Explainer: Bill C-22 increases risk of surveillance state, government spying

Last fall, the Canadian Constitution Foundation urged Canadians to write to their members of parliament to raise concerns about Bill C-2, the federal government’s Strong Borders Act.

The CCF warned that Bill C-2 would have opened the door further to a surveillance state and violated the privacy rights protected by section 8 of the Charter of Rights and Freedoms.

Thanks to pushback from Canadians, the federal government responded by splitting Bill C-2 into two bills, Bill C-12, the Strengthening Canada’s Immigration System and Borders Act, and Bill C-22, otherwise known as the Lawful Access Act. The less controversial Bill C-12 became law on March 26.

Major constitutional and privacy concerns remain with Bill C-22, which was introduced on March 12. While C-22 no longer contains some of the controversial measures that the Canadian Constitution Foundation warned about, it appears to create an even greater risk of a surveillance state than Bill C-2. Most concerningly, Bill C-22 will:

require companies that provide electronic services to create technical capabilities to allow easy access to private data for law enforcement and Canadian Security Intelligence Service Act (CSIS) agents;
allow the government to require companies to collect metadata like the location of your devices for up to one year;
allow the Minister of Public Safety and Emergency Preparedness in consultation with the Information Commissioner to order secret spying on Canadians; and
may allow the Minister of Public Safety and Emergency Preparedness to order companies to break encryption.

This explainer outlines what has been dropped and what continues to raise concerns.

The good news

Unlike Bill C-2, Bill C-22 will not ban businesses from accepting payments, donations or deposits of $10,000 or more made in cash. The CCF was concerned that the cash ban proposal in the original Bill C-2 would be a slippery slope to a cashless society where governments can more easily monitor how we spend our money. Paying in cash allows for more privacy because there is no electronic record.

Unlike Bill C-2, Bill C-22 will not allow Canada Post employees to open letter mail. The CCF was concerned that Bill C-2’s proposed new powers to open letter mail without judicial authorization when contraband was suspected would have allowed Canada Post employees to read private letters.

Bill C-22 will also provide for more limited powers for police and other officials to demand information without a warrant, in order to assist with seeking a lawful production order (an order from a justice to hand over information about a possible crime). Bill C-2 had proposed giving police and other public officers the power to secretly order anyone who provides electronic services to secretly hand over certain “subscriber information,” including whether a person provides or has provided services to a particular person or account; dates during which services were provided; the province, country or municipality where the services were provided; and whether the person is in possession of other information in relation to those services. This power was so broadly drafted that government employees would have been able to demand to know whether a certain medical provider had treated a person, whether a particular dating app provided services to a person, or whether a person had donated to a cause on GoFundMe.com.

Under Bill C-22, the only information accessible without a warrant is whether or not a telecommunications company such as Bell, Rogers or Telus provides a service to you.

The bad news

Bill C-22 will enact a new statute called the Supporting Authorized Access to Information Act. This “lawful access” statute will create a regime for requiring electronic service providers to build certain capabilities into their systems to assist law enforcement and CSIS in quickly and consistently accessing information held by electronic service providers when legally authorized.

The term “electronic service provider” is extraordinarily broad. It includes any service that deals with information in an electronic format. As such, the list of electronic service providers is almost limitless. Any business operating in Canada on the Internet appears captured by this definition.

Bill C-22 also refers to “core providers,” who will be defined later on by regulations, but who are expected to include telecommunications companies like Bell, Rogers and Telus. Core providers could be ordered by the Governor in Council (that is the federal cabinet) to assist law enforcement and intelligence-gathering with:

developing, testing, and maintaining of technical capabilities for extracting and organizing information that is authorized to be accessed;
the installation, use, or management of a device, equipment, or anything else that can enable authorized access; and
retaining metadata including transmission (the signals your phone constantly sends to remain connected to its network, including its location) for up to one year.

These powers are not limited to core providers. The Minister of Public Safety and Emergency Preparedness will be able to make orders to require any electronic service provider to undertake the same steps, if approved by the Intelligence Commissioner. These orders can be made entirely in secret.

Privacy experts say that creating a mandatory, uniform regime for police and CSIS to plug into systems to get your data puts your information at higher risk of theft by nefarious actors.

Even more concerning is that core providers may be required to retain certain metadata for up to a year, if ordered to do so by cabinet. Metadata is information that is created when we use electronic devices like phones and computers, including our locations and the time when a text message was sent. Metadata, as defined in C-22, excludes things such as the content of a text message, a person’s web browsing history, a person’s social media activities. In other words, although the bill will not require internet providers to keep all of your text messages, it does allow the government to require that cellphone companies track the location of devices for up to one year, so that law enforcement and CSIS can later access that data if given judicial authorization. This will turn every cell phone in Canada into a tracking device.

The power is so broad that privacy expert David Fraser warns it would allow the Minister of Public Safety and Emergency Preparedness with approval from the Intelligence Commissioner to turn any electronic device – from a smartphone to a smart TV to a smart fridge – into a listening device, and to do so secretly.

Even more concerning is that the secret orders could include so-called “back doors” whereby companies are required to secretly break encryption and give law enforcement access to information. As Matt Hatfield of Open Media points out, this is not hypothetical. The United Kingdom government secretly ordered Apple in 2025 to give the government global access to encrypted iCloud data, which later leaked to the public. Bill C-22 states that companies cannot be ordered to introduce systemic vulnerabilities that compromise user security, but the government can redefine what counts as a “systemic vulnerability” by regulation.

The CCF will continue to monitor Bill C-22 and inform its supporters of any developments.

You Might Also Like

Going forward with the fight for healthcare freedom

April 5, 2024: What we’re watching

Our fraying constitutional order

Email Newsletter