Who Will Inherit These Tools? Canada's Architecture of Digital and Financial Control

By Mimi Lee

Canada is quietly building the legal and technical foundations of a managed internet — not through the blunt instruments of traditional censorship, but through a constellation of "safety," "modernization," and "security" bills that collectively expand state power over data, infrastructure, money, culture, and news. Each bill, taken alone, can be defended as a response to a real policy problem. But together, they form a pattern: a democratic system accumulating the tools of digital and financial control that future governments could easily weaponize. The question is no longer whether today's leaders intend to abuse these powers. It's whether any government should ever possess them.

The shift began with cultural regulation. Bill C‑11, the Online Streaming Act, gave the Canadian Radio‑television and Telecommunications Commission (CRTC) authority to shape what Canadians see by requiring platforms to promote "Canadian content" — a category defined by bureaucratic criteria rather than audience interest. Bill C‑18, the Online News Act, attempted to force platforms to pay Canadian news outlets for linking to their content. When Meta responded by blocking news entirely, the result wasn't a stronger press ecosystem but a fragmented information landscape where the state's regulatory reach collided with platform realities. These bills were framed as cultural protectionism, but their effect was to insert the federal government deeper into the mechanics of online visibility and distribution.

Then came the data layer. Bill C‑27 — a sweeping privacy, data, and AI reform package — would have centralized control over how personal information is collected, processed, and governed, and would have given the federal government broad discretion to define what constitutes "high‑impact" AI systems and how they must be regulated. The bill died on the Order Paper when Parliament was prorogued in January 2025 and was not revived in the new Parliament. Its stated goals were reasonable: protect privacy, ensure responsible AI, modernize outdated laws. But the architecture it would have created, in which the state becomes the ultimate arbiter of data flows and algorithmic governance, remains a live possibility if similar legislation returns.

Bill C‑26 died on the Order Paper when Parliament was prorogued in January 2025. The government reintroduced the same cybersecurity framework as Bill C‑8, which has since received Royal Assent, and deepens this trajectory. As a Centre for International Governance Innovation (CIGI) analysis noted of the original C‑26 proposal, the Critical Cyber Systems Protection Act allows the government to issue secret cybersecurity directives to private infrastructure operators, who may be legally prohibited from disclosing that such orders exist. The article argued that this "opts for secrecy over security," creating broad, undefined powers with no independent oversight. These measures may be justified as necessary for national security, but they also normalize a model where essential infrastructure can be quietly directed by the state. When directives are secret and unreviewable, the public cannot assess whether they enhance security or simply expand executive control. Separately, several VPN providers, including NordVPN and Windscribe, have publicly warned that Bill C‑22, the Lawful Access Act introduced in March 2026, could force them to leave the Canadian market if it compels them to weaken encryption or retain user data.

Financial systems are being reshaped as well. The government's 2026 Spring Economic Update announced a ban on crypto ATMs, citing fraud and money laundering concerns. As of writing, implementing legislation has been promised but not yet tabled. Separately, Bill C‑25 would ban political parties and candidates from accepting cryptocurrency donations. Combined with broader anti‑money‑laundering reforms, these measures are pushing more financial activity back into bank‑mediated channels where every transaction is monitored, logged, and reportable. These measures are often justified as tools to combat fraud, terrorism financing, or foreign interference. Yet they also consolidate financial visibility and control in the hands of institutions that are tightly integrated with federal regulatory frameworks. When cashless systems become the norm and alternative rails are constrained, financial privacy becomes a historical artifact.

The national security layer completes the picture. Bill C‑70, passed in 2024, strengthens Canada's ability to investigate and respond to foreign interference by introducing new offences, modernizing intelligence‑sharing authorities, and creating transparency requirements for foreign influence activities. These measures address real gaps identified through years of public reporting and inquiry work. At the same time, like any national‑security framework, they expand the state's capacity to scrutinize political activity, advocacy, and cross‑border engagement through a security lens. The intent is protective, but the structural reality is that enhanced powers can be interpreted differently by future governments. The challenge is ensuring that the safeguards, oversight mechanisms, and democratic norms surrounding these tools remain strong enough to prevent their use drifting beyond their original purpose.

None of these bills, on their own, constitute authoritarianism. Canada is not becoming China. There is no Great Firewall, no centralized propaganda bureau, no mass censorship apparatus. But that comparison misses the point. Modern democratic control rarely looks like its twentieth‑century predecessors. It emerges instead through layers of regulation, infrastructure, and compliance — each justified by a different policy goal, each expanding the state's leverage over digital and financial life.

The real risk is structural. When governments build systems that can shape what people see, track how they transact, direct how infrastructure operates, and govern how data flows, they are building tools that can be repurposed. These powers are being built and expanded by the same government that has been in office for more than a decade, which means this isn't a case of one administration inheriting another's tools — it is a continuous accumulation of authority over time. The concern is not about sudden shifts in intent, but about the structural reality that once these systems exist, they can be interpreted, applied, or expanded in ways that go far beyond their original purpose. The risk is baked into the architecture itself, not into any single moment or political transition.

This is what some readers describe as the "risk of digital weaponization." It's an accurate phrase. It captures the idea that the danger lies not in current intentions but in future possibilities. A democratic system can accumulate powers that are entirely compatible with authoritarian uses, even if it seems no one in power today intends to use them that way.

For diaspora and exile communities, these structural shifts carry an additional layer of risk. Many newcomers, activists, and families with ties to authoritarian states already navigate the fear of transnational repression — monitoring, intimidation, or pressure that crosses borders through digital channels. When domestic systems expand state visibility into online speech, financial activity, encrypted communication, or cross‑border engagement, the line between "safety regulation" and "surveillance infrastructure" becomes harder to distinguish. Even if Canada's current government has no intention of targeting diaspora communities, the architecture being built could make those communities more vulnerable if a future administration interprets political advocacy, cultural organizing, or overseas communication through a security lens. For people who have fled censorship or state monitoring, the concern is not abstract: it is whether the digital tools of their new home could one day resemble the ones they escaped.

The challenge for Canada is to recognize this trajectory before it becomes irreversible. Transparency, oversight, and sunset clauses can help. So can public debate that looks beyond the immediate policy problem and asks a deeper question: "What kind of digital state are we building, and who will inherit it?" Because once the tools exist, the only real safeguard is the character of the people who wield them — and history shows that is the least reliable safeguard of all.

Next
Next

Refusing to Stay Silent: Petition e‑2835 and Canada's Reckoning with Foreign Interference