Dick Wolf's CIA premiered on CBS on February 23, 2026, pairing a CIA officer and an FBI agent in a joint intelligence task force — and it has been trending in Canada ever since. The show is gripping television. It is also prompting a question IT security professionals hear with increasing frequency: what can intelligence agencies actually collect about ordinary Canadians, and what can you do about it?
From the Screen to Your Smartphone
CIA stars Tom Ellis as Colin Glass, a CIA field operative, alongside Nick Gehlfuss as FBI agent Bill Goodman. The series follows their joint investigation into national security threats, and it depicts surveillance techniques — geolocation tracking, metadata analysis, digital communications interception — with enough authenticity to be unsettling.
The show is fictional, but the technologies it portrays are not. The question is not whether these methods exist. The question is who uses them, under what legal authority, and what rights Canadian residents have in response.
Canada's Real Intelligence Architecture
Canada has two primary intelligence agencies that Canadians should understand, one for domestic intelligence and one for signals intelligence:
CSIS (Canadian Security Intelligence Service) is Canada's domestic intelligence agency, responsible for investigating threats to national security, including terrorism, espionage, and foreign interference. CSIS operates under the CSIS Act and requires judicial authorization (a warrant) to conduct surveillance of Canadians.
CSE (Communications Security Establishment) is Canada's signals intelligence and cybersecurity agency. It operates under the National Security Act, 2017. While CSE's primary mandate is foreign intelligence and cybersecurity, it has the legal authority to collect certain types of "publicly available" data — a category that has been interpreted broadly enough to include data from commercial data brokers and information exposed in data breaches.
The distinction matters: CSIS needs a warrant to target a specific person inside Canada. CSE's authorities are broader for foreign intelligence purposes, and the edges of what counts as "publicly available" are still being litigated and debated in policy circles.
PIPEDA, Bill C-27, and the Privacy Law Gap
Canada's federal private-sector privacy law is the Personal Information Protection and Electronic Documents Act — commonly called PIPEDA. It governs how private companies collect, use, and disclose your personal data, and it establishes your right to access information organizations hold about you.
The problem is that PIPEDA is showing its age. It was enacted in 2000, when smartphones, social media, and cloud computing did not exist in their current form.
Bill C-27, the Digital Charter Implementation Act, was intended to replace PIPEDA with a modern framework — including stronger consent requirements and significantly higher penalties for violations. The bill died on the order paper in January 2025 when Parliament was prorogued. As of April 2026, Canada is still operating under a privacy law designed for a pre-smartphone era, while its trading partners in the EU operate under GDPR, which provides substantially broader individual rights.
This is the gap that IT security professionals find most significant. Your rights against government surveillance are relatively well-defined. Your rights against commercial data collection — and the secondary use of that data by intelligence-adjacent actors — are far murkier.
Four Ways Your Digital Privacy May Be More Exposed Than You Think
An IT security consultant would typically walk a Canadian client through four categories of digital exposure:
1. Data broker ecosystems. Your name, address, income range, purchase history, and social media activity are routinely sold and re-sold through commercial data brokers. Under current PIPEDA rules, companies can often collect and share this data without meaningful individual consent. CSE has legal authority to collect "publicly available" data, which in practice may include broker-sourced information.
2. App permissions and metadata. Most Canadians have installed dozens of apps that request location access, microphone access, and contact list access. Even without directly recording conversations, metadata — who you called, when, for how long, from where — can build a detailed profile of behaviour and associations.
3. Cross-border data flows. Canadian data frequently transits through US servers. When that happens, it may become subject to US law, including the CLOUD Act, which allows US authorities to compel US-based companies to produce data stored anywhere in the world.
4. Credential exposure. Data breaches at major Canadian institutions — financial, healthcare, telecom — have exposed millions of records. Whether CSE's interpretation of "publicly available" data could include breach-exposed data has been debated. At minimum, once your credentials are in a breach database, your digital footprint becomes significantly harder to control.
For context on your rights under Canadian privacy law, the Office of the Privacy Commissioner of Canada provides public resources and accepts complaints against private-sector organizations.
What an IT Security Expert Recommends
Whether you are an individual professional or a small business owner, the practical steps recommended by IT security consultants in Canada cluster around four priorities:
Audit your app permissions — review the permissions granted to every app on your devices and revoke access you do not actively need. This is especially important for location, microphone, and contacts.
Use end-to-end encrypted communications — applications that provide end-to-end encryption keep message content inaccessible even to the service provider. This does not prevent metadata collection, but it is significantly stronger than standard messaging.
Review your cloud storage jurisdiction — understand where your data is stored and which laws govern it. Many cloud providers allow Canadians to elect Canadian data residency; this is worth doing for sensitive business or personal information.
Request your PIPEDA access rights — under current Canadian law, you can write to any organization holding your personal data and request a copy of what they hold. Use this right. Understanding your own data footprint is the prerequisite to managing it.
The more interesting question CIA raises — whether the lines between authorized intelligence collection and commercial surveillance are blurring — is one that IT experts, privacy lawyers, and parliamentarians are actively debating. Viewers watching Colin Glass run metadata on a suspect's phone are watching a technique that commercial apps already perform routinely, with far less oversight.
When to Consult an IT Security Professional
If you are responsible for a small or mid-sized business, or you handle sensitive professional data — legal, financial, medical, or otherwise — a cybersecurity consultation is no longer optional. The regulatory landscape is shifting, and the cost of a breach — financial, reputational, and increasingly legal — makes proactive investment worthwhile.
On ExpertZoom, certified IT security specialists across Canada offer consultations on data protection frameworks, privacy compliance under current Canadian law, and practical steps to reduce your digital exposure. Whether CIA on CBS raised a question you want answered, or you have a concrete business need, expert guidance is available.
This article provides general information about digital privacy law in Canada and is not a substitute for legal or professional IT security advice. Consult a qualified professional for advice specific to your situation.
