Slick Videos Won’t Save Lawful Access: Why The Government’s Bill C-22 Defence Avoids the Charter, Privacy and Security Concerns Raised By Critics

With opposition to Bill C-22, the lawful access bill, mounting, Public Safety Minister Gary Anandasangaree has turned to social media with a video defending the bill as one that “respects Canadian privacy and Charter rights.” The video signals that the government has noticed the growing public concern. But the case against the bill, which I argued in committee testimony last week and in a series of earlier posts, raises at least four issues on which the government has not engaged: mandated metadata retention (which is ignored in its Charter Statement), a lower threshold for access to subscriber information that hurts privacy, security risks now alarming Canada’s closest allies, and an oversight architecture the oversight body itself says is incomplete.

The mandatory metadata retention obligation in the bill would compel providers to retain transmission data, including the date, time, duration, and type of communication, the identifiers of the devices involved, and information identifying device location, on virtually every Canadian for up to a year, without any individualized suspicion. As I set out in this post, the government’s own Charter Statement on the bill remarkably says nothing about this provision. That silence is striking given the Spencer and Bykovets decisions that recognize the informational privacy interest in data that links online activity to identity, and given that the Court of Justice of the European Union struck down precisely this kind of regime in Digital Rights Ireland and extended that reasoning to mandated private-sector retention in Tele2 Sverige. Robert Diab has reached the same conclusion on the Charter Statement’s silence on metadata retention. The refusal to address the most Charter-vulnerable element of its own bill leaves the government unable to credibly insist that the bill respects the Charter.

Further, claims that the bill respects privacy ring hollow in light of the reduced threshold for access to subscriber information. Bill C-22 creates a new, dedicated production order for subscriber information, but sets the standard at “reasonable grounds to suspect”. This is the lowest evidentiary threshold in Canadian criminal law and below the “reasonable grounds to believe” standard that has governed subscriber data production orders for more than a decade. Law enforcement has used the production order hundreds of thousands of times, yet now wants to reduce the standard, thereby undermining the privacy balance.

Meanwhile, the government’s position on encryption and systemic vulnerability is facing criticism from a wide range of groups. Despite insisting that the bill brings Canada into line with its Five Eyes partners, Apple, Meta, the Canadian Chamber of Commerce, the Cybersecurity Advisors Network, and even the chairs of the U.S. House Judiciary and Foreign Affairs Committees have all warned that Bill C-22’s technical capability requirements would create systemic vulnerabilities that adversaries could exploit. When the U.S. Congress writes to Canada’s Public Safety Minister to say a Canadian bill threatens U.S. national security and the integrity of cross-border data flows, the government’s defence that the bill is needed to catch-up to allies no longer holds water.

Finally, even established oversight committees are sounding the alarm. In a letter to the SECU committee studying Bill C-22, the National Security and Intelligence Review Agency wrote that the bill creates oversight at the front end of a Ministerial order, through Intelligence Commissioner approval, but provides no mechanism for NSIRA to review the activities conducted under that order afterward. It proposed targeted amendments to require the same level of notification and information sharing that its counterpart receives under Australia’s lawful access regime. Insisting that the bill includes meaningful independent review is on shaky ground when the body responsible for independent review tells Parliament it does not have the necessary level of access for effective review.

These issues have been raised by virtually every expert submission on Bill C-22, yet the government implausibly argues that its bill respects privacy and Charter rights. Rather than another video, it should commit to extending the committee hearings to ensure proper expert scrutiny, address the Charter issues the Charter Statement has thus far avoided, and open the door to the real amendments to the bill.