Sunday, April 12, 2026

The new "Production Order for Subscriber Information" in Bill C-22, the Lawful Access Act 2026

I’ve been doing a series of episodes taking a closer look at the elements of the new lawful access bill, Bill C-22.  The bill contains a revamped version of something that caused a lot of controversy in the earlier Bill C-2, and is the thing most sought after by the police. That is the production order for subscriber information.

Before we dive into this new production order, a bit of background:


The Bill is in two parts. The first part is called “Timely Access to Data and Information” and the second part of the Bill creates a new statute: the “Supporting Authorized Access to Information Act”.


The two parts do wildly different things. Part one is intended to create new AUTHORITIES by which police and national security folks can require companies to provide them with information about their customers. Part two is intended to create new CAPABILITIES by which police and national security folks can require companies to provide them with information about their customers. Part one is about authorities and part two is about capabilities. The authorities under part one are mostly subject to judicial supervision and control, and I can largely live with them. The capabilities under Part Two cause me a LOT of concern. 


The government has clearly tried to fix some of the biggest problems from Bill C-2. But when you look more closely, there are still some very serious issues – particularly around the legal threshold, the scope of information, and just how broadly this power can be used.


So in this episode, I’m going to do three things:


First, I’ll explain what a production order for subscriber information actually is.


Second, I’ll walk through what was proposed in Bill C-2, the Strong Borders Act.


And third, I’ll show what’s changed in Bill C-22, the Lawful Access Act of 2026 — and what hasn’t changed.


Let’s start with the baseline. What are they trying to accomplish? Let’s look at the situation described in the leading case on the topic called R v Spencer from the Supreme Court of Canada. In that case,


“The police identified the Internet Protocol (IP) address of a computer that someone had been using to access and store [CSAM] through an Internet file-sharing program. They then obtained from the Internet Service Provider (ISP), without prior judicial authorization, the subscriber information associated with that IP address. This led them to the appellant, Mr. Spencer. He had downloaded [CSAM] into a folder that was accessible to other Internet users using the same file-sharing program. He was charged and convicted at trial of possession of [CSAM] and acquitted on a charge of making it available.”


The “subscriber information” here is the customer name and address associated with the IP address that the police already had. The Court in Spencer said the police have to get a court order to get that information from the internet service provider, or there has to be a “reasonable law” that enables them to get that info.


Under the current Criminal Code, police already have access to something called a general production order. This allows them to go to a judge or a justice of the peace and, if they meet a legal threshold, compel a third party to produce records relevant to an investigation. That type of order has been available since 2004, ten years before the Spencer decision. The police could have gotten such an order, but they didn’t want to. 


For General Production Orders, the police have to show that there are reasonable grounds to believe that an offence has been or will be committed.


That’s a meaningful standard. It requires evidence that would lead a reasonable person to actually believe a crime occurred. And importantly, these orders are targeted. They specify the particular records being sought. The cop has to convince the judge that the particular records sought are relevant and useful. 


Now, “subscriber information” is a subset of that. This is the information that links a person to a service. The police have a phone number or an IP address and they want to know who is the particular customer who is associated with that phone number or IP address. 


And as the Supreme Court of Canada has said in the leading case called Spencer, this kind of information engages a reasonable expectation of privacy. You have the right to be anonymous on the internet. The Court said the police can only get this type of information pursuant to a court order or a “reasonable law”. They currently get it using a general production order, based on reasonable grounds to believe. 


So access to it generally requires judicial authorization or the more nebulous “reasonable law”.


Now let’s look at the former Bill C-2—the Strong Borders Act.


This bill introduced a new, standalone production order for subscriber information.


And it had two major features that drew a lot of criticism. First, the legal threshold was extremely low. Instead of reasonable grounds to believe, the bill required only reasonable grounds to suspect an offence. That’s a much lower standard.


It doesn’t require belief—just suspicion. And in practical terms, it’s just above a hunch.


Second, the scope of information was extremely broad. The definition of subscriber information included any information provided by the customer to obtain the service. And these orders could be directed to anyone who provides service to the public. And that’s where things got concerning.


And on top of that, the order required the production of all subscriber information—not just specific, targeted records. That could include things like banking information, credit card details, and potentially other very sensitive data. 


So what you had was a combination of a very low threshold and a very broad scope. And that raised serious concerns.


Now let’s fast forward to Bill C-22. And to be fair, the government has made some meaningful changes.


The first change is to the definition of subscriber information. It’s now more constrained. It includes identifying information like name, address, and email. It includes account identifiers. It includes information about the services provided. And it includes device or equipment identifiers.


subscriber information, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person, means

(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.

But importantly, what’s been removed is that catch-all category of information provided by the customer to obtain the service.


And that’s a big deal because it likely excludes things like payment information, medical intake forms, and other highly sensitive data.


So from a scoping perspective, this is clearly an improvement, but it’s still too broad in my view.


But—and this is important—the order can still be directed at any person who provides services to the public. Not just telecommunications companies. That means banks, hotels, doctors’ offices, online platforms—really, anyone providing services to the public.


So while the type of information has been narrowed, the range of organizations that can be compelled to produce it is still very broad. 


But the legal threshold has not changed. It is still reasonable grounds to suspect. Not “believe”. And that matters.


Production order — subscriber information

487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.
 
Conditions for making order 
 
(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.004 that there are reasonable grounds to suspect that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

Because it means there is no requirement for the officer to actually believe that a crime has been committed or will be committed. Only that there are reasonable grounds that could lead someone to suspect that an offence has occurred. That is a very low bar.


Another important point is that this power is not limited to serious crimes. It applies to any offence under any Act of Parliament. That includes relatively minor regulatory offences.


So we are talking about a power that is broadly available, triggered on a low threshold, and capable of compelling disclosure of personal information from a wide range of organizations.


So what does this mean in practice?


Well, first, it makes it easier for police to connect an identifier—like an IP address, or a device—to a real person. And that’s clearly the goal.


I have a problem with the fact that the order is “to prepare and produce a document containing ALL THE SUBSCRIBER INFORMATION that relates to any information, including transmission data, that is specified in the order”. ALL the subscriber information. It’s not just the subscriber information that will identify and locate the recipient of the services. That goes beyond the “investigative breadcrumb” the police say they really need. 


But even with the narrowed definition, the inclusion of things like service types and device identifiers can still be quite revealing. It can tell you what services someone uses. It can tell you what devices they rely on. And in some cases, that can paint some details into the picture of an individual’s activities.


It can be directed to a doctor’s office with the requirement to tell the police what services the individual gets. It can include the serial number of your CPAP machine or blood glucose monitor. 


It can be directed to an ISP that’s also a telco and a cable company, requiring the production of information about what cable packages you subscribe to, what your phone number is, the MAC address of your modem, and the IMEI of your phones.


It can be directed at a company like Apple, requiring the production of your iCloud account identifier, the Bluetooth device identifiers for all your AirTags and your AirPods, and the identifiers for your MacBook, your iPhone, and your iPad.


And because the threshold is lower, judges are being asked to approve these orders with less evidentiary grounding than we would normally expect.


The government is thinking that customer name and address, IP addresses and phone numbers attract a lower expectation of privacy, so can be obtained on a lower standard like “reasonable suspicion”. That may be true and the courts may agree with that point, but the inclusion of “all services” and “all devices” and “all identifiers” would be information that has a higher expectation of privacy, and presents a real risk that the order will be found to violate section 8 of the Charter of Rights and Freedoms. 


So, in my view, it’s still too broad. 


So stepping back, here’s the comparison. 


Bill C-2 had a very, very broad definition of subscriber information, including customer-provided data, combined with a low threshold and bulk disclosure.


Bill C-22 narrows the definition and removes the most sensitive categories of information. But it keeps the low threshold, it still applies broadly, and it still allows relatively expansive disclosure.


So yes, it’s better. But the core issue—the low legal threshold for access to personal data—remains.


Bill C-22 clearly reflects an attempt to respond to the criticism of Bill C-2. And in some respects, it succeeds. But the fundamental policy choice is still there: to allow police to obtain subscriber information AND MORE on the basis of suspicion, not belief.


And that raises a real question: Is that an appropriate balance between investigative efficiency and privacy? Or does it place the line too far in favour of the state?


That’s the issue Parliament is going to have to grapple with when this gets to committee, and then this will be decided by the courts. I think if they narrow the scope a bit further to remove information about services and devices, this may be Charter compliant. If not, there’s a real risk it’ll be struck down by the courts and the police will be back to the drawing board. 

