GoKawiilThe decades-long battle over lawful access entered a new phase yesterday with the introduction of Bill C-22, the Lawful Access Act. This bill follows the attempt last spring to bury lawful access provisions in Bill C-2, a border measures bill that was the new government’s first piece of substantive legislation. The lawful access elements of the bill faced an immediate backlash given the inclusion of unprecedented rules permitting widespread warrantless access to personal information. Those rules were on very shaky constitutional ground and the government ultimately decided to hit the reset button on lawful access by proceeding with the border measures in a different bill.
Lawful access never dies, however. Bill C-22 cover the two main aspects of lawful access: law enforcement access to personal information held by communication service providers such as ISPs and wireless providers and the development of surveillance and monitoring capabilities within Canadian networks. In fact, the bill is separated into two with the first half dealing with “timely access to data and information” and the second establishing the Supporting Authorized Access to Information Act (SAAIA).
I anticipate providing extensive coverage of the bill on both this blog and my podcast. My initial take is that the access to data and information piece of the bill is much improved. The earlier Bill C-2 iteration of a new information demand power was astonishing in its breadth (covering far more than just communications providers by targeting anyone who provides a service in Canada including physicians and lawyers) and demands for warrantless disclosure of personal information in direct contradiction to recent Supreme Court of Canada jurisprudence.
The government has scrapped that approach by shifting to a new “confirmation of service” demand power. This would allow law enforcement to demand that telecom providers (not any service provider) confirm whether they provide service to a particular person. The other subscriber information would be subject to a new production order reviewed and approved by a judge. This would address the longstanding police complaint that they may do considerable work seeking information about a subscriber at a provider only to learn that the person isn’t a customer and they start over with someone else.
These new rules contain other orders and rules on voluntary disclosure, challenging the requests, exigent circumstances, and foreign orders for the same information. I plan to unpack these rules in the coming weeks. For example, there are concerns about the thresholds that the production orders envision, namely the low “reasonable grounds to suspect” standard. However, the main takeaway here is that the government has significantly limited the scope of warrantless information demand powers, now focusing solely on telecommunications providers and whether they provide service to a particular individual. Access to more personal information will require oversight. That’s a major concession and highlights how Bill C-2 was too broad, dangerous from a privacy perspective, and unlikely to pass constitutional muster.
If that is the good news, the bad news is very bad. The SAAIA, which establishes new requirements for communications providers to actively work with law enforcement on their surveillance and monitoring capabilities are largely unchanged from Bill C-2. In fact, there are elements involving data retention that are even worse. The government will point to increased oversight – ministerial orders must now be approved by the Intelligence Commissioner – but the concerns regarding surveillance capabilities, security vulnerabilities, secrecy, and cross-border data sharing remain.
The SAAIA has huge implications for network providers as they envision providing law enforcement with direct access to provider networks to test capabilities for data access and interception. The bill introduces a new term – “electronic service provider” – that is presumably designed to extend beyond telecom and Internet providers by scoping in Internet platforms (Google, Meta, etc.). Those international services are now key players in electronic communications (think Gmail or WhatsApp), though some may be beyond this form of regulation (eg. Signal if you don’t inadvertently add people to chat groups).
The definition of an ESP is:
a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that (a) provides the service to persons in Canada; or (b) carries on all or part of its business activities in Canada.
An electronic service includes:
... continue reading