border law enforcement data-access agreements.
One is a potential agreement under the U.S. CLOUD Act, whichwould allow U.S. law enforcement to request personal data directly from Canadian technology companies, bypassing authorization by Canadian courts. This would have detrimental impacts on human rights, in particular, privacy, equality and free expression, while potentially leading to subordination of Canadian constitutional law to the U.S.’s lower legal standards.
In view of the potential repercussions, the federal government should withdraw or amend — with human rights-protecting recommendations provided by the CCLA and Citizen Lab — Bill C-22’s provisions concerning sharing data with foreign states and should also decline to enter into a CLOUD Act agreement with the U.S.
In the meantime, it is worth examining and recognizing the full weight of what could happen to or be done with Canadian data and the personal information of Canadian residents if it gets further into the hands of U.S. government or private actors.
At the outset, U.S. government actors face many fewer constraints than their Canadian counterparts on their ability to collect and use personal data in ways that may be illegal, unconstitutional or would violate human-rights laws in Canada.
In its pursuit of indiscriminate detentions and mass deportations, including intimidating and retaliating against protestors in Minnesota, ICE accumulated surveillance data using technologies such as facial recognition and social media analytics.
ICE further contracts with surveillance companies such as Penlink for phone tracking software and Palantir to “streamline” the identification and deportation of immigrants.
Additionally, U.S. law enforcement has criminally charged, imprisoned or prosecuted people in relation to abortion — which is legal and a constitutionally protected medical procedure in Canada — using private Facebook messages, location data from data brokers, as well as text messages and search history.
You may think, if that is all happening in the U.S., what does it have to do with Canadian data?
First, while any CLOUD Act agreement might restrict the U.S. to targeting only U.S. citizens and residents, Canadian data might still be incidentally collected – for example, a Canadian user’s texts or private messages with someone investigated or charged in the U.S.
Or, if U.S. law enforcement issued to a Canadian service provider a keyword or geofence “reverse warrant” — where the request is for a list of all individuals who searched certain terms or all individuals who were at a specific location at a given time — it could also capture large swaths of personal data that is Canadian, even if the targeted person is not.
Second, invasive surveillance practices normalized in the U.S., such as a higher likelihood of being forced to turn over one’s social media history, can impact those trying to cross the Canada-U.S. border.
If there is already little to stop U.S. law enforcement from seizing people in Canada or demanding private details about those living in Canada with no substantial ties to the U.S., we should at least not encourage or sanction this level of encroachment within our own laws as well.
Third, more integrated cross-border data sharing between Canadian and U.S. police could all but eliminate any remaining possibility of true digital autonomy. There would be little meaningful shield against U.S. law enforcement requesting that data under a CLOUD Act agreement, even if it were stored by a Canadian company in Canada.
This may result in enabling an increasingly rogue Trump administration to more powerfully target critics and travellers from Canada at any point and, at minimum, risks making the Canadian legal system and technology industry (further) complicit in human rights violations perpetrated by U.S. law enforcement.
Even if one were to trust U.S. law enforcement and government agencies with private data, however, there is no guarantee it would not fall into the hands of American private actors.
For example, Elon Musk and his acolytes in the Department of Government Efficiency obtained access to a breathtaking range of sensitive data in 2025 on tens of millions of government employees and individuals throughout the U.S.
This included:
- Social Security and Medicare data;
- financial and personal information of anyone ever paid by the U.S. federal government;
- contract details of business competitors;
- intimate employee data from invasive “bossware” surveillance; and
- other highly sensitive information such as tax filings, biometric data, private health and medical records, personal housing information and detailed location data of children.
Such unfettered access matters because what were once sequestered databases of personal information collected for purely administrative purposes can now, through contracts with ethically compromised companies such as Palantir, be transformed into a detailed government-wide surveillance structure for monitoring, profiling and targeting people and marginalized communities.
This goes beyond the scope of Palantir’s existing contracts in Canada, which are themselves questionable, given the government’s lack of candour, as well as other ethical and human rights concerns with the company.
Moreover, once in the hands of the private sector, there is no telling where collected Canadian data could end up.
This includes being used to train algorithmic decision-making systems that exacerbate discrimination; being potentially ingested by LLMs to be regurgitated in response to user prompts; or combined with existing datasets to engage in detailed profiling and social sorting that eventually form the basis of unjust business practices; or even sold back to government agencies, merging intelligence and commercial surveillance.
A more integrated data-sharing system with the U.S. would further expose Canadian data to these kinds of risks and objectionable uses.
Existing CLOUD Act agreements between the U.S. and the United Kingdom and Australia mention but do not specify data-retention limits, raising questions about cases of incidental collection. Collected personal data is protected only according to U.S. domestic laws, at best, under these agreements, with no legal recourse for those whose rights have been violated as a result of data shared under a CLOUD Act agreement.
This means that Canadian data, if ever in the hands of U.S. law enforcement, would theoretically be protected only by the U.S.’s weaker privacy laws. Further, U.S. law has historically accorded foreigners’ privacy and human rights less protection than its own citizens, if any protection at all.
Even less reassuringly, the U.S. already treats its citizens’ personal data with constitutional disregard when incidentally collected in the context of foreign intelligence, by retaining it in a database for future search queries.
If Bill C-22 passes as is, it could put in place one piece of a bigger cross-border law enforcement data-sharing system, as envisioned in the CLOUD Act and other international data-sharing treaties.
Once completed, this system could further expose Canadian residents and our human rights to U.S. government and corporate surveillance apparatuses and their well-documented abuses of power. This is the last thing Canada needs in an era of destabilized relations with an increasingly authoritarian Trump administration.
Therefore, the federal government should withdraw Bill C-22’s provisions involving sharing data with foreign states, among other provisions, or otherwise suspend the bill’s progress through Parliament until and unless the government has provided opportunities for full public and parliamentary debate.
At a minimum, the government should amend the bill to implement recommendations that the CCLA and Citizen Lab have put forward, which are necessary to mitigating the negative human rights impacts of cross-border law enforcement data sharing.
The government should also simply decline to enter into a CLOUD Act agreement with the U.S. Failing that, it must ensure that any prospective agreement includes hardline protections maintaining Canadian constitutional standards of privacy, equality, and other human rights and fundamental freedoms under the Canadian Charter of Rights and Freedoms.
Prime Minister Mark Carney’s stance toward the post-2024 U.S. administration has been erratic. One day, Canada’s ties with the U.S. are “weaknesses,” then another day he calls for a new Canada-U.S. partnership, with rhetoric that plays into Trump’s crass demagoguery.
Carney should follow through on his initial position — the one central to his election — and avoid deepening the very ties that threaten to put cornerstone Canadian constitutional rights and legal principles at risk at a time when upholding them is more crucial than ever to the future of a country that purports to actualize and safeguard democratic ideals.
