
Canada’s Bill C-8, Explained, and What It Means for Your Privacy

One signature now lets the government collect your location, your browsing history, and your metadata without ever asking a judge.


Stand against censorship and surveillance: join Reclaim The Net

Canada’s new cyber-security law gives a cabinet minister the power to order any telecom provider to cut off service to a named person, without a warrant, without prior judicial approval, and under a gag order that can prohibit the provider from explaining why.

That power is now live.

The law also creates warrantless data-collection authorities broad enough to scoop up subscriber information, metadata, location data, and browsing history. It was supposedly written to protect critical infrastructure, but what it built is a surveillance machine with almost no independent checks on how it gets used.

We obtained a copy of the bill for you here.

What the Law Is

C-8 carries the formal title An Act Respecting Cyber Security. It replaces Bill C-26, which died on the order paper when the previous Parliament was prorogued, and was reintroduced in substantially the same form.

The bill has two parts. The first rewrites the Telecommunications Act so that security is an explicit policy objective and gives the government direct authority over carriers. The second creates the Critical Cyber Systems Protection Act, imposing mandatory cybersecurity obligations on operators in banking, energy, transportation, and the nuclear sector. The telecom powers are already in force, and the critical-infrastructure regime will roll out in phases.

The Power to Disconnect

Under the amended Telecommunications Act, the Minister of Industry can “prohibit a telecommunications service provider from providing any service to any specified person,” or direct a provider to suspend service for a set period. The order takes effect once the minister signs it, after consultation with the Minister of Public Safety. No court reviews it beforehand.

These orders bypass the normal regulatory publication path because the Statutory Instruments Act does not apply to them. An order can include a provision “prohibiting the disclosure of its existence,” so a person can lose phone and internet access while the provider is legally forbidden from telling them why. And the Act states that “No one is entitled to any compensation” for financial losses an order causes.

The government added a carve-out for individuals, barring orders that suspend an individual’s service unless the measure is necessary against “any specified threat of a technical nature.” That limit covers only the suspension power. The broader prohibition authority reaches “any specified person,” with no such restriction.

OpenMedia’s executive director Matt Hatfield said before the bill passed: “There is no such thing as a private intercepted message, and no backdoor that exists only for law enforcement. Our government knows it, yet their draft cybersecurity legislation Bill C-8 can be abused to surveil Canadians in secret, well beyond its legitimate purpose.”

Warrantless Data Collection

Section 15.4 of the amended Telecommunications Act gives the minister an open-ended power to compel “any person” to hand over information the minister considers necessary, with no requirement for a warrant or prior judicial authorization.

The Citizen Lab’s Senate brief called this “an unprecedented, warrantless power to collect telecommunications data, and to share this information widely across the federal government,” including with CSIS and the Communications Security Establishment.

As a matter of constitutional law, Citizen Lab argued, the power is “presumptively contrary to section 8 of the Charter, because it would authorize the collection of information that is subject to a reasonable expectation of privacy without prior independent judicial authorization.”

The Privacy Commissioner warned during testimony that the law could result in the collection and sharing of subscriber account information, communication data, website visits, metadata, location data, and financial data.

The Intelligence Commissioner of Canada also weighed in. “The glaring absentee in this bill is the Canadian public,” he said. “The information that is collected is Canadians’ personal information.” He characterized warrantless seizure of private information as a constitutional issue the bill had failed to resolve.

The bill’s minimal safeguards, including a requirement that the minister weigh “potential impacts on the privacy of Canadians” before issuing orders, do not even apply to these collection powers.

Encryption and Backdoors

C-8’s order-making powers are broad enough to force telecom companies to weaken or bypass encryption. The minister can order a provider “to do anything or refrain from doing anything” deemed necessary to secure the telecom system, language that does not exclude orders to install surveillance capabilities or degrade encryption standards.

Writing in The Globe and Mail, Citizen Lab’s Kate Robertson and Ron Deibert warned that the bill’s “secretive, encryption-breaking powers” would “threaten the online security of everyone in Canada” and that it “empowers government officials to secretly order telecommunications companies to install backdoors inside encrypted elements in Canada’s networks.”

The government did introduce amendments stating the minister “must not order the decoding of an encrypted private communication.” That language prohibits one specific action, decoding, while leaving the broader order-making power intact. The Canadian Civil Liberties Association’s Tamir Israel said the fix was insufficient: “By failing to guarantee critical end-to-end encryption protocols will not be undermined, Bill C-8 risks doing more harm than good to cybersecurity.”

Secrecy by Design

Operators receiving a cybersecurity direction are prohibited from disclosing its existence or content. The minister can keep orders out of the Canada Gazette. Judicial review proceedings operate under rules that let the government present evidence the target never sees. Committee amendments that would have required prior judicial authorization for orders and transferred non-disclosure decisions to the courts were adopted, then removed by a Speaker’s ruling before final passage.

Israel called this a “secrecy by default approach” that “pose[s] an additional threat to privacy and other civil liberties.” Citizen Lab argued the secrecy provisions restrict public and media scrutiny and raise freedom-of-expression concerns under section 2(b) of the Charter.

For orders that include a gag, the minister must notify two intelligence-review bodies within 90 days, and the Act requires an annual report to Parliament. That is the total extent of the transparency obligation.

Who the Bill Actually Affects

The government’s own Charter analysis argued that privacy interests are “diminished in regulatory and administrative contexts.” Citizen Lab disputed this directly, arguing that the bill “is reforming Canada’s national security laws and powers, and will impact the privacy interests of people across Canada,” who are not regulated companies.

Telecom providers carry Canadians’ most private communications. The people whose data flows through those networks are not regulatory subjects, and their privacy interests are not diminished just because the company carrying their data is one.

The critical-infrastructure part applies to designated operators in telecom, banking, energy, transportation, and the nuclear sector. Those operators must build formal cybersecurity programs within 90 days, manage supply-chain risk, and report incidents to the Communications Security Establishment within 72 hours. Penalties run as high as 15 million dollars per violation for a corporation.

The Act also opens channels for personal and confidential information to flow to provincial governments, foreign states, and international organizations under written arrangements. The Privacy Commissioner urged safeguards on foreign sharing and called for a mandatory process to notify the office of breaches and incidents involving internationally shared information. The final law does not include that process.

What Did Not Survive

Parliament considered and rejected or stripped out most of the stronger protections proposed during the committee study. Amendments requiring prior judicial authorization for security orders were removed. Amendments transferring non-disclosure authority to the courts were removed. The Privacy Commissioner’s call for mandatory breach notification to the OPC was not adopted. No whistleblower protections were added, a gap the Canadian Cyber Threat Exchange warned would discourage organizations from disclosing breaches or vulnerabilities.

A mandatory five-year review of the law’s provisions made it into the final text. The question is what happens in the years before that review, when the regulations filling out the Act’s operational details are drafted without any of the oversight mechanisms that were proposed and discarded.
