🇨🇦 Encryption, Accountability, and the Cliff Edge: Why Canada Must Rethink Bill C-2

I grew up in Canada. I’m a proud citizen, and still carry with me that deep, cultural belief that our country – at its best – strives to balance security with fairness, innovation with public interest, and privacy with pragmatism. But right now, Canada is poised to pass legislation that threatens to undermine all three.

Bill C-2, and in particular Part 15, contains powers that give government officials the authority to issue secret ministerial orders to electronic service providers – orders that could compel access to encrypted data or communications, all while offering little in the way of public transparency or civil oversight.

Since its introduction to Parliament in June of this year, experts and civil society organisations have continued to sound the alarm. In addition to Part 15’s surveillance powers, Part 14 would allow “information demands” from virtually any service provider – including telcos, hotels, hospitals, and even law firms – with minimal thresholds and just five days to respond or challenge. That’s not a safeguard. That’s a trap door.

At a recent Public Safety Canada webinar, attendees pressed officials to explain how these powers might be applied in practice. Could they compel backdoor access to encrypted services? Could they mandate surveillance tools to be embedded in private platforms? Officials declined to answer, dismissing these very real concerns as “hypotheticals.”

And here’s the kicker: the Bill includes a clause that prohibits demands which would introduce a “systemic vulnerability.” That sounds reassuring – until you realise the term is completely undefined. Worse, the government has explicitly reserved the right to define it later via regulation, after the Bill becomes law.

This is the legal equivalent of the government saying: “We’ll tell you where the cliff edge is – after you’ve already started driving.”

Bill C-2 is not compatible with Canada’s global ambitions.

While this Bill advances, Canada is also trying to retain its EU GDPR adequacy status – a designation that enables Canadian organisations to process European data without additional restrictions. It’s a major economic advantage – and one that requires real alignment with EU-style privacy protections, including strong limits on government surveillance.

You cannot achieve that alignment while passing legislation that grants sweeping, secret powers with minimal accountability. You cannot claim to protect encryption while leaving the door open to undermining it. And you certainly cannot build a rights-based digital economy if people no longer trust the systems that hold their most personal information.

To put it plainly: you can’t claim to be a privacy-respecting democracy while giving ministers the power to quietly demand decryption at will.

This isn’t just a technical issue – it’s a constitutional one.

Legal scholars and civil society groups across Canada have warned that C-2 risks violating Charter rights to liberty and protection from unreasonable search. The Democracy Fund has publicly called for the removal of the lawful access provisions. Others have raised alarms about the cross-border implications of the Bill’s proposed “global production orders,” which could enable U.S. agencies to access Canadian data via a bilateral agreement – effectively dragging Canada into the orbit of the U.S. CLOUD Act.

One of the most cogent voices in this space is Jiří Fiala, CEO of the privacy-preserving company PrivID, Inc. In a recent Substack series, he described Bill C-2 as a “Trojan horse” – a border-security bill on the surface, but a digital surveillance law underneath. His analysis makes clear that the legislation’s structure mirrors troubling elements of both the UK’s Online Safety Act and the U.S. FISA system.

So, dear Ottawa…

If Canada wants to stand alongside the EU – not just as a trade partner, but as a trusted steward of democratic digital infrastructure – then it needs to act like it.

That means:

  • Defining “systemic vulnerability” before enforcement begins
  • Building in strong, independent oversight – not just ministerial discretion
  • Protecting end-to-end encryption without quiet carve-outs
  • Engaging civil society and technical experts early, not as an afterthought

And yes – this also means resisting the temptation to follow Five Eyes partners down the path of secretive surveillance mandates and backdoor demands.

Canada is better than this.

A word to Prime Minister Carney

As a former Governor of both the Bank of Canada and the Bank of England, you understand how essential trust, transparency, and system integrity are to any functioning market – digital or otherwise. These same principles apply to encryption and privacy. Canadians, and the international community, will be watching to see whether your leadership brings clarity and courage to this conversation – or simply carries on quietly.

Because here’s the truth: you cannot weaken encryption “just a little.” Once you introduce a backdoor, you’ve compromised the entire system.

And when public trust in digital systems collapses, rebuilding it is far harder than simply passing a better Bill in the first place.

So let’s not wait for a crash to find out where the cliff was.

We are Canadians. We can do better than this. And we must.


About the Author:

Kim Chandler McDonald

Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.
She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.