Submission to the Standing Committee on Public Safety and National Security on its study of Bill C-22, An Act Respecting Lawful Access
May 21, 2026
BY EMAIL
The Hon. Jean-Yves Duclos, P.C., M.P.
Chair, Standing Committee on Public Safety and National Security
House of Commons
Ottawa, ON K1A 0A6
Dear Chair:
Thank you for the invitation to appear before the Standing Committee on Public Safety and National Security (the Committee) on May 26, 2026, in support of its study of Bill C‑22, An Act Respecting Lawful Access. In anticipation of that appearance, my Office has prepared the present submission, which identifies what I consider to be among the most notable privacy risks in this bill. For the benefit of the Committee’s deliberations, I have also proposed related amendments, which I will be happy to discuss further, in addition to any other matter put to me, during my upcoming appearance.
The question as to what constitutes an appropriate balance between the fundamental right to be free from unreasonable intrusions into one’s private life, on the one hand, and the legitimate needs of the state to access private information for law-enforcement and national-security purposes, on the other, is a matter of significant debate.
As the National Security and Intelligence Committee of Parliamentarians recognized in its 2025 Special Report on the Lawful Access to Communications by Security and Intelligence Organizations, the interception of communications and the search and seizure of information are among the most intrusive forms of power that the state can bring to bear. This is so not only because of the reasonable expectation of privacy that we may have in such information as individuals, but also because of the impacts that its collection and use by state actors may have on our ability to exercise and enjoy other fundamental rights as members of a free and democratic society.
There is no doubt that Bill C-22 meaningfully improves upon its predecessor, Bill C-2, the Strong Borders Act. However, in my view, further changes would help achieve the appropriate balance between lawful-access needs and privacy rights.
Part 1: Timely Access to Data and Information
1. Subscriber information
The proposed definition of “subscriber information” in clause 4(2) (s. 487.011) includes such categories as “information that may be used to identify” a client or subscriber and “information relating to the services provided.” Depending on the nature of the services in question, such information could reasonably attract a heightened expectation of privacy.
The issues with the definition are magnified by the other provisions in Part 1 that rely on it. For example, the proposed production order for subscriber information (clause 6; s. 487.0142) could be served on any “person who provides services to the public.” Given the breadth of the definition, this means that – at least in some cases (e.g., healthcare providers, lawyers, financial institutions, certain apps and online services) – service providers could be ordered to produce highly sensitive information about clients or subscribers based on a threshold of only reasonable suspicion. In contrast to the confirmation-of-service demand (proposed at s. 487.0121 of the Criminal Code and s. 20.22 of the CSIS Act), the production order for subscriber information would not include carveouts for medical and privileged information.
Further, the production order provision stipulates that a person who receives such an order would have to produce “all the subscriber information that relates to any information […] that is specified in the order” (underline added). This means that recipients would be compelled to produce any and all subscriber information that is in their possession or control, so long as it “relates to” what is specified in the order. While the issuing justice or judge could specify what the subscriber information must relate to (e.g., a person’s name, an IP address, transmission data), they would not otherwise be able to limit the subscriber information that must be produced. As a result, service providers could be compelled to produce much more subscriber information than is necessary for the purposes of a given investigation.
Recommendation 1: Narrow the definition of subscriber information to a finite list of discrete identifiers, such as a subscriber’s name, address, telephone number, email address, account number, IP address, device serial number, and local service provider identifier (similar to s. 16(1) of Bill C-30 (41-1, 2012)).
Recommendation 2: Restrict the range of persons or entities from whom subscriber information may be sought to “telecommunications service providers.”
Recommendation 3: Amend the proposed s. 487.0142(1) and the associated Form 5.0052 to provide that the recipient of a production order for subscriber information must prepare and produce a document containing the subscriber information that is specified in the order and that is in their possession or control when they receive the order (emphasis added).
2. Publicly available information
Clause 11 would add a new subsection (4) to s. 487.0195 of the Criminal Code to clarify that, for greater certainty, no production order, warrant, or confirmation-of-service demand is necessary for a peace or public officer to receive, obtain, and act on “any information that is available to the public.” However, the concept of “publicly available” information continues to evolve: it is not always clear whether or to what extent personal information that is technically accessible online is publicly available, and an individual does not automatically forfeit any reasonable expectation of privacy in such information (e.g., when it has been disclosed as a result of a data breach or published without a person’s knowledge or consent).
The Communications Security Establishment Act (CSE Act) recognizes this in its definition of “publicly available information,” which expressly excludes “information in respect of which a Canadian or a person in Canada has a reasonable expectation of privacy.” Since this term is currently undefined in Bill C-22 (and the Criminal Code), there is a risk that it will be interpreted broadly to include information in which an individual has a reasonable privacy interest.
Recommendation 4: As in s. 2 of the CSE Act, define “publicly available information” in such a way as to exclude information in respect of which a person has a reasonable expectation of privacy.
Part 2: Supporting Authorized Access to Information Act (SAAIA)
3. Necessity and proportionality
The SAAIA would require both the Governor in Council and the Minister of Public Safety to take into account several factors when making regulations or orders, respectively (ss. 5(3) and 7(3)). However, there is no overarching requirement that obligations imposed under the Act be necessary and proportionate. The inclusion of a requirement to this effect would help ensure that any such obligations – including with respect to the retention of metadata – are tailored to minimize privacy impacts.
Recommendation 5: Require that any obligation imposed under ss. 5(2) and 7(1) be necessary and proportionate.
4. Systemic vulnerability
Regulations and orders made under the SAAIA could compel a wide range of “electronic service providers” (ESPs) to implement capabilities to enable authorized persons to access or intercept information and communications in support of criminal or intelligence investigations. There is a possibility that such capabilities could be discovered and exploited by unauthorized persons or otherwise compromise electronic data protections. The bill seeks to mitigate this risk through exemptions from any provision of a regulation or order that would require ESPs to introduce – or prevent them from rectifying – a “systemic vulnerability” (as defined in s. 2(1)). However, as drafted, these exemptions would not strictly prohibit compliance with or the making of regulations or orders that would result in such a vulnerability: instead, they stipulate only that ESPs are “not required to comply” (ss. 5(5) and 7(5)).
Moreover, in its current form, the definition of this critical term may be too imprecise to minimize privacy and cybersecurity risks. For example, it does not explicitly preclude actions that could render systemic methods of authentication or encryption less effective – an important feature of the definition of “systemic vulnerability” in Australia’s equivalent law (the Telecommunications Act 1997).
Recommendation 6: Amend ss. 5(5) and 7(5) of the SAAIA to specify that regulations and orders made under ss. 5(2) and 7(1) “must not have the effect of” requiring an ESP to introduce, or of preventing an ESP from rectifying, a systemic vulnerability.
Recommendation 7: Amend the definition of “systemic vulnerability” to include any action that would render systemic methods of authentication or encryption less effective.
5. Reporting of privacy breaches to the OPC
Section 15 would impose confidentiality requirements on ESPs, restricting their ability to disclose information related to a ministerial order made under s. 7(1). Absent an express exemption in the Act to permit ESPs to disclose information to appropriate regulators or oversight bodies, these restrictions could limit the ability of the Office of the Privacy Commissioner of Canada (OPC) to discharge its mandate in connection with a SAAIA-related data breach. For example, an ESP could be prohibited from providing details to the OPC about a data breach resulting from an unauthorized third party’s exploitation of an intercept capability implemented pursuant to a ministerial order. The lack of such details could limit the OPC’s ability to recommend effective remedial actions.
Recommendation 8: Add an exemption from the confidentiality rules in s. 15 to expressly allow ESPs to disclose information related to orders made under s. 7(1) to appropriate regulatory bodies for the purpose of exercising their powers or performing their duties or functions.
I hope that this information will be of assistance to the Committee.
Sincerely,
(Original signed by)
Philippe Dufresne
Commissioner
c.c.: Paul Cardegna, Clerk of the Committee