While much of the focus on lawful access and subscriber information has centred on the reduced standards for obtaining an order for such information from Canadian telecom and Internet providers, there is another new production order deserving of attention (see earlier posts on domestic subscriber information standards and mandatory metadata retention). Bill C-22 introduces a new mechanism for Canadian courts to authorize police to request subscriber information and transmission data held outside the country directly from foreign platforms such as Google, Meta, and other services that provide communications services to the public. The provision is presented as a tool to modernize cross-border investigations, but in practice, it is likely to reduce privacy safeguards.
When Canadian police need subscriber information or communications data held by a company based outside Canada, there is no domestic tool to compel the foreign company to comply, since a Canadian production order has no extraterritorial force. For example, because Google is based in California, it is under no legal obligation to comply with a Canadian order. Instead, police typically go through a slow Mutual Legal Assistance Treaty (MLAT) process in which the RCMP sends a request to Canada’s Department of Justice, which transmits it to its counterpart in the foreign state, which then obtains a court order in its own jurisdiction and serves it on the company.
Investigations involving online child exploitation, terrorism, and organized crime routinely depend on data held by foreign platforms, and a process measured in months is poorly suited to cases where time matters. The U.S. Stored Communications Act compounds the problem for the content of communications by making it illegal for U.S. companies to disclose it to foreign authorities unless an order is served through the U.S. court system. For non-content data such as subscriber information and transmission data, U.S. law does not prohibit voluntary disclosure, but the information may not be admissible in Canadian courts without prior judicial authorization.
Bill C-22’s response is the international production request, which allows a judge to authorize a police officer to request subscriber information or transmission data from a foreign entity. The standard that must be met is “reasonable grounds to suspect”, which is the same lower threshold I have written about in the context of the domestic subscriber production order. Since a Canadian court can’t issue a binding order in this situation, the authorization is a request, not a compulsion. In other words, the Canadian court gives police permission to ask, but the foreign entity has no legal obligation to respond.
On this week’s Law Bytes podcast, David Fraser describes the provision as a kind of clever legal hack. U.S. providers are often concerned about violating domestic law when complying with a foreign court order. However, some may instead provide the requested subscriber information voluntarily. The problem from a Canadian perspective is that the information may not be admissible in court because there was no judicial oversight. The international production request solves that problem on the Canadian side. Because a judge must authorize the request before it is sent, the information has been subject to a form of judicial oversight.
But opening the door to voluntary subscriber information disclosures by big tech companies isn’t even the whole story. At a technical briefing on Bill C-2, Justice Canada officials confirmed that the intent of the international provisions was to allow Canada to ratify the Second Additional Protocol to the Budapest Convention, known as the 2AP. I covered this issue in a podcast episode with Kate Robertson last summer, but in short, the 2AP is designed to do what the MLAT system does not: allow law enforcement in one country to seek subscriber information directly from service providers in another country, bypassing the government-to-government process entirely.
Article 7 of the 2AP, the provision that most directly maps onto C-22’s international production request, states:
Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to issue an order to be submitted directly to a service provider in the territory of another Party, in order to obtain the disclosure of specified, stored subscriber information in that service provider’s possession or control, where the subscriber information is needed for the issuing Party’s specific criminal investigations or proceedings.
The provision enables a direct order from one country’s law enforcement to a service provider in another country without using an MLAT or mandated judicial involvement in the country where the service provider is located. Canada did not have to do this to comply with the 2AP. Under Article 7(9), a Party can declare at the time of ratification that it reserves the right not to apply this article. In fact, the government’s consultation on the 2AP specifically asked stakeholders whether Canada should exercise this reservation. The Privacy Commissioner of Canada, in its submission, recommended that Canada opt out, calling it “the clearest, simplest, and least contentious option from a privacy perspective.”
The privacy implications become clear when comparing the two systems. Under the current MLAT process, a cross-border request for subscriber data involves dual judicial oversight: a Canadian authority initiates the request, and a court in the foreign jurisdiction independently assesses it before any order is served on the company. There is a government-to-government review at each stage, with discretion to refuse on public interest grounds. The process is slow, but each layer exists to protect the privacy interests of the person whose data is sought.
Under Bill C-22’s international production request, that architecture is replaced with a single Canadian court authorization on the lower “reasonable grounds to suspect” standard. If the 2AP is ratified and Article 7 is in force, the foreign service provider is expected to respond directly with no review by a court in the provider’s jurisdiction, and no government-to-government assessment. The result is a less privacy-protective model in need of reform, as it leaves Canadians with data held by foreign companies subject to a lower disclosure threshold, fewer layers of review, and no guarantee that the data will be protected to Canadian legal standards once it reaches a foreign jurisdiction.