Erik
  • 10 min read
Canadian medical records flowing through interconnected data networks under foreign jurisdiction

What Bill C-22 Means for Canadian Medical Privacy

Bill C-22's metadata mandate, US-hosted health records under the CLOUD Act, a pending Canada-US surveillance pact, insurer pharmacy-data screening, and hospital ad-tech. The infrastructure for future discrimination against Canadian patients is being built right now.

C-22 is really getting under my skin. I should know about privacy. Pre-corona, I almost had my medical records breached, and the government did nothing about it.

When I was living in Calgary, I was looking for a new dentist. Mine had moved too far away. Found a local one, called, set an appointment. They wanted me to fill in forms. They were using Google Forms for full medical histories. Total PIPEDA breach.

I reported it to the College of Dental Surgeons of Alberta because I knew how cavalier the dentist was with patient records. I have a background in tech. I own my own MSP, had school district contracts, and ran a web design firm near the turn of the century before that. So over many hours I documented, screenshotted, referenced the PIPEDA Act, laid out the case for the violation, and submitted it.

In late 2021 my girlfriend (now ex) and I drove across Canada to move to Toronto, and I kind of forgot about the submission. About a year later I received an email asking if I wanted to continue the case or drop it. Every six months the college would email again: reply to continue, or it gets dropped. After about a year and a half of this back-and-forth I called. Turns out they had a two-plus year backlog of dentist violation cases.

Another six months go by. I get a call from a retired police detective who, it turns out, knows nothing about cybercrime, the internet, online privacy, or PIPEDA. I spent over 20 hours educating, screenshotting, referencing, and spoon-feeding him evidence. He said he finally had something to work with. The dentist was still taking medical history on Google Forms.

Months later I got an email saying the college didn’t find any evidence of a privacy breach.

That’s the institutional response when the violation is local, obvious, and documented. Now look at what happens when the records aren’t even on Canadian soil.

Canadians treat their medical files as sovereign. Provincial privacy acts, the federal Personal Information Protection and Electronic Documents Act, the doctor-patient relationship, and a publicly funded system all imply a quiet promise that what you tell your physician stays inside Canadian law. The promise is fiction. In 2025, Microsoft alone processed 847 US CLOUD Act requests affecting Canadian data, up from 623 the year before, and challenged just twelve percent of them. The rest were handed to American authorities without any Canadian court hearing the matter. Most patients have no idea their records sit on infrastructure that responds to foreign subpoenas.

Set aside the question of whether any single foreign request is reasonable, or whether any one database has been breached. The story worth telling is that several converging forces are quietly building a future in which your health history becomes exploitable. By foreign intelligence agencies. By insurers writing policies you have not yet bought. By advertisers selling your diagnosis to pharmaceutical brands. By employers, eventually, in jurisdictions where the rules let them. Each of these threads is already in motion. The real question is how much of that future has already arrived.

Where Your Chart Actually Lives

Three American vendors dominate hospital electronic health records in Canada: Epic, Cerner, and MEDITECH. Their systems run on Microsoft Azure, Amazon Web Services, or Google Cloud. Even when the physical servers sit in Toronto, Quebec, or Calgary, the parent companies remain US-incorporated, which puts them squarely inside the reach of the 2018 Clarifying Lawful Overseas Use of Data Act. Under the CLOUD Act, American authorities can demand data from US companies regardless of where the servers physically sit. Microsoft has stated plainly that it will comply with valid US orders. The 847-request figure is the consequence, not an anomaly.

Alberta Health Services took the implication seriously. In late 2025, AHS terminated two vendor contracts after determining the providers’ US-based infrastructure violated section 60.1 of Alberta’s Health Information Act regarding cross-border disclosures. The decision treated US-hosted clinical data as presumptively non-compliant with provincial law. No other province has followed publicly, which means hundreds of millions of patient interactions every year continue to flow through American-controlled infrastructure governed primarily by American legal process. PIPEDA’s much-cited “comparable protection” standard for cross-border transfers is, in practice, an administrative shrug. It permits the transfer, and then leaves the legal authority of the receiving country untouched.

Bill C-22 and the Quiet Surveillance Stack

Dystopian Canadian street scene illustrating Bill C-22 Lawful Access Act with surveillance billboards and metadata retention warnings

While that back door already exists, the federal government is building a front door. Public Safety Minister Gary Anandasangaree tabled Bill C-22, the so-called lawful access bill, in March 2026. Internet law scholar Michael Geist has called it a “two-headed surveillance monster.” The bill mandates one year of metadata retention by electronic service providers and requires those providers to maintain intercept-capable infrastructure on demand, with specific orders cloaked in secrecy provisions. Geist warns the result is “a comprehensive surveillance map of virtually every Canadian, including where they go, when they go there, and who they communicate with.”

The detail that should concern any clinician or patient is the definition of “electronic service provider.” Bill C-22 captures, in its current drafting, “any person that provides an electronic service to persons in Canada or carries on business activities in Canada.” A clinic that runs a patient portal qualifies. A telehealth platform qualifies. A pharmacy operating a refill app qualifies. Geist explicitly flags that the scope could rope in physicians, lawyers, and digital platforms alongside telecom carriers, while the Charter Statement that accompanies the bill says nothing about the regime at all. The Hill Times reported a sharper irony: this bill is “so bad, the Americans hate it, even though they are the ones who pushed for this in the first place.”

The Kicker: A Cross-Border Pact With No Judicial Brake

Bill C-22 does not exist alone. Since 2022, Canadian and US negotiators have been working on a bilateral data-sharing agreement under the CLOUD Act. Researchers at the Citizen Lab have laid out what the deal would do. American police could directly demand personal data from any Canadian provider of electronic communication or remote computing services with ties to the US. “No judicial oversight whatsoever would be involved north of the border,” the researchers write. The arrangement could authorize real-time wiretapping, location tracking, and remote device access. The Citizen Lab analysis specifically references the risk that Canadian health information could be used to enforce US laws targeting transgender individuals. That is a concrete reminder this is not abstract. Health records become evidence in foreign prosecutions when a foreign administration decides what counts as a prosecutable condition.

Insurers Already Know What You Filled at the Pharmacy

Canadian patient under surveillance by life insurance underwriters reviewing prescription history and pharmacy data

Foreign-government access is the dramatic threat. Insurer access is the boring one, and the more advanced. The Medical Information Bureau, which operates across the United States and Canada, maintains a shared database that member life insurance companies consult during underwriting. After a Canadian policyholder dies inside the two-year contestability window, insurers run retroactive investigations that pull pharmacy benefit manager records and national prescription databases going back five years or more. Lawyers who represent denied beneficiaries describe a recurring pattern: an SSRI filled briefly years before the application, a statin started after a borderline lab, an antianxiety prescription that was never tied to a formal diagnosis. Any of these can become the lever for denial, because the prescription itself becomes proof of an undisclosed “condition.” The pharmacy record shows what was dispensed. It can’t show whether it mattered. The insurer’s burden of proof is thin enough that it does not have to.

Canada’s Genetic Non-Discrimination Act, upheld by the Supreme Court in 2020, blocks insurers from compelling genetic tests or demanding existing genetic results. That protection is real, and narrow. The Canadian Life and Health Insurance Association’s voluntary code still allows insurers to ask for prior genetic results on policies over $250,000. Everything outside the genetic carve-out, including your prescriptions, your imaging, your psychiatric history, your sleep study, and your hormone panels, remains fair game for underwriting and for retroactive claims investigation. The GNDA is one fence around one corner of a very large field.

The Telematics Template Is Coming for Health Data

Anyone who wants a preview of where insurer data appetite goes next should look at car insurance. A 2024 New York Times investigation, followed by lawsuits and a Texas Attorney General probe, exposed that General Motors had been quietly piping driver behaviour to LexisNexis Risk Solutions and Verisk Analytics. Hard braking. Sharp acceleration. Trip start and stop times. Late-night routes. The data was then licensed to auto insurers. Drivers found out the way Floridian Romeo Chicco found out: Liberty Mutual denied him coverage, and on a phone call he learned his “LexisNexis report” was the reason. GM faced a $12.75 million settlement in 2026, and class actions remain unresolved. Nobody asked the drivers. Their consent was buried inside a connected-vehicle terms-of-service screen they tapped through at the dealership.

That template is the future of medical underwriting, and it is not speculative. Continuous glucose monitors, wearable ECGs, smart scales, sleep trackers, and connected hormone-testing services all generate data streams that look exactly like the auto-telematics pipeline did in 2018: voluntary, app-mediated, terms-of-service-gated, and commercially routable to data brokers. The Texas case made clear that automakers and brokers do not believe consumer consent has to be informed to be legally sufficient. There’s no reason to think the health-data version of that argument will be more scrupulous.

What Your Hospital’s Website Already Tells Facebook

Hidden ad-tech trackers and data brokers monitoring patient activity on healthcare websites

If the insurance angle still feels distant, the advertising one is already here. The US Federal Trade Commission has been working through a list. GoodRx paid $1.5 million in 2023 for sharing prescription data with Facebook, Google, and Criteo. BetterHelp paid $7.8 million for piping the mental-health intake answers of three million users to advertising platforms. Advocate Aurora Health settled for $12.25 million over Meta Pixel placements that exposed three million patients. Mass General Brigham settled a similar matter for $18.4 million. The pattern is so reliable that the FTC and the US Department of Health and Human Services jointly warned roughly 130 hospital systems in 2023. Pixel-tracking violations across US healthcare have triggered, by mid-2025 estimates, more than $100 million in penalties and settlements.

Canadian hospitals and clinics use the same Meta business tools. They use the same Google Tag Manager. They run on the same WordPress themes that ship with telemetry hooks pre-wired into the page. No comparable Canadian enforcement action has landed yet, which shouldn’t be read as evidence of better practice. It is evidence of weaker enforcement. The data has already left the building.
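A clinic can check its own pages for these hooks before a regulator does. The scanner below is an added example for this article, not the article's own work or any vendor's tool: it parses a saved HTML page with the Python standard library and flags the loader hosts and inline calls that the standard Meta Pixel and Google Tag Manager snippets use. The tracker host list, the marker strings, and the two sample pages are constructed for the example; the pixel and tag IDs in them are placeholders.

```python
"""Audit an HTML page for common ad-tech loaders (Meta Pixel, Google Tag
Manager) so a clinic can see what its own site hands to third parties.
Added example for this article; the sample pages below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Third-party hosts that commonly carry marketing telemetry. This audit list is
# an assumption made for the example; extend it for the vendors your site uses.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
}
# Inline JavaScript fragments that show a pixel or tag container being initialised.
INLINE_MARKERS = {
    "fbq(": "Meta Pixel init",
    "gtag(": "gtag.js call",
    "dataLayer": "GTM dataLayer",
}


class TrackerScanner(HTMLParser):
    """Collects (location, label, evidence) tuples for every tracker hook found."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            if attrs.get("src"):
                self._check_url("script src", attrs["src"])
        elif tag in ("img", "iframe") and attrs.get("src"):
            # A 1x1 <img> inside <noscript> is the classic pixel fallback.
            self._check_url(f"{tag} beacon", attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands us the body of a <script> element as data.
        if not self._in_script:
            return
        for host, label in TRACKER_HOSTS.items():
            if host in data:
                self.findings.append(("inline script", label, host))
        for marker, label in INLINE_MARKERS.items():
            if marker in data:
                self.findings.append(("inline script", label, marker))

    def _check_url(self, where, url):
        host = urlparse(url).hostname or ""  # relative paths have no host
        for tracker, label in TRACKER_HOSTS.items():
            if host == tracker or host.endswith("." + tracker):
                self.findings.append((where, label, host))


def scan_html(html):
    """Return every tracker hook found in the page, in document order."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def has_third_party_trackers(html):
    return bool(scan_html(html))


# Constructed sample: a patient portal that pasted in the standard Meta Pixel
# and gtag.js snippets. The IDs are placeholders, not real ones.
PORTAL_PAGE = """<html><head>
<script src="/static/portal.js"></script>
<script>
!function(){/* minified loader omitted */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'PLACEHOLDER_PIXEL_ID'); fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView" /></noscript>
<p>Book an appointment</p>
</body></html>"""

# Constructed sample: the same page with only first-party assets.
CLEAN_PAGE = """<html><head><script src="/static/portal.js"></script></head>
<body><p>Book an appointment</p></body></html>"""

if __name__ == "__main__":
    for where, label, evidence in scan_html(PORTAL_PAGE):
        print(f"{where:14} {label:28} {evidence}")
    print("clean page:", scan_html(CLEAN_PAGE))
```

Run it against the saved HTML of your own portal or booking page. It inspects only the static markup, so tags that a tag manager injects after page load will not appear here; those need a check in the browser's network panel, which is where the beacons to the hosts above actually show up.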

The Future Is Already Filed

Now stack these forces against a foreseeable economic backdrop. Canadian provincial health budgets are under sustained pressure. Wait times have grown. A larger share of public commentary, including from voices that were unthinkable five years ago, openly entertains a wider private-insurance footprint in Canadian healthcare. If private insurers expand further into the Canadian market, they will bring the underwriting playbook that already exists south of the border: pharmacy-data screening, retroactive contestability investigations, third-party data-broker enrichment, and pricing models that look a lot like LexisNexis-flavoured auto coverage. The legal infrastructure to feed those models is already being built. Broad data flows. Weak cross-border enforcement. A permissive PIPEDA. A soon-to-pass surveillance bill that ropes in clinics and telehealth providers. The political conversation about whether to permit any of it is happening, in practice, nowhere.

Employers are a smaller but not zero risk. Canadian law restricts direct employer access to medical records, but the same restrictions do not apply to inference. An employer that learns, through publicly traded data segments, that a region’s workforce skews toward certain prescriptions can act on it without ever requesting a single chart. The decisions look like staffing choices, expansion choices, relocation choices. The mechanism is the data.

What a Patient Can Actually Do

The honest answer is: less than they should be able to. Patients can ask where their clinic stores its records and which vendors host the data. They can request paper-only records where the option exists, knowing it usually doesn’t. They can avoid apps that ask for prescription history in exchange for discounts. They can read insurance applications carefully, because the contestability window means years of pharmacy data will be inspected if a claim ever has to be paid. They can pressure provincial regulators to follow Alberta’s lead and treat US-hosted clinical infrastructure as out of compliance until proven otherwise.

The honest answer to “how does The Mas Clinic protect you from all of this” is bleaker than any clinic should be allowed to pretend. The only way to keep a Canadian patient’s record genuinely out of the flows described above is to pay cash, give a name that is not yours, and keep a parallel chart on a system that never touches a network and never leaves the room. Even that does not survive a court order or a physical seizure. The state can compel a device. The state can compel a clinician. Privacy as a clinic-level practice does not scale against a federal apparatus that has decided it wants the data, and pretending otherwise is the marketing pitch this article was written to refuse.

The real defence is not technical. It is political. Bill C-22 is still a bill. The Canada–US CLOUD Act agreement is still in negotiation. PIPEDA is still rewritable. The Genetic Non-Discrimination Act exists because Canadians wrote to their MPs and demanded it, and the Supreme Court upheld it because the political conversation had already been won.

Find your MP at ourcommons.ca/Members/en/search and write to them. Tell them you do not consent to one-year metadata retention. Tell them you do not consent to a cross-border data-sharing arrangement that bypasses Canadian courts. Tell them you expect Canadian health information to remain under Canadian-jurisdiction law, and that “comparable protection” under PIPEDA is not a substitute for it.

We’ve drafted a letter you can adapt and send. Download the template (PDF)

References

  1. Geist, Michael. “The Lawful Access Two-Headed Surveillance Monster: How Bill C-22 Went Off the Rails.” michaelgeist.ca, May 2026. michaelgeist.ca/2026/05/the-lawful-access-two-headed-surveillance-monster-how-bill-c-22-went-off-the-rails/
  2. Parliament of Canada. Bill C-22 (44th Parliament). parl.ca/legisinfo/en/bill/44-1/c-22
  3. Fasken. “The Government of Canada Introduces Bill C-22.” March 2026. fasken.com/en/knowledge/2026/03/the-government-of-canada-introduces-bill-c22
  4. CBC News. “Federal Officials on the Defensive as Momentum Grows Against Lawful Access Bill.” cbc.ca/news/politics/federal-officials-on-the-defensive-as-momentum-grows-against-lawful-access-bill-9.7206179
  5. Ifill, Erica. “Bill C-22 Reveals a Troubling Trend With the Carney Government.” The Hill Times, May 20, 2026. hilltimes.com/2026/05/20/bill-c-22-reveals-a-troubling-trend-with-the-carney-government/504535/
  6. BetaKit. “Digital Surveillance Bill C-22 Threatens to Drive Tech Firms Out of Canada.” betakit.com/digital-surveillance-bill-c-22-threatens-to-drive-tech-firms-out-of-canada/
  7. CBC News. “Canadians’ Health Data at Risk of Being Handed Over to U.S. Authorities, Experts Warn.” cbc.ca/news/health/health-data-cloud-servers-canada-us-1.7597441
  8. The Citizen Lab. “Canada–U.S. Cross-Border Surveillance Negotiations Raise Constitutional and Human Rights Whirlwind Under U.S. CLOUD Act.” citizenlab.ca/research/canada-us-cross-border-surveillance-cloud-act/
  9. CMAJ. “Ensuring the Sovereignty and Security of Canadian Health Data.” 2025. cmaj.ca/content/197/26/E763
  10. Supreme Court of Canada. Reference re Genetic Non-Discrimination Act, 2020 SCC 17. decisions.scc-csc.ca/scc-csc/scc-csc/en/item/18417/index.do
  11. The Conversation. “Canada’s Genetic Non-Discrimination Act Has Only Had a Limited Impact on the Use of Genetic Information by Life Insurers.” theconversation.com/canadas-genetic-non-discrimination-act-has-only-had-a-limited-impact-on-the-use-of-genetic-information-by-life-insurers-223068
  12. Insurance Business. “GM, LexisNexis Face Class Action Over Telematics Insurance Data Collection.” insurancebusinessmag.com/us/news/technology/gm-lexisnexis-face-class-action-over-telematics-insurance-data-collection-481325.aspx
  13. Insurance Journal. “Suit Says OnStar, LexisNexis Shared Driving Data With Insurers, Spiking Rates.” insurancejournal.com/news/southeast/2024/03/15/765068.htm
  14. Davis Wright Tremaine. “FTC Targets Tracking Pixels Amid Data Sharing Settlements with GoodRx, BetterHelp.” 2023. dwt.com/blogs/privacy--security-law-blog/2023/03/ftc-pixel-tracking-health-goodrx-betterhelp
  15. US Federal Trade Commission and US Department of Health and Human Services. Joint warning letter to hospital systems and telehealth providers on online tracking technologies, July 2023. ftc.gov/news-events/news/press-releases/2023/07/ftc-hhs-warn-hospital-systems-telehealth-providers-about-privacy-security-risks-online-tracking
  16. Feroot Security. “Pixel Tracking Violations Cost US Healthcare $100M+.” feroot.com/blog/pixel-tracking-violations-us-healthcare-100m/
  17. CBC News. “Privacy Investigator in Ontario Hospital Cyberattack Outlines Missteps, Chances to Improve.” cbc.ca/news/canada/windsor/ransomware-privacy-commissioner-hospitals-1.7564336
