Midnight Madness: The Government Rushes Lawful Access Bill Through the House Without Debate or a Recorded Vote

Bill C-22, the lawful access bill, passed the House of Commons yesterday with the government invoking a single motion to approve several bills without further debate or individual votes as MPs raced for home for the summer. Bill C-22 will now head to the Senate, where it can expect a rougher ride when study begins in the fall. Rather than use the final days of the House session to answer the privacy, security, and oversight concerns raised by the Privacy Commissioner, academics, technology companies, and civil society groups, the government spent the time ensuring it would not have to, rushing the bill through committee, cutting off debate, and maligning critics with tactics that they once decried when in opposition.

The final days of Bill C-22 in the House marked a genuine abrogation of democratic norms. The government moved a motion to shut down the clause-by-clause study in the Standing Committee on Public Safety and National Security, preventing the committee from adjourning until the bill had been pushed through. That led to a session that stretched past midnight, as MPs were barred from introducing new amendments and left to vote on amendment after amendment without any discussion, debate, or even public disclosure of the contents of the amendments. By the end of the committee session, no one could have known the contents of the bill that MPs had duly approved and sent back to the House for final approval. As noted, once back in the House, there was no further debate, discussion or even a vote. Just a motion that said the deal was done.

If the process was troubling, the rhetoric was embarrassing. I wrote earlier this week about Public Safety Minister Gary Anandasangaree’s Vic Toews moment, as he said it was time for opposition parties to “choose” whether to stand with law enforcement and victims of crime (a refrain that sounded a lot like Toews’ 2012 comment to Liberal MP Francis Scarpaleggia, who is now the Speaker of the House, that he could “either stand with us or with the child pornographers”). Government House Leader Steven MacKinnon pushed that posture further on Thursday by dismissing the bill’s critics as wearing “tinfoil hats” engaged in “paranoia.” The charge fits a broader pattern in which this government treats independent privacy scrutiny as an obstacle rather than a safeguard, seen most clearly in the Bill C-36 approach to strip the Privacy Commissioner of authority over private-sector privacy law altogether.

The committee did approve some government amendments to the bill that improve aspects of the lawful access plan but they are still likely to leave companies, security experts, and privacy advocates concerned. For example, the maximum metadata retention period the government can impose drops from one year to six months, and a category of metadata can now be mandated only where the Minister is satisfied that the category and all of its elements are essential to investigations. That is better, but still not good enough as it is not tied to any actual evidence about why six months is needed and both the costs and risks associated with metadata retention, which is not a requirement in the U.S., are largely unchanged.

The definition of systemic vulnerability was amended, with the original “substantial risk” replaced by a “credible risk, based on recognized international technical standards,” though the committee also added a carve-out stating that a flaw exposing only a target’s data is not systemic. A new decryption provision, borrowed from U.S. law, states that nothing in the Act compels a provider to decrypt user-encrypted data unless the provider supplied the encryption and holds the key. Ministerial orders, which originally carried no maximum duration, are now capped at two years without the open-ended review-and-extend mechanism, and compliance with those orders was made expressly subject to the systemic vulnerability exception, which answers the internal contradiction I flagged between provisions that told providers they were not required to comply and provisions that told them they must.

Yet none of this cures the core of the bill. The secret ministerial orders survive, the mandatory metadata retention regime survives, the capability requirements survive, the expansive electronic service provider definition survives, and the Privacy Commissioner remains excluded from any oversight role. Google, which warned the committee that the bill would establish a surveillance infrastructure that compromises cybersecurity, said after the amendments that the changes have not eased its concerns, and the Chamber of Progress, an industry coalition, dismissed them as “half measures” and “cosmetic changes to a fundamentally flawed bill.” The companies that have signalled they may limit services or leave Canada are unlikely to read the amendments any differently, and the changes are themselves the clearest evidence that the concerns were serious rather than imagined, since a government does not amend a bill to address tinfoil hats.

Privacy will be at the centre of the parliamentary agenda when Parliament resumes in September, with the Senate studying Bill C-22 and the House examining Bill C-36, the privacy reform bill that I’ve characterized as taking one step forward, and two steps back. I expect the Senate will reject the government’s efforts to malign those concerned with the bill by ultimately sending it back to the House with amendments, thereby requiring MPs from all parties to do what they should have done yesterday: go on the record with their views on the lawful access bill.