Wednesday, July 16, 2025

Bill C-2 "Strong Borders Act" - Supporting Authorized Access to Information Act (Part 15)


On June 3, the new Canadian government tabled Bill C-2 in Parliament, called “An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures” but with a short title of the “Strong Borders Act”.

Once again, following in the footsteps of past conservative and liberal governments, it contains a trojan horse that revives what has come to be known as “Lawful Access”. I’m really getting tired of these sorts of bills. (See Canadian Privacy Law Blog: Past Canadian "lawful access" attempts, both by Liberal and Conservative governments.)

In my last episode, I discussed Part 14 of the Bill, which creates new law enforcement authorities to get customer information, either without a warrant or court order, or with an order but based on a very low standard.  In this episode, I’ll go over Part 15, which creates a standalone “Supporting Authorized Access to Information Act”. The government says this is simply to make sure that electronic service providers have the capacity and capability to “share information” with “authorized persons”. 

I think it goes beyond this. It is similar to Bill C-26 from the last Parliament, as it allows the government to dictate what technologies electronic service providers use. This time, it is to create the capability for law enforcement to plug into service providers’ systems.


Throughout this discussion, I can’t help but be reminded that the US has had something similar in their laws, and the mandated intercept capabilities were used by Chinese hackers to get access to data. 


The "Salt Typhoon" hacking incident, attributed to a Chinese state-sponsored advanced persistent threat (APT) actor, came to light in late 2024 with revelations that the group had extensively compromised the computer systems of multiple major U.S. telecommunications companies. The stolen information included call and text message metadata, and in some high-profile instances, even audio recordings of phone calls belonging to government officials and political figures. 


A critical factor facilitating the Salt Typhoon incident was the very infrastructure put in place to comply with the Communications Assistance for Law Enforcement Act (CALEA). Enacted in 1994, CALEA mandates that telecommunications providers build "lawful intercept" capabilities into their networks to allow law enforcement and intelligence agencies to conduct court-authorized wiretaps. While intended for legitimate surveillance, these mandated "backdoors" created inherent vulnerabilities within the telecom networks. Salt Typhoon exploited these CALEA-mandated systems, effectively turning the tools designed for lawful access into pathways for unauthorized espionage. 


This is what’s coming to Canada … 


The Supporting Authorized Access to Information Act creates a framework in which the Government of Canada can require electronic service providers to facilitate law enforcement and intelligence services’ access to data and information. Much of its scope is left to regulations. The sweep of what entities can be in scope of the Bill is very broad by regulating “electronic service providers”:


electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that


(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada. (fournisseur de services électroniques)


electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means. (service électronique)


This is extremely broad, and would likely capture almost all communications services that provide any service to Canadians. It likely covers VPN – or virtual private network – providers as they provide a service that involves the transmission of information. This would also scope in text messages, emails, phone calls, voice over IP calls and video calls. 


The Act specifically will target “core providers”, who are “electronic service provider[s] belonging to a class of electronic service providers set out in the schedule.” In the version of the Bill tabled at first reading, the schedule is blank.  I guess “to be determined”, but I expect it’ll be all the major telcos and internet service providers in Canada. It may include the significant messaging providers, like Apple, WhatsApp, Microsoft Teams, Zoom and email providers like Microsoft, Apple, Google. 


It is very, very broad in its possible scope. 

Ministerial regulations for “core providers”

The Act, in s. 5(2), empowers the government to create regulations placing obligations on core providers which relate to intercept and access capabilities and includes the installation of devices, etc. on behalf of “authorized persons”. 


(a)  the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;


(b)  the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information; and


(c)  notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b).


Importantly, a core provider is not required to comply with a regulation “if compliance with that provision would require the provider to introduce a systemic vulnerability in electronic protections (defined as ‘authentication, encryption and any other prescribed type of data protection’) related to that service or prevent the provider from rectifying such a vulnerability.” This would permit a regulated core provider to refuse to install a backdoor or compromise encryption if that would create a systemic vulnerability. 


Core providers can apply for an exemption for a specified period of time, in order to have time to come into compliance. 

Orders directed to specific electronic service providers

Per s. 7, the Minister is able to issue orders to any electronic service provider, regardless of whether they are a core provider, along the lines of regulations authorized under s. 5(2) for a specified period of time. In making the order, the Minister must consider:


(a)  the benefits of the order to the administration of justice, in particular to investigations under the Criminal Code, and to the performance of duties and functions under the Canadian Security Intelligence Service Act;

(b)  whether complying with the order would be feasible for the electronic service provider;

(c)  the costs to be incurred by the electronic service provider to ensure compliance with the order;

(d)  the potential impact of the order on the persons to whom the electronic service provider provides services; and

(e)  any other factor that the Minister considers relevant.


The Minister, in their discretion, may provide compensation to offset some of the costs incurred in paragraph (c). Similar to compliance with regulations, an electronic service provider is not required to comply with a portion of an order that would “require the provider to introduce a systemic vulnerability in electronic protections related to that service or prevent the provider from rectifying such a vulnerability.”


The Minister is required to permit affected electronic service providers to make representations prior to issuing an order under s. 7. 

Obligations to assist

The Act contains a very broad and problematic obligation on all electronic service providers to provide all reasonable assistance to a range of persons to “permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.” The list of persons authorized to make this demand includes the Minister, CSIS employees, police officers and civilian employees of a police force.


There is no threshold and no limitation on this power. For example, there is no requirement for approval from the Minister or any other senior person. It does not have to be reasonably necessary for any purpose related to the Act. You could have a lineup of people from every municipal police department out the door of an electronic service provider, and they have to provide this unlimited and unbounded assistance.

Prohibitions on disclosure

The Act contains, at s. 15, very broad prohibitions on disclosure by electronic service providers, including whether one is subject to an order, the contents of an order, information relied upon by the Minister in making an order, representations made by the electronic service provider or the Minister, and the fact that representations were made. This is ridiculous. It may make sense to give the Minister the power to issue gag orders from time to time, where they are of the view that disclosure of the information would compromise law enforcement or national security.


In this country secrecy should be the exception – and should have to be justified – not the default, particularly with respect to services we use every day and our civil liberties. This is so prone to overreach and possible abuse, and all of it takes place in the shadows.


It is very problematic that an electronic service provider is prohibited from disclosing “information related to a systemic vulnerability or potential systemic vulnerability in electronic protections employed by that electronic service provider”. This would mean that if any electronic service provider were to discover a vulnerability in their system, it would be prohibited by Canadian law from disclosing it to anyone. This may include a prohibition on disclosure to customers who may have been affected by a past or current vulnerability, or even that company’s own contractors who carry out security audits on its systems. For example, if a telco discovers a vulnerability in a router, they will tell the manufacturer of the router and various organizations that work diligently to make sure that the entire cybersecurity community can identify and fix vulnerabilities. 


If a telco finds a vulnerability in a system used by all Canadian telcos (because the government will get to dictate what systems telcos use), they can’t alert the other telcos about that vulnerability. 


Paragraph (g) is actively harmful to Canadians, and will be a huge boon for the bad guys who look for and exploit these vulnerabilities. It really, really has to go. 


The parameters of these prohibitions on disclosure can be subject to regulations made pursuant to s. 17 of the Act. 


Under s. 16, if an electronic service provider is to seek an application for judicial review of any order or decision under the Act, it is prohibited from doing so unless it gives fifteen days’ advance written notice to the Minister, along with a copy of the notice of application. 


Under s. 17, the Government can make regulations respecting confidentiality and security requirements with which electronic service providers and persons acting on their behalf must comply. Specifically, it authorizes regulations:


(a)  respecting the disclosure of information referred to in section 15;

(b)  establishing rules of procedure for the protection of information referred to in section 15 in administrative or judicial proceedings;

(c)  respecting requirements related to employees of electronic service providers and other persons whose services may be engaged by electronic service providers, including with respect to their security clearance and location; and

(d)  respecting security requirements with respect to the facilities and premises of electronic service providers.


This is extremely broad, and is not limited to confidentiality and security measures that are reasonably required related to the purposes of the Act. Remember, “electronic service provider” is broad enough to include service providers completely and entirely outside of Canada. 


It potentially includes requirements for all of an ESP’s facilities regardless of location, and paragraph (c) even permits regulations regarding where facilities can be located, and security clearances for employees. 


This is clear overreach. None of it is limited to protecting the security of the lawful intercept and information gathering capabilities dictated by the Act. 

Enforcement and administration

The Act gives the Minister authority to designate persons (or classes of persons) to administer and enforce the Act. These designated persons are given vast powers under s. 19 to enter any place (other than a dwelling) to verify compliance or to prevent non-compliance with the Act. Within such a place, they are authorized to:


(a) examine anything found in the place, including any document or electronic data;

(b) make copies of any document or electronic data that is found in the place or take extracts from the document or electronic data;

(c) remove any document found in the place for examination or copying;

(d) use or cause to be used any computer or data processing system at the place to examine or copy electronic data; and

(e) use or cause to be used any copying equipment at the place to make copies of any document.


The Act places an obligation on every owner of a place, a person in charge of the place and everyone in the place to give all assistance that is “reasonably required” by the designated person, including providing any document or electronic data “they may reasonably require”. In addition, in 19(6), a designated person can bring anyone with them to assist. 


This is not specifically limited to places in Canada, but likely cannot be enforced outside of Canada. Again, this is completely without limits. The designated person can say “I want your entire customer database” and the ESP ostensibly needs to comply. Even more, it would be illegal for an employee there to not assist with this outrageous demand.

Audit orders

Under s. 21, a designated person can order an electronic service provider to conduct an internal audit “of its practices, documents and electronic data to determine whether it is in compliance with any provision of this Act or the regulations.” A copy of the audit must be provided to the designated person, and if the audit uncovers any non-compliance, it must specify the non-compliance and measures taken or to be taken to comply with the relevant provision or order. 

Orders by designated persons 

The Act, at s. 23, gives the designated persons order-making powers. If they believe “on reasonable grounds” that there is or is likely to be a contravention of the Act or regulations, they can issue a written, mandatory order requiring an electronic service provider to:


(a)  stop doing something that is or is likely to be in contravention of that provision or cause it to be stopped; or

(b)  take any measure that is necessary to comply with the requirements of that provision or mitigate the effects of non-compliance.


These orders are subject to review by the Minister, on request of the electronic service provider. Unless otherwise ordered by the Minister, the order issued by the designated person must be complied with. 

Administrative monetary penalties and offences

The Act, at s. 27 et seq, provides for a full administrative monetary penalty (AMP) regime that is intended to “promote compliance with this Act and not to punish”, along with penal offences at s. 40 et seq. 


If a contravention results in an AMP, the penalty can be up to CAD $250,000, and if a violation continues more than one day, each day constitutes an additional violation. The due diligence defence is available, as are common law defences. 


The Act provides for liability by corporate “directors, officers or agents or mandataries who directed, authorized, assented to, acquiesced in or participated in the commission of the violation”. A notice of violation will set out the amount of the AMP, which can be simply paid, which amounts to an admission of the violation. Alternatively, the alleged violator can enter into a compliance agreement with the Minister or request a review by the Minister of the acts or omissions that constitute the alleged violation, or the amount of the penalty. 


In a review by the Minister for a violation, the evidentiary standard is balance of probabilities and there is no prescribed appeal from the Minister’s decision. Judicial review would likely be available in the Federal Court of Canada. 


Violations can also be penal offences, which are summary conviction offences with a maximum fine of $500,000. If a violation continues more than one day, each day constitutes an additional violation. As with AMPs, due diligence is a defence and officers/directors can also be convicted if they “directed, authorized, assented to, acquiesced in or participated in the commission of the offence”. It is also an offence to obstruct or make a false or misleading statement to (a) a person authorized to assess or test any device, equipment or other thing, or (b) a designated enforcement person. 


In a nutshell, this part of Bill C-2 has enormous impacts on electronic service providers – globally – and represents a huge overreach with enormous power and discretion given to the Minister and “designated persons”. It has the potential to introduce significant vulnerabilities into the systems we use every day for our most private communications and also may completely upend the practice of information sharing that is the foundation for keeping the internet safe and secure. 


This “Supporting Authorized Access to Information Act” should be taken out of Bill C-2 so it can get the attention, discussion and scrutiny it deserves. I am really, really afraid that it’ll be jammed through Parliament under the guise of strengthening our border to appease the current US government. And we know that once governments get powers, they never surrender them.


Bill C-2 "Strong Borders Act" - New demands and orders for customer information (Part 14)

On June 3, the new Canadian government tabled Bill C-2 in Parliament, called “An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures” but with a short title of “Strong Borders Act”. 

As the name implies, it’s mostly about border measures, customs stuff, fentanyl and immigration. But once again, following in the footsteps of past conservative and liberal governments, it contains a trojan horse that revives what has come to be known as “Lawful Access”. The Bill contains a number of search, seizure and surveillance measures that have nothing to do with the border or fentanyl. In the past, governments have tried to introduce similar measures under the guise of fighting terrorism, child abusers and cyberbullies. Now it’s apparently border security.


I’m really getting tired of these sorts of bills and for a brief moment, I was hopeful that this new government would take a different route. Apparently not. I am completely confident that the lawful access provisions of this bill have been sitting in a drawer at the Department of Public Safety, desperately waiting for an opportunity to put it in a slightly relevant bill. Sigh.


For now, I’m going to focus on Part 14 of Bill C-2 which amends the Criminal Code in a bunch of ways. Part 15 creates a whole new law called the “Supporting Authorized Access to Information Act”, which I’ll have to cover in another episode. 


Part 14 creates a new police order or “information demand”, without judicial oversight or control, to require service providers to hand over basic information about customers.  It dramatically truncates the response time for production orders and unrealistically gives service providers only five days to challenge a production order. It amends the law to clarify that cops can just ask for information and service providers can just hand it over. It may also permit the cops to use illegally hacked and leaked data in their investigations. 


It creates a new production order for subscriber information that police can get with only “reasonable grounds to suspect” an offence has taken place, not the usual “reasonable grounds to believe” an offence has taken place. And it’s broader than most general production orders I’ve seen for “basic subscriber information”.


The Bill creates a puzzling new warrant that allows a judge to authorize a peace officer or public officer to obtain tracking data or transmission data that relates to any thing that is similar to a thing in relation to which data is authorized to be obtained under the warrant and that is unknown at the time the warrant is issued. So if the cops get a warrant to track a certain thing, and then discover it's related to another thing that can also track the person, they can get data from the second thing. Hmm.


Finally, Part 14 includes a weird judicial authorization to make a request for data from a foreign entity.


The new “information demands”. 


This new section 487.0121 of the Criminal Code authorizes a “peace officer or public officer”, without judicial authorization, to make a demand of any person who “provides services to the public” requiring them to provide any of the following information.


Information demand


487.0121 (1) A peace officer or public officer may make a demand in Form 5.0011 to a person who provides services to the public requiring the person to provide, in the form, manner and time specified in the demand, the following information:

(a) whether the person provides or has provided services to any subscriber or client, or to any account or identifier, specified in the form;

(b) if the person provides or has provided services to that subscriber, client, account or identifier,

(i) whether the person possesses or controls any information, including transmission data, in relation to that subscriber, client, account or identifier,

(ii) in the case of services provided in Canada, the province and municipality in which they are or were provided, and

(iii) in the case of services provided outside Canada, the country and municipality in which they are or were provided;

(c) if the person provides services to that subscriber, client, account or identifier, the date on which the person began providing the services;

(d) if the person provided services to that subscriber, client, account or identifier but no longer does so, the period during which the person provided the services;

(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and

(f) if the person is unable to provide any information referred to in paragraphs (a) to (e), a statement to that effect.


Paragraphs (a) and (b) are clearly intended to deal with the situation where the police have a phone number, and want to go to Rogers or Bell and ask “is this number serviced by you”? And if so, where is the service provided and whether they have customer records. That tells them enough information to refer the case to the local police where the customer is. Regularly, the RCMP in Ottawa receive information from a foreign police agency that’s just associated with an IP address. They may know it’s a Rogers IP address, but they don’t know where the potential suspect is. Now Rogers will have to tell them, without a warrant or court order, “yes, that’s our customer and they live in Montreal.” No directly identifying information is supposed to be shared.


I don’t have a big problem with this. I am concerned about paragraph (e), however. 


(e)  the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and


So if the service provider knows that the customer in question gets services from anyone else, that also has to be disclosed. So if the Eastlink customer has a Hotmail address on file, I think they have to disclose that the person is also a Microsoft customer. What could be more problematic is that, if a company supports OAuth logins (like using your Microsoft account to log into other services), this may require disclosing where those logins take place.


The threshold for making such a demand is that they have “reasonable grounds to suspect” (a very low threshold) that (a) an offence has been or will be committed under any Act of Parliament and (b) the information demanded will assist with the investigation of the offence. The peace officer or public officer can impose a non-disclosure order. 


The person receiving the order has only 5 days to seek to have the demand varied or revoked, and has to give notice to the peace officer or public officer of its intent to have the demand varied or revoked. Five days is not much, in my view. The threshold for varying or revoking a demand is if “(a) it is unreasonable in the circumstances to require the applicant to provide the information; or (b) provision of the information would disclose information that is privileged or otherwise protected from disclosure by law.” Demands like these seem unlikely to disclose privileged information.


The next significant thing in Part 14 of Bill C-2 is a “production order for subscriber information”. Unlike in previous “lawful access” attempts, this does require judicial authorization, but the threshold is very, very low. It’s just above the police having a “hunch”.

We have a new section 487.0142, which creates a new production order for subscriber information with a very low threshold of simply “reasonable grounds to suspect” that (a) an offence has been or will be committed under the Criminal Code or any other Act of Parliament; and (b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.


487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.


Unlike a General Production Order, this order requires the production of “all the subscriber information” in the recipient’s possession. The General Production Orders that I see on a regular basis name the specific data being sought. These orders are for “all subscriber information”, which is broadly defined:


subscriber information means, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person,


(a) information that the subscriber or client provided to the person in order to receive the services, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services. (renseignements relatifs à l’abonné)


Look at (a): it likely also includes billing information. If it’s a paid service, like a cell phone, bank account or credit card information would have been provided when the account was set up. I do not regularly see this in general production orders for subscriber information. 


It is worth pointing out that these orders can be obtained to investigate any “offence” in any Act of Parliament. This is not limited to the Criminal Code or the Controlled Drugs and Substances Act or the Customs Act. This includes the Canada National Parks Act. 


And I really must emphasise that “reasonable grounds to suspect” is a very low threshold. It is the lowest in our legal system, since our system doesn’t recognize “hunches” or “spidey senses”. 


This is in direct response to the Supreme Court of Canada’s decision in R. v. Spencer where the court said that the police can’t just ask for subscriber information, but it must be on the basis of exigent circumstances or in accord with a “reasonable law”. The government clearly thinks this is a “reasonable law” that gets them there. 


Next up are Applications for requests of transmission data or subscriber information from a foreign entity.


The new s. 487.0181 is a bit unusual, as it creates a power to authorize a “request” (not an order) directed at a “foreign entity that provides telecommunications service to the public.” The request is approved by a judge on an application by a peace officer or a public officer. 


487.0181 (1) On ex parte application made by a peace officer or public officer, a justice or judge may authorize a peace officer or public officer to make a request to a foreign entity that provides telecommunications services to the public to prepare and produce a document containing transmission data or subscriber information that is in the foreign entity’s possession or control when it receives the request.


The request is limited to transmission data or subscriber information. 


The threshold for issuing such a request is again “reasonable grounds to suspect that (a) an offence has been or will be committed under this or any other Act of Parliament; and (b) the transmission data or the subscriber information is in the foreign entity’s possession or control and will assist in the investigation of the offence.”


It is really weird. So the police go to a judge to get an authorization to make a non-compulsory request to a foreign entity. Essentially all this does is make sure that the cop swears in front of a judge that they have reasonable grounds to suspect, and the judge concurs with this. But it’s not compulsory.


I expect that this is in response to the controversy surrounding the Brecknell case from British Columbia that questioned whether production orders can be issued naming entities physically outside of Canada.


This may also be intended to take account of arrangements like a CLOUD Act agreement, contemplating the inclusion of information that may be necessary under the laws of a foreign state:


Form


(4) The production request is to be in Form 5.00803 and may include any information that is required by the foreign entity, by the foreign state in which the foreign entity is located or under an international agreement or arrangement to which Canada and the foreign state are parties.


Again, these are not court orders, but are issued like a court order. What the cop sends to the foreign service provider is the request, and a copy of the authorization. 


I think this will cause a lot of confusion. A large number of non-Canadian service providers will respond to general production orders, particularly where the investigation relates to a person they identify as being in Canada. For some such entities, their privacy policies say they’ll only disclose information where “required by law”, and if they are following PIPEDA with respect to Canadian customer data – as they should –  “required by law” is one of the exceptions that allows a disclosure to police. These requests don’t trigger the “required by law” exception in our privacy law. Also, some US service providers require that the thresholds largely align with the American “probable cause” standard. Reasonable grounds to suspect does not meet that threshold.


So cops may think they just have to send a request and the foreign service provider may say that’s not sufficient, we want a production order. So back to the judge.


I note these can be combined with an order of non-disclosure, which is binding at least under Canadian law. Whether it can really bind a foreign company is not clear. 


What’s also puzzling is that officials from the government, during the technical briefing on the Bill, said none of our “five eyes partners” (meaning the US, UK, Australia and New Zealand) require an order for police to get subscriber information. That’s not my experience.


Now onto “exigent circumstances”...


Clause 167 of the Bill codifies what I understand to be the common law related to “exigent circumstances.” Just so we’re on the same page: “Exigent circumstances” exist where (a) there is an imminent threat to the public or public safety; or (b) a risk of loss or destruction of evidence.


The Code has generally permitted peace officers to search and seize in “exigent circumstances” if the conditions for obtaining a warrant exist, but exigent circumstances mean it would be impracticable to obtain a warrant. The provision, s. 487.11 of the Code, is being replaced to scope in powers that are available under certain production orders. The underlined portions are what have been added to the existing s. 487.11.


Essentially, this means that a peace officer or public officer may make a demand that has the force of law without a court order where exigent circumstances make seeking the order impracticable. 


It is unclear to me whether a demand under (b) would have the same force and effect as a production order for the same data, and whether non-compliance could result in the same penalties. 


Bill C-2 amends section 487.0193 to dramatically and problematically truncate the window of time to commence a review to revoke or vary a production order issued under sections 487.014 to 487.018 of the Criminal Code. The new timeframe is FIVE DAYS after the date of the Order. Previously, the window ran until the deadline referred to in the order, which is generally 30 days.


This is unworkable in my view. I regularly see production orders that were delivered to the service provider days after they were issued. I sometimes interact with cops who already have an order and want to know where to send it. After this amendment, the clock is ticking rather loudly. If a cop gets an order on a Thursday before a long weekend and delivers it on a Friday, it may not come to anyone’s attention until Tuesday. And a decision to challenge a production order isn’t usually made by the person in corporate security who first reviews it. It’ll have to go up a chain of command. By the time a decision-maker gets their eyes on it, the window will have closed. And they can’t even make an application unless they get ahold of the cop to tell them that it will be challenged.


In my experience, this will be completely unworkable for most service providers. 


For some time, s. 487.0195 of the Code has contained provisions that say a police officer can always ask for information that would otherwise be subject to a production order, and can obtain that information where the person is not prohibited by law from disclosing it. Clause 164 of Bill C-2 amends this section to add subsections that clarify that this includes data that could be the subject of an information demand under the new section 487.0121.


The section appears intended to provide immunity to a service provider who voluntarily provides information that would otherwise be subject to a production order. So a cop asks a bank or a telco to “voluntarily” provide customer data, and the bank or telco says “sorry, we can’t because privacy laws prohibit it and we’ve agreed with our customers that we’ll only provide data where required by law.” The cop can point to this section and say “so what? They can’t successfully sue you and you have no civil or criminal liability for providing the data”. I’d respond by saying that our privacy laws are not about criminal or civil liability: come back with a warrant.


And paragraph (4) says that cops can always use information that is “available to the public.” I’ve heard some raise concerns that this would include data that is publicly leaked via hacking or other nefarious means. So they can go trolling through the Ashley Madison leaks, I guess. 


I’ll have to save the deeply Supporting Authorized Access to Information Act for another episode, so stay tuned for that.


Overall, I really hope that the government gets a lot of shaming for putting this trojan horse in the border bill. These expanded law enforcement powers are consequential and deserve to be appropriately discussed and debated. I think that’s why the government decided to go this route, to avoid the huge outcry we’ve seen in the past related to prior lawful access attempts.