Timeline — The Legislative Architecture of Surveillance
01 The Surveillance State Framework
Between 2022 and 2024, the federal government tabled a legislative program that, taken together, constructs the most comprehensive surveillance and content-control architecture in Canadian history. No single bill does it all — that would be too obvious. Instead, each bill addresses a narrow domain while the cumulative effect is an interlocking system of monitoring, censorship, and pre-emptive control that would make the men who liberated Holland weep.
Bill C-26 — Critical Cyber Systems Protection Act
Introduced in June 2022, C-26 grants the Governor in Council and the Minister of Public Safety extraordinary powers over designated operators — telecommunications providers, banking systems, energy infrastructure, and transportation networks. Under Part 2 of the Act, the government may secretly order any designated operator to "do anything, or refrain from doing anything" that the government considers necessary for the security of Canada's critical cyber systems.
- Secret orders: The government can issue confidential directions to ISPs and telecoms — including orders to install backdoors, block content, or redirect traffic — with no requirement to make the order public. Recipients are prohibited from disclosing the order's existence. (C-26, Part 2, ss. 15.1–15.4)
- No judicial pre-authorization: Many orders under C-26 do not require prior judicial approval. The Federal Court review process is available only after the fact, and may be conducted in closed proceedings. (C-26, ss. 15.7–15.8; Senate Committee testimony, 2024)
- Broad scope: "Designated operators" can be expanded by regulation, meaning the government can bring virtually any digital infrastructure under its control without returning to Parliament. (C-26, s. 6; Schedule)
- Information sharing: C-26 authorizes sharing of intercepted data with Five Eyes partners and other agencies, with limited safeguards on how that data is subsequently used. (C-26, s. 10; CSE Act cross-reference)
The Dieppe test: When 907 Canadians died at Dieppe in 1942, partly because of intelligence failures and operational secrecy run amok, the lesson should have been that unchecked government power — even exercised with good intentions — kills. C-26 gives Cabinet the power to secretly rewrite the rules of Canada's digital infrastructure with no warrant, no Parliamentary debate, and no public disclosure. The boys at Dieppe died under orders they couldn't question. Canadians online will live under orders they'll never even know exist.
Source: Bill C-26, 44th Parliament; Senate Standing Committee on National Security, Defence and Veterans Affairs hearings, 2023–2024; Canadian Civil Liberties Association brief on C-26
Bill C-11 — Online Streaming Act
Royal Assent April 27, 2023. C-11 amends the Broadcasting Act to bring online streaming services — and critically, user-generated content — under CRTC regulatory authority. While the government repeatedly claimed C-11 would not regulate individual users, the Act's text tells a different story.
- User-generated content: Section 4.2 exempts users from being considered "broadcasters," but Section 4.1(2) grants the CRTC authority to regulate the platforms' treatment of user content — including algorithmic amplification, discoverability, and prioritization. The effect on individual creators is indirect but real. (Broadcasting Act, as amended by C-11, ss. 4.1–4.2)
- Discoverability mandates: The CRTC is empowered to order platforms to promote Canadian content, which necessarily means demoting non-Canadian or non-compliant content. This is algorithmic censorship by regulation. (Broadcasting Act, s. 9.1; CRTC regulatory framework consultation, 2023)
- Heritage Minister's authority: The Act grants the Heritage Minister power to issue binding policy directions to the CRTC — meaning political priorities can directly shape what Canadians see online. (Broadcasting Act, s. 7; C-11 amendments)
Bill C-63 — Online Harms Act
Tabled February 26, 2024, C-63 is perhaps the most constitutionally alarming legislation in modern Canadian history. It proposes to create a Digital Safety Commission with quasi-judicial enforcement powers, and amends the Criminal Code in ways that would make "pre-crime" a feature of Canadian law.
- Fear of future offence: C-63 adds a new peace-bond provision allowing a court to impose conditions on a person if there are "reasonable grounds to fear" they will commit a hate propaganda offence — not that they have committed one, but that they might. Conditions can include house arrest and electronic monitoring. (C-63, amending Criminal Code, proposed s. 810.012)
- Life imprisonment for hate speech: C-63 proposes increasing the maximum sentence for advocating genocide from five years to life imprisonment, and raises penalties for other hate propaganda offences. Combined with retroactive application provisions, this creates a chilling effect on all public discourse. (C-63, amending Criminal Code, s. 318–319)
- Digital Safety Commission: The proposed Commission would operate as a quasi-judicial body with the power to order content removal, impose administrative monetary penalties on platforms, and compel production of user data — all without the procedural protections of a court. (C-63, Part 1, proposed Digital Safety Commission framework)
- Complaints process: Any member of the public could file a complaint about online content. Platforms would face monetary penalties for failure to act within prescribed timelines, creating powerful incentives to over-remove content rather than risk fines. (C-63, Part 1, complaint and enforcement provisions)
The Kapyong precedent: In April 1951, 700 Canadians of 2 PPCLI held Hill 677 at Kapyong against thousands of Chinese troops — buying time for the entire UN line. They fought for the right of free peoples to speak, think, and dissent without fear of the state. C-63's "fear of future offence" provisions would let a government punish a Canadian for words they haven't spoken, based on what a bureaucrat thinks they might say. The men of Kapyong would not recognize the country that produced this bill.
Source: Bill C-63, 44th Parliament, 1st Session; Canadian Bar Association submission on C-63; Canadian Constitution Foundation analysis
Five Eyes and CSE
Canada has been a member of the Five Eyes intelligence-sharing alliance (with the US, UK, Australia, and New Zealand) since the UKUSA Agreement of 1946, building on wartime SIGINT cooperation dating to 1941. The Communications Security Establishment (CSE), Canada's signals intelligence agency, operates under the CSE Act (Part 3 of the National Security Act, 2017).
- Mandate expansion: The CSE Act formalized and expanded CSE's mandate to include active and defensive cyber operations — meaning CSE can now conduct offensive operations in foreign cyberspace on ministerial authorization, without judicial oversight. (CSE Act, ss. 18–20, 27–31)
- Incidental collection: CSE is prohibited from directing activities at Canadians, but "incidentally" collected Canadian data through Five Eyes sharing is subject to weaker protections. NSIRA has flagged concerns about the adequacy of safeguards. (NSIRA Annual Report 2022, s. 4.3; CSE Act, s. 24)
- Metadata programs: CSE collects and analyzes metadata (who contacted whom, when, from where) on a mass scale. A 2014 Federal Court ruling confirmed CSE's metadata collection is lawful but required stronger privacy protections. The Privacy Commissioner has noted that metadata can be more revealing than content. (Federal Court, 2014; OPC submission to ETHI Committee, 2016)
Acts of Parliament
- Bill C-26, Critical Cyber Systems Protection Act, 44th Parliament
- Bill C-11, Online Streaming Act, S.C. 2023, c. 8
- Bill C-63, Online Harms Act, 44th Parliament, 1st Session
- CSE Act (National Security Act, 2017, Part 3)
- Anti-Terrorism Act, 2015 (C-51) and National Security Act, 2017 (C-59)
Committee & Oversight Records
- Senate Standing Committee on National Security, Defence and Veterans Affairs — C-26 hearings, 2023–2024
- CRTC Regulatory Framework consultation on C-11 implementation, 2023
- NSIRA Annual Report 2022 — CSE metadata collection review
- Canadian Civil Liberties Association — C-26 brief (2023)
- Canadian Bar Association — C-63 submission (2024)
02 CSIS and Security Intelligence Oversight
The Canadian Security Intelligence Service has, since its creation in 1984, operated in a space of minimal public accountability. Oversight reforms have been promised, partially delivered, and consistently undermined by institutional resistance and legal ambiguity. The Federal Court has repeatedly rebuked CSIS for unlawful conduct — and CSIS has repeatedly demonstrated that judicial rebukes are not, by themselves, sufficient to change behaviour.
NSIRA — The New Watchdog
The National Security and Intelligence Review Agency replaced the Security Intelligence Review Committee (SIRC) in 2019 under C-59. NSIRA has a broader mandate — it can review any national security activity across the federal government, not just CSIS. But mandate breadth does not equal enforcement power.
- No enforcement authority: NSIRA can investigate, report, and recommend — but it cannot compel compliance. Its findings are advisory. If CSIS or CSE disagrees, there is no mechanism to force corrective action short of ministerial intervention or public pressure. (NSIRA Act, ss. 8–11; NSIRA Annual Report 2023)
- Classification barriers: NSIRA reports are subject to classification review before public release. Critical findings may be redacted, delayed, or suppressed on national security grounds — the very grounds NSIRA is supposed to be scrutinizing. (NSIRA Annual Report 2022, Foreword)
- Staffing and capacity: NSIRA has flagged persistent challenges in recruiting and retaining staff with appropriate security clearances, creating review backlogs. (NSIRA Annual Report 2023, Organizational Capacity section)
Federal Court Rebukes of CSIS
2016 — Illegal Data Retention
Justice Noël ruled that CSIS had illegally retained metadata and associated data it had collected under warrant for over a decade — data it was legally required to destroy once it was no longer strictly necessary. CSIS had been warehousing Canadians' data in a program known internally as the Operational Data Analysis Centre (ODAC). The Court found CSIS had breached its duty of candour to the Court and violated Section 8 of the Charter.
Source: CSIS Act, Federal Court ruling, 2016 FC 1105; Re Section 12 CSIS Act
2020 — Continued Unlawful Practices
Justice Gleeson found that CSIS had again failed to be candid with the Federal Court regarding the scope of its data collection and retention activities. The Court noted that despite the 2016 rebuke, institutional practices had not fundamentally changed. CSIS's "duty of candour" failures were characterized as systemic rather than isolated.
Source: Federal Court ruling, 2020 FC 616; NSIRA review of CSIS compliance
Section 12 vs. Section 16 — The Domestic/Foreign Divide
The CSIS Act draws a critical distinction: Section 12 authorizes investigation of threats to the security of Canada (terrorism, espionage, sabotage, subversion); Section 16 authorizes collection of foreign intelligence within Canada at the request of the Minister of Foreign Affairs or the Minister of National Defence. Section 16 activities are explicitly prohibited from being directed at Canadian citizens or permanent residents. But the line between "domestic threat investigation" and "foreign intelligence" is porous, and NSIRA has noted the difficulty of maintaining clean separations in practice.
- Dataset regime: C-59 introduced a new regime for CSIS to collect and retain "datasets" (bulk data) — including Canadian datasets with authorization from the Intelligence Commissioner, and foreign datasets with ministerial approval. NSIRA's first review of this regime flagged concerns about compliance timelines and handling. (CSIS Act, as amended by C-59, ss. 11.01–11.25; NSIRA Annual Report 2022)
- Auditor General findings: The AG has noted that intelligence oversight operates in a fragmented landscape — NSIRA reviews CSIS and CSE, the Intelligence Commissioner approves authorizations, the National Security and Intelligence Committee of Parliamentarians (NSICOP) provides political oversight, but no single body has a complete picture. (AG Report on National Security, 2021; NSICOP Annual Report 2022)
Federal Court Decisions
- 2016 FC 1105 — CSIS illegal data retention (Justice Noël)
- 2020 FC 616 — CSIS duty of candour failures (Justice Gleeson)
- Re Section 12 CSIS Act — ongoing Federal Court warrant proceedings (various)
Oversight Reports
- NSIRA Annual Reports 2020, 2021, 2022, 2023
- NSICOP Annual Reports 2020, 2021, 2022
- Auditor General — Report on National Security Activities, 2021
- Intelligence Commissioner Annual Reports 2020–2023
03 Lawful Access and Warrantless Surveillance
Every year, Canadian law enforcement agencies make hundreds of thousands of requests to telecommunications companies for subscriber information — often without a warrant. The scale of this data harvesting was largely invisible to the public until telecom transparency reports and investigative journalism began to reveal its true scope.
Telecom Transparency — The Numbers
In 2014, following revelations prompted by the Snowden disclosures and increased public scrutiny, Canada's major telecommunications providers began publishing transparency reports. The numbers stunned even seasoned privacy advocates.
Figures from carrier transparency reports (2014). Total estimated requests across all carriers exceed 1.2 million per year. Source: Rogers Transparency Report 2014; Telus Transparency Report 2014; Christopher Parsons / Citizen Lab analysis.
- Pre-Spencer practice: Before the Supreme Court's 2014 ruling in R. v. Spencer, police routinely requested subscriber information (name, address, IP address associations) from ISPs without any judicial authorization. ISPs voluntarily complied in the vast majority of cases, treating the data as business records rather than private information. (R. v. Spencer, 2014 SCC 43; Citizen Lab, "Transparent Skies" report)
- R. v. Spencer (2014 SCC 43): The Supreme Court unanimously held that internet subscriber information attracts a reasonable expectation of privacy because it can reveal intimate details of a person's online activities. Police generally need judicial authorization to obtain it. However, the decision left open several exceptions, and enforcement has been inconsistent across jurisdictions. (R. v. Spencer, 2014 SCC 43, paras. 47–68)
- Post-Spencer gaps: Despite the ruling, subsequent transparency reports show that warrantless requests continued in significant volume — partly because Spencer addressed subscriber info specifically, not all forms of metadata, and partly because institutional practices change slowly. Several police services maintained that "exigent circumstances" justified continued warrantless access in many cases. (OPC Report on law enforcement access, 2017; Citizen Lab follow-up analysis)
IMSI Catchers — The Invisible Dragnet
IMSI catchers (also known as "Stingrays" or cell-site simulators) are devices that mimic cellular towers, forcing all mobile phones in range to connect and reveal their unique identifiers, location data, and in some configurations, call content. Their use by Canadian law enforcement has been largely unregulated.
- RCMP acknowledgment: In 2017, the RCMP confirmed for the first time that it uses IMSI catchers, after years of neither confirming nor denying. The RCMP stated it obtains judicial authorization before deployment — but the authorization framework for these devices has never been specifically addressed by Parliament. (RCMP media statement, 2017; House of Commons ETHI Committee hearings)
- Municipal police use: Access to Information requests have confirmed that several municipal police forces, including Vancouver, Edmonton, and others, have acquired or used IMSI catcher technology. Deployment policies vary widely and are largely opaque. (ATIP disclosures; Citizen Lab / University of Toronto investigations)
- Bystander surveillance: By design, IMSI catchers capture data from all phones in range — not just the target's device. Every deployment is a mass surveillance event affecting potentially thousands of bystanders, none of whom are named on any warrant. (Privacy Commissioner submission to ETHI, 2017; technical analysis, Citizen Lab)
Border Surveillance — The Constitution-Free Zone
At the Canadian border, the Charter's protections are at their weakest. The Canada Border Services Agency (CBSA) exercises powers that would be unconstitutional in any other context.
- Warrantless device searches: Under the Customs Act, CBSA officers may examine any goods — including electronic devices — at the border without a warrant. While courts have imposed some limits (R. v. Canfield, 2020 ABCA 383), there is no comprehensive statutory framework governing device searches. Travellers' phones, laptops, and tablets can be searched without reasonable suspicion at the primary inspection level. (Customs Act, s. 99; R. v. Canfield, 2020 ABCA 383)
- No independent oversight: CBSA is the only major federal law enforcement agency that has historically lacked independent civilian oversight. Bill C-20 (the Public Complaints and Review Commission Act) was introduced to address this gap but had not been passed as of the dissolution of the 44th Parliament. (Bill C-20, 44th Parliament; OPC Annual Report 2023)
- Biometric data: CBSA collects fingerprints and photographs from foreign nationals at ports of entry and shares this biometric data with Five Eyes partners through established intelligence-sharing frameworks. (CBSA Biometric Program; Five Eyes biometric data sharing agreements)
What Ortona was for: In December 1943, Canadians fought house-to-house through Ortona — "Little Stalingrad" — losing over 2,300 casualties in a single month to liberate a town where the Gestapo had catalogued, tracked, and monitored the civilian population. Eighty years later, CBSA can search your phone without a warrant, IMSI catchers harvest your location without your knowledge, and over a million data requests per year flow from police to telecoms. The Canadians at Ortona would ask: who exactly are you protecting, and from whom?
Source: Customs Act, s. 99; Telecom Transparency Reports 2014; RCMP IMSI catcher confirmation 2017; R. v. Spencer, 2014 SCC 43
Supreme Court of Canada
- R. v. Spencer, 2014 SCC 43 — subscriber information privacy
- R. v. Marakah, 2017 SCC 59 — text message privacy
- R. v. Jones, 2017 SCC 60 — text message interception
Transparency & Research
- Rogers Communications Transparency Report, 2014–2023
- Telus Transparency Report, 2014–2023
- Citizen Lab (University of Toronto) — IMSI catcher and telecom surveillance research
- Christopher Parsons — "Transparent Skies" and related publications
Legislation & Court Decisions
- Customs Act, R.S.C. 1985, c. 1 (2nd Supp.), s. 99
- R. v. Canfield, 2020 ABCA 383 — border device search limits
- Bill C-20, Public Complaints and Review Commission Act
04 Online Censorship and Content Control
Content control in Canada is not exercised through a single censorship office — it's distributed across regulatory bodies, platform compliance regimes, and legislative mandates that collectively shape what Canadians can see, say, and share online. The architecture is more subtle than a firewall, and more dangerous precisely because it's harder to identify and oppose.
CRTC's Expanded Powers Under C-11
The Canadian Radio-television and Telecommunications Commission, originally created to regulate broadcasting spectrum, now holds authority over the algorithmic recommendations of global platforms. Under C-11, the CRTC can:
- Mandate discoverability: Order platforms to ensure Canadian content is "discoverable" — meaning algorithmically promoted. This necessarily means other content is algorithmically demoted. The CRTC's own consultation documents acknowledge the trade-off. (Broadcasting Act, s. 9.1(1)(e); CRTC 2023-138 consultation)
- Impose registration requirements: Online streaming services must register with the CRTC and may be subject to conditions of service, including content spending requirements and reporting obligations. (Broadcasting Act, as amended, ss. 4.1–4.2; CRTC registration framework)
- Define "Canadian content": The CRTC and Heritage Canada are developing updated definitions of "Canadian content" for the digital age — definitions that will determine which creators are promoted and which are suppressed by law. (CRTC 2023 consultation on Canadian content in a digital world)
Platform Regulation as Indirect Censorship
The government's approach is to regulate platforms rather than users — a distinction without a meaningful difference. When a platform is threatened with fines for hosting content the government deems harmful, the platform will always over-remove rather than risk penalties. This is censorship by proxy.
ArriveCAN — The Compliance Precedent
ArriveCAN, the mandatory border application used during COVID-19, established the principle that Canadians could be compelled to use a government digital platform as a condition of exercising fundamental rights — in this case, the right to re-enter their own country. Location tracking, health data collection, and quarantine compliance monitoring were all bundled into a single mandatory app. The AG found the $59.5M cost was poorly documented and that the app's necessity was never adequately justified.
Source: AG Report on ArriveCAN, February 2024; Quarantine Act enforcement records
Digital ID Initiatives
Multiple federal and provincial initiatives are advancing digital identity systems. The Pan-Canadian Trust Framework (PCTF) developed by the Digital Governance Standards Institute provides the technical blueprint. Alberta, British Columbia, and Ontario have active digital ID pilot programs. While proponents cite convenience, the privacy implications of a centralized digital identity — combinable with facial recognition, location data, and financial information — are profound.
Source: DIACC Pan-Canadian Trust Framework; Provincial digital ID program announcements, 2022–2024
Canada vs. International Standards
| Dimension | Canada | European Union (GDPR/DSA) | Assessment |
|---|---|---|---|
| Content regulation model | Government-directed (Heritage Minister → CRTC) | Independent regulator (DSA Coordinators) | Canada's political chain of command raises independence concerns |
| Pre-crime provisions | C-63 fear-of-future-offence peace bonds | No equivalent in DSA | Canada uniquely aggressive |
| Platform transparency | Limited requirements under C-11 | Extensive algorithmic auditing under DSA Art. 40 | EU far more transparent |
| User appeal rights | Minimal under current proposals | Mandatory internal complaint + out-of-court dispute resolution (DSA Art. 20–21) | EU protects user recourse; Canada does not |
| Government secret orders to ISPs | Yes — C-26 allows confidential orders | No equivalent | Canada stands alone among democracies |
Sources: Bill C-11 (S.C. 2023, c. 8); Bill C-63; EU Digital Services Act (Regulation 2022/2065); EU General Data Protection Regulation (Regulation 2016/679); Bill C-26.
Legislation
- Broadcasting Act, as amended by C-11 (S.C. 2023, c. 8)
- Bill C-63, Online Harms Act, 44th Parliament
- EU Digital Services Act, Regulation (EU) 2022/2065
- EU GDPR, Regulation (EU) 2016/679
Regulatory Records
- CRTC 2023-138 — consultation on the Online Streaming Act regulatory framework
- AG Report on ArriveCAN (February 2024)
- DIACC Pan-Canadian Trust Framework documentation
- Provincial digital ID program documentation (AB, BC, ON)
05 Privacy Commissioner Findings
The Office of the Privacy Commissioner of Canada (OPC) is the closest thing Canadians have to an institutional champion of their privacy rights. Commissioner after commissioner has warned that Canada's privacy framework is outdated, underpowered, and increasingly inadequate for the digital age. Parliament has consistently ignored them.
Key OPC Investigations (2019–2024)
Clearview AI (2021)
Joint investigation with provincial counterparts found Clearview AI scraped billions of images from social media to build a facial recognition database used by law enforcement — including Canadian police forces. The OPC ruled this constituted mass surveillance and violated PIPEDA. Clearview ceased offering services in Canada but the scraped data persists in its global database.
Source: OPC Joint Investigation Report — Clearview AI, February 2021
Tim Hortons App (2022)
The OPC found Tim Hortons' mobile app tracked users' location continuously — even when the app was closed — collecting "a large amount of sensitive location data" in violation of PIPEDA. The app recorded every significant location a user visited: home, workplace, hospitals, places of worship. Tim Hortons agreed to delete the data and reform practices, but no monetary penalty was imposed — because PIPEDA doesn't give the OPC that power.
Source: OPC Investigation Report — Tim Hortons, June 2022
RCMP Facial Recognition (2021)
The OPC investigated the RCMP's use of Clearview AI's facial recognition technology and found the RCMP had used the service on multiple occasions without adequate legal authority or privacy assessment. The RCMP's position that a third party's collection of data absolved the RCMP of privacy obligations was rejected by the Commissioner.
Source: OPC Investigation Report — RCMP use of Clearview AI, June 2021
The Privacy Act — Decades Overdue for Reform
Canada's Privacy Act — governing how federal institutions handle personal information — was enacted in 1983 and has not been comprehensively updated since. It predates the internet, social media, smartphones, cloud computing, artificial intelligence, and mass data analytics. Every Privacy Commissioner since the early 2000s has called for fundamental reform. Parliament has not delivered.
- No order-making power: The Privacy Commissioner can investigate and recommend but cannot order a government institution to change its practices. This "ombudsman" model is increasingly recognized as inadequate. (Privacy Act, ss. 29–35; OPC Annual Report 2023)
- No penalty regime: There are no administrative monetary penalties for Privacy Act violations. Federal institutions that breach Canadians' privacy face no financial consequence. (OPC submission to ETHI Committee, 2023)
- Weak transparency: The Privacy Act's transparency requirements are minimal compared to modern standards. There is no proactive publication requirement for privacy impact assessments, and no mandatory breach notification for government institutions (unlike PIPEDA, which added breach notification for the private sector in 2018). (Privacy Act; PIPEDA breach notification provisions, 2018)
Canada vs. GDPR — A Privacy Gap
| Feature | Canada (PIPEDA / Privacy Act) | European Union (GDPR) |
|---|---|---|
| Maximum penalty | $100,000 (PIPEDA); $0 (Privacy Act) | €20M or 4% of global annual turnover |
| Right to erasure | Limited (no explicit right) | Yes (Art. 17) |
| Data portability | Not in current law | Yes (Art. 20) |
| Mandatory breach notification | PIPEDA yes (2018); Privacy Act no | Yes, 72 hours (Art. 33) |
| Commissioner enforcement power | Recommendations only (ombudsman model) | Binding decisions, fines, orders |
| Adequacy for digital age | Privacy Act: 1983 framework, un-reformed | 2018 framework, regularly updated |
Sources: PIPEDA (S.C. 2000, c. 5); Privacy Act (R.S.C. 1985, c. P-21); EU GDPR (Regulation 2016/679); OPC comparative analysis submissions to ETHI Committee.
OPC Investigation Reports
- Clearview AI Joint Investigation (February 2021)
- Tim Hortons App Investigation (June 2022)
- RCMP use of Clearview AI (June 2021)
- OPC Annual Reports 2019, 2020, 2021, 2022, 2023
Reform Proposals & Legislation
- Privacy Act (R.S.C. 1985, c. P-21) — full text
- PIPEDA (S.C. 2000, c. 5) — breach notification amendments 2018
- OPC submissions to ETHI Committee on Privacy Act reform, 2019–2024
- EU GDPR (Regulation 2016/679) — comparative framework
06 The Cost of Silence
Surveillance doesn't have to catch everyone to control everyone. It just has to make enough people afraid enough to stay quiet. The chilling effect is not a bug — it's the feature. When journalists won't pursue stories, when academics won't publish findings, when whistleblowers won't come forward, the surveillance state has won without ever prosecuting a single case.
Chilling Effects on Journalism
- Source protection gaps: Canada has no federal shield law protecting journalists' sources. The Journalistic Sources Protection Act (S.C. 2017, c. 22) creates a qualified privilege but can be overridden when a judge determines disclosure is in the public interest — a standard that leaves sources vulnerable. (Journalistic Sources Protection Act, S.C. 2017, c. 22)
- Metadata surveillance of journalists: In 2016, it was revealed that Sûreté du Québec had obtained warrants to surveil the metadata (phone records) of six journalists — Patrick Lagacé of La Presse among them — to identify confidential sources. The warrants were issued under the Criminal Code's general warrant provisions. (SQ surveillance revelations, 2016; Quebec public inquiry, Chamberland Commission)
- Self-censorship: Canadian Journalists for Free Expression (CJFE) surveys have consistently found that journalists report increased self-censorship in the post-C-51 era, particularly when covering national security, immigration, and indigenous affairs. (CJFE annual press freedom reports, 2016–2023)
Whistleblower Protection — The Broken Promise
Canada's federal whistleblower protection regime, the Public Servants Disclosure Protection Act (PSDPA), is widely regarded as one of the weakest in the developed world.
- Near-zero findings: Since its creation in 2007, the Public Sector Integrity Commissioner has made remarkably few findings of wrongdoing relative to the size of the federal public service (~300,000+ employees). Critics argue the system is designed to discourage rather than protect disclosure. (PSIC Annual Reports 2007–2023; Government Operations Committee testimony)
- Reprisal protection failures: The PSDPA's reprisal protections require complainants to file with the same Commissioner whose office investigates disclosures — a structural conflict that deters reporting. Multiple federal employees have testified to Parliamentary committees about retaliation they experienced after disclosure. (PSDPA, ss. 19–21; Government Operations Committee hearings, 2017, 2022)
- National security exclusion: Intelligence agencies (CSIS, CSE) and the military intelligence community are excluded from the PSDPA's protections entirely. There is no safe channel for intelligence community whistleblowers in Canada. (PSDPA, s. 2 definitions; excluded agencies schedule)
Academic Freedom and Self-Censorship
- Research chill: Academics studying national security, surveillance, and intelligence have reported difficulties obtaining research ethics approval, access to information delays of years, and institutional reluctance to support politically sensitive research. The combination of surveillance awareness and institutional timidity produces self-censorship across the academy. (Canadian Association of University Teachers reports on academic freedom, 2019–2023)
- Funding leverage: Federal research funding agencies (SSHRC, NSERC, CIHR) are crown agencies subject to ministerial direction. While academic freedom is formally protected, the dependence of Canadian universities on federal funding creates structural incentives to avoid research topics that might embarrass the government of the day. (CAUT policy statements; Tri-Council funding framework)
The Broader Pattern — Surveillance Enables Control
Surveillance does not exist in isolation. It is the infrastructure upon which other forms of state control are built. The same digital identity systems proposed for "convenience" can be used to enforce compliance with any government mandate. The same metadata collection that tracks suspected terrorists also tracks political organizers, journalists, and dissidents. The same algorithmic regulation that "promotes Canadian content" can suppress content the government finds inconvenient.
The Scheldt lesson: In October 1944, the First Canadian Army spent five brutal weeks clearing the Scheldt Estuary — 12,873 Canadian casualties to open the port of Antwerp and liberate the Netherlands from a regime that had perfected the use of population registries, identity papers, and surveillance to control and ultimately destroy communities. The Dutch, who lived under that system, have never forgotten the lesson. Canada seems determined to relearn it. Every population registry, every digital ID, every metadata database is only as benign as the government that controls it. And governments change.
Source: Historical — First Canadian Army operations, Scheldt Estuary, October–November 1944; Dutch population registry and Holocaust scholarship
Journalism & Press Freedom
- Journalistic Sources Protection Act, S.C. 2017, c. 22
- Chamberland Commission (Quebec) — police surveillance of journalists inquiry
- Canadian Journalists for Free Expression — annual press freedom reports
- SQ journalist surveillance revelations, 2016 (Lagacé and others)
Whistleblower Protection
- Public Servants Disclosure Protection Act (S.C. 2005, c. 46)
- Public Sector Integrity Commissioner Annual Reports, 2007–2023
- House of Commons Government Operations Committee — PSDPA review hearings
- International comparison: Government Accountability Project; Whistleblower Network News
Academic Freedom
- Canadian Association of University Teachers — academic freedom policy statements
- SSHRC, NSERC, CIHR — Tri-Council policy framework
- ATIP request processing time data — Treasury Board annual reports
07 What Must Be Done
This isn't about left or right. Every party that has held power in Canada has expanded surveillance authority — the Conservatives with C-51, the Liberals with C-26, C-11, and C-63. The architecture is bipartisan because the incentive is institutional: governments of all stripes prefer more information about their citizens and fewer constraints on how they use it. Breaking this pattern requires structural reform, not just electoral change.
Modernize the Privacy Act
Give the Privacy Commissioner order-making power and the authority to impose administrative monetary penalties on federal institutions that violate privacy rights. Require mandatory breach notification for government data breaches. Establish a meaningful right to erasure and data portability.
Basis: OPC reform proposals, 2019–2024; GDPR comparative framework
Judicial Oversight for C-26
Require prior judicial authorization for all government orders to ISPs and telecoms under C-26. No secret orders without a warrant. Mandatory sunset clauses on all emergency directives. Independent review of all classified orders within 90 days.
Basis: CCLA brief on C-26; Federal Court warrant jurisprudence
Repeal C-63 Pre-Crime Provisions
The "fear of future offence" peace-bond provisions are incompatible with fundamental justice. Punishing people for speech they haven't uttered violates Section 2(b) (freedom of expression) and Section 7 (life, liberty, security of the person) of the Charter. These provisions must be repealed, not reformed.
Basis: Canadian Bar Association C-63 submission; Charter of Rights, ss. 2(b), 7
Real Whistleblower Protection
Replace the PSDPA with legislation modeled on best international practices. Remove the intelligence community exclusion. Create an independent whistleblower protection agency separate from the investigation function. Reverse the burden of proof in reprisal cases.
Basis: PSDPA review; international best practices (UK, US, Australia)
IMSI Catcher Regulation
Parliament must pass legislation specifically governing the use of cell-site simulators by all levels of law enforcement. Require individual warrants, mandatory notification of bystanders after the fact, destruction timelines for incidentally collected data, and annual public reporting on deployment frequency.
Basis: ETHI Committee recommendations; Citizen Lab research
Strengthen NSIRA
Give NSIRA binding order-making power. When NSIRA finds unlawful conduct by CSIS, CSE, or any national security agency, it should be able to compel corrective action — not just publish a report that gets classified and ignored. Increase staffing and budget to eliminate review backlogs.
Basis: NSIRA Annual Reports 2020–2023; SIRC predecessor limitations
⊕ Master Source Index
Acts of Parliament
- CSIS Act, R.S.C. 1985, c. C-23
- Privacy Act, R.S.C. 1985, c. P-21
- PIPEDA, S.C. 2000, c. 5
- Anti-Terrorism Act, 2001 (C-36)
- Anti-Terrorism Act, 2015 (C-51)
- National Security Act, 2017 (C-59)
- CSE Act (Part 3, National Security Act, 2017)
- Journalistic Sources Protection Act, S.C. 2017, c. 22
- Public Servants Disclosure Protection Act, S.C. 2005, c. 46
- Online Streaming Act (C-11), S.C. 2023, c. 8
- Critical Cyber Systems Protection Act (C-26), 44th Parliament
- Online Harms Act (C-63), 44th Parliament, 1st Session
- Customs Act, R.S.C. 1985, c. 1 (2nd Supp.)
Supreme Court of Canada
- R. v. Spencer, 2014 SCC 43
- R. v. Marakah, 2017 SCC 59
- R. v. Jones, 2017 SCC 60
Federal Court Decisions
- 2016 FC 1105 — CSIS illegal data retention
- 2020 FC 616 — CSIS duty of candour
- R. v. Canfield, 2020 ABCA 383
Oversight & Commissioner Reports
- NSIRA Annual Reports, 2020–2023
- NSICOP Annual Reports, 2020–2022
- Intelligence Commissioner Annual Reports, 2020–2023
- OPC Annual Reports, 2019–2023
- OPC Investigation: Clearview AI (February 2021)
- OPC Investigation: Tim Hortons (June 2022)
- OPC Investigation: RCMP/Clearview AI (June 2021)
- Public Sector Integrity Commissioner Annual Reports, 2007–2023
- Auditor General — Report on National Security Activities (2021)
- Auditor General — Report on ArriveCAN (February 2024)
- CSE Annual Reports, 2020–2023
Parliamentary Records
- Senate Standing Committee on National Security — C-26 hearings (2023–2024)
- House of Commons ETHI Committee — privacy and surveillance hearings
- House of Commons Government Operations Committee — PSDPA review
- CRTC 2023-138 — Online Streaming Act regulatory framework consultation
- Chamberland Commission (Quebec) — police surveillance of journalists
Research & Civil Society
- Citizen Lab (University of Toronto) — surveillance technology research
- Canadian Civil Liberties Association — legislative briefs
- Canadian Bar Association — C-63 submission (2024)
- Canadian Constitution Foundation — C-63 analysis
- Canadian Journalists for Free Expression — press freedom reports
- Canadian Association of University Teachers — academic freedom reports
- Christopher Parsons — telecom transparency research
- Rogers, Telus, Bell — Transparency Reports (2014–2023)