Paper 5 in the sovereignty series. Papers 1 through 4 described the infrastructure, the costs, and the symptoms of ungovernability. This paper describes the necessary instruments.

Whose AI Runs the Government established what sovereignty exposure looks like. The cost-of-dependency paper established what it costs. The Palantir Map established what the Canadian instantiation of the exposure has produced in practice. The Palantir Staircase established that the exposure is a process with identifiable phases, and that different jurisdictions are at different points on the same curve.

Across all four papers, a pattern has emerged that neither the framework nor the Canadian case could surface on its own. The jurisdictions that resisted resisted with specific instruments. France had CNIL, the Senate, and medical professional bodies. Germany had a Federal Constitutional Court willing to hear the case. The United Kingdom has cross-party parliamentary scrutiny, an organised civil society coalition, and a legal culture willing to contest procurement decisions in public.

Canada has had none of these, in the sovereignty-specific sense the Palantir record requires. The federal Supply Arrangement was signed. The Ontario Provincial Police contract was signed. The Department of National Defence contract was disclosed five years after signing. The MacNaughton pathway produced findings under one statute and not under another, and the loophole has not been closed. There has been no Westminster Hall debate. There has been no constitutional challenge. There has been issue specific coalition work, but much of that work was interrupted by the pandemic and geopolitical turmoil.

The five instruments

Five instruments do the work of interrupting a vendor dependency before it consolidates. Each instrument maps to a phase on the staircase from the companion paper. Each has a standing test, a trigger test, a scope test, and an enforcement test. An instrument that fails any of these tests is performative; it produces reports and resolutions but does not change procurement outcomes.

Instrument 1 – A data protection authority with binding pre-procurement authority. Interrupts Phase 0, the consideration stage, before any contract is signed. The test is whether the authority can say no to a public-sector procurement and make the no stick. France’s CNIL meets this test; the arrangement that would have placed Palantir inside the Health Data Hub was stopped at the consideration stage, and the government moved to a domestic track.

Instrument 2 – A mandatory disclosure registry at the point of signing. Interrupts Phase 1 and Phase 2 by making the admission of a foreign platform vendor visible while political intervention is still cheap. The test is whether the disclosure is statutory rather than administrative, because administrative disclosure policies are waived during emergencies, which is precisely when Phase 1 crisis-entry procurement occurs. No jurisdiction in the Palantir record has a functioning statutory registry of this kind. The UK investigation by The Nerve that surfaced 34+ contracts across 10+ departments was investigative journalism doing the work a registry would do automatically.

Instrument 3 – A parliamentary standing committee on sovereign technology dependencies. Interrupts Phase 3 by creating a forum where standing agreements are surfaced and questioned before Phase 4 consolidation. The test is whether the committee has a specific mandate on platform procurement and foreign vendor exposure, rather than inheriting the topic incidentally from broader industry or privacy jurisdictions. Westminster Hall’s debate on the NHS FDP on April 20, 2026 is the kind of proceeding such a committee would produce routinely rather than as a one-off.

Instrument 4 – Judicial reviewability of platform deployment in high-stakes domains. Interrupts Phase 4 by requiring specific statutory grounding that ordinary administrative authorisation cannot supply. The test is whether the courts will hear a case that contests not the procurement itself but the deployment — the use of the platform in policing, health, or defence contexts — on sovereignty and constitutional grounds. Germany’s Federal Constitutional Court ruling on Hessen’s use of Gotham meets this test. It is the instrument of last resort, and it only works if the three earlier instruments have failed or been bypassed.

Instrument 5 – Cross-sector civil society coalitions with research capacity. Makes the other four instruments politically sustainable. The test is whether the coalition can generate sustained public pressure across news cycles, can produce primary research rather than only commentary, and can coordinate across human rights, health sector, legal, and academic constituencies. The UK’s No Palantir in the NHS coalition (Amnesty International, Privacy International, the Good Law Project, Corporate Watch, Medact, backed by public-interest legal capacity) meets this test. It is the instrument that determines whether the other four stay awake or atrophy.

What the instruments require to function

The instruments have prerequisites that are not themselves instruments but without which the instruments do not work. Naming these matters, because the failure mode of a sovereignty regime is not usually the absence of the instrument on paper. It is the presence of an instrument that has been hollowed out.

Data protection authorities require statutory independence from the government department whose procurement they are reviewing. They require binding authority, not advisory authority. They require budget and staffing sufficient to evaluate platform procurements at the technical level the vendors are operating at. A DPA that has to rely on the vendor’s own documentation to evaluate the vendor’s product is not a DPA functioning as an instrument.

Disclosure registries require legislative mandate, enforcement penalties for non-compliance, and a centralised public interface that does not require Access to Information requests to surface. They require coverage across the federal government, Crown corporations, and agencies, without the exemptions for “national security” or “commercial sensitivity” that reduce current disclosure to a checkbox. They require the disclosure to happen at signing, not on response to a written question.

Parliamentary committees require specific jurisdictional mandate over platform procurement. They require security clearances for committee researchers so that classified deployments can be examined without losing the ability to report publicly on the architecture. They require standing rather than ad hoc status, because ad hoc committees lose institutional memory between files. They require clerks and analysts with technical capacity to read procurement documents, not only legal capacity to read them.

Judicial reviewability requires legal standing for public-interest litigants, a court culture willing to hear deployment cases as distinct from procurement cases, and sufficient civil society legal infrastructure to mount the cases. It requires test litigation capacity, because the first case on any novel question is expensive and slow, and without dedicated public-interest legal organisations the instrument is theoretically available but functionally out of reach.

Civil society coalitions require sustained funding that is independent of both government and vendor sources. They require research capacity; people who can read procurement documents and technical specifications, not only people who can write op-eds. They require coordination infrastructure across sectors that are not used to working together. They require persistence through the cycles where the issue is not in the news, because the work done between news cycles is the work that produces the coalition when the news cycle returns.

These prerequisites are the difference between an instrument that exists on paper and an instrument that interrupts a procurement.

The Canadian instruments, assessed

Now the hard part. Each of the five instruments, as they currently exist in Canada, assessed against the tests.

Instrument 1: the Office of the Privacy Commissioner. The closest Canadian analogue to CNIL. The OPC has guidance authority, investigative authority after the fact, and public advocacy capacity. It does not have binding pre-procurement authority over federal departments. When a department proposes to onboard a platform through a Supply Arrangement, the OPC is not a stop; it is a voice. The Commissioner’s recent public posture reflects the limit honestly. The office is “increasingly sought after to provide guidance” to departments planning AI deployments, which is the language of an advisory body. The CNIL, by contrast, can refuse. Philippe Dufresne is an engaged commissioner. The gap is not in the office. It is in the statute. Even a fully resourced, fully alert Privacy Commissioner cannot interrupt a procurement the way the French architecture allows.

Instrument 2: the disclosure registry. Canada does not have one. The federal procurement catalogue operates in the opposite direction. The Software Licensing Supply Arrangement, by design, front-loads the political decision into Phase 1 and allows Phase 2 purchasing to proceed through simplified process that does not attract parliamentary attention. CanadaBuys contract history surfaces contracts after signing but does not cross-reference them against foreign vendor exposure, jurisdictional regime, or sovereignty risk. The $14.4M DND contract with Palantir surfaced through a written question in September 2025, five years after signing, because the system that would have surfaced it earlier does not exist. This is the largest single gap in the Canadian architecture.

Instrument 3: parliamentary committees. Canada has no standing committee on sovereign technology dependencies. The closest functional bodies are the Standing Committee on Access to Information, Privacy and Ethics (ETHI), the Standing Committee on Government Operations and Estimates (OGGO), and the Standing Committee on Industry and Technology (INDU). Each has touched adjacent questions. None has sustained a platform-procurement sovereignty inquiry at the level Westminster Hall produced on the NHS FDP. The single written question that surfaced the DND contract is the high-water mark of parliamentary engagement on Palantir specifically, and it was reactive rather than structural. The Canadian parliamentary system is capable of producing the committee; what is missing is the mandate and the specific jurisdictional focus.

Instrument 4: the courts. No Canadian court has ruled on the deployment of a commercial data-fusion platform in policing or health. The German precedent has no Canadian analogue. A Charter challenge on section 7 or section 8 grounds against a specific deployment is theoretically imaginable, the Ontario Provincial Police use of Gotham is the most obvious candidate, but no case has been brought. The instrument is available in principle and unavailable in practice, because the public-interest legal infrastructure that would carry such a case has not been assembled and funded for this purpose.

Instrument 5: civil society. This is the gap that is at once the widest and the most specific. Canada has engaged, capable organisations working in adjacent areas. The Canadian Civil Liberties Association, OpenMedia, Citizen Lab at the University of Toronto, and Amnesty International Canada each do related work. None has taken on platform procurement sovereignty as a sustained campaign in the way the UK coalition has organised around the NHS FDP.

The sustained Canadian work that most directly addresses this question has been authored by my colleague, friend and Tech Reset Canada co-founder Bianca Wylie. Bianca’s now decade-long body of work on public-sector technology procurement, from the Sidewalk Toronto work, through her research with Matthew Claudel on procurement as public value, to her ongoing writing at Digital Public and her earlier CIGI fellowship, has established the frame this paper extends to the platform-procurement case. Her Boston Review argument that “technology procurement is thus one of the largest democratic vulnerabilities that exists today” is, in structural terms, the argument the Palantir Map made in a specific vendor case. Her observation that Canadian oversight processes were “designed with the procurement of snowplows and sewers in mind” is the intellectual predecessor of the Palantir Map’s argument that the SLSA was designed for commercial software of uncontroversial character and is now being used to onboard a vendor whose CEO publishes political manifestos.

What exists, then, is a body of sustained intellectual work and a set of adjacent organisations. What does not exist is the coalition. The difference matters. A coalition is an organising structure that coordinates across sectors, funds research, generates public pressure on a consistent cadence, and carries an issue through the news cycles when the issue is not in the news. Canada has the intellectual foundation for such a coalition and has had it for nearly a decade. The coalition itself has not formed.

Sequencing: the order the instruments have to be built in

The instruments are not independent. They fail in predictable ways when implemented partially, and the pattern of partial-implementation failure is instructive.

A disclosure registry without a parliamentary committee to receive the disclosures is performative. The disclosures accumulate and nobody reads them. This is the current state of CanadaBuys contract history.

A parliamentary committee without civil society pressure to act on its reports is performative. The committee produces findings that are tabled, responded to in government statements, and archived. This is the pattern of most Canadian parliamentary committee work on digital policy questions in the last decade.

A data protection authority without statutory binding authority is advisory. The guidance is thorough, the advice is sound, the procurement proceeds anyway. This is the current state of the OPC on platform procurement.

A court challenge without civil society legal infrastructure is unavailable. The instrument exists and cannot be used. This is the current Canadian position on platform deployment.

A civil society coalition without the other four instruments to act on is exhausting and eventually demoralising. The coalition produces excellent work, generates public pressure, wins news cycles, and watches procurement proceed anyway. This is the risk for any coalition that forms in Canada in the current state of the other instruments.

The sequencing implication: the coalition and the disclosure registry have to come first, in parallel. The coalition provides the pressure that makes the registry politically possible. The registry provides the evidentiary base that makes the coalition’s work effective. Neither can wait for the other. The parliamentary committee follows, because its mandate is only defensible once the registry has produced evidence that platform procurement is a distinct category that warrants specific committee attention. The OPC’s statutory reform follows the committee, because the committee’s findings build the political case for the statutory change. The judicial instrument is last and contingent, because the courts will act when the first four instruments have either failed or been bypassed.

The 2028 deadline

The Palantir Supply Arrangement expires in July 2028. That is the forcing function. Whatever institutional reforms Canada intends to make have a deadline attached, and the deadline is known, and the window in which reforms can be initiated before the Supply Arrangement renewal is the window that exists now.

Twenty-six months is a compressed timeline for institutional reform. It is not impossible. A disclosure registry can be drafted, debated, and legislated inside twenty-six months if the political will exists. A parliamentary committee can be stood up inside six months. A civil society coalition can be organised inside twelve months if the funding is available and the intellectual foundation already exists, which in Canada it does. A statutory amendment to expand the OPC’s authority is legislatively straightforward if the government chooses to act. The judicial instrument cannot be built on this timeline, but that is acceptable because the judicial instrument is the last line, not the first.

What is not available on any timeline is the path that treats the Prime Minister’s “weakness” address as rhetorical rather than operational. The speech act committed the government to structural correction. The Supply Arrangement is the procurement reality that tests the commitment. Twenty-six months is the distance between the commitment and the test.

The parallel track: C-22 in real time

Bill C-22, the Lawful Access Act, 2026, was tabled on March 12 and is at second reading. It is the second attempt at a lawful access regime after the first attempt, buried inside the omnibus Bill C-2 border security bill, was withdrawn under civil liberties opposition. C-22 narrows some of the worst elements of its predecessor, replacing warrantless information demand powers with judicial oversight for access to subscriber information. On that specific change, the bill is improved.

What C-22 retains is more significant. Part 2 grants the government authority to require designated “core providers” to retain categories of metadata, including transmission data, for up to one year. This is mandatory metadata retention of all Canadian users of designated services, regardless of whether those users are suspected of anything, available to law enforcement and CSIS under production order, with cross-border production mechanisms for foreign requests. European courts have repeatedly struck down similar blanket retention regimes as disproportionate.

The Privacy Commissioner of Canada has no oversight role in the metadata retention regime C-22 proposes. The statute is being drafted as if the office did not exist. Instrument 1’s absence is not historical here. It is being legislated in the present tense, inside the construction of the surveillance architecture itself.
C-22 and the Palantir arc are not separate stories. A mandatory metadata retention regime produces standing data about the communications of all users of designated services. A data-fusion platform under Supply Arrangement ingests standing data. The DND contract, the OPP contract, the SLSA, and the C-22 retention regime are four components of the same architecture. They are being built in parallel, by different departments, under different statutory authorities, without the instruments that would surface the relationship between them.
Opposition to C-22 exists in scattered form. Privacy lawyers have issued bulletins. Conservative MP Jacob Mantle gave one of the few substantive opposition speeches on the bill on April 20, 2026, and the speech travelled through specialist privacy networks rather than a coordinated public campaign. One MP’s careful reading of the bill registering as news is the measure of Instrument 5’s absence.

The window to contest C-22 is the same window as the Supply Arrangement renewal. What data gets retained and who gets to fuse it are the same question separated by procurement category. Twenty-six months.

The scope of the claim

This paper is not a call for a sovereign Canadian platform competitor to Palantir. The question of whether Canada should build a domestic data-fusion capability is a separate policy question with its own analysis, and conflating it with the sovereignty-instruments question produces bad policy in both directions.

This paper is also not an industrial policy document. The argument does not turn on supporting Canadian AI firms, on procurement preferences for domestic vendors, or on restricting foreign vendor access to Canadian markets. It turns on building the institutional instruments that would allow Canada to make procurement decisions deliberately rather than by default.

Finally, this paper is not a procurement reform document in the narrow sense. The SLSA and its successor vehicles will continue to exist and to do legitimate work for commercial software of uncontroversial character. The argument is that platform procurement in sovereignty-adjacent domains (policing, health, defence, core government operations) requires a distinct governance track, not that all procurement requires reform.

The claim is narrower and more specific: the governance architecture is the upstream determinant of every downstream outcome. A Canada that builds a domestic AI industry without building the governance architecture produces a Canadian dependency rather than a Canadian capability. The instruments come first. The rest follows.

The Canadian question

The Palantir Map asked what Canada had disclosed. The Palantir Staircase asked where Canada sits on the dependency arc. This paper asks what Canada has built to hold the position it is in.

The answer is: not enough, not yet, and the agreement deadline is twenty-six months away.

None of the five instruments is fully functional in the Canadian case. The closest approximations (the OPC, the adjacent parliamentary committees, the intellectual foundation for a civil society coalition including our work at Tech Reset Canada) are real, and each is short of the standard the comparative record demonstrates is necessary. The instruments that do not exist at all: the disclosure registry, the standing committee specifically on sovereign technology dependencies, the tested judicial pathway, are buildable on a timeline that matches the Supply Arrangement’s expiry.

What the comparative record demonstrates is that the jurisdictions which resisted did not do so because they were lucky, or because they were constitutionally advantaged, or because their vendors were different. They resisted because the specific instruments were awake. The instruments were awake because they had been built and funded and staffed and given statutory standing, over years, before the moment they were needed.

Canada has the time to build them. The question is whether the commitment the Prime Minister made on April 19, 2026 extends to the procurement reality that tests it along with the near-term legislative calendar, or whether the commitment ends at the speech.

Jennifer Evans is the principal of Pattern Pulse AI and a cofounder of Tech Reset Canada.

Sources and cited work: Bianca Wylie and Matthew Claudel, “Technology procurement: Shaping future public value” (Community Solutions Network Research Briefs, 2021); Bianca Wylie, “In Toronto, Google’s Attempt to Privatize Government Fails — For Now” (Boston Review, 2022); Office of the Privacy Commissioner of Canada annual report 2024-25; OPC Submission to ISED consultation on a renewed AI strategy (October 2025); ISED, “Engagements on Canada’s Next AI Strategy: Summary of Inputs” (February 2026); Government of Canada, Digital Sovereignty Framework (November 2025); Canadian Bar Association submission to ISED consultation on AI strategy; public record on the French Health Data Hub decision (2019-2020); German Federal Constitutional Court ruling on Hessen police use of Gotham (February 2023); The Register on the Westminster Hall debate on the NHS Federated Data Platform (20 April 2026); The Logic, CBC, and CanadaBuys records on Palantir’s Canadian contracts (2019-2025); Office of the Conflict of Interest and Ethics Commissioner Order on David MacNaughton (September 2020); Office of the Commissioner of Lobbying Investigation Report on David MacNaughton (March 2021). Disclosure: the author is a co-founder of Tech Reset Canada (2017).