Sunday, April 26, 2026

The government's misleading and incomplete Charter Statement for Bill C-22, the Lawful Access Act


[Note: I have 55 exams to mark, so the video and podcast versions of this will unfortunately have to wait.]

Finally, the federal government has released the so-called “Charter Statement” for Bill C-22, the Lawful Access Act of 2026. Forty-three days after the bill was tabled in Parliament. I don’t know why it took so long, since they just took the Charter Statement for Bill C-2 and did some editing.

In the Charter Statement, the Minister of Justice significantly mischaracterizes his own bill in a manner that makes it appear more Charter-compliant. Given how the government has spoken about this bill, I’m NOT going to say these are honest mistakes. And the Charter Statement doesn’t even address one of the MOST problematic elements of the revised bill: mandatory metadata retention. 


As it is, I do not think that Bill C-22 is Charter-compliant, but with some changes, I think that it can be made Charter-compliant.


Some background on what Charter Statements are about can be found in the Charter Statement itself:


Section 4.2 of the Department of Justice Act requires the Minister of Justice to prepare a Charter Statement for every government bill to help inform public and Parliamentary debate on government bills. One of the Minister of Justice’s most important responsibilities is to examine legislation for inconsistency with the Canadian Charter of Rights and Freedoms. By tabling a Charter Statement, the Minister is sharing some of the key considerations that informed the review of a bill for inconsistency with the Charter. A Statement identifies Charter rights and freedoms that may potentially be engaged by a bill and provides a brief explanation of the nature of any engagement, in light of the measures being proposed.


Essentially, this is a half-hearted attempt to say this is how the government thinks this can be called Charter compliant, rather than being an honest assessment of the Charter compliance of Bill C-22. If a student handed this to me as an assessment of the Bill, it would be a bad day for that student. 


So let’s dig into it.


It starts by saying “What follows is a non-exhaustive discussion of the ways in which Bill C-22 potentially engages the rights and freedoms guaranteed by the Charter.” As you’ll see, it’s far from “exhaustive.” That said, this essay will not be exhaustive since I’m only going to focus on the deficiencies in the Charter Statement. 


With respect to the Production Order for Subscriber Information, they simply misstate what the Bill actually says.  The Charter Statement says:


The following considerations support the consistency of the amendments with section 8. The subscriber information sought does not by itself constitute particularly sensitive information, since it is limited to information that identifies clients and services, and does not include the contents of communications. The judge would have discretion as to whether to issue an order, and if they choose to issue an order, the judge would have discretion as to what information is specified in it. [emphasis added]


This last part is not true. It is simply false. The way the Bill is currently written, the judge has NO discretion. Here’s what it says in the proposed new section 487.0142 of the Criminal Code:


487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.


It says “all the subscriber information”. The words “that is specified in the order” refer to the “that relates to any information, including transmission data” part. The judge has no discretion to order the production of a subset of Subscriber Information. It is all or nothing. And what is “all” is also a problem.


The Charter Statement also says:


The subscriber information sought does not by itself constitute particularly sensitive information, since it is limited to information that identifies clients and services, and does not include the contents of communications.


Subscriber information is actually more than that, and can be much more sensitive than they suggest.


subscriber information, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person, means

(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.


(a) and (b) in the definition mostly do that, but paragraph (c) goes much further than that. It refers to the “types of services provided” and “devices, equipment or things” used by the customer. Remember, this order can be directed to anyone who provides services to the public, which can be a medical clinic. What sort of services you get from a medical clinic is certainly sensitive information in which there is a very high privacy interest. Those devices can include things like pacemakers, CPAP machines and insulin pumps. Again, a very high privacy interest.


If your internet service provider is also your cable company and your cellphone provider, asking for subscriber information based on an IP address can result in information about your cable packages, your cell number, your cell’s IMEI and IMSI numbers, and the serial number of your cable modem. That is way more information than is necessary to simply connect an IP address to a person.


But of course, the government shrugs that off.


Next up is the provision regarding “publicly available information.” This provision says:


(4) For greater certainty, no production order or warrant, or confirmation of service demand made under section 487.0121, is necessary for a peace officer or public officer to receive, obtain and act on any information that is available to the public.


The Charter Statement says “Where information is available to the public, a person will usually have no reasonable expectation of privacy in it.” I think that’s generally right. But notice the use of the word “usually”. Some critics of Bill C-2 and now Bill C-22 are concerned that this appears to authorize the cops to use information that was hacked by a third party and leaked on the internet. These hacks and leaks take place all the time. I am also concerned about the police buying location data from companies in the advertising ecosystem. That’s “available to the public”, but I’d argue that the individuals retain a significant privacy interest in that data when it’s associated with them.


The Citizen Lab recently reported that US law enforcement, like ICE and the Department of Homeland Security, have been buying this location information for use in their surveillance operations.


I’m not sure that would survive Charter scrutiny in Canada. 


Let’s move on to Part 2, which will create the “Supporting Authorized Access to Information Act.” I have said, in general terms, that Part 1 is about new ‘authorities’ to obtain information and Part 2 is generally about new mandatory ‘capabilities’ to obtain information. That’s true in general terms, but Part 2 actually does create new authorities.


At the beginning of the Charter Statement, it largely says “all good” …


The provisions would not grant any new authorities to lawfully access information and data or expand or derogate from any existing authorities for such access.


Now, that’s not entirely true. Part 2 does create two new authorities for accessing data. While they seem intended to allow access to information about “electronic service providers”, the guardrails are lacking. 


First of all, we have section 14 which requires electronic service providers to allow the Minister’s designates to assess and test any device, equipment or other thing that may enable an authorized person to access information.


Obligation to assist

14 (1) On request made by the Minister, an electronic service provider must provide all reasonable assistance to a person or class of persons specified in the request to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.

For greater certainty

(4) For greater certainty, the assessment or testing must not have the effect of granting access to personal information.

They’ve sensibly added a bit of a guardrail in subsection (4) that says they can’t use this authority to get access to personal information. That is a new authority to obtain information. 


More troubling is section 20, which creates a search authority on the part of the Minister’s designates to enter any premises other than a dwelling, without a warrant and without notice. They don’t even need to suspect any sort of infraction. It just has to be related to an activity regulated by the Act. Once they’re in, they can examine anything, make copies of it, remove documents, use computers found there, and more:


Authority to enter place
20 (1) Subject to subsection 21(1), a designated person may, for the purpose of verifying compliance or preventing non-compliance with this Act, at any reasonable time enter any place if they have reasonable grounds to believe that anything relevant to that purpose, including any document or electronic data, is located in that place or that an activity regulated by this Act is conducted in that place.

Powers on entry
(3) The designated person may, for a purpose referred to in subsection (1),
(a) examine anything found in the place, including any document or electronic data;
(b) make copies of any document or electronic data that is found in the place or take extracts from the document or electronic data;
(c) remove any document found in the place for examination or copying;
(d) use or cause to be used any computer or data processing system at the place to examine or copy electronic data; and
(e) use or cause to be used any copying equipment at the place to make copies of any document. 

 


The Charter Statement says not to worry about it. First they say “Privacy interests are diminished in the regulatory and administrative contexts.” That’s largely correct. Then it says:


“Further, information gathered in this context would generally relate to technical capabilities of ESPs, which would not attract a heightened privacy interest. In addition, the powers would not be available for the purpose of advancing a criminal investigation.” [emphasis added]


The word “generally” is doing a lot of work there. It then says: “The proposed powers are similar to regulatory inspection powers that have been upheld in other contexts.”


Yes, it is true that warrantless inspection powers have been upheld in other regulatory contexts. However, this is unlike other regulatory contexts. For example, inspectors from the Department of Fisheries can – without a warrant – enter a fish plant or a fishing boat, and review all the records of the company’s activities. They can go in and count the halibut.


This context is qualitatively different from that. By definition, an electronic service provider is the custodian of very sensitive information of its customers, and all of those customers, whether they're good guys or bad guys – and the majority will be good guys – have a Charter-protected right to be free from unreasonable search and seizure. The records of your internet service provider are very different from the records of a fish plant, and the government has not included any guardrails.


The most problematic part of this Charter Statement is what is not said. Perhaps the most problematic part of Bill C-22 – mandatory metadata retention – is not even mentioned. Just because it is one subsection among many is not an excuse.


Core providers — obligations

(2) The Governor in Council may make regulations respecting the obligations of core providers, including regulations respecting ...

(d) the retention of categories of metadata — including transmission data, as defined in section 487.011 of the Criminal Code — for reasonable periods of time not exceeding one year.


The loudest and most credible commentators on Bill C-22 have pointed to this and have said it will likely violate the Charter. (Michael Geist: “The Lawful Access Privacy Risks: Unpacking Bill C-22’s Expansive Metadata Retention Requirements” and Robert Diab: “Is the Power to Preserve Everyone’s Metadata Constitutional?”)


In the European Union, the Court of Justice struck down the EU Data Retention Directive in 2014 because the general and indiscriminate retention of all users’ telecommunications metadata was a disproportionate interference with the fundamental right to privacy. The Courts there have held that specific metadata retention associated with specific threats or targets can be justified, but blanket metadata retention cannot. It is simply incompatible with EU fundamental rights. 


Currently in Canada, in some circumstances, the police can simply order the retention of information or can get a court order requiring it to be done. Mandatory, blanket metadata retention is wildly problematic and the Charter Statement doesn’t even mention it. 


Finally, we have the blanket confidentiality that makes it an offence for anyone to disclose the contents of a ministerial order, the fact that it exists, what information the Minister used to make the order, any communications between the Minister and the electronic service provider and any “prescribed information”, meaning information that is prescribed in the regulations.


Prohibition on disclosure

15 An electronic service provider and any person acting on its behalf must not disclose any of the following information except as permitted under this Act or the Canada Evidence Act:

(a) information contained in an order made under subsection 6(1) [temporary exception for a core provider] or 7(1) [ministerial order];

(b) information on which the Minister relied in making the order;

(c) the fact that the electronic service provider is subject to the order;

(d) information provided in the course of representations made under section 8 or in any response given by the Minister and the fact that the Minister has invited the representations;

(e) information contained in an application referred to in subsection 6(1) or in a decision made under subsection 6(4);

(f) information submitted under subsection 11(2) and any information received from the Minister in response;

(g) any prescribed information.


I have previously shared my view that this is over the top and the Minister should have to justify any confidentiality orders on a case-by-case basis. 


The Charter Statement says:

To achieve this objective, the provisions would place limits on communication about the technical capabilities of ESPs, which are commercial entities. While restrictions on commercial speech can engage the right to freedom of expression, they usually do not implicate the core values of the right. These include the search for political, artistic and scientific truth, the protection of individual autonomy and self-development, and the promotion of public participation in the democratic process. Rather, the restrictions would be narrowly focused on the existence and contents of orders and exemptions, all linked to the objective of protecting sensitive information. Limits on expression that do not engage the core values of the right are more easily justified. [emphasis added]

That may be generally true, but public discussion about massive surveillance of Canadians and potential government overreach and abuse is actually very, very close to the core of “Charter values” – it’s about the protection of individual autonomy and public participation in the democratic process. They’re missing the mark here, widely. 

And then there’s the cumulative effect of all of this. The government can require an ESP to retain a year of metadata, which can include the minute-by-minute location of every phone in Canada. And then they can send in inspectors to say “hey, we’re here to inspect your metadata databases.” And by the way, we’re making a copy for easier inspection back at the office. That amounts to a HUGE invasion of privacy.


The Charter Statement, not surprisingly, says: “it’s fine.”


It’s not fine.



 



