The government unveils its long-awaited national AI strategy this morning. AI Minister Evan Solomon has made it clear that the strategy will emphasize trust, noting that Canadians will only embrace the technology if they are confident their privacy is protected and safeguards are in place against potential harms. The privacy assurances are likely to take the form of a new private-sector privacy bill that includes European-style rules, stronger penalties, and recognition of privacy as a fundamental right. The government has proposed as much before, adding fundamental-rights language to the Consumer Privacy Protection Act in Bill C-27 before that bill died on the order paper. But the government is, at the same time, pressuring the public safety committee to pass Bill C-22, whose mandatory metadata retention regime is the single largest privacy risk in Canada in years and one that comparable countries have already struck down as a violation of the fundamental right to privacy. The disconnect is dizzying: the government cannot claim privacy as a fundamental right in the morning and enact mandatory metadata retention that overrides it in the afternoon.
As I have repeatedly raised in recent weeks, when the Court of Justice of the European Union struck down the Data Retention Directive in the Digital Rights Ireland case, it held that the general and indiscriminate retention of every user’s telecommunications metadata was a disproportionate interference with the fundamental rights to privacy and data protection. Bill C-22 builds the blanket model of data retention that the European courts have consistently rejected, as it would require providers to retain, for up to a year, the date, time, duration, origin of communications, and location of the devices involved. The result is a surveillance map of the movements and communications practices of virtually all Canadians for a year, the very opposite of what recognizing privacy as a fundamental right envisions.
Retention is not the only privacy problem in Bill C-22. The technical capability powers would let the government require providers to engineer access to communications, and the RCMP has told the committee directly that it wants the law to reach encrypted messages. Faced with a comparable demand in the UK, Apple withdrew Advanced Data Protection from the market rather than build a way in for the authorities, leaving British users with less security rather than more. If Bill C-22 becomes law in its current form, the same pressure would drive privacy protection out of the country: Signal has said it would leave rather than weaken its encryption, Toronto-based Windscribe has said the same, and DuckDuckGo and NordVPN have warned they would pull their VPN services from the Canadian market. These are the same tools the government’s own cyber-security guidance urges Canadians to use to protect their personal information.
Solomon argues that a strong privacy law will give Canadians the confidence to use AI, yet a year of retained metadata on the entire population is precisely the kind of aggregated record that AI systems can mine to reconstruct identities and movements from data that was never meant to identify anyone. As I argued in the Globe earlier this year, the risk of re-identifying de-identified data is precisely the privacy harm new reforms need to address. Yet the lawful access bill badly undermines those potential reforms as the government creates more privacy risks than it solves.
Whether the government means what it says about privacy will not be settled by the preamble of the bill Solomon tables after the strategy, however much fundamental-rights language it contains, but rather by whether the government is willing to drop the mandatory metadata retention and encryption mandates in Bill C-22 that it is fighting to pass unchanged at the same time. A right the government writes into one bill and overrides in the next is neither a true fundamental right nor the foundation of trust that Solomon insists the AI strategy needs.











