The government's misleading and incomplete Charter Statement for Bill C-22, the Lawful Access Act

[Note: I have 55 exams to mark, so the video and podcast versions of this will unfortunately have to wait.]

Finally, the federal government has released the so-called “Charter Statement” for Bill C-22, the Lawful Access Act of 2026. Forty three days after the bill was tabled in Parliament. I don’t know why it took so long, since they just took the Charter Statement for Bill C-2 and did some editing.

In the Charter Statement, the Minister of Justice significantly mischaracterizes his own bill in a manner that makes it appear more Charter-compliant. Given how the government has spoken about this bill, I’m NOT going to say these are honest mistakes. And the Charter Statement doesn’t even address one of the MOST problematic elements of the revised bill: mandatory metadata retention. 

As it is, I do not think that Bill C-22 is Charter compliant, but with some changes, I think that it can be made Charter-compliant. 

Some background on what Charter Statements are about can be found in the Charter Statement itself:

Section 4.2 of the Department of Justice Act requires the Minister of Justice to prepare a Charter Statement for every government bill to help inform public and Parliamentary debate on government bills. One of the Minister of Justice’s most important responsibilities is to examine legislation for inconsistency with the Canadian Charter of Rights and Freedoms. By tabling a Charter Statement, the Minister is sharing some of the key considerations that informed the review of a bill for inconsistency with the Charter. A Statement identifies Charter rights and freedoms that may potentially be engaged by a bill and provides a brief explanation of the nature of any engagement, in light of the measures being proposed.

Essentially, this is a half-hearted attempt to say this is how the government thinks this can be called Charter compliant, rather than being an honest assessment of the Charter compliance of Bill C-22. If a student handed this to me as an assessment of the Bill, it would be a bad day for that student. 

So let’s dig into it.

It starts by saying “What follows is a non-exhaustive discussion of the ways in which Bill C-22 potentially engages the rights and freedoms guaranteed by the Charter.” As you’ll see, it’s far from “exhaustive.” That said, this essay will not be exhaustive since I’m only going to focus on the deficiencies in the Charter Statement. 

With respect to the Production Order for Subscriber Information, they simply misstate what the Bill actually says.  The Charter Statement says:

The following considerations support the consistency of the amendments with section 8. The subscriber information sought does not by itself constitute particularly sensitive information, since it is limited to information that identifies clients and services, and does not include the contents of communications. The judge would have discretion as to whether to issue an order, and if they choose to issue an order, the judge would have discretion as to what information is specified in it. [emphasis added]

This last part is not true. It is simply false. The way the Bill is currently written, the judge has NO discretion. Here’s what it says in the proposed new section 487.0142 of the Criminal Code:

487.‍0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

It says “all the subscriber information”. The words “that is specified in the order” refers to the “that relates to any information, including transmission data” part. The judge has no discretion to order the production of a subset of Subscriber Information. It is all or nothing. And what is “all” is also a problem. 

The Charter Statement also says:

The subscriber information sought does not by itself constitute particularly sensitive information, since it is limited to information that identifies clients and services, and does not include the contents of communications.

Subscriber information is actually more than that, and can be much more sensitive than they suggest.

subscriber information, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person, means

(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.

(a) and (b) in the definition mostly do that, but paragraph (c) goes much further than that. It refers to the “types of services provided” and “devices, equipment or things” used by the customer. Remember, this order can be directed to anyone who provides services to the public, which can be a medical clinic. What sort of services you get from a medical clinic is certainly sensitive information in which there is a very high privacy interest. Those devices can include things like pace-makers, CPAP machines and insulin pumps. Again, a very high privacy interest. 

If your internet service provider is also your cable company and your cellphone provider, asking for subscriber information based on an IP address can result in information about your cable packages, your cell number, your cell’s IMEI and IMSI numbers, and the serial number of your cable modem. That is way more information than is necessary to simply connect an IP address to a person.

But of course, the government shrugs that off.

Next up is the provision regarding “publicly available information.” This provision says:

(4) For greater certainty, no production order or warrant, or confirmation of service demand made under section 487.‍0121, is necessary for a peace officer or public officer to receive, obtain and act on any information that is available to the public.

The Charter statement says “Where information is available to the public, a person will usually have no reasonable expectation of privacy in it.” I think that’s generally right. But notice the use of the words “usually”. Some critics of Bill C-2 and now Bill C-22 are concerned that this appears to authorize the cops to use information that was hacked by a third party and leaked on the internet. These hacks and leaks take place all the time. I am also concerned about the police buying location data from companies in the advertising ecosystem. That’s “available to the public”, but I’d argue that the individuals retain a significant privacy interest in that data when it’s associated with them. 

The Citizenlab recently reported that US law enforcement, like ICE and the Department of Homeland Security, have been buying this location information for use in their surveillance operations. 

I’m not sure that would survive Charter scrutiny in Canada. 

Let’s move onto Part 2, which will create the “Supporting Authorized Access to Information Act.” I have said, in general terms, that Part 1 is about new ‘authorities’ to obtain information and Part 2 is generally about new mandatory ‘capabilities’ to obtain information. That’s true in general terms, but Part 2 actually does create new authorities. 

At the beginning of the Charter Statement, it largely says “all good" …

The provisions would not grant any new authorities to lawfully access information and data or expand or derogate from any existing authorities for such access.

Now, that’s not entirely true. Part 2 does create two new authorities for accessing data. While they seem intended to allow access to information about “electronic service providers”, the guardrails are lacking. 

First of all, we have section 14 which requires electronic service providers to allow the Minister’s designates to assess and test any device, equipment or other thing that may enable an authorized person to access information.

Obligation to assist

14 (1) On request made by the Minister, an electronic service provider must provide all reasonable assistance to a person or class of persons specified in the request to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.

…

For greater certainty

(4) For greater certainty, the assessment or testing must not have the effect of granting access to personal information.

They’ve sensibly added a bit of a guardrail in subsection (4) that says they can’t use this authority to get access to personal information. That is a new authority to obtain information. 

More troubling is section 20, which creates a search authority on the part of the Minister’s designates to enter any premises other than a dwelling, without a warrant and without notice. They don’t even need to suspect any sort of infraction. It just has to be related to an activity regulated by the Act. Once they’re in, they can examine anything, make copies of it, remove documents, use computers found there, and more:

Authority to enter place
20 (1) Subject to subsection 21(1), a designated person may, for the purpose of verifying compliance or preventing non-compliance with this Act, at any reasonable time enter any place if they have reasonable grounds to believe that anything relevant to that purpose, including any document or electronic data, is located in that place or that an activity regulated by this Act is conducted in that place.
…
Powers on entry
(3) The designated person may, for a purpose referred to in subsection (1),

(a) examine anything found in the place, including any document or electronic data;

(b) make copies of any document or electronic data that is found in the place or take extracts from the document or electronic data;

(c) remove any document found in the place for examination or copying;

(d) use or cause to be used any computer or data processing system at the place to examine or copy electronic data; and

(e) use or cause to be used any copying equipment at the place to make copies of any document. 

 

The Charter Statement says not to worry about it. First they say “Privacy interests are diminished in the regulatory and administrative contexts.” That’s largely correct. Then it says:

“Further, information gathered in this context would generally relate to technical capabilities of ESPs, which would not attract a heightened privacy interest. In addition, the powers would not be available for the purpose of advancing a criminal investigation.” [emphasis added]

The word “generally” is doing a lot of work there. It then says: “The proposed powers are similar to regulatory inspection powers that have been upheld in other contexts.”

Yes, it is true that warrantless inspection powers have been upheld in other regulatory contexts. However, this is unlike other regulatory contexts. For example, inspectors from the Department of Fisheries can – without a warrant – enter a fish plant or a fishing boat, and review all the records of the company’s activities. They can go in and count the halibut.

This context is qualitatively different from that. By definition, an electronic service provider is the custodian of very sensitive information of its customers and all of those customers, whether they're good guys or bad guys – and the majority will be good guys – have a Charter protected right to be free from unreasonable search and seizure. The records of your internet service provider are very different from the records of a fish plant, and the government has not included any guardrails. 

The most problematic part of this Charter Statement is what is not said. Perhaps the most problematic part of Bill C-22 – mandatory metadata retention – is not even mentioned. Just because it is one subsection among many is not an excuse.

Core providers — obligations

(2) The Governor in Council may make regulations respecting the obligations of core providers, including regulations respecting ...

(d) the retention of categories of metadata — including transmission data, as defined in section 487.‍011 of the Criminal Code — for reasonable periods of time not exceeding one year.

The loudest and most credible commentators on Bill C-22 have pointed to this and have said it will likely violate the Charter. (Michael Geist: The Lawful Access Privacy Risks: Unpacking Bill C-22’s Expansive Metadata Retention Requirements and Robert Diab: Is the Power to Preserve Everyone’s Metadata Constitutional?)

In the European Union, the Court of Justice struck down the EU Data Retention Directive in 2014 because the general and indiscriminate retention of all users’ telecommunications metadata was a disproportionate interference with the fundamental right to privacy. The Courts there have held that specific metadata retention associated with specific threats or targets can be justified, but blanket metadata retention cannot. It is simply incompatible with EU fundamental rights. 

Currently in Canada, in some circumstances, the police can simply order the retention of information or can get a court order requiring it to be done. Mandatory, blanket metadata retention is wildly problematic and the Charter Statement doesn’t even mention it. 

Finally, we have the blanket confidentiality that makes it an offence for anyone to disclose the contents of a ministerial order, the facts that it exists, what information the Minister used to make the order, any communications between the Minister and the electronic service provider and any “prescribed information”, meaning information that is prescribed in the regulations. 

Prohibition on disclosure

15 An electronic service provider and any person acting on its behalf must not disclose any of the following information except as permitted under this Act or the Canada Evidence Act:

(a) information contained in an order made under subsection 6(1) [temporary exception for a core provider] or 7(1) [ministerial order];

(b) information on which the Minister relied in making the order;

(c) the fact that the electronic service provider is subject to the order;

(d) information provided in the course of representations made under section 8 or in any response given by the Minister and the fact that the Minister has invited the representations;

(e) information contained in an application referred to in subsection 6(1) or in a decision made under subsection 6(4);

(f) information submitted under subsection 11(2) and any information received from the Minister in response;

(g) any prescribed information.

I have previously shared my view that this is over the top and the Minister should have to justify any confidentiality orders on a case-by-case basis. 

The Charter Statement says:

To achieve this objective, the provisions would place limits on communication about the technical capabilities of ESPs, which are commercial entities. While restrictions on commercial speech can engage the right to freedom of expression, they usually do not implicate the core values of the right. These include the search for political, artistic and scientific truth, the protection of individual autonomy and self-development, and the promotion of public participation in the democratic process. Rather, the restrictions would be narrowly focused on the existence and contents of orders and exemptions, all linked to the objective of protecting sensitive information. Limits on expression that do not engage the core values of the right are more easily justified. [emphasis added]

That may be generally true, but public discussion about massive surveillance of Canadians and potential government overreach and abuse is actually very, very close to the core of “Charter values” – it’s about the protection of individual autonomy and public participation in the democratic process. They’re missing the mark here, widely. 

And then there’s the cumulative effect of all of this. The government can require an ESP to retain a  year of metadata, which can include the minute-by-minute location of every phone in Canada. And then they can send in inspectors to say “hey, we’re here to inspect your metadata databases.” And by the way we’re making a copy for easier inspection back at the office. That amounts to a HUGE invasion of privacy.

The Charter Statement, not surprisingly says: “it’s fine.” 

It’s not fine.

 

The Deeply Problematic Part 2 of Bill C-22: The Supporting Authorized Access to Information Act.

Part 2 of Bill C-22, the Lawful Access Act of 2026, is and remains a huge problem. The outcry associated with the Strong Borders Act was principally focused on warrantless information demands and overbroad subscriber information orders. In a lot of the debate and discussion, Part 15 of that Bill was largely ignored. I really hope that the equivalent of that Part in Bill C-22 gets as much attention as it deserves. 

In a nutshell, Part 2 will require a huge range of service providers – well beyond traditional telecommunications service providers – to build in real-time interception and monitoring capabilities so that cops and national security folks can just plug into the systems to access data when “authorized” to do so. 

Part 2 creates a new standalone statute called the Supporting Authorized Access to Information Act or SAAIA. Section 3 sets out its purpose: 

3 The purpose of this Act is to ensure that electronic service providers can facilitate the exercise of authorities to access information that are conferred on authorized persons.

So it talks about authorities that are conferred on authorized persons to access information. It doesn't say “lawful authorities”, nor does it say “judicially authorized authorities”. It just says authorities. From the discussion about Part 1, it’s clear that the police and CSIS are authorized to obtain data without a warrant by just asking for it.

The Supporting Authorized Access to Information Act has “electronic service providers” in its crosshairs. It is therefore really important to understand what an electronic service provider is. ESP is defined in the bill, as is an electronic service. 

electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that

(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada.‍ 

You will note that it says it provides an electronic service, “including for the purpose of enabling communications”. The use of the word “including” clearly signals that it is not limited to those providers who are strictly engaged in communications. It goes broader than that. We can see from the very broad definition of electronic service: 

electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.‍ 

Hey, I am in the business of creating information in digital form. What is a YouTube video, or podcast? Or emails to my clients. My law firm is in the business of creating information in digital form. The Canadian Broadcasting Corporation, the Globe and Mail and the Canadian Press are in the business of creating information in digital form. I am not sure that any business exists in Canada that is not some way or somehow creating, processing or storing digital information. This is dramatically broad. In conversations I have had with people from Public Safety, it is clearly their intent to cover traditional telcos, internet service providers and ALSO cloud computing providers, social media providers and online game services. Again, this is dramatically broad. 

The Bill is going to deal with two broad categories of electronic service providers. The first is something called a “core provider”, and there will be subcategories of core providers. The second group is the rest of the universe that could fit into the category or definition of “electronic service provider”. 

The categories of core providers are to be listed in the schedule to the Act, which is currently blank, not surprisingly. So these core providers are going to be subject to a number of obligations that will be set out in the regulations. Subsection (2) describes these obligations, but note the use of the word “including” which means that the regulations and the obligations can go well beyond what is listed in subsections (a) through (d).

(a) the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;

[This is essentially a requirement to build in the operational and technical capabilities to enable access to information on the core provider’s infrastructure or within their systems.]

(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information;

[This can require core providers to install particular devices or equipment on their infrastructure.]

(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b); and

[It’s not yet clear what these notices are all about ….]

(d) the retention of categories of metadata — including transmission data, as defined in section 487.‍011 of the Criminal Code — for reasonable periods of time not exceeding one year.

The requirement to retain metadata was NOT in Bill C-2, the Strong Borders Act. This is very concerning. There are some small protections about this, in subsection (4). That says:

(4) Paragraph (2)‍(d) does not authorize the making of regulations that require core providers to retain information that would reveal

(a) the content — that is to say the substance, meaning or purpose — of information transmitted in the course of an electronic service;

(b) a person’s web browsing history; or

(c) a person’s social media activities.

Ok. That’s some protection. But it does not put location information out of scope, which is concerning. The government clearly wants all cellphones to be trackable, and under this authority they can be required to save your detailed location history for a full year.

Subsection (3) lists a number of factors that the government must take into account in creating and drafting the regulations which place the specific obligations on the core providers. These include …

(a) the benefits of the regulation to the administration of justice, in particular to investigations under the Criminal Code, and to the exercise of powers and the performance of duties and functions under the Canadian Security Intelligence Service Act;

(b) the feasibility of compliance with the regulation for the core providers;

(c) the costs to be incurred by the core providers to ensure compliance with the regulation;

(d) the potential impact of the regulation on the persons to whom the core providers provide services;

(e) the potential impact of the regulation on privacy protection and cybersecurity; and

(f) any other factor that the Governor in Council considers relevant.

I am glad that they have included the potential impact on privacy and cybersecurity. I would like it if it required the government to release their analysis of all these considerations along with the regulatory impact analysis statement that will accompany the regulations when they are first published. 

The only good news when dealing with core providers is that these requirements will be in a regulation that will be public. We will be able to understand, at least in general terms, what obligations are being imposed on these core providers.

There is another bit of small comfort in subsection (5) which says 

(5) A core provider is not required to comply with a provision of a regulation made under subsection (2), with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.

Of course, this turns on what is a “systemic vulnerability”, which is defined in the bill: 

systemic vulnerability means a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.‍ 

electronic protection means authentication, encryption and any other prescribed type of data protection.‍ 

Note that it is limited to systemic vulnerabilities in “services”. It does not include devices or processes. Just the services themselves. Professor Robert Diab has pointed out that there’s enough wiggle room in this for the Minister to say that an operating system, such as Windows or iOS is not a “service”. Firmware is a part of the device, so please root them all. (The use of the word “please” is only because we’re Canadian … it would actually be an order.)

Also, what this does NOT say is that the government is prohibited from requiring an ESP to circumvent or undermine encryption. We have been told by the government that they would never do that, but they do not seem willing to put it in the law.

The second significant power contained in the Supporting Authorized Access to Information Act are ministerial orders, set out in Section 7. Essentially, the minister of Public Safety can issue secret orders directed at any one or more electronic service providers to implement measures that could have been contained in a regulation for a core provider, but these are secret and would be limited to a defined time period. Of course this time can be extended at the discretion of the minister. These orders can also be directed at ESPs that are already core providers. Bonus requirements! 

The only real protection introduced since the Strong Borders Act is in subsection (2), which says that these secret orders must be approved by the Commissioner designated under the Intelligence Commissioner Act. I think this is a real protection, principally because the intelligence commissioner has to be a former Superior Court judge who would have spent a career dealing with criminal law matters and Charter rights. He is currently entrusted with approving certain National Security orders as a form of semi-judicial oversight. This is, in my view, real progress. 

Subsection (3) of Section 7 sets out the sorts of considerations that the Minister has to take into account before issuing a secret ministerial order. This parallels the considerations that the government would have to take into account in issuing regulations affecting core providers. 

And subsection (5) has a parallel provision saying that 

(5) The electronic service provider is not required to comply with a provision of the order, with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.

Section 14 creates an obligation for all electronic service providers to assist a range of people to do a range of things on the Minister’s request. Remember, while we review this, that my law firm, your doctor’s office and Apple are all “electronic service providers”. It reads:

14 (1) On request made by the Minister, an electronic service provider must provide all reasonable assistance to a person or class of persons specified in the request to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.

Persons to be assisted

(2) Only the following persons or classes of persons may receive assistance:

(a) the Minister;

(b) an employee of the Canadian Security Intelligence Service;

(c) a person appointed or employed under Part I of the Royal Canadian Mounted Police Act or a civilian employee referred to in section 10 of that Act;

(d) a civilian employee of another police force;

(e) a peace officer, as defined in section 2 of the Criminal Code.

There is some protection in subsection (4) so that “the assessment or testing must not have the effect of granting access to personal information.”

One of the huge problems I have with these Ministerial Orders is the mandatory secrecy that surrounds them. Without exception, under section 15, an ESP is prohibited by law from revealing that they are subject to an order, the substance or contents of an order, any dialogue they’ve had with the Minister in connection with any order. 

This is draconian, overbroad and frankly offensive. There’s no requirement that the Minister be satisfied that disclosure of this information would be harmful to law enforcement or to national security. There is no sunset and no means by which an ESP can challenge the gag order if  they think it’s in the public interest to disclose the information. I am not sure that this provision, on its own, would survive a Charter challenge. It also means that a foreign company can’t advise their own government that they are subject to an order. 

I can’t help but think of the fact that under the UK equivalent of this law, Apple was issued with a secret order to circumvent or turn off encryption on iCloud. Apple couldn’t tell anyone, yet it somehow leaked. The United States government was of the view that this was contrary to an agreement between the UK and the US, but Apple was prohibited by UK law from letting their own government know what shenanigans the US’ own ally was engaging in. 

The bill does anticipate at section 17 that ESPs may seek judicial review of a Minister’s order, but the cards are again stacked in favour of secrecy, and conducting its business outside of public scrutiny.

Section 18 allows the government to make a range of regulations related to confidentiality and security. These are scaled back from the absurd scope anticipated in the Strong Borders Act. There are security and confidentiality rules for judicial proceedings provided for in subsection (b). Subsections (c) and (d) authorize regulations related to ESP employees and contractors involved with law enforcement and national security access to information, including security clearances and where they are located, and where facilities are located. As I understand it, most American service providers run this function from the US and I’m sure they will not be interested in moving that to Canada or having their employees subject to Canadian security clearances. I would imagine that some companies will just decide to not do business in Canada. 

Part 2 also contains a whole regulatory oversight structure, with inspections, audits and penalties. I’m not going to get into that today. 

Throughout this discussion, I can’t help but be reminded that the US has had something similar in their laws for some time, and the mandated intercept capabilities were used by Chinese hackers to get access to data. 

The "Salt Typhoon" hacking incident, attributed to a Chinese state-sponsored advanced persistent threat (APT) actor, came to light in late 2024 with revelations that the group had extensively compromised the computer systems of multiple major US telecommunications companies. The stolen information included call and text message metadata, and in some high-profile instances, even audio recordings of phone calls belonging to government officials and political figures. 

A critical factor facilitating the Salt Typhoon incident was the very infrastructure put in place to comply with the Communications Assistance for Law Enforcement Act (CALEA). Enacted in 1994, CALEA mandates that telecommunications providers build "lawful intercept" capabilities into their networks to allow law enforcement and intelligence agencies to conduct court-authorized wiretaps. While intended for legitimate surveillance, these mandated "backdoors" created inherent vulnerabilities within the telecom networks. Salt Typhoon exploited these CALEA-mandated systems, effectively turning the tools designed for lawful access into pathways for unauthorized espionage. 

This is what’s coming to Canada … 

So let’s bring this down to earth and make it more concrete. At a technical briefing this week, the government offered only two examples for why they think we need the Supporting Authorized Access to Information Act: 

“CSIS cannot track a cellphone

CSIS is trying to determine the movements of a terrorist group and has received a warrant to track a person of interest’s cellphone. The electronic service provider did not have the necessary capabilities to track the device because they are not required to. As a result, CSIS had to resort to costly and risky in-person surveillance. 

With C-22: The GIC will have the authority to make regulations requiring that ESPs develop and maintain location tracking capabilities that are standard in Europe and among the Five Eyes.”

First of all, I don’t really care what they are doing in the other Five Eyes. Essentially, the UK, Australia and New Zealand don’t have a Charter of Rights and Freedoms and their surveillance laws reflect that. And the law doesn’t we’ll just do what they do in “Europe and among the Five Eyes.” I bet the Chinese security services have this capability. 

Let’s take a moment to ponder this scenario and what it means. CSIS wants to be able to track any cellphone in real-time, with a warrant. That means that they want every cellphone in Canada to be a tracking device. And they want historical metadata – which includes location data – retained for one year.

The second example is equally sympathetic, but shows that the government wants everyone to be carrying a tracking device:

“Police cannot consistently obtain location information 

An at-risk 16-year-old girl was reported missing. She had already been missing for 10 days when she made an emergency call. The telecommunications provider was able to confirm the call and the tower used to make the call but could not provide the last known location of the phone before it was disconnected since they are not required to have that capability. 

With C-22: Core providers would be required to maintain accurate and consistent localization capabilities across the country.”

That device in your pocket will be a tracking device. And the law doesn’t say that this data can only be accessed if you’re a suspected terrorist or a missing teenaged girl. It can be tracked by ANY police agency in Canada with an order issued merely on “reasonable grounds to suspect.” Judicial authorization isn’t even required in a whole bunch of cases: There are dozens of laws that permit regulators and others to access this data without judicial authorization. 

“If you build it, they will come.” And the government wants ESPs to build the surveillance infrastructure for them, to which the police and others will almost certainly come. And this is even without considering that the backdoors will be a HUGE target for cybercriminals and threat actors. 

I don’t think that the government has come close to making any sort of compelling case for Part 2 of Bill C-22, and certainly not one that convinces me that the public safety interest in building all of this surveillance infrastructure outweighs the privacy and cybersecurity risk of doing so. 

We should also be looking at this through the lens of what we have now. If the police or CSIS get a production order, a wiretap order or a tracking order, they can also ask the judge to issue an “assistance order”. This is an order, directed at the service provider, ordering them to give all reasonable assistance, reasonably required to give effect to the production order, wiretap order or tracking order. On every occasion when I have brought this up with “lawful access” supporters, nobody has been able to point me to any problems with this. Assistance orders are like one-off ministerial orders that are appropriately tailored to the case and circumstances, and are signed off by a judge. And they’re subject to judicial review. I’m not sure the current system is broken. It just doesn’t give the police friction-free access to the universe of data that they want collected on their behalf. 

The new "Production Order for Subscriber Information" in Bill C-22, the Lawful Access Act 2026

I’ve been doing a series of episodes taking a closer look at the elements of the new lawful access bill, Bill C-22.  The bill contains a revamped version of something that caused a lot of controversy in the earlier Bill C-2, and is the thing most sought after by the police. That is the production order for subscriber information.

Before we dive into this new production order, a bit of background:

The Bill is in two parts. The first part is called “Timely Access to Data and Information” and the second part of the Bill creates a new statute: the “Supporting Authorized Access to Information Act”.

The two parts do wildly different things. Part one is intended to create new AUTHORITIES by which police and national security folks can require companies to provide them with information about their customers. Part two is intended to create new CAPABILITIES by which police and national security folks can require companies to provide them with information about their customers. Part one is about authorities and part two is about capabilities. The authorities under part one are mostly subject to judicial supervision and control, and I can largely live with them. The capabilities under Part Two cause me a LOT of concern. 

The government has clearly tried to fix some of the biggest problems from Bill C-2. But when you look more closely, there are still some very serious issues – particularly around the legal threshold, the scope of information, and just how broadly this power can be used.

So in this episode, I’m going to do three things:

First, I’ll explain what a production order for subscriber information actually is.

Second, I’ll walk through what was proposed in Bill C-2, the Strong Borders Act.

And third, I’ll show what’s changed in Bill C-22, the Lawful Access Act of 2026 — and what hasn’t changed.

Let’s start with the baseline. What are they trying to accomplish? Let’s look at the situation described in the leading case on the topic called R v Spencer from the Supreme Court of Canada. In that case,

“The police identified the Internet Protocol (IP) address of a computer that someone had been using to access and store [CSAM] through an Internet file-sharing program. They then obtained from the Internet Service Provider (ISP), without prior judicial authorization, the subscriber information associated with that IP address. This led them to the appellant, Mr. Spencer. He had downloaded [CSAM] into a folder that was accessible to other Internet users using the same file-sharing program. He was charged and convicted at trial of possession of [CSAM] and acquitted on a charge of making it available.”

The “subscriber information” here is the customer name and address associated with the IP address that the police already had. The Court in Spencer said the police have to get a court order to get that information from the internet service provider, or there has to be a "reasonable law” that enables them to get that info. 

Under the current Criminal Code, police already have access to something called a general production order. This allows them to go to a judge or a justice of the peace and, if they meet a legal threshold, compel a third party to produce records relevant to an investigation. That type of order has been available since 2004, ten years before the Spencer decision. The police could have gotten such an order, but they didn’t want to. 

For General Production Orders, the police have to show that there are reasonable grounds to believe that an offence has been or will be committed.

That’s a meaningful standard. It requires evidence that would lead a reasonable person to actually believe a crime occurred. And importantly, these orders are targeted. They specify the particular records being sought. The cop has to convince the judge that the particular records sought are relevant and useful. 

Now, “subscriber information” is a subset of that. This is the information that links a person to a service. The police have a phone number or an IP address and they want to know who is the particular customer who is associated with that phone number or IP address. 

And as the Supreme Court of Canada has said in the leading case called Spencer, this kind of information engages a reasonable expectation of privacy. You have the right to be anonymous on the internet. The Court said the police can only get this type of information pursuant to a court order or a “reasonable law”. They currently get it using a general production order, based on reasonable grounds to believe. 

So access to it generally requires judicial authorization or the more nebulous “reasonable law”.

Now let’s look at the former Bill C-2—the Strong Borders Act.

This bill introduced a new, standalone production order for subscriber information.

And it had two major features that drew a lot of criticism. First, the legal threshold was extremely low. Instead of reasonable grounds to believe, the bill required only reasonable grounds to suspect an offence. That’s a much lower standard.

It doesn’t require belief—just suspicion. And in practical terms, it’s just above a hunch.

Second, the scope of information was extremely broad. The definition of subscriber information included any information provided by the customer to obtain the service. And these orders could be directed to anyone who provides service to the public. And that’s where things got concerning.

And on top of that, the order required the production of all subscriber information—not just specific, targeted records. That could include things like banking information, credit card details, and potentially other very sensitive data. 

So what you had was a combination of a very low threshold and a very broad scope. And that raised serious concerns.

Now let’s fast forward to Bill C-22. And to be fair, the government has made some meaningful changes.

The first change is to the definition of subscriber information. It’s now more constrained. It includes identifying information like name, address, and email. It includes account identifiers. It includes information about the services provided. And it includes device or equipment identifiers.

subscriber information, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person, means

(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.

But importantly, what’s been removed is that catch-all category of information provided by the customer to obtain the service.

And that’s a big deal because it likely excludes things like payment information, medical intake forms, and other highly sensitive data.

So from a scoping perspective, this is clearly an improvement, but it’s still too broad in my view.

But—and this is important—the order can still be directed at any person who provides services to the public. Not just telecommunications companies. That means banks, hotels, doctors’ offices, online platforms—really, anyone providing services to the public.

So while the type of information has been narrowed, the range of organizations that can be compelled to produce it is still very broad. 

But the legal threshold has not changed. It is still reasonable grounds to suspect. Not “believe”. And that matters.

Production order — subscriber information

487.‍0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order. 

 

Conditions for making order 

 

(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.‍004 that there are reasonable grounds to suspect that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

Because it means there is no requirement for the officer to actually believe that a crime has been committed or will be committed. Only that there are reasonable grounds that could lead someone to suspect that an offence has occurred. That is a very low bar.

Another important point is that this power is not limited to serious crimes. It applies to any offence under any Act of Parliament. That includes relatively minor regulatory offences.

So we are talking about a power that is broadly available, triggered on a low threshold, and capable of compelling disclosure of personal information from a wide range of organizations.

So what does this mean in practice?

Well, first, it makes it easier for police to connect an identifier—like an IP address, or a device—to a real person. And that’s clearly the goal.

I have a problem with the fact that the order is “to prepare and produce a document containing ALL THE SUBSCRIBER INFORMATION that relates to any information, including transmission data, that is specified in the order”. ALL the subscriber information. It’s not just the subscriber information that will identify and locate the recipient of the services. That goes beyond the “investigative breadcrumb” the police say they really need. 

But even with the narrowed definition, the inclusion of things like service types and device identifiers can still be quite revealing. It can tell you what services someone uses. It can tell you what devices they rely on. And in some cases, that can paint in some details into the picture of an individual’s activities.

It can be directed to a doctor’s office with the requirement to tell the police what services the individual gets. It can include the serial number of your CPAP machine or blood glucose monitor. 

It can be directed to an ISP that’s also a telco and a cable company, requiring the production of information about what cable packages you subscribe to, what your phone number is, what is the MAC address of your modem, the IMEI of your phones.

It can be directed at a company like Apple, requiring the production of your iCloud account identifier, the bluetooth device identifiers for all your airtags, your airpods, the identifiers for your MacBook, your iPhone, your iPad. 

And because the threshold is lower, judges are being asked to approve these orders with less evidentiary grounding than we would normally expect.

The government is thinking that customer name and address, IP addresses and phone numbers attract a lower expectation of privacy, so can be obtained on a lower standard like “reasonable suspicion”. That may be true and the courts may agree with that point, but the inclusion of “all services” and “all devices” and “all identifiers” would be information that has a higher expectation of privacy, and presents a real risk that the order will be found to violate section 8 of the Charter of Rights and Freedoms. 

So, in my view, it’s still too broad. 

So stepping back, here’s the comparison. 

Bill C-2 had a very, very broad definition of subscriber information, including customer-provided data, combined with a low threshold and bulk disclosure.

Bill C-22 narrows the definition and removes the most sensitive categories of information. But it keeps the low threshold, it still applies broadly, and it still allows relatively expansive disclosure.

So yes, it’s better. But the core issue—the low legal threshold for access to personal data—remains.

Bill C-22 clearly reflects an attempt to respond to the criticism of Bill C-2. And in some respects, it succeeds. But the fundamental policy choice is still there:. To allow police to obtain subscriber information AND MORE on the basis of suspicion, not belief.

And that raises a real question: Is that an appropriate balance between investigative efficiency and privacy? Or does it place the line too far in favour of the state?

That’s the issue Parliament is going to have to grapple with when this gets to committee, and then this will be decided by the courts. I think if they narrow the scope a bit further to remove information about services and devices, this may be Charter compliant. If not, there’s a real risk it’ll be struck down by the courts and the police will be back to the drawing board.