Wednesday, May 20, 2026
Canadian AI Sovereignty Paper 12: A 2024 Bill C-22 Meets the 2026 Mythos Threat

What Bill C-22 Was Designed For, What It Now Walks Into, and What Has to Change Before It Passes

By Jen Evans, Principal, Pattern Pulse AI; co-founder, Tech Reset Canada; publisher, B2BNN

Paper 12 in the “Whose AI Runs the Government?” series.

———

Experts including Michael Geist and industry including Signal have already identified Bill C-22 as a privacy, security, and market-access problem. Geist has also, on a separate track at his Law Bytes podcast, treated Claude Mythos and Project Glasswing as a frontier AI governance crisis. The April 20, 2026 episode with Jason Millar walked through Mythos, the Glasswing coordination architecture, the AI security versus AI safety distinction, and the question of what governments should be doing in response. Both files are open. They have not yet been placed on top of each other.

The synthesis is straightforward to state and consequential in its implications. Canada is considering lawful access obligations at the same moment AI systems are compressing the time between vulnerability discovery, exploit development, and operational use by roughly two orders of magnitude. The bill was drafted against a threat environment in which adversaries operated at human speed, compliance systems could be hardened on human-review cycles, the breach signal surfaced through normal disclosure pathways, and the data the bill mandates into existence would flow into Canadian processing infrastructure that Canada controlled. None of those four conditions hold in May 2026. The bill is not irrelevant. The investigative purposes it serves – child exploitation networks, organized crime, foreign intelligence operations, terrorism – remain real. The architecture chosen to advance those purposes has been overtaken by the environment it would enter.

This paper argues that the standard privacy-frame opposition to C-22 concedes more than it defends, and that the available defensible objection is architectural rather than constitutional. A user whose communications already flow through Palantir-class access at the federal data layer, through ODIT-class vendor tools at the device layer, through CLOUD Act-exposed compute at every layer of the procured Canadian sovereign stack, and through application-embedded AI agents that have collapsed the encryption guarantee at the OS layer, is not meaningfully protected by an argument that resists Canadian government access at the metadata layer. The data the bill mandates retention of is data already being collected, retained, processed, and accessed at every layer underneath it. The case against C-22 that holds is architectural survivability. The bill builds new attack surfaces on top of existing exposures, in a threat environment where the attack rate runs two orders of magnitude ahead of the patching rate, without any of the defensive instruments that would make the resulting architecture survivable. The amendments that follow from this objection are surgical, available at SECU committee, and consistent with the bill’s stated policy goals.

Anthropic’s original six-month proliferation horizon has compressed to three to five months on Palo Alto Networks’ May 13, 2026 estimate, with the Klarich blog post on frontier AI defense as the citable source. The Zhipu GLM-5.1 release in April 2026 established near-parity capability under MIT license on Huawei Ascend hardware, fully outside US export-control reach. The GTG-1002 campaign Anthropic disclosed in November 2025 ran 80 to 90 percent of operations autonomously through Claude Code against intelligence-grade targets. The window is not approaching. The capability has been operational in adversary hands for over a year. Bill C-22 is being legislated into that environment. Mythos is the Shinkansen coming at the bill on a track Canada has already built but is not standing on.

What the Bill Says

The Lawful Access Act, 2026 was tabled by Public Safety Minister Gary Anandasangaree on March 12, 2026, after the previous effort in Bill C-2 collapsed at committee under expert opposition. The same day, in a coincidence that becomes load-bearing later in this paper, Palantir and NVIDIA announced their joint Sovereign AI Operating System Reference Architecture, the productized infrastructure layer through which the data this bill mandates into existence is structurally designed to be processed.

The bill passed Second Reading in the House of Commons on April 20, 2026 and is at SECU committee.

Part 1 narrowed one element of the previous bill. The warrantless information demand that could be issued to “any person who provides services to the public” was replaced with a confirmation-of-service demand limited to telecommunications service providers, with subscriber information now subject to a judicial production order. The standard for that production order is set at “reasonable grounds to suspect,” the lowest investigative threshold in Canadian criminal law and a departure from the “reasonable grounds to believe” standard that has governed general production orders for the past decade. The structural retreat from warrantless access was real. The threshold for the warrant-equivalent that replaced it was set at the floor.

Part 2 is where the architecture lives. The Supporting Authorized Access to Information Act creates a regulatory regime for electronic service providers, defined in the bill as any person providing an electronic service to persons in Canada or carrying on business activities in Canada, with “electronic service” defined to cover the creation, recording, storage, processing, or transmission of information by any technological means. The definition is broad enough that, as Geist puts it, a law professor might be an ESP. Public Safety has signalled the intent is to capture traditional telcos, internet service providers, cloud computing providers, social media platforms, and online game services.

Within that universe, the bill creates two regulatory tiers. ESPs in general carry an obligation to provide all reasonable assistance for the assessment or testing of any device that may enable authorized access. “Core providers,” to be designated by regulation, face the full capability-building regime: developing, implementing, assessing, testing, and maintaining technical capabilities to extract and organize information authorized to be accessed, and installing and maintaining the devices and equipment that enable that access.

Three additional provisions complete the architecture. Mandatory metadata retention requires designated providers to retain detailed metadata for up to one year, a provision added to C-22 after C-2’s collapse rather than retained from it. Ministerial orders allow Public Safety to compel specific technical capability development outside the regulatory designation process. The secrecy obligation prohibits providers from disclosing the existence of specific orders, including to the users whose communications are subject to them.

What Industry and Experts Are Saying

The substantive case against the bill on the public record is led by Geist, whose two-headed monster framing is the cleanest available reading: mandatory metadata retention as the direct privacy harm, and the technical capability mandate as the indirect harm working through the architecture of the services themselves. The international jurisprudence Geist points to is the strongest single argument on the privacy side. The Court of Justice of the European Union has repeatedly struck down general and indiscriminate data retention regimes as inconsistent with the Charter of Fundamental Rights. Germany’s Federal Constitutional Court has reached similar conclusions. The Charter Statement accompanying C-22 engages with none of this. The Supreme Court of Canada jurisprudence in Spencer and Bykovets points in the same direction. The bill’s Charter analysis does not reach it.

The services most affected have responded on the record. Signal’s Vice President of Strategy Udbhav Tiwari has stated the company would rather pull out of Canada than be compelled to compromise on its privacy promises. Windscribe, the Toronto-headquartered VPN provider, said it would relocate its headquarters out of Canada. NordVPN warned it would consider following. Apple and Meta have raised public concerns about the bill’s effect on encryption and cybersecurity. The Canadian Chamber of Commerce, the Cybersecurity Advisors Network, the Canadian Civil Liberties Association, CIPPIC, and a long line of legal and security experts have called for changes.

On May 8, 2026, the chairs of the U.S. House Judiciary Committee (Jim Jordan) and Foreign Affairs Committee (Brian Mast) wrote to Public Safety Minister Anandasangaree warning that the bill threatens U.S. national security and the integrity of cross-border data flows, and that it could compel American companies to create backdoors and architectural changes that bypass or weaken encryption. The National Security and Intelligence Review Agency, the bill’s own oversight body, has told the SECU committee it lacks the access it would need to conduct the oversight the bill assigns to it.

The expert case is correct. It also stops at the threat environment of 2024. The bill is being written into the threat environment of 2026 forward, and the architecture being objected to on privacy grounds is being layered on top of architectures that have already, practically, all but conceded the privacy ground at every layer underneath it.

The Ontario Case That Was Already the Future

This series has documented how Canadian AI procurement and implementation is well ahead of the country’s much-delayed strategy. The Ontario Joint Technical Assistance Centre case is the live operational demonstration.

On May 19 and 20, 2026, reporting in the Toronto Star, The Deep Dive, and Ontario regional outlets disclosed the operational architecture of a program called the Joint Technical Assistance Centre, or JTAC. JTAC is a provincial unit pooled across six Ontario police services, led by the OPP and funded by the province. It operates a program of on-device investigative tools the police call ODITs: spyware deployed against target phones and computers with the capacity to download photos, read encrypted messages, record keystrokes, and remotely activate microphones and cameras without the device owner’s knowledge.

The vendor JTAC sources from is classified. Citizen Lab has reported a possible technical link to Paragon Solutions, an Israeli surveillance firm that markets a product called Graphite. The classification is so tightly enforced that Ontario police forces have signed agreements committing to abandon major prosecutions rather than disclose the vendor’s name in court. A Crown filing in Windsor Superior Court documents that the Crown may walk away from prosecutions in an active auto-theft case, the same one that produced 23 arrests and $9 million in recovered vehicles, rather than reveal the ODIT vendor and capabilities under defense challenge. Federal prosecutors have refused to release more than 140 related documents, citing Section 37 of the Canada Evidence Act. The Ontario Information and Privacy Commissioner has confirmed that none of the named police services consulted the office before acquiring the tools.

This is C-22 in operational preview. The architecture the federal bill would mandate at provider scale, the JTAC program already runs at provincial police scale. The secrecy obligation that C-22 writes into statute, the JTAC vendor agreements have already operationalized at the procurement contract layer. The Charter scrutiny that has not been applied to C-22’s regime is now being applied, retroactively, to the JTAC regime through defense challenges in active proceedings. The Crown’s response is to drop the prosecutions rather than submit the architecture to constitutional review.

The structural question C-22 is being legislated into and the structural question the JTAC case is now testing in court are the same question. The C-22 secrecy obligation would extend the JTAC architecture to every designated electronic service provider in Canada, on a statutory basis, with the same vendor opacity and the same Charter exposure now metastasizing through the Ontario Superior Court. The 627 Ontario court rulings between 2015 and May 2025 documenting more than 1,000 police Charter violations, released by Sunil Gurmukh and co-authors in March 2026, are the baseline track record of how surveillance authority operates in practice in this jurisdiction. The JTAC case is the leading edge. C-22 is the federal version, written for a threat environment the JTAC case has not yet reached.

The reasonable reader of C-22 has to assume the JTAC pattern is what compliance looks like under the bill in practice. Classified vendors. Undisclosed procurement. Operational secrecy that collapses prosecutions rather than discloses the architecture. Charter challenges arriving years after deployment. A privacy commissioner monitoring rather than authorizing. This is the regime C-22 would extend nationally. The Ontario case is the live demonstration.

What Mythos and Other AI of Its Kind Can Do

On April 8, 2026, Anthropic announced Project Glasswing and disclosed the model anchoring it. Claude Mythos Preview is a frontier model that, in pre-announcement red-team testing, identified thousands of high-severity zero-day vulnerabilities across widely deployed software, including a previously unknown OpenBSD flaw that had survived 27 years of expert human review. The FreeBSD NFS remote code execution vulnerability, CVE-2026-4747, is the crown jewel disclosed in the Mythos announcement: a 17-year-old bug fully autonomously identified and then exploited, giving an unauthenticated attacker remote code execution. The model can chain independent bugs into working exploit sequences that bypass renderer and OS sandboxing autonomously. According to Anthropic’s own characterization, Mythos surpasses all but the most skilled human security experts at finding and exploiting software vulnerabilities. The model has not been generally released. Anthropic has stated the reason is the offensive cybersecurity capability of the model itself.

One disclosed metric carries most of the weight. Fewer than 1 percent of the vulnerabilities Mythos found had been patched at the time of the Glasswing announcement, on Anthropic’s own reporting. Discovery is running ahead of remediation by roughly two orders of magnitude.

The proliferation framing has compressed since the original announcement. Anthropic’s initial six-month estimate, published in early April, was revised to three to five months in the Palo Alto Networks blog post by CTO Lee Klarich on May 13, 2026. Palo Alto’s internal testing ran Mythos and OpenAI’s GPT-5.5-Cyber against the company’s own products. Three weeks of model-based analysis produced coverage equivalent to a year of manual penetration testing. The time from initial access to data exfiltration in AI-supported scenarios collapses to roughly twenty-five minutes. The Zhipu GLM-5.1 release in April 2026 established near-parity capability under MIT license on Huawei Ascend hardware, fully outside US export-control reach. The UK AI Security Institute’s Expert-tier cyber evaluation, published May 1, 2026, scored GPT-5.5 at 71.4 percent, Mythos Preview at 68.6 percent, and Opus 4.7 at 48.6 percent. The capability the Glasswing window was constructed to defend against is already globally distributed and operational in adversary hands. The GTG-1002 campaign, a China-linked intrusion operation Anthropic disclosed in November 2025, used Claude Code as its operational backbone with 80 to 90 percent of operations executed autonomously across reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, and data exfiltration.

This is the Shinkansen headed for the legislation. The C-22 debate is being conducted as if the bill enters a regulatory environment where the principal threats are the actors the bill was written to surveil: organized crime, foreign intelligence, domestic terrorism, child exploitation networks. Those threats remain real. They are not the threats the compliance architecture proposed by C-22 is most exposed to. The threats the compliance architecture is most exposed to are agentic adversaries operating on a capability curve the bill’s drafters have not engaged with.

Meredith Whittaker, CEO and founder of Signal, in her Davos 2026 remarks and subsequent Globe and Mail interview, articulated the structural argument the C-22 debate needs to absorb. Encryption remains mathematically sound. Its real-world protections are increasingly bypassed by the privileged position AI systems occupy inside modern user environments. AI agents integrated into operating systems collapse what Whittaker called the blood-brain barrier between applications and the OS. Once that boundary is crossed, individual applications can no longer guarantee privacy on their own. The barrier for hackers and hostile nation states is no longer the encrypted layer at the application level. It is the agentic layer beneath it, which has system-level access by design.

The C-22 architecture sits directly underneath that agentic layer. The metadata retention store holding a year of detailed records, the technical interception capability that extracts and organizes authorized communications on demand, the assistance-and-testing function that grants external access to the devices and equipment used to deliver a service: each is software, running on infrastructure, exposed to networks, sitting beneath the application layer where the encryption guarantees would otherwise operate. The agentic adversary the Mythos curve produces is not constrained by the human-review cycle that has historically governed how fast new compliance systems get audited and patched. The window between “compliance system deployed” and “compliance system mapped by an agentic adversary” is measured against the same three-to-five-month proliferation curve Palo Alto has now documented, not against the regulatory implementation calendar of C-22.

The secrecy obligation is the structural multiplier. A user whose data is held in a metadata retention store cannot be told whether their data has been accessed under a specific order. A provider whose interception capability has been compromised cannot disclose the compromise without violating the secrecy provision in the bill. The breach detection signal that would normally surface in a public security disclosure is, by statute, suppressed. This is the JTAC pattern, federalized.

The metadata retention regime concentrates the target. The technical capability mandate builds the access path. The secrecy obligation suppresses the breach signal. Each is an independent vulnerability. The combination is the architecture an agentic adversary would design if granted regulatory authority to specify the conditions of its own attack.

The Implications: Metadata, Personal Privacy, and the Palantir Stack Canada Already Built

The Sovereign AI Architecture for Canada paper this series published in March 2026 mapped four chains describing how Canadian AI procurement actually flows. Chain 1, marketed as sovereign AI compute, runs from NVIDIA’s California-designed GPUs through TSMC fabrication in Taiwan to CoreWeave operating compute in New Jersey, with Cohere running its Canadian model on CoreWeave’s American infrastructure, ending at the Government of Canada processing citizen data. Three of five links are foreign-controlled. The $240 million federal investment in Cohere bought a Canadian label on American infrastructure. Chain 2, federal cloud operations, runs Microsoft Azure into CRA, IRCC, and Shared Services Canada with Azure Canada itself operating in US-owned data centres under CLOUD Act jurisdiction. Chain 3, the SAP-Cohere chain into RBC, Bell, and federal agencies, returns to CoreWeave as the same compute node it occupied in Chain 1: two “sovereign” chains, one American operator. Chain 4, the hypothetical sovereign stack with six of seven links Canadian-controlled, is the aspiration the procurement record does not match.

Paper 4 in this series documented the Palantir architecture sitting underneath all of this. The Supply Arrangement mechanism, the MacNaughton lobbying record, the five-jurisdiction map, and the July 2028 expiry as the forcing function were the structural facts. On March 12, 2026, the exact day C-22 was tabled, Palantir and NVIDIA announced their joint Sovereign AI Operating System Reference Architecture, productizing the integration layer between NVIDIA Blackwell Ultra hardware and Palantir’s full software suite: AIP, Foundry, Apollo, Rubix, and AIP Hub. The architecture is marketed for customers with existing GPU infrastructure, latency-sensitive workflows, data sovereignty requirements, and high geographic distribution. It is, by design, the turnkey integration layer for governments processing sensitive citizen data through an integrated American AI operating system. The product launched the same day Canada tabled the bill that would feed it.

The C-22 compliance architecture stacks directly on top of this pre-existing federal data infrastructure. A Canadian user whose metadata is retained under SAAIA for up to a year sits inside a stack that already routes federal data processing through Palantir-class access at the operating-system layer, on NVIDIA hardware, through CoreWeave compute, on Microsoft Azure, with Cohere as the Canadian-labelled application veneer. The bill does not create the foreign-access exposure. The bill concentrates the data, extends the access pathways, and suppresses the disclosure that would otherwise constrain the resulting flow. The federal data layer Palantir has procurement-level access to is the layer where law enforcement and CSIS requests under C-22 ultimately resolve. The provincial sovereignty gap documented in Paper 3 is the layer where provincial compliance with C-22 will be patchy and contested. The JTAC architecture is the operational template at the provincial police layer for how this kind of regime actually operates in practice.

The user sits in the middle of a stack with five compounding exposures. Their metadata held for a year at the provider layer under SAAIA, accessible under the “reasonable grounds to suspect” production order threshold or ministerial action to law enforcement and CSIS. Their underlying communications subject to the JTAC-style ODIT pattern at the device layer, with classified vendors operating under Crown agreements that drop prosecutions rather than disclose the architecture. Federal processing of resulting data through a foreign-controlled AI operating system Palantir productized and sells as sovereign. Compute infrastructure operating under CLOUD Act jurisdiction at every layer of the Canadian sovereign stack as documented in the four-chains paper. And a statutory secrecy obligation that prevents the provider, the user, or the public from learning that any of this has occurred.

The C-22 architecture does not create any of these exposures alone. It concentrates the data, extends the access, and suppresses the disclosure. The cumulative exposure is the architectural fact the existing debate is not assembling into a single picture. Geist’s two heads of the monster are accurate. The third head is the foreign-controlled processing stack the metadata flows into once retained. The fourth, demonstrated live in Ontario this week, is the operational template for how Canadian state surveillance authority handles disclosure of its own architecture: by collapsing prosecutions rather than submitting the architecture to constitutional review.

This is the architecture the standard privacy-frame opposition to C-22 has not been able to address. The argument that Canadians should resist Canadian government access at the metadata layer presumes the data is currently private. It is not. The privacy ground has already been conceded at every layer underneath the metadata layer the bill addresses. Application-embedded AI agents have crossed the OS barrier. Device-layer ODIT vendors are operating under Crown agreements that collapse prosecutions rather than disclose their architecture. Federal data processing routes through American sovereign-AI operating systems sold as turnkey integrations. CLOUD Act jurisdiction reaches every layer of the Canadian compute stack. The case against C-22 that holds is not that the bill compromises privacy that currently exists. It is that the bill builds new attack surfaces on top of an architecture in which privacy has already been operationally lost, without any of the defensive instruments that would make the resulting stack survivable in the threat environment the architecture actually faces.

The Fact Canada Is Not at the Glasswing Table

Paper 11 established the defensive deficit at sharp resolution. Project Glasswing provides twelve launch partners and more than 40 additional organizations with controlled access to Mythos Preview at $25 per million input tokens and $125 per million output tokens. The launch partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The European Union has been granted access to OpenAI’s GPT-5.5-Cyber through the EU AI Office under a separate framework. The Financial Stability Board and the Bank of England are running parallel briefings on financial-system defense.

No Canadian government agency, no Canadian critical infrastructure operator, and no Canadian cybersecurity firm appears in the published Glasswing partner list. The Communications Security Establishment is not a Glasswing partner of public record. CSIS is not. The RCMP is not. ISED is not. PSPC is not. No Canadian provincial cybersecurity authority is. No Canadian-headquartered cybersecurity firm is. Five Eyes intelligence-sharing arrangements give CSE channel access to frontier model threat intelligence that non-Five-Eyes Glasswing partners may not have. What that downstream channel access provides at the operational layer for industry, provincial deployment, and the broader critical infrastructure surface is not publicly specified. Five Eyes access does not give Canadian critical infrastructure operators access to Mythos. It does not give Canadian cybersecurity firms participation in partner coordination. It does not give Canadian provincial authorities a seat in the room where critical infrastructure protection priorities are set.

C-22 enters into force in this absence. The federal government is legislating a compliance architecture into Canadian services on the same proliferation clock during which it has not procured, partnered into, or built the defensive capability that would let those services detect, respond to, or remediate against the threat curve the architecture is most exposed to. The bill is being written as if the threat environment of the next decade will be governed by the law enforcement requests of the last one. The threat environment of the next decade will be governed by capability that has already proliferated, on hardware that is not under Western export control, in operational use by adversary actors at scale.

The expert case Geist has built is accurate. It is also the floor. The ceiling is the architectural cost of legislating a compliance regime into a Mythos-era threat environment without any of the defensive instruments that would make the regime survivable, on top of a federal data stack already procured to foreign operators, with a provincial police architecture already demonstrating that the secrecy operating model collapses prosecutions rather than submitting to Charter review.

Canada Cannot Build a Glasswing. Canada Can Negotiate a Seat at the One That Exists.

The clear answer on whether Canada can build a Glasswing counterpart in the window the bill enters is no. Glasswing is the controlled deployment of a frontier model whose general release Anthropic has determined is unsafe. Canada does not have a frontier model. The Canada Strong Fund pointed at frontier capability development on a ten-to-twenty-year timeline is the Paper 11 generative answer, and it may be the right sovereignty answer for the next decade. It is not the answer for the next three to five months.

What Canada can build inside the window is not a Glasswing counterpart. It is Canadian access to coordination architectures that already exist, on terms the critical minerals position makes negotiable. Three instruments, all operationally available before the CUSMA review opens July 1.

The CUSMA Article 19.16 reciprocity ask Paper 11 framed is the first instrument. Canada has the critical minerals leverage. The US AI hardware stack runs on inputs Canada supplies and no other Western partner can supply at scale. The ask is not access to Mythos as a model. The ask is participation in the Glasswing architecture for Canadian critical infrastructure operators, Canadian provincial cybersecurity authorities, and CSE-cleared Canadian-headquartered cybersecurity firms on terms that include threat intelligence sharing beyond Five Eyes channels, audit access, and capability-sharing into Canadian remediation systems. The architecture exists. The negotiating instrument exists. The political will to frame the leverage as leverage is what Paper 11 documented as the missing piece.

A domestic remediation capability is the second instrument. The Mythos discovery rate runs two orders of magnitude ahead of patching. The Glasswing partners are the organizations capable of patching at the rate Mythos discovers. CSE has some of this capability at the federal level. Canadian utilities, provincial health systems, municipalities, and the broader critical infrastructure surface Bill C-8 names do not have it at the operational scale the threat curve requires. Australia has built an analog through its Cyber Security Strategy. The UK has it through the NCSC. A federally funded sectoral remediation capability across the critical infrastructure layer is buildable inside the window. It is not a frontier-model build. It is the operational layer that consumes frontier-model threat intelligence and turns it into patched systems.

The third instrument is formal Canadian participation in the OpenAI/EU AI Office framework, which is a separate architecture from Glasswing and which Canada is also outside. If the Glasswing negotiation is hard, the EU-equivalent negotiation may be easier and gives Canada a second venue. The instrument is straightforward: Canada formally requests inclusion in the EU AI Office’s frontier model access framework as a third-country participant on terms equivalent to what the EU has secured for itself.

None of these is a frontier-model build. All three are operationally available inside the window. None has been activated. The C-22 architecture is being legislated into the country before any of them are.

What Has to Be Amended Before the Bill Passes

The bill is at SECU committee. The amendments that would mitigate the worst of the exposure are available in clause-by-clause committee work. None of them require withdrawal and reintroduction. None of them require abandoning the policy goal the bill was written to advance. All of them are consistent with the international jurisprudence the Charter Statement has not engaged with.

Narrowing the definition of ESP to exclude end-to-end encrypted services, no-log VPN providers, and device manufacturers would remove the architectural categories where the compliance burden is structurally incompatible with the underlying service. This is the amendment that would keep Signal, Windscribe, NordVPN, and the broader privacy-protective service layer in the Canadian market. Signal’s position through Vice President of Strategy Udbhav Tiwari is on the record: the company would rather pull out of Canada than be compelled to compromise on its privacy promises. The exit threat is operational.

Removing the mandatory metadata retention provision would eliminate the concentration risk that makes the architecture an attractive target. The provision was added to C-22 after C-2’s collapse and is not load-bearing for the law enforcement use cases the bill articulates. Production orders under the existing framework continue to reach data that providers retain in the normal course. The argument for mandatory retention is the argument for ensuring the data exists when an order arrives. The cost of that guarantee is the year-long honeypot the existing debate has documented, sitting on top of a federal processing stack already procured to operators outside Canadian jurisdiction.

Modifying the secrecy obligation to permit structural disclosure of the compliance architecture while preserving operational secrecy on specific orders would restore the breach signal. The provider should not be able to disclose that a specific user is under investigation. The provider should be able to disclose, and required to disclose, that a compliance system has been compromised, on a timeline that permits remediation across the industry. The JTAC case is the operational warning of what happens when the secrecy operating model is allowed to absorb both layers: the Crown drops the prosecution rather than disclose the architecture. C-22 in its current form would make that pattern the default federal posture.

Aligning the production-order threshold with the “reasonable grounds to believe” standard would close the constitutional exposure the lower threshold creates. The international jurisprudence and the Supreme Court of Canada cases point at the same standard. The Charter Statement does not engage with this. The committee amendment is straightforward.

These four amendments are the floor. They do not, on their own, make the C-22 architecture survivable in a Mythos-era threat environment. They reduce the worst of the exposure. The defensive instruments that would make the resulting regime survivable have to be built in parallel, and the four-part defensive package Paper 11 specified is the available frame: a published Canadian national security framework for AI deployment in federal departments and agencies before the CUSMA review opens July 1; the capability-sharing reciprocity ask at CUSMA Article 19.16 backed by the critical minerals position; a procurement architecture that distinguishes capability-building from operational tool procurement from infrastructure hosting from equity investment; and a procedural framework that allows federal policy to operate at the speed of the capability environment. The compliance architecture C-22 mandates is the test case for whether any of these instruments actually exist in operational form.

The provincial governments should treat the JTAC case as the leading constitutional indicator and act on it. The Ontario Information and Privacy Commissioner’s current posture of monitoring rather than authorizing is the regulatory failure the JTAC architecture has already exploited. A provincial sovereignty backstop for compliance-adjacent procurement, including the on-device tools the JTAC program operates and any equivalent capabilities at other provincial police services, is the threshold instrument. The Crown’s willingness to drop prosecutions rather than disclose vendor architecture is not a sustainable governing posture for a constitutional democracy. The federal government should not be legislating C-22 into a country where the provincial demonstration of its own architecture is collapsing under Charter challenge.

The Track Canada Has Not Stepped Onto

The Shinkansen does not stop. The three-to-five-month window Palo Alto has now documented does not pause for legislative review. The compliance architecture C-22 mandates would enter into force in a threat environment that has already arrived, on top of a federal data stack already procured to foreign operators, with a provincial police architecture already demonstrating that the secrecy operating model fails its first contact with the Charter. The bill could pass. The architecture could be built. The window will close on the same schedule either way. The cost of governing the architecture rises with every month between now and the proliferation horizon. The cost of governing the country after the architecture is in production, the window has closed, and the Charter challenges have begun arriving at the federal scale the JTAC case is currently demonstrating at the provincial scale, is the question this paper exists to put on the record before that becomes the only question available.

Canada has built one track in the right direction. The Canada Strong Fund exists. The critical minerals leverage is real. The CUSMA window opens July 1. The instruments to negotiate inclusion in the coordination architecture already operating around frontier model defense are available. The choice that has not been made is whether to point any of those instruments at the architecture C-22 is about to make permanent. Geist has both files open. The synthesis is available. The amendments are surgical. The Shinkansen is on the other track. Canada is not on either one yet.

———

Paper 12 in the “Whose AI Runs the Government?” series. Previous papers: Paper 1 on the Sovereign AI Maturity Model, Paper 2 on the inverted AI bubble, Paper 3 on dependency triggers and cost layers, Paper 4 on Palantir exposure, Paper 5 on safety drift, Paper 6 on architecture restructuring, Paper 7 on grid sovereignty and Project Glasswing, Paper 8 on the coordination architecture, Paper 11 on capital following capability. Sovereign AI Architecture for Canada: A Visual Walkthrough, published March 2026.

Jennifer Evans
https://www.b2bnn.com
principal, @patternpulseai. author, THE CEO GUIDE TO INDUSTRY AI. former chair @technationCA, founder @b2bnewsnetwork #basicincome activist. Machine learning since 2009.