As modern vehicles become rolling data hubs, the debate around electric cars is no longer only about price, range, or tariffs. In Ottawa, officials are increasingly focused on what connected vehicles know: where a car goes, what devices it links to, how it is used, and what those data trails might reveal if accessed by the wrong hands. That concern has sharpened as Canada opens its market to a limited number of Chinese-made EVs, forcing policymakers to weigh affordability and industrial strategy against privacy, security, and public trust. The result is a far more consequential question than which badge sits on the hood. It is whether the next generation of cars could quietly become a map of Canadians’ movements, routines, and vulnerabilities.
The warning is about patterns, not just passwords
Ottawa’s latest concern is not framed like a typical cybersecurity scare about stolen logins or hacked credit cards. The warning is broader, and in some ways more unsettling. An internal federal memo prepared by Public Safety Canada says connected vehicles can collect significant amounts of data with intelligence value, and that unauthorized access could help establish “patterns of life” or enable surveillance of sensitive sites. That phrase matters. It points to a world in which a vehicle does not merely reveal a single trip, but a routine: the same office tower every weekday, the same defence campus twice a month, the same government building before sunrise.
The political timing makes the warning harder to ignore. Earlier in 2026, Canada moved to allow up to 49,000 Chinese EVs into the market annually at the most-favoured-nation tariff rate of 6.1 per cent, replacing the previous 100 per cent surtax. Ottawa presented that shift as part of a larger trade and economic strategy. But the memo suggests officials also understand the downside of opening the door to more connected devices from high-risk environments. It does not say every imported EV is a threat. It does say the risk is serious enough that the government is assessing whether new tools are needed.
Cars now behave like smartphones on wheels
Many drivers still think of privacy as something tied to phones, apps, and social media accounts. In practice, modern vehicles now sit in the same category. Canada’s Privacy Commissioner has warned that today’s cars can collect and transmit location history, driving behaviour, and personal preferences. That may sound abstract until it is translated into everyday life. A connected vehicle can learn the route of a parent doing school drop-offs, the habits of a commuter heading to the same office garage, or the stops a consultant makes during a week of client visits. Once a phone is synced, the picture can become even richer.
Privacy researchers have been sounding the alarm for years. Mozilla famously concluded that all 25 car brands it reviewed were poor performers on privacy, calling cars the worst product category it had examined. In Canada, the B.C. Freedom of Information and Privacy Association found that automaker privacy policies had improved from 2015 to 2019 but still remained inadequate under core data-protection principles. Even before the current China debate, public unease was visible. A 2015 poll cited in that Canadian research found half of respondents believed connected-car technologies put privacy at risk while offering little benefit, and just 28 per cent thought the benefits outweighed the risks.
Why foreign access changes the stakes
The central Ottawa fear is not simply that a vehicle collects data. It is that the data could become reachable from outside Canada. The Privacy Commissioner has warned that connected-vehicle information may be transferred or stored in foreign jurisdictions, where different legal standards can increase the risk of access by foreign courts, law-enforcement agencies, or national-security authorities. That changes the debate from consumer convenience to state exposure. A location trail is not merely a marketing asset in that context. It can become an intelligence asset, especially when tied to people working in government, research, infrastructure, or other sensitive sectors.
This is one reason Canadian concerns now resemble arguments already made elsewhere. In the United States, the Bureau of Industry and Security concluded that certain connected-vehicle transactions linked to China or Russia pose national-security risks because companies from those countries may be compelled to share data or allow remote access. That is a much more muscular policy response than Canada has taken so far, but it helps explain why Ottawa’s warning sounds different now. A family crossover parked in a suburban driveway may look ordinary. In the wrong data ecosystem, however, it can reveal routines, relationships, and destinations that a foreign adversary would otherwise have to work much harder to piece together.
Canada’s privacy law has ground rules, but not a clean answer
Canada is not starting from zero. The country already has private-sector privacy rules under PIPEDA, which sets the ground rules for how businesses collect, use, and disclose personal information in commercial activity. Those rules are supposed to cover accountability, consent, safeguards, openness, and limits on unnecessary collection. On paper, that matters. It means automakers and related service providers operating in Canada cannot simply treat driver data as an unlimited free-for-all. It also means organizations are expected to be transparent when personal information crosses borders in the course of business.
The problem is that transparency is not the same as prohibition. The Privacy Commissioner has explicitly said PIPEDA does not ban organizations in Canada from transferring personal information to China or any other jurisdiction. Instead, the law mainly requires openness about those practices. That may have looked workable in an earlier digital era. It feels thinner in a world of constantly connected vehicles generating continuous streams of location and behavioural data. The Commissioner has also argued that Canada still needs modernized privacy laws after Bill C-27 died on the order paper in early 2025. In other words, the current framework still applies, but even the regulator overseeing it has been signaling that the system was not built for the scale and sensitivity of today’s data economy.
Safety checks and data risks are not the same thing
One of the easiest ways to misunderstand this debate is to assume that if a vehicle is legal to sell in Canada, the hardest questions have already been answered. They have not. Safety certification and data governance are related, but they are not the same thing. Canada requires all vehicles made for sale or imported into the country to meet federal motor-vehicle safety standards. Transport Canada’s updated framework for connected and automated vehicles is also explicit that these technologies present novel safety challenges and that cyber security is part of the oversight picture. That matters because connected features are not frivolous add-ons; they sit inside systems people increasingly rely on.
The appeal of those features is real. Transport Canada notes that 1,931 Canadians were killed on the roads in 2022, and around 85 per cent of fatal collisions involved human behaviour as a contributing factor. That is part of why automakers keep pushing smarter safety, navigation, and driver-assistance tools. But the June 2026 federal memo makes clear that a vehicle being compliant under the Motor Vehicle Safety Act does not settle the data-security question. The memo itself says Chinese-made vehicles intended for sale in Canada are subject to the same rules as vehicles from elsewhere, yet it also warns that growing threats tied to connected-vehicle technologies and their supply chains may require additional tools. Roadworthiness, in other words, is not the end of the story.
Other regulators are already moving faster
Canada’s current posture looks cautious, but not decisive. Other regulators have already moved beyond warnings. In the United States, the Bureau of Industry and Security finalized rules restricting the import and sale of certain connected vehicles and related hardware or software linked to China or Russia. The restrictions are phased, but the principle is unmistakable: Washington concluded that the risk was substantial enough to justify a hard regulatory line. Reuters reported in April 2026 that U.S. officials saw no plans to relax that crackdown. For Canadian policymakers, that creates a difficult comparison. Ottawa is still weighing new tools while its closest ally has already chosen a much more restrictive path.
There is another lesson in the U.S. response, and it cuts in a different direction. The data problem is not confined to Chinese automakers. In January 2026, the FTC finalized an order against GM and OnStar after alleging that the company collected and sold precise geolocation and driving-behaviour data without consumers’ informed consent. The order imposed a five-year ban on sharing certain driver data with consumer-reporting agencies and required stronger consent, opt-out, access, and deletion rights. That example matters because it shows the underlying issue is bigger than one country. Connected-car data is valuable, monetizable, and potentially intrusive whether the badge on the grille is domestic or foreign. China sharpens the national-security dimension, but the privacy issue is already industry-wide.
Ottawa now has to balance affordability against trust
That is the policy trap in front of the federal government. Ottawa has promoted the new China arrangement as a way to widen EV choice, bring more affordable models into the market, and attract investment tied to Canada’s clean-tech future. Official messaging has suggested that, within five years, more than half of the vehicles entering under the arrangement could be affordable EVs priced below $35,000. In a country where cost remains one of the biggest barriers to EV adoption, that is not a trivial promise. Lower prices can move markets. They can also make governments more willing to tolerate strategic ambiguity they would reject in other sectors.
But trust is its own form of infrastructure. If Canadians believe their cars are becoming rolling sensors with unclear loyalties, the damage will not be limited to one trade deal or one class of imports. It could chill confidence in connected vehicles more broadly, including vehicles built by brands already on Canadian roads. That is why Ottawa’s warning matters beyond the China file. It is really a warning about the future of mobility itself. The modern car is no longer just transport. It is also a diary, a map, a communications node, and a stream of behavioural data. Once policymakers accept that, the question stops being whether connected vehicles are useful. The question becomes who gets to learn from them.
Alanna Rosen is an experienced content writer that focuses on many EV and educational content. Her articles are regularly published on Get CyberTrucked and syndicated on large publications.