Trump Wants to Tap Your Phone. Ottawa Might Let Him

T his month, the federal government is rushing surveillance law reform through parliamentary study, with committee hearings on Bill C-22 slated to conclude before the end of May. The legislation—called the Lawful Access Act—would give Ottawa broad new powers to compel technology providers to build surveillance tools into their systems.

Its scope could mean requiring companies to install spy tools into mobile devices, social media and messaging apps, cloud-storage services, video game platforms, smart home devices, live video camera networks, or health and fitness trackers—to name a few examples. The bill would also dilute privacy protections for other digital information, like the identity information behind anonymous social media accounts or IP addresses (often referred to as subscriber information).

The bill has drawn significant criticism, including on both constitutional and cybersecurity grounds. But amid the debate over privacy and state power, another issue has received far less attention: what the legislation could mean for data sharing with foreign law enforcement agencies.

It is widely known that, since 2022, Canada has been negotiating, behind closed doors, a cross-border data-sharing agreement with the United States under the US Clarifying Lawful Overseas Use of Data Act—or the CLOUD Act. The agreement is controversial. It would require Canada to change its laws to allow US law enforcement to directly issue demands for personal data held by Canadian technology providers.

As outlined last year by researchers at the University of Toronto’s Citizen Lab, the agreement could give US authorities like the Federal Bureau of Investigation or the Department of Homeland Security the power to carry out real-time surveillance, including wiretaps and phone hacking in Canada, or to issue demands for data that can be obtained from sources “such as cell phone tower dumps, reverse location and keyword warrants, or digital genetic databases, just to name a few examples.”

If the deal goes ahead, US surveillance activities covered by the agreement would no longer require oversight from Canadian authorities or judges, thus relinquishing a core element of Canada’s sovereignty under international law. At a moment when Ottawa says it is rethinking the country’s dependence on American infrastructure and institutions, Bill C-22 risks binding Canada even more tightly to Trump’s surveillance state.

H ere’s how it’s supposed to work. US law enforcement is required to send surveillance requests to Ottawa for screening by officials—who then obtain approval from a Canadian court judge. The same is true in reverse when Canadian authorities want to obtain information from US-based companies.

A CLOUD Act deal changes that. The basic premise is that, in the pursuit of expediency, both countries decide to trust the other to wield surveillance powers on each other’s territory without oversight from the country’s own courts.

However, since Canada began negotiations in 2022, the legal and political landscape in the US has fundamentally changed, and the US rule of law is under serious threat. When it comes to its justice system, perhaps the most consequential recent development was the US Supreme Court’s presidential immunity ruling in 2024, which decided that the president has “exclusive authority over the investigative and prosecutorial functions of the Justice Department and its officials.” As explained by US scholar Jack Goldsmith, the ruling’s conclusion that the president wields power over criminal law investigations “that neither Congress nor the courts can touch” signals yet another major structural shift in the balance of power between the White House, Congress, and the courts.

The court’s interpretation that the president carries unreviewable “discretion” to direct US law enforcement activities only adds to a growing list of fundamental constitutional differences between Canada and the US when it comes to digital surveillance. In Canada, we still uphold the core principle that the justice system must remain free of political interference from the executive branch.

In the US, the dominoes from the Supreme Court’s ruling are toppling. The justice system is embroiled in criminal prosecutions waged based on Trump’s personal vendettas, including against a former FBI director; the administration’s weaponization of the Department of Justice alongside both mass firings and protest resignations; the FBI arrest of a sitting US court judge; the launch of a reported criminal investigation into a journalist who had covered the FBI director’s alleged use of alcohol; the laying of “baseless” charges against a legacy civil rights organization; and, as summarized in recent investigative reporting, rampant instances of the administration’s non-compliance with court orders.

Taken together with reforms designed to strip the Department of Justice of professional expertise and proposing to block accountability for misconduct by department lawyers, the changes point to a structural deterioration that will persist long after Trump leaves office.

This matters a lot when it comes to the possibility of a CLOUD Act agreement with the US. Striking a deal with the Americans would now require entrusting the US justice system—helmed by unreviewable presidential power—with authority to exercise surveillance powers on Canadian territory despite mounting warning signs. Canada will now need to reckon with the problem that the US is no longer a sound treaty partner—if it ever was one.

U nsurprisingly, Canadian public sentiment toward the US is in steep decline as relations between the two countries have markedly deteriorated. But despite the turmoil south of the border, the Canadian government has not yet signalled any reluctance to strike a deal.

To the contrary, a letter about Bill C-22 this month from Republican US congressional leaders to Canada’s minister of public safety describes CLOUD Act discussions between Canada and the US as still “ongoing.” The letter was reported elsewhere for having criticized the cybersecurity dangers of some of Bill C-22’s new proposed spy tools, but it is also notable for being one of the first public remarks from US government representatives on CLOUD Act negotiations since the US election in 2024. The letter expressed concern that an agreement had not yet been reached and put the matter in the form of a directive: “We look forward to your prompt collaboration” on the issue.

The US interest in an agreement with Canada is not surprising. Inking a CLOUD Act deal would further expand the reach of US law enforcement jurisdiction over foreign telecom operators and other foreign tech and AI companies. The deal would also further entrench US influence over international standards on transnational investigations by moving more countries to align with US surveillance laws. Canada would be the third country to sign on to a US CLOUD Act deal after the United Kingdom and Australia.

Since last summer, the US administration’s desire for the surveillance law reform now found in Bill C-22 has not been a well-kept secret. An unnamed Canadian government official—reported to have direct knowledge of trade negotiations between the US and Canada—informed Politico that the US wanted Canada to pass Bill C-22’s predecessor (Bill C-2) in order to deepen cross-border law enforcement co-operation by aligning Canada with the same surveillance “toolkit” used in the US, including intercept powers authorized under the Foreign Intelligence Surveillance Act and the Patriot Act.

According to the official at that time, the surveillance law reforms in Bill C-2 (now C-22) were one of three top issues for the US in trade negotiations. But the federal government has not provided the public or parliamentarians with an explanation about why the US is pressuring Canada to pass the surveillance reforms—reforms that have now been carried over into Bill C-22 almost a year later.

In the absence of public transparency, observers are left to read between the lines. And in those lines are signs that the US pressure and interest in seeing Bill C-22 pass very likely arises from the fact that one of the consequences of passing the legislation is that it would lay the necessary groundwork for concluding a CLOUD Act agreement between Canada and the US.

For example, as previously forecast, to enter a CLOUD Act agreement, Canada will need to expand the authority of Canadian judges issuing production orders (a court-ordered demand for information) to digital information stored outside Canada’s borders. This type of reform is now being proposed in Bill C-22.

Similarly, Bill C-22’s new proposal to create a court order that can compel subscriber information through watered-down privacy protections would also move the ball up the field toward a CLOUD Act agreement. Canadian law currently affords stronger privacy safeguards toward subscriber information than US law does. While only government officials can tell us what a CLOUD Act agreement between Canada and the US would entail, CLOUD Act agreements are generally about lifting legal restrictions that would prevent companies from disclosing data to law enforcement on the other side of the border. For example, the UK–US CLOUD Act agreement includes targeted and expedited access to subscriber information with fewer protections compared to other types of information. Other parts of Bill C-22 also overlap with additional areas where Canadian protections are stronger than those afforded under the US constitution.

In all likelihood, these areas of overlap are not incidental but part of a broader effort to harmonize Canadian law with American surveillance expectations ahead of a potential Canada–US CLOUD Act agreement. This would explain why—as noted above—government officials on both sides of the border have discussed Canada’s lawful access reforms in the context of Canada–US co-operation.

The potential for a CLOUD Act agreement with the US is a significant loose end to be hanging over the parliamentarians who are now tasked with studying Bill C-22. For example, a central criticism that scholars have raised is that the bill lowers privacy protections for law enforcement access to subscriber information. Parliamentarians may be less tuned in, however, to the fact that if Bill C-22 passes, US authorities would also become able to access subscriber information in Canada through this same lower standard—and potentially without even Canadian judicial oversight if a CLOUD Act agreement goes ahead.

Far from a theoretical concern, there are already reports of an alarming pattern of abuse of powers by US authorities to seize subscriber information behind anonymous online speech that is critical of the current US administration. Earlier this month, Wired reported that the Department of Homeland Security demanded that Google disclose the subscriber and location data of a Canadian—located in Canada—who expressed opinions against Immigration and Customs Enforcement online.

The government defends the changes in Bill C-22 on the grounds that access to subscriber information by Canadian or foreign law enforcement authorities will still be supervised by Canadian court judges. But that may no longer be the case if a CLOUD Act deal goes ahead. Moreover, inappropriate demands for subscriber information may be challenging to detect, even for the courts. For example, in the case involving the Canadian who had publicly condemned ICE killings of civilians earlier this year, the US demand for subscriber information was obscured into an investigation of a purported customs law violation.

Obscuring controversial methods is, unfortunately, not an isolated occurrence. Two weeks ago, a US court issued a ruling regarding the Department of Justice’s attempt to force a US hospital to disclose transgender youth health records under the guise of an investigation for fraud-related charges. The court expressed significant concern, noting that the department wields “immense prosecutorial authority and discretion” but that it had “proven unworthy of this trust at every point in this case.”

The department had misrepresented and withheld information from multiple courts “in an obvious effort to shield its recent investigative tactics,” had engaged in forum shopping to move to a court “that DOJ deems friendly to its political positions,” and its representatives were found to have misrepresented salient facts while under oath.

Keep in mind that these are precisely the kinds of powers Bill C-22 claims will be used responsibly.

• Trump Is Thirsty for Canada’s Water, but Our Own Gluttony Is the Bigger Threat
• Canada Is Already at War with the US—We Just Don’t Know It Yet
• Trump’s Golden Dome Is a Fantasy. Canada Could Still Be Dragged into It

A s important as the potential deal with the US would be for constitutional rights and the rule of law in Canada, a CLOUD Act agreement is also not the only issue.

When the predecessor to Bill C-22—Bill C-2, the Strong Borders Act—was introduced almost a year ago, officials from Canada’s Department of Justice had quietly acknowledged that the intent of certain provisions was to enable Canada to implement an entirely separate law enforcement data-sharing treaty from the CLOUD Act agreement—known as the “Second Additional Protocol” to the Budapest Convention on Cybercrime (or “2AP”).

Unlike the CLOUD Act’s bilateral model (Canada and the US), the 2AP is a multilateral data-sharing treaty which also attempts to expedite the speed and volume of data sharing between law enforcement agencies from any country that signs on. The 2AP has been the subject of significant criticism by human rights organizations around the world for prioritizing speed over human rights. Instead of maintaining high human rights standards, “the protocol prioritizes law enforcement access at almost every turn.”

In addition to the 2AP, Department of Justice Canada staff at the briefing on Bill C-2 also acknowledged that other cross-border “co-operation” mechanisms were foreseeable. However, the government did not provide the general public or Parliament with information about the 2AP, or any other new co-operation tools, at that time. Now that the federal government is considering Bill C-22 one year later, it has again declined to provide Parliament with clarity.

Officially, parliamentary policy requires the federal government to provide Parliament with notice and a published explanation before it can table legislation that is part of the implementation of a treaty with a foreign country. The policy is laudable for trying to better democratize Canada’s treaty-making processes. Without a clear explanation, the public and parliamentarians are left with an incomplete picture about legislation being studied—despite international treaties often carrying far-reaching consequences for the security, constitutional rights, and human rights of people in Canada and around the world.

The policy should be applied—both in full and in spirit—to Bill C-22, and both the 2AP and CLOUD Act negotiations.

According to government records obtained by Citizen Lab researchers, Canada’s Department of Justice has been aware, at least since as far back as 2022, that the Canadian government must comply with the policy in respect of a CLOUD Act deal with the US. While Canadian officials might argue that they want the law reforms in Bill C-22 regardless—either with or without a CLOUD Act deal—that doesn’t negate the need for transparency to explain the bill’s potential implications.

In other words, even if implementing foreign data-sharing treaties is only part of the purpose of the legislation, the public and parliamentarians should still have the right to know. Otherwise, Bill C-22’s “lawful access” reform will act as a means of policy laundering, which insulates controversial data-sharing frameworks from necessary public scrutiny.

At the very least, the public and parliamentarians should have the ability to understand transparently whether CLOUD Act negotiations are still moving forward and what the agreement will include. Only then can parliamentarians and the public meaningfully grapple with the consequences for the powers at issue in Bill C-22, including whether those very powers might end up in the hands of the US president and “his lawyers.”