Originally published by Lucy Hargreaves @lucyhargreaves4 on X.
View original article
· View original post
· 2026-06-16T15:18:35.000Z
Something is happening. Hidden in plain sight.
Between March and June 2026, the Carney government introduced five interlocking digital bills in roughly 100 days. Each one is framed around something hard to argue with: protecting kids, catching criminals, modernizing privacy law.
But taken together, they build the legal architecture for something Canadians have never voted for… a country where you must prove your identity to access ordinary websites, where the government can secretly order companies to build surveillance tools, and where a single Cabinet-appointed body holds sweeping power over what you can say, see, and do online.
No single bill does all of this. That’s part of what makes it so hard to see.
The Five Bills
Bill C-22: The Surveillance Bill is the most urgent and least discussed. It mandates that every telecom and internet company retain metadata on all Canadians for up to one year. This is not the content of your messages, but who you contacted, when, for how long, and where you were. Law professor Michael Geist calls this “a surveillance map of virtually every Canadian.” The bill also allows the Public Safety Minister to issue secret orders compelling companies to build interception infrastructure, while legally barring those companies from ever telling you. Signal, NordVPN, Windscribe, DuckDuckGo, Apple, and Meta have all formally opposed it. Signal has threatened to leave Canada entirely rather than comply.
Bill C-34: The Children’s Safety Bill That Applies to Everyone. The government’s social media ban for under-16s is genuinely popular, with 75% of Canadians supporting it in polling. The problem is what it requires in practice. To stop anyone under 16 from creating an account, platforms need to know how old everyone is. There is no way to identify who is under 16 without identifying everyone who isn’t. This means every Canadian adult would need to submit government ID or a face scan to a third-party verification company before posting a photo, using cloud storage, or playing an online game. The bill also creates a new Digital Safety Commission with sweeping powers to set the rules, decide which platforms must comply, and approve or deny exemptions — with almost no criteria written into the law itself.
Bill C-36 — The Privacy Reform That Removes the Privacy Watchdog. Introduced the same week, this bill claims to enshrine privacy as a “fundamental right.” What it actually does is strip the Privacy Commissioner of Canada — an independent Agent of Parliament — of all authority over private-sector privacy law, handing that power to the same Cabinet-appointed Digital Safety Commission just created by C-34. The Commissioner is the officer who has spent years publicly challenging government overreach on exactly these issues. Under C-36, that independent voice is removed from the private-sector oversight file entirely.
Bill C-8 gives the government broad secret-order powers over telecoms, banks, and energy companies under the banner of cybersecurity. Bill S-209 seeds an age-verification requirement for adult content that C-34 then scales to the entire internet.
What Other Countries Found Out
Australia introduced the same social media ban in December 2025. Six months later, the eSafety Commissioner told Parliament she was “not really keen” on it from the start and called it a “blunt force approach” drafted too quickly. 70% of young Australians reported the ban had little effect on their social media use. It didn’t reduce cyberbullying. What it did produce was a surge in VPN use… pushing young people to darker, less-monitored platforms.
The UK implemented age verification under its Online Safety Act in mid-2025. Within one month, VPN downloads hit over two million — the highest ever recorded — and monthly downloads stayed above one million for a year as users raced to bypass the requirement.
The EU considered its own version of mandatory message scanning (dubbed “Chat Control”) and its own Parliament voted it down in March 2026, with the EU’s legal service concluding that indiscriminate scanning of private communications is incompatible with fundamental rights.
The government’s core justification for C-22 is that Canada is the “only Five Eyes country” without a lawful access framework. But the United States has no federal mandatory metadata retention law. The EU’s highest court has struck down blanket retention twice as incompatible with human rights. When the Public Safety Minister claimed Canada’s provisions would be “in line with U.S. counterparts,” he was forced to walk back the statement within hours.
What the Government Has to Gain
The most straightforward motivation is political. Protecting children online is broadly popular, and the Carney government finally has a majority. These bills are also tied to Canada’s new AI strategy in which the government frames a powerful new regulator as the institutional foundation of a trustworthy digital economy.
There is also genuine intelligence pressure. CSIS and the RCMP have wanted lawful access legislation for twenty years, and Canada’s absence from allied surveillance infrastructure creates real operational friction within the Five Eyes network.
But the uncomfortable structural question is this: a government that controls the regulator deciding what counts as “harmful content” holds indirect leverage over political speech. A government holding a year of metadata on every Canadian’s digital life has intelligence value extending well beyond criminal investigations. A government that has removed the independent privacy watchdog from private-sector enforcement has removed the officer most likely to publicly challenge its own overreach.
This doesn’t require a conspiracy theory. Regulatory capture — where a regulator ends up serving the government that created it rather than the public it was meant to protect — is a predictable failure mode. The architecture being built has almost no safeguards against any government present or future, that would seek to weaponize these powers.
The Contradiction
It is reasonable to interrogate the inherent contradiction in these pieces of legislation. On June 15, the same week the government introduced privacy as a “fundamental right” in Bill C-36, it was simultaneously proposing to force all Canadians to hand identity data to third parties to access social media, mandate a year’s worth of surveillance data on everyone’s communications, and remove the only officer empowered to independently challenge how that data gets used.
When a Liberal MP was pressed in committee on C-22’s privacy implications, she responded that the bill “has nothing to do with the privacy of people and their information.” That was said after months of expert testimony about mandatory metadata retention, weakened encryption, and secret ministerial orders.
That gap between the stated values and the operational reality is the thing worth paying attention to.
These bills are not yet law. C-22 is the most advanced and the most urgent with it looking inevitable it will move to a House vote prior to summer recess. C-34 and C-36 enter serious study in fall 2026.
For Canadians who want to engage, I recommend checking out OpenMedia. They are running active campaigns with outreach and engagement tools to connect with lawmakers.
