Show HN: Hackerbrief – Top posts on Hacker News summarized daily

Original link: https://hackerbrief.vercel.app/

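## Bill C-22: A Revised Approach to Lawful Access

Bill C-22 is the government's second attempt at legislation allowing law enforcement to access personal information, following the heavily criticized Bill C-2. While Bill C-2 proposed broad, warrantless access to data from *all* service providers, Bill C-22 is split into two parts and takes a more focused approach.

Part one improves data access by limiting warrantless demands to confirming service provision from *telecom* providers only. Access to further subscriber information now requires a judicial order based on "reasonable grounds to suspect," a concession acknowledging Bill C-2's overreach. However, concerns remain that the threshold for obtaining these orders is low.

Part two, the Supporting Authorized Access to Information Act (SAAIA), is more controversial. It compels broadly defined "electronic service providers" (including international platforms such as Google and Meta) to actively assist with monitoring and surveillance, which may undermine network security and transparency. The SAAIA also requires "core providers" to retain metadata for up to one year, although content retention is restricted, which raises data sovereignty and privacy concerns, particularly with respect to cross-border data-sharing agreements.

Despite strengthened oversight by the Intelligence Commissioner, critics argue that the SAAIA's secrecy and expanded surveillance powers pose significant risks to civil liberties.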

Hacker News: 9 points, posted by p0u4a 29 minutes ago | 3 comments

unkeen, 0 minutes ago: "Hackerbrief" means "hacker letter" in German.

throwaway12pol, 18 minutes ago: Nice! It would be even better to get comment summaries as well.

amelius, 7 minutes ago: +1

Original text

Bill C-22: A New Phase for Lawful Access Legislation

Bill C-22, the Lawful Access Act, marks a new phase in the decades-long debate over government access to personal information, following the controversial Bill C-2. Last spring, Bill C-2 faced immediate backlash due to its "unprecedented rules permitting widespread warrantless access to personal information," which were on "very shaky constitutional ground" and unlikely to pass constitutional muster. The government subsequently decided to hit the reset button on lawful access, separating the border measures from the lawful access provisions, leading to the introduction of Bill C-22. This new bill addresses two primary aspects of lawful access: law enforcement's ability to access personal data held by communication service providers and the development of surveillance and monitoring capabilities within Canadian networks. The legislation is formally divided into two parts: the first half dealing with "timely access to data and information" and the second establishing the "Supporting Authorized Access to Information Act (SAAIA)."

Improved Data Access, But Oversight Concerns Remain

The "timely access to data and information" section of Bill C-22 shows considerable improvement over its predecessor, Bill C-2, which had an "astonishing" breadth. The earlier iteration targeted any service provider in Canada, including physicians and lawyers, for warrantless disclosure of personal information, directly contradicting recent Supreme Court of Canada jurisprudence. Bill C-22 now introduces a new "confirmation of service" demand power, allowing law enforcement to demand that telecom providers (not any service provider) confirm whether they provide service to a particular person. Access to other subscriber information will now be subject to a new production order, which must be reviewed and approved by a judge, addressing a longstanding police complaint that they may do considerable work seeking information about a subscriber only to learn the person isn’t a customer. The government has significantly limited the scope of warrantless information demand powers, now focusing solely on telecommunications providers and whether they provide service to a particular individual. While this shift towards judicial oversight for more personal data is a major concession, acknowledging Bill C-2's overly broad and privacy-invasive nature, concerns persist regarding the low "reasonable grounds to suspect" standard envisioned for these production orders.

Broadened Surveillance Powers Under SAAIA

Despite improvements in data access, the SAAIA component of Bill C-22 raises significant privacy and civil liberties concerns, largely mirroring or even expanding upon the problematic elements of Bill C-2. The SAAIA establishes new requirements for "electronic service providers" to actively work with law enforcement on surveillance and monitoring capabilities. This term is broadly defined as "a person that... provides an electronic service... to persons in Canada; or carries on all or part of its business activities in Canada," explicitly extending beyond traditional telecom and Internet providers to include major international Internet platforms like Google and Meta, which are now key players in electronic communications (e.g., Gmail or WhatsApp). An "electronic service" itself is defined as "a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means." All electronic service providers are obligated to "provide all reasonable assistance, in any prescribed time and manner, to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information" and are required to keep such requests secret, preventing public scrutiny.

Expanded Metadata Retention and Security Risks

Beyond these basic obligations, the SAAIA identifies "core providers" who will be subject to additional, more stringent regulations. These may include requirements for the development, implementation, assessment, testing, and maintenance of operational and technical capabilities for extracting and organizing authorized information, as well as the installation, use, operation, management, assessment, testing, and maintenance of any device, equipment or other thing that may enable an authorized person to access information. Core providers may also be required to provide notices to the Minister or other persons regarding these capabilities and devices. Crucially, the bill introduces a new requirement for core providers to retain "categories of metadata — including transmission data, as defined in section 487.011 of the Criminal Code — for reasonable periods of time not exceeding one year," a significant expansion not present in Bill C-2. While the bill specifies limits, prohibiting the retention of content, web browsing history, or social media activities, and includes an exception for systemic vulnerabilities, critics argue these safeguards are insufficient. Concerns remain that networks could be made less secure by virtue of these rules, with changes kept secret from the public, hindering transparency and accountability. Furthermore, many of these rules appear geared towards global information sharing, including compliance with the Second Additional Protocol to the Budapest Convention (2AP) and the CLOUD Act, raising questions about data sovereignty and privacy across borders. The SAAIA... envisions a significant change to how government agencies interact with Canadian communications networks and network providers raising enormous privacy and civil liberties concerns. 
This section of the bill, despite increased oversight from the Intelligence Commissioner, continues to pose serious risks regarding surveillance capabilities, security vulnerabilities, secrecy, and cross-border data sharing.
