Privacy Versus Power

On June 18^th, 2025, the federal government quietly dropped a legislative thunderclap: Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. On paper, it promises to shield Canadians from surging cyberattacks by making our infrastructure more resilient. In the undercurrent of the policy, a more intimate question stirs; how much control should we hand over to be kept safe?

This is a reshaping of the boundaries between: government, business, and personal privacy. If a law this powerful passes largely unnoticed, what else could slip by under the banner of “national security”?

The Bill in brief

Bill C-8 has two engines driving its overhaul:

• Telecommunications Act Amendments
  These give federal ministers sweeping powers to direct telecom companies. From banning certain suppliers to ordering the removal of existing equipment (without compensation) the state is positioned as the ultimate referee on who gets to play in Canada’s digital networks. Non-compliance carries heavy penalties, not just for corporations, but for individual executives.

• Critical Cyber Systems Protection Act (CCSPA)
  This applies directly to operators in “critical sectors:” banking, energy, telecommunications, transportation, and more. The rules include mandatory cybersecurity programs, incident reporting, Canadian data retention, and compliance with government instruction. Fines can go as high as $15 million per day for corporations and $1 million for individuals.

At first glance, it reads like a logical response to rising cyber threats, but when you examine the psychological and economic ripple effects, another story comes into focus.

The hidden weight on small and medium businesses

While SMEs aren’t the direct targets of the bill, they are uniquely vulnerable to its aftershocks:

• Supply-chain compliance pressure
  If you’re a small IT consultant, logistics provider, or contractor tied into critical infrastructure, your larger clients may demand that you step up to Bill C-8 standards, even if you’re not designated as “critical.”
• Financial strain
  Cybersecurity upgrades aren’t cheap. Adding new encryption systems, monitoring tools, compliance audits, and in-house staff can overwhelm smaller budgets. For many SMEs, this shifts cybersecurity from a “good-to-have” into a survival-level requirement.

• Legal exposure
  With the bill carrying steep fines and risk of criminal liability for executives, even indirect involvement in a regulated sector could expose businesses to higher legal and insurance costs.

For African Caribbean Canadian entrepreneurs (many of whom operate small and medium-sized businesses in fields connected to larger supply chains) the stakes are amplified. These are businesses already navigating systemic barriers to: capital, growth, and contracts. Now, they must also navigate compliance mandates shaped for banks and telecom giants, not family-owned operations.

Government power vs. citizens’ privacy

This is where Canada finds itself in a delicate tension. The bill assumes national security must take priority over individual transparency, and autonomy. That sounds reasonable, until you pause on what these new powers entail:

• Information access and sharing: Regulators can access confidential data and share it both domestically and internationally.
• Intrusive inspections: Officials can enter corporate premises, audit records, and issue binding orders with minimal judicial oversight.
• No guaranteed compensation: If your equipment, or suppliers are banned by government order, you absorb the financial hit.

The danger is that once laws build a precedent for such expansive oversight, it becomes far easier to widen their scope. Today the focus is “critical systems.” Tomorrow it could quietly extend to more sectors of the economy, or even personal technologies in households.

The emotional undercurrent: What Canadians fear

Behind every law is an unspoken psychological contract between people and state. Bill C-8 forces Canadians (especially racialized and marginalized communities already wary of surveillance) to ask, “What does safety cost when it comes through control?”

Citizens remember lessons from other moments in history when “temporary” powers became permanent. Will my personal information, or my business’s operational details, now flow through government systems without my consent? With enforcement shrouded by confidentiality clauses, how do we know decisions aren’t politically motivated?

For communities like African Caribbean Canadians, already navigating disproportionate scrutiny, systemic barriers, and heightened policing, the risks of expanded surveillance feel particularly acute. This fear is part of our historical muscle memory.

Why national security still matters

Yet, we must also face a contrasting truth; cyber threats in 2025 are real, escalating, and targeted. In just the last five years:

• Canadian hospitals have been crippled by ransomware, delaying urgent surgeries.
• Hydro utilities reported attempted international cyber breaches.
• Entire municipalities had their digital services paralyzed, from permits to policing.

The argument for Bill C-8 is simple; without protective legal frameworks, the damage of one national-level cyberattack could dwarf concerns about convenience, or compliance costs.

Open questions that remain (The Cliffhanger)

• Who truly gets to define what “critical” means?
• How will transparency be ensured when confidentiality clauses prevent public scrutiny?
• Will SMEs find government support to handle compliance, or will survival depend only on who has the deepest pockets?
• Perhaps most importantly, once the door is opened for expanded executive power, what guarantees it will ever be closed?

These unanswered questions are where the public conversation needs to live; in our collective negotiation between safety and freedom.

Toward common ground

What if we imagine different approaches? A framework where:

• Privacy by design is woven into enforcement powers, so that security gains do not mean personal loss.
• Tiered compliance standards are created, ensuring SMEs face achievable requirements rather than crippling costs.
• Independent oversight is mandated, with judicial, or parliamentary checks providing transparency.
• Community engagement ensures racialized and vulnerable groups are consulted before surveillance powers expand.

Canada need not choose between resilience and rights, but making that balance requires political imagination and cultural empathy.

Bill C-8 reminds us that laws are cultural contracts. We, as communities, must ask hard questions about who benefits, who pays, and who decides.

For African Caribbean Canadians and other racialized groups, this is also about demanding a seat at the table where “national security” gets defined, because history shows that when protections expand without consultation, oversight, or challenge, marginalized communities too often face the sharpest edge of the policy.

Cybersecurity is not optional in 2025, but nor is questioning power. Canadians must push for safeguards that protect both our infrastructure and our freedoms. Communities, entrepreneurs, and institutions alike will need to watch this bill closely, not after it passes, but as it evolves, because in the digital era what we permit the government to do in cyberspace will define how free we remain outside of it.