A Public Safety Canada memo, obtained by The Canadian Press under the Access to Information Act and reported on June 1, 2026, makes a claim that deserves to be taken seriously rather than dismissed: data collected by connected and automated vehicles "can have intelligence value" to foreign adversaries. The document warns that unauthorized access to vehicle systems "could be used to establish patterns of life or conduct surveillance," and that the national-security laws of certain countries — China is named explicitly — "can compel manufacturers and suppliers to share data with their home government." The risk, it adds, increases when Canadian data is "sent to — or transit[s] through — foreign jurisdictions with more permissive data management frameworks."
The timing is not coincidental. Under a trade arrangement struck after Prime Minister Mark Carney's January 2026 visit to China, Canada cut its 100 percent tariff on Chinese electric vehicles to 6.1 percent for up to 49,000 cars a year. More than 2,900 Chinese EVs cleared customs in May 2026 — the first month of imports under the new regime. The memo is the security establishment's reaction to cars it can no longer keep out at the border.
The security case is real
The strongest version of the government's argument is sound, and worth stating plainly before disputing the remedy. A modern connected vehicle is a rolling sensor platform: it logs precise GPS traces, cabin microphone audio, paired-phone contact lists, dashcam and external-camera footage, and fine-grained telematics. Canada's own Canadian Centre for Cyber Security warns that location data, navigational history, mobile-device contacts and camera feeds are all collected and exposed to interception. Aggregate that across thousands of vehicles and you can indeed map who visits a military base, a defence contractor, or a minister's residence — and when. China's 2017 National Intelligence Law compounds the worry. Article 7 obliges "all organizations and citizens" to "support, assist, and cooperate with national intelligence efforts," giving Beijing a legal lever over any China-domiciled manufacturer's data. That is not paranoia; it is text.
But origin is the wrong variable to regulate
The problem with letting that analysis slide into a country-of-origin ban is that it mistakes the symptom for the disease. The risk the memo describes — excessive collection, opaque cloud routing, foreign-government compulsion — is a property of how data is handled, not of where a logo was designed. A Canadian-branded SUV that streams unencrypted location data to a poorly secured server in a permissive jurisdiction is a more concrete threat than a Chinese EV whose data is encrypted and provably localized. Tesla, GM and Hyundai vehicles collect the same categories of data; Western manufacturers route telematics through global cloud infrastructure too. An origin rule would wave those through while banning a competitor — which is industrial protectionism wearing a national-security badge.
It is also a poor fit for where the global market is going. The International Energy Agency's May 2026 outlook found global EV sales grew about 20 percent in 2025 to exceed 20 million, with roughly one in four new cars sold worldwide now electric — a boom led overwhelmingly by affordable Chinese models. Canada cannot decarbonize road transport on schedule while structurally excluding the cheapest EVs on the planet. The policy question is not whether Canadians will drive connected, data-hungry cars — they already do, and will buy more — but whether Ottawa writes rules that make every such car safer.
A proportionate, technology-neutral path
Encouragingly, the memo's own conclusion is restrained: the government says it is "assessing" the "need for additional tools," not announcing a ban. That restraint should hold, and the assessment should build on the framework Canada already has rather than improvising a blacklist. Transport Canada's Vehicle Cyber Security Guidance and Vehicle Cyber Security Strategy already set out technology-neutral best practices across the vehicle lifecycle, and its Vehicle Cyber Security Assessment Tool gives manufacturers a voluntary yardstick. The gap is that these instruments are voluntary and origin-blind in the wrong way — they neither bite nor distinguish on the variables that actually matter.
Three proportionate moves would address the memo's concerns without resorting to a trade war:
- Data-handling mandates, applied to all makers. Require that connected-vehicle data on Canadians be encrypted in transit and at rest, with disclosed data-residency: buyers and regulators should know which jurisdictions data transits and where it is stored. This neutralizes the "permissive foreign framework" risk regardless of brand.
- Foreign-compulsion transparency. Require manufacturers to disclose any legal regime — Chinese, American, or otherwise — under which a home government can demand vehicle data, and to report compelled-access requests. Sunlight lets buyers and fleet operators price the risk themselves.
- Sensitive-site controls, not consumer bans. Where the real concern is surveillance of bases or critical infrastructure, restrict or geofence connected-vehicle data collection in those zones — a targeted control that addresses the actual threat without dictating what civilians may park in their driveways.
The Public Safety memo is right that connected vehicles are an intelligence surface and that authoritarian data laws change the calculus. It is right to assess the threat. But the lesson of a decade of connected-device policy is that origin bans are easy to announce, easy to evade, and easy to weaponize for protectionism — while doing little for the driver whose Western-branded car leaks the same data. Govern the conduct: collection limits, encryption, residency disclosure, and hard rules around sensitive sites. That protects Canadians' patterns of life without surrendering the affordable, electric, increasingly autonomous future to a border wall.