Canada Keeps Sabotaging Its Own Digital Sovereignty

Canada should know better.

That's the part that makes the past few weeks of digital policy discourse so frustrating. This is not a country without technical memory. Canada has been home to serious telecommunications engineering, security software, cryptography, mobile infrastructure, privacy law, artificial intelligence research, and some of the best computer science institutions in the world. The knowledge is here. The people are here. The institutions are here.

What's missing is the willingness to listen to them.

Kitchener-Waterloo alone should make Canada impossible to dismiss as a country that doesn't understand software. The University of Waterloo is one of the strongest computer science schools on the planet. In the 2026 QS subject rankings, the University of Waterloo placed 27th in the world for computer science (a position it shares with the University of British Columbia). Waterloo's coop program is the world's leader, with more than 8000 employers in more than 70 countries. Waterloo doesn't just produce papers, it's producing people who go directly into the systems, platforms, infrastructure, and companies that shape the digital world.

Research In Motion is personal for me in a way that is hard to separate from Kitchener-Waterloo itself. I grew up in Kitchener. I remember driving through Waterloo and being surrounded by RIM buildings. Many of my classmates in school had parents who worked there. In a very real sense, I grew up in the shadow of Canadian tech.

My own father briefly worked at RIM and once met CEO Jim Balsillie. Years later, in a Globe and Mail article about Waterloo during RIM’s decline, he described the company’s troubles plainly: “It’s sad. They have contributed a lot to this community.”

That's the part that is easy to miss from outside the region. RIM was not only a phone company. It was part of the local geography. It shaped jobs, buildings, philanthropy, housing, and the ordinary civic atmosphere of Kitchener-Waterloo. BlackBerry’s secure communications legacy matters technically, but RIM’s presence in Waterloo also matters because it showed what Canadian digital capacity looked like when it was rooted in a place.

And while Waterloo may be the top, it is far from alone. The University of Toronto, UBC, McGill, Université de Montréal, Alberta, Ottawa, Carleton, and others form a serious national base of computer science and engineering talent. Times Higher Education’s 2026 Canadian computer science rankings place Toronto 22nd globally, Waterloo 41st, Université de Montréal 52nd, UBC 57th, and McGill 74th.

The same holds true geographically. Canada has a handful of places that should, in theory, make the country punch well above its weight in digital policy. Waterloo has the talent pipeline. Toronto and Montréal have deep AI, privacy, finance, platform, and research ecosystems. Vancouver has cloud infrastructure, gaming, and cross-border west coast technical talent. Waterloo, UBC, McGill, and the University of Toronto give Canada globally recognized academic depth. This is not a country short on people who can explain how digital systems behave when the law touches them.

And maybe this is just the University of Ottawa grad in me, but Ottawa is arguably one of the more interesting places on this map.

It sits at the intersection of technical memory and public power. The federal government is there. Parliament is there. The regulators are there. The institutions are there. The policy schools, legal community, national-security apparatus, telecommunications history, and procurement machinery are there. And just outside Ottawa sits Kanata North, one of the clearest reminders that Canada once had an enormous telecommunications-industrial base.

Canada's largest technology park didn't just appear out of nowhere. Its lineage runs through Computing Devices Canada, Bell Northern Research, Nortel, Mitel, and Corel. Even when Nortel collapsed, the expertise didn't just vanish. Many of its people remained in the area. They joined other companies, became entrepreneurs, and helped Ottawa earn the title of "Silicon Valley North".

Ottawa is not just a national capital that happens to have some tech nearby. It is a capital beside a deep reservoir of telecommunications and infrastructure expertise. It has the people who write policy close to the people who understand networks. It has lawyers, regulators, engineers, security specialists, civil servants, researchers, and industry veterans in the same region. In theory, that should make Canada unusually capable of building world-class digital policy.

The tragedy, as it unfortunately often is, is that Canada has almost all of the ingredients. It has the schools. It has the talent. It has the security history. It has the telecom memory. It has the policy institutions. It has the legal expertise. It has the companies. It has the civil society groups. It has enough people who understand exactly how these systems fail. And yet, file after file, Canada chooses to ignore them.

Sovereignty is not control

The desire for digital sovereignty isn't the problem. Arguably, it makes more sense now than it did even just a few years ago.

Canada's dependence on American digital infrastructure has always been politically awkward. But the recent tensions between Canada and the United States have made it harder to treat that dependence as harmless convenience. If most of Canada's cloud services, office software, social networks, search engines, mobile operating systems, app stores, advertising systems, content distribution networks, and AI infrastructure are controlled by American companies, then Canadian digital dependence is also geopolitical dependence. An article by Policy Options put it bluntly:

Much of Canadian digital communications infrastructure is under the control of U.S. companies and thus potentially the U.S. government. In the Trump 2.0 era, this raises critical economic, political and national security concerns.

So, the instinct behind a push for digital sovereignty is not wrong. It's entirely reasonable for Canada to want more domestic capacity, more control over its critical infrastructure, more resilience against foreign pressure, and less dependence on companies and legal systems outside Canadian control. A middle power living beside an increasingly aggressive superpower would be foolish not to think about this.

"Middle powers must act together because if you are not at the table, you are on the menu." - Prime Minister Mark Carney, World Economic Forum Annual Meeting, Davos, January 20, 2026

The mistake is what Ottawa seems to think sovereignty means. Canada keeps acting as if sovereignty is the ability to assert jurisdiction. If it can compel a provider, it calls that sovereignty. If it can tax a platform, mandate a contribution, order retention, block a site, regulate a service, or require an identity check, it calls that sovereignty.

But control is not the same thing as sovereignty. Control is the ability to issue a demand. Sovereignty is the ability to make that demand survive contact with reality.

That distinction matters because digital systems do not become trustworthy just because a law tells them to behave. Infrastructure has architecture. Cryptography has constraints. Platforms have incentives. Companies have exit options. Trade partners have retaliation tools. Users have trust thresholds. Domestic firms have limited capital. Small providers have compliance limits. Every digital policy touches a system that can respond in ways the law did not intend.

The federal government already knows the right words. Canada's Digital Charter says that Canadians must be able to trust that their personal information is protected, that their data won't be misused, and that organizations clearly communicate with users. It then states:

This trust is the foundation on which our digital and data-driven economy will be built.

Ottawa wrote this sentence, and then immediately forgot it.

Canada’s National Cyber Security Strategy similarly frames cybersecurity as central to Canada’s digital future, saying the strategy is meant to help secure that future in partnership with provinces, territories, Indigenous communities, industry, and academia.

Today, it is abundantly clear that to safely advance Canada's digital and clean economy, to protect our democracy and our day-to-day livelihoods, and to ensure our future economic prosperity, cyber security must be a fundamental building block of our country's national security, economic security, and public safety.

The government’s AI strategy consultation also identified sovereignty, sustainability, public benefit, safe AI systems, and public trust as key themes. None of these are bad aspirations. They're exactly the right aspirations for a country in Canada's position. But, if trust is the foundation, then digital sovereignty cannot be built through policies that make trust harder to maintain.

A country cannot build digital sovereignty by making secure systems legally uncertain. It cannot build digital sovereignty by treating data minimization as an obstacle to law enforcement. It cannot build digital sovereignty by forcing sensitive online activity through identity-checking infrastructure. It cannot build digital sovereignty by creating trade liabilities and then backing down once another country notices. It cannot build digital sovereignty by publishing AI ambitions while leaving privacy law, procurement, compute, security, competition, and public-sector adoption in a half-built state.

Real digital sovereignty requires resilient infrastructure. Not just data centres with Canadian addresses, but systems that can withstand outages, attacks, dependency shocks, supply-chain pressure, foreign legal demands, and policy instability. The Government of Canada’s own public-cloud white paper acknowledges that cloud adoption raises data sovereignty, residency, and security risks, even as federal IT policy has been shaped around a cloud-first approach.

It requires trusted law. People and companies need to know that the legal environment protects secure design, privacy, due process, and basic constitutional limits. If the law is vague, secretive, or technically careless, it becomes part of the threat model.

It requires technical credibility. Governments don't need to become engineering teams, but they do need to understand enough to know when a proposed legal power conflicts with how secure systems actually work. A statute can authorize a result. It cannot repeal the engineering consequences of achieving that result.

It requires trade awareness. Canada is not the United States. It cannot assume that every platform, vendor, trading partner, or multinational company will simply absorb a Canadian rule because Ottawa has announced it. A middle power has to know where it has leverage and where it's creating exposure.

It requires geopolitical realism. Canada has to assume that foreign governments, especially the United States, may use trade, market access, legal demands, and industrial pressure to protect their own firms and strategic interests. Digital sovereignty cannot be built on the fantasy that Canada can simply announce a policy and the most powerful country on Earth will politely absorb the consequences.

It requires user trust. Digital sovereignty is meaningless if Canadians do not trust Canadian systems. A domestic platform that people believe is less private, less secure, or more exposed to state access is not sovereign in any meaningful sense. It is merely local.

And it requires credible domestic capacity. Sovereignty cannot just mean forcing foreign companies to comply. It has to mean building enough Canadian capability that there are real alternatives: cloud capacity, AI compute, cybersecurity talent, public-sector technical competence, privacy-preserving infrastructure, procurement discipline, and firms that can scale without being crushed by the very compliance burdens the government creates.

Bill C-22: mistaking access for capability

I've already written a fair bit about Bill C-22, because frankly, I'm angry about it. The point here though is narrower: Bill C-22 is one example of a larger Canadian digital-policy failure. It shows Ottawa mistaking legal authority for safe technical capability.

The government’s stated goal is not necessarily absurd. Police and intelligence agencies do need lawful tools to investigate serious crime and threats to national security. Digital systems have changed how evidence is stored, transmitted, deleted, encrypted, and hidden. A country cannot simply pretend that the investigative environment of the 1990s still exists.

The question around C-22 isn't "should lawful access exist?" It already does. The question is whether the state can demand access in ways that risk the security of the systems being accessed. That's where Bill C-22 becomes genuinely dangerous.

A warrant can authorize access to information. It cannot make the information exist. A production order can compel disclosure of data a provider has. It cannot safely conjure data the provider deliberately does not collect. A law can say police are entitled to evidence. It cannot repeal the security consequences of forcing systems to preserve access paths.

A government can authorize access, but it cannot legislate away the security consequences of building access paths. That's the line Bill C-22 keeps blurring. The bill states providers aren't required to introduce a "systemic vulnerability", but then in the same breath allows technical capability requirements, access-enabling equipment, metadata retention, and secret ministerial orders.

That's why Apple, Meta, Google, Signal, VPN providers, privacy lawyers, and civil liberties groups are alarmed. They aren't simply asking whether lawful access should exist. They are asking what systems will have to become in order to comply.

Google’s brief to SECU made the institutional problem especially clear. Existing Canadian law already allows law enforcement to seek court orders requiring reasonable assistance with warrants. Bill C-22 would move far more power into executive hands, including secret orders requiring providers to create or maintain technical capacity for access.

• Part 2 of Bill C-22 also gives the Minister of Public Safety sweeping powers to issue secret orders mandating providers to create or maintain the technical capacity to facilitate data interception and retrieval (“Ministerial Orders”) (ss. 7-13). Providers are permanently prohibited from disclosing the contents of Ministerial Orders, the fact that they are subject to one, or any information related to vulnerabilities created by a Ministerial Order.

• The Ministerial Order framework is unnecessary. In Canada, authorized law enforcement may already apply to the courts for an order to provide reasonable assistance in giving effect to a warrant, which may in turn be accompanied by non-disclosure provisions, if appropriate. Critically, the existing framework is subject to judicial oversight. As written, C-22 would replace this effective, balanced and transparent regime with broad executive powers, in the absence of a compelling basis or rationale for such a fundamental overhaul.

This is not just an abstract concern about foreign tech companies trying to avoid Canadian law. Some of the most important warnings are coming from exactly the kind of companies a digitally sovereign Canada should want to keep.

Tailscale, a Canadian-founded secure networking company, put the problem in almost perfect terms. Its VPN does not inspect customer traffic, does not log browsing activity, and does not have the keys needed to decrypt what its relay servers carry. That isn't a feature it can casually disable by flipping a flag. It's how the product is built. As Tailscale wrote, Bill C-22 risks turning “data minimization from a security virtue into a compliance problem.”

There’s a big difference between preserving data for a specific investigation and requiring providers to collect or retain data in bulk because it might be useful later. The first can be targeted and accountable. The second changes the design incentives for every service in scope.

Once a law requires a company to retain more metadata, the company now has a new database. That database needs access controls, audit logs, backups, operators, retention systems, legal processes, and incident response plans. It becomes part of the attack surface. It becomes a temptation for theft or misuse.

The safest database is the one you never created.

Windscribe, another Canadian privacy company, made the point even more bluntly:

We won't be far behind if C-22 passes. In its current state, VPNs would almost certainly require us to log identifying user data. Signal isn't headquartered in Canada so they can just shut off Canadian servers, but our HQ is. We pay an ungodly amount of taxes to this corrupt government, and in return they want to destroy the entire essence of our service to basically spy on its own citizens. Not happening. We'll move HQ and take our taxes elsewhere.

That is a remarkable failure. A country that wants trusted domestic infrastructure should want companies like Tailscale or Windscribe. It should want companies that collect less data, hold fewer keys, reduce attack surfaces, and build systems where even the provider has limited access. Those are not the companies Canadian law should be pushing into uncertainty. These are the companies Canada should be able to hold up as part of its digital-sovereignty story.

Canada's AI strategy: mistaking ambition for capacity

Canada’s AI strategy should be one of the strongest parts of its digital sovereignty agenda. The country has a real claim here. Canada wasn't just a spectator in the development of modern AI. It has world-renowned researchers, globally respected universities, strong research clusters, and a long history of public investment in the field. If any middle power should be able to build a credible democratic AI strategy, Canada should be near the top of that list.

AI leadership, though, requires more than an "AI strategy". It depends on capacity. It depends on compute. It depends on energy. It depends on adoption trust. It depends on public-sector technical literacy. It depends on companies believing Canada is a stable, serious, technically literate place to build and deploy systems.

That's where Canada's AI ambitions are already in trouble. The government's own consultation record admits the infrastructure gap:

Canada faces significant gaps in AI infrastructure

with respondents calling for a roadmap focused on sovereign, sustainable, public-benefit infrastructure. The government’s Sovereign AI Compute Strategy is a partial answer to this, with up to $700 million intended to support domestic compute capacity and help safeguard Canadian data and intellectual property. It's an important investment, a necessary one, but compute alone is not capacity.

A sovereign data centre does not fix weak privacy law. A public supercomputer does not fix poor procurement. A compute fund doesn't fix regulatory instability. A national AI strategy doesn't create public trust if the rest of the government is simultaneously normalizing surveillance, identity checks, rushed lawful-access powers, and trade fights that make digital investment in Canada feel unpredictable.

That was the contradiction Canadian digital policy expert Michael Geist pointed at when he argued Canada's AI strategy is set to fail before it even launches. As he put it:

Canada cannot become an AI leader while it builds a reputation for poorly conceived policies that threaten security, make internet services uneconomic and raise new barriers to the very adoption the strategy is meant to encourage.

People already distrust AI systems. People definitely will not trust AI systems if they believe the surrounding legal environment is careless with privacy. Companies will hesitate to build in Canada if lawful-access rules create uncertainty around encryption and data minimization. Public institutions will struggle to deploy AI responsibly if procurement treats technical capacity as something that can be purchased after policy is already decided. Researchers and startups will struggle if sovereign compute exists on paper but access remains scarce, expensive, or captured by large incumbents.

And ordinary Canadians will not be reassured by a government that says “AI for all” while floating age-verification and identity-checking ideas that could turn broad access to online services into another place where people must prove who they are.

A serious Canadian AI strategy would start from the premise that trust is infrastructure. Privacy law is infrastructure. Public-sector competence is infrastructure. Procurement discipline is infrastructure. Clear liability rules are infrastructure. Secure cloud capacity is infrastructure. Interoperability, auditability, data governance, and competition policy are all infrastructure. Instead, Ottawa too often treats AI as an adoption campaign with some guardrails attached.

Canada does not yet need another ambitious strategy document that says the country will lead in responsible AI. It needs the boring machinery that makes leadership plausible. It needs a privacy regime people can trust. It needs public institutions that can buy and evaluate technology intelligently. It needs domestic compute that researchers and companies can actually use. It needs rules that protect secure systems instead of making them legally uncertain. It needs child-safety policy that does not quietly become identity infrastructure. It needs a trade-aware digital policy that does not keep triggering predictable backlash and retreat.

Canada’s AI strategy risks becoming ambition without the capacity to back it up.

And ambition without capacity is not sovereignty. It's a press release waiting to be disappointed.

Streaming and the Digital Services Tax: mistaking assertion for leverage

The same mistake appears again in Canada’s fights over streaming and digital taxation.

Both of these files start from legitimate concerns. Canadian culture matters. Francophone Canadian content matters. Indigenous content matters. Local news, documentary work, children’s programming, independent production, and the simple ability of Canadians to see themselves reflected in their own media all matter.

The reality is that Canada lives beside the most powerful cultural machine in human history. The United States doesn't merely export products. It exports stories, accents, politics, celebrities, platforms, formats, assumptions, and a shared default reality that can swallow smaller countries whole without anyone needing to plan it. English Canada in particular exists in the shadow of a cultural juggernaut that speaks largely the same language, dominates the same platforms, and can flood the zone with more money, more content, and more global attention than Canadian creators can reasonably match.

So the instinct behind CanCon is not ridiculous. It is not embarrassing. It's not some quaint nationalist relic from the broadcast era. It is a recognition that markets alone will not reliably preserve Canadian cultural space when the neighbouring market is enormous, wealthy, aggressive, and globally dominant.

The problem isn't that Canada wants to protect its cultural identity. The problem is that cultural sovereignty still has to be implemented competently.

The CRTC’s online streaming decision is the clearest example. In 2024, the CRTC created a 5% base contribution requirement for certain online streaming services. In May 2026, it went much further, setting the Canadian programming expenditure requirement for online streaming services at 15%, including that earlier 5% base contribution. The regulator described the framework as part of a modernized system for Canadian and Indigenous programming. The policy goal was cultural. The instrument was financial. The consequences were predictable.

Experts immediately raised the alarm. In a blog post from Geist, he argued that the ruling created serious trade exposure for Canada under CUSMA, with Canada potentially relying on the cultural exemption while giving the United States the right to retaliate with measures of equivalent commercial effect, putting Canada at risk of hundreds of millions in retaliatory tariffs.

Within a matter of weeks, the federal government was ordering the CRTC to review its decision after pressure from the Motion Picture Association and the US ambassador, with trade talks between Canada and the United States in the background. A sovereign cultural policy shouldn't have to be unwound almost immediately because the trade and affordability consequences were too obvious to ignore.

This mirrored the Digital Services Tax. Similarly, Canada had a reasonable underlying complaint. Digital giants earn substantial revenue in Canada, and traditional tax systems have struggled to capture value created through users, data, advertising, platforms, and marketplaces. The Canadian Digital Services Tax applied a 3% tax to certain digital services revenue from Canadian users above the relevant threshold, and it was designed to apply retroactively.

Then, the completely predictable thing happened. The United States suspended trade negotiations with Canada over the tax. Canada announced it would rescind the Digital Services Tax, halt collection, and bring forward legislation to repeal the Act in order to advance broader trade negotiations.

The streaming decision and the Digital Services Tax belong together because they show the same failure from different angles. In both cases, Ottawa identified a real problem. In both cases, the policy goal was defensible. In both cases, the execution underestimated how foreign firms and foreign governments would respond. And in both cases, Canada’s eventual position looked weaker because the government had asserted control without first establishing leverage.

Age verification: mistaking safety for identity infrastructure

Age verification is another place where Ottawa appears to be mistaking a legitimate goal for a safe mechanism. The legitimate goal is obvious. Children should not be abandoned online. They should not be pushed into adult content by platforms, recommendation systems, advertising incentives, search results, or services designed with no serious regard for age, vulnerability, or consent. A country is allowed to care about that. It arguably should care about that.

Bill S-209 is framed as a bill to restrict young people’s access to online pornography. It makes it an offence for organizations to make pornographic material available to young persons on the Internet, and allows an enforcement authority to take steps to prevent that material from being made available in Canada. The bill creates a defence only where the organization implemented a prescribed age-verification or age-estimation method. It also contemplates Federal Court orders requiring Internet service providers to prevent access, and even acknowledges that such orders may have the effect of blocking access to material other than the targeted pornographic material.

All noble goals, but not without serious risk. Once the law requires people to prove they are old enough before accessing online content, the question immediately becomes: prove it to whom, using what system, with what data, retained where, audited by whom, and usable for what else later?

Age verification can mean checking government ID. Age estimation can mean biometric or AI-based inference. Age assurance can involve third-party credential systems, device-level checks, tokens, accounts, facial analysis, or other mechanisms that may be more or less privacy-protective depending on implementation. The point is that there is no single harmless thing called “age verification.” There are systems, and those systems all have failure modes.

If age checks become a standard condition for accessing broad categories of online material, then Canada is not merely keeping minors away from pornography. It is helping build a web where adults increasingly have to identify, verify, estimate, or credential themselves before they can read, search, post, watch, or communicate. And that's a massive architectural change.

It changes the web from a space where access is often anonymous or pseudonymous by default into one where access can depend on passing through an identity layer. Once that layer exists, it will not necessarily remain politically confined to the first use case. The same infrastructure built for pornography can be demanded for gambling, alcohol, cannabis, social media, violent content, health information, dating apps, app stores, AI chatbots, or anything else a future government decides is harmful to minors.

A Canadian law, passed in the name of protecting children, may push Canadians toward third-party identity and age-verification services, potentially outside Canada, so they can access lawful online content. That is an astonishing result for a country claiming to care about digital sovereignty.

The institutional pattern

The same institutional failure keeps appearing. Ottawa identifies a real problem:

Police investigations are real. Law enforcement does need lawful access to evidence in serious cases. Child safety is real. Children should not be abandoned to platforms, content systems, and recommendation engines that were not designed with their interests in mind. AI capacity is real. Canada cannot simply watch the next industrial platform form elsewhere and hope research prestige will carry it through. Canadian culture is real. A country should care about whether its stories, languages, news, and artists can survive in a platform-dominated media environment. Tax fairness is real. The largest digital companies should not be able to extract revenue from Canadian markets while escaping meaningful public obligations.

These are all real problems for a government to solve. The issue is not that Ottawa cares about the wrong things. The issue is that it keeps reaching for frameworks that ignore how digital systems behave.

Bill C-22 takes the real problem of lawful access and drifts toward a framework that may make secure architecture legally uncertain. Age verification takes the real problem of child safety and risks building identity infrastructure into ordinary access to the web. The AI strategy takes the real problem of national capacity and risks treating ambition as if it were infrastructure. The streaming fight takes the real problem of Canadian cultural production and turns it into a trade and affordability problem. The Digital Services Tax took the real problem of tax fairness and produced a predictable confrontation that Canada ultimately retreated from.

The problem isn't just that the policies are controversial. The problem is the downstream effects were entirely predictable. If you require providers to retain data, some systems will become less secure. If you create secret technical-access powers, companies that sell privacy and security will warn that they cannot operate under them. If you impose broad age-verification duties, the issue will not remain “children and pornography.” It will become identity, privacy, blocking, scope creep, and who controls the credential layer of the web. If you create expensive obligations for streaming services, some of those costs will be passed to consumers, challenged in court, or turned into trade pressure. If you tax American digital companies unilaterally, the United States may retaliate. If you release an AI strategy while the rest of your digital policy stack is unstable, privacy-invasive, trade-exposed, and legally uncertain, builders will notice.

None of this requires prophecy. It simply requires you to listen. That's the part Ottawa seems worst at. The institutional habit is to treat technical, legal, trade, and civil-liberties warnings as stakeholder noise. A company objects, so it must be protecting its business model. A civil liberties group objects, so it must be absolutist. A privacy lawyer objects, so it must be legal caution. A security engineer objects, so it must be implementation detail. A trade expert objects, so it must be pessimism. A platform threatens to leave, so it must be bluffing.

Sometimes those motives are definitely real. Companies are self-interested. Advocacy groups have priors. Lawyers are cautious. Engineers can be narrow and strongly-opinionated. Trade experts can be conservative. Platforms can posture.

But a warning doesn't become false just because the person giving it has interests. Apple can be self-interested and right about encryption. Signal can be uncompromising and right about secure messaging. Privacy lawyers can be severe and right about constitutional risk. Civil society groups can be ideological and right about overbreadth.

The government’s job is not to sort every critic into a dismissible category. Its job is to ask whether the warning is true. Too often, the warning is treated as something to manage after the bill has already become politically committed. That's frankly, a really backwards way to approach policy. In digital policy specifically, the implementation details are not minor details. They are the policy.

A metadata-retention power isn't a drafting footnote. It changes what providers must keep. A secret technical order is not merely an investigative tool. It changes how infrastructure may be governed. An age-verification requirement is not just a content rule. It changes how people access the web. A streaming contribution formula is not just cultural policy. It changes pricing, investment, trade exposure, and market behaviour. An AI strategy is not just a strategy. It depends on compute, privacy, procurement, energy, security, data governance, and trust.

Ottawa seems to keep legislating as if digital systems are passive. They are not. Companies route around risk. Users lose trust. Small firms avoid markets. Large incumbents absorb compliance costs and become stronger. Foreign governments retaliate. Courts intervene. Security architectures change. Data gets retained because the law made deletion risky. Identity systems appear because a safety rule required proof. Public institutions buy tools they don't fully understand because adoption targets came before capacity.

That's how bad digital policy compounds. One file creates a trust problem. Another creates a trade problem. Another creates an identity platform. Another creates a compliance problem. Each one is defended in isolation as narrow, necessary, and manageable. Together, they form the operating environment in which Canadian digital systems have to exist.

That's why "digital sovereignty" can't just be a campaign slogan attached to individual announcements. It requires institutional discipline. It requires the government to see the whole stack: law, infrastructure, markets, security, trade, privacy, competition, public-sector capacity, and user trust. It requires asking not only “what power do we want?” but “what system will this create?” It requires understanding that control can reduce sovereignty when it drives away capacity, weakens trust, or increases dependence on larger foreign firms that can survive the compliance burden.

The real scandal isn't that Ottawa gets every file wrong. It doesn't. The scandal is that the same mistakes keep recurring across files that should have taught each other something.

The Online News Act should have taught Ottawa that platforms have exit options.

The Digital Services Tax should have taught Ottawa that digital policy is trade policy.

The CRTC's streaming ruling should have taught Ottawa that cultural policy still has to survive affordability, market, and trade reality.

Bill C-22 should teach Ottawa that lawful authority is not the same as safe architecture.

Age verification should teach Ottawa that child-safety policy can become identity infrastructure.

The AI strategy should teach Ottawa that ambition is meaningless without capacity and trust.

The lessons are all here. The question is whether the institution can learn them before the next bill, mandate, levy, framework, or strategy repeats the same mistake under a different name.

What digital sovereignty would actually require

Canada does not need to abandon its digital sovereignty ambitions. It needs to become serious about them.

That means treating digital sovereignty as more than the ability to assert jurisdiction over foreign companies. It's not enough to compel, tax, mandate, block, regulate, or require. Those are tools. They are not a strategy. Used badly, they can make Canada less sovereign by weakening trust, increasing dependence on large foreign incumbents, driving away domestic firms, creating trade exposure, or building privacy-invasive infrastructure that Canadians have no reason to trust.

Real digital sovereignty starts from a different premise. One that treats secure systems as national assets. Strong encryption should not be seen as a law enforcement obstacle to be worked around. Data minimization should not be treated as suspicious. No-logs architecture should not become a compliance defect. Systems where provider access does not exist by design should be recognized as part of Canada’s security posture, not as an inconvenience for future access demands.

A country that wants trustworthy digital infrastructure should want companies that collect less data, hold fewer keys, and reduce attack surfaces. It should want Canadian companies like Tailscale and Windscribe to stay here, build here, pay taxes here, hire here, and contribute to a domestic security ecosystem. It should not put them in the position of wondering whether Canadian law will make their core security promises impossible to keep.

Real digital sovereignty would also require better law. Not just more law. Better law.

Law that is narrow where it touches digital rights. Law that is technically literate when it touches architecture. Law that uses courts and independent oversight where state power is intrusive. Law that understands the difference between targeted access to existing evidence and broad obligations to preserve future access. Law that does not hide major infrastructure-shaping powers behind secrecy and then ask the public to trust that nothing important will happen. If trust is the foundation of the digital economy, then the law itself has to be trustworthy.

Real digital sovereignty would require public-sector competence. Canada cannot govern digital systems well if the public sector lacks the internal capacity to understand what it is buying, regulating, mandating, or deploying. A government that cannot evaluate technical claims becomes dependent on vendors. A government that cannot retain technical talent becomes dependent on consultants. A government that treats implementation as someone else’s problem will keep discovering that the implementation was the policy all along. The people who understand systems need to be in the room before policy hardens, not called as witnesses after the government has already decided what it wants the bill to mean.

Real digital sovereignty would require trade competence. Canada is a middle power. It lives beside the United States. As much as we'd like to, we cannot pretend otherwise. That doesn't mean surrendering every policy choice to American pressure. It means understanding leverage before picking the fight.

A digital services tax, a streaming levy, an app-store rule, a cloud policy, a data-localization requirement, or a platform obligation doesn't exist in a domestic vacuum. These are also trade policies, industrial policies, and geopolitical signals. If Canada wants to regulate powerful foreign companies, it needs rules that can survive retaliation, litigation, market response, and consumer impact.

Real digital sovereignty would require humility.

This may be the hardest part. Ottawa needs to stop treating expert criticism as something to be categorized and managed. A warning from Apple is not automatically false because Apple has interests. A warning from Signal is not automatically extreme because Signal is uncompromising. A warning from privacy lawyers is not automatically procedural caution. A warning from engineers is not merely implementation detail. A warning from civil society is not automatically activism. A warning from trade experts is not defeatism. Every critic has interests. The question is whether the criticism is true.

That's the discipline Canada keeps failing to show. It identifies a real problem, reaches for power, dismisses predictable objections, and then discovers that the system responds. Providers threaten to leave. Platforms block links. Trade partners retaliate. Costs rise. Courts get involved. Trust declines. Compliance burdens strengthen incumbents. Identity infrastructure expands. Secure systems become legally uncertain. Then everyone acts surprised.

Canada can't keep governing digital systems this way. It has too much talent for that. It has too much history for that. Waterloo, Toronto, UBC, McGill, Montréal, Ottawa, Vancouver, Kanata North, OpenBSD, BlackBerry, Nortel’s ghost, Canadian privacy law, civil society, security engineers, AI researchers, telecom veterans, cloud infrastructure people, and open-source contributors all point to the same uncomfortable fact.

Canada has enough knowledge to do better. To know better. To be better.

Canada keeps saying it wants digital sovereignty.

Maybe we should start acting like we understand what that really means.