In a world of declining internet freedoms, a bill advancing through Canada’s parliament explicitly authorizes the government to “direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.” Under the guise of national security and protecting vital federal infrastructure, Bill C-8 is creating directives that, if misused, could impact Canadian internet privacy rights. These new authorities could allow the government to issue unchecked and secret orders to force telecom providers to share private data or weaken encryption. Moreover, it creates backdoors for the government to share collected Canadian data with foreign governments and entities.

From Bill C-26 to Bill C-8

On the eve of Parliament’s prorogation, instead of fixing the controversial cybersecurity legislation Bill-C26 that could have been used to reshape the Telecommunications Act and compromise Canadian privacy, the Liberal government decided to rebrand it under Bill C-8, ignoring various previous calls for essential safeguards. Now thousands are raising the alarm again.

Bill C-8 is almost identical to Bill C-26, which was tabled in 2022 but failed to pass only due to prorogation of Parliament. The original bill received powerful criticism from Canadian civil society organizations and researchers for the sweeping powers it provides the government. 

Similar warnings have now been issued for the new Bill C-8. In a formal submission to the Standing Committee on Public Safety and National Security of Bill C-8, interdisciplinary research laboratory Citizen Lab at the University of Toronto highlighted how the new legislation still lacks the necessary safeguards despite previous assurances from government officials. The Office of the Privacy Commissioner of Canada has also called for improvements to the bill due to its lack of privacy protections.

Vague language and sweeping powers

Critics agree that one of the bill’s primary flaws is its vague language, creating loopholes that can effectively allow the government to spy on Canadians. Perhaps one of the clearest examples of how such language can be abused is in the bill’s summary, where it states the government’s extremely broad power. The bill allows the government to surpass judicial processes and force telecommunications service providers “to do anything” to “secure the Canadian telecommunication system.” 

As vaguely mentioned in another section in the bill, “The Minister may require any person to provide to the Minister or any person designated by the Minister, within any time and subject to any conditions that the Minister may specify, any information that the Minister believes on reasonable grounds is relevant for the purpose of making, amending or revoking an order.”

One of the reasons Bill C-26 was even more problematic was due to clauses allowing the government to withhold disclosures or not allow those receiving them from acknowledging them. This issue remains with Bill C-8 as it “may also include a provision prohibiting the disclosure of its existence, or some or all of its contents,” effectively enabling gag orders. 

In such cases, orders made by the government to telecommunications service providers can be secretive, thus harder for the public, media or even parliamentary oversight. Furthermore, it denies those affected the right to know how their services have been changed and removes accountability. The legislation says the government is only required to notify the National Security and Intelligence Committee of Parliamentarians (NSICOP) and the National Security and Intelligence Review Agency (NSIRA).

Moreover, the bill creates additional breaches of privacy as it enables the exchange of information collected with other entities. It lists 10 sides that “may collect information from and disclose information to each other, including confidential information” that includes domestic sides like the minister and the minister of national defence. Yet, it also added a vague “any other prescribed person or entity” at the bottom of the list. 

In fact, another section raised more concern about the possible sharing of “any information collected or obtained under this Act by the Minister” with “a foreign state” or “an international organization.” While the Bill C-8 requires such action to be under an agreement in writing between the Canadian government and such foreign state or organization, this requirement still does not prevent Canadian metadata from reaching foreign sides. These are points that Privacy Commissioner of Canada Philippe Dufresne raised the alarm about in Parliament, recommending that his office be informed about such decisions to create some of the oversight that this bill lacks.

Picture a worst-case, yet legal, scenario: The government uses its new powers to force telecom giants Bell, Rogers and TELUS — the main holders of our digital lives — to “do anything” they deem as necessary for national security, such as intentionally weakening end-to-end encryption to collect internet metadata to monitor specific people. 

In parallel, the government issues a non-disclosure for its order to these providers. While it is unknown to the public or Parliament that such an order has been issued, data collected is then shared with a foreign ally such as the United States, or a controversial international Big Data company like Palantir. This is the very type of outcome civil society groups and experts fear.

Following a global trend

Predicting the possible grave impacts of Bill C-8 requires no imagination. We can simply look at the real-world impacts of similar laws in Australia and the UK from similar legislation. Years ago, Australia’s similar Telecommunications (Assistance and Access) Act, deemed an anti-encryption law, was used by its federal police to raid media organizations and access journalists’ data following their work on leaked documents. 

In the UK, the amended 2016 Investigatory Powers Act has been used to spy on and access private phone records of investigative journalists to identify their sources. As recently as August 2025, the UK government used this law to ask Apple to access highly encrypted user data.

Even without malicious intent, the bill’s sweeping powers could have serious unintended consequences. Privacy protection in Canada faced concerns about vulnerabilities even before the bill, when it was revealed that Canada’s Communication Security Establishment “shared some information with international partners without properly removing Canadian information that had been acquired incidentally.”

Overall, and in addition to its clear violations of Canadians’ right to privacy, the bill worsens the current digital environment, normalizing and legalizing invisible surveillance. As citizens and users become aware of the possibility of legal government surveillance, self-censorship may spread out of fear that private communications are monitored, thus creating a chilling effect that undermines freedom of expression in the country.

Members of Parliament are now aware of the bill’s flaws and of the various recommendations by experts to improve it now on record. It is now a matter of political will to ensure these safeguards and protect Canadian digital lives and privacy.

Abde Amr is a disinformation researcher specializing in the global circulation of misinformation and digital propaganda. His work focuses on the intersection of technology, human rights, and information integrity. Previously, he was a researcher with Simon Fraser University’s Disinformation Project. 

© National Observer