The return of lawful access in Bill C-22 has unsurprisingly focused on the government’s significant shift on warrantless access to subscriber information, which was the headline concern with Bill C-2, the previous lawful access proposal. As noted in my initial summary of the bill, Bill C-22 establishes court oversight for subscriber information with the warrantless access piece limited to requiring telecom companies to confirm whether they provide service to a given individual. That is a positive step, but there is a tradeoff, namely that the evidentiary standard needed to obtain an order for access to subscriber information is actually being lowered.

Since the Supreme Court decision in Spencer in 2014, the bulk of subscriber information – the names, addresses, account details, service types, and device identifiers that link a person to their online activity – requires a court order. The standard the courts have applied to obtain the information through a general production order is that there are “reasonable grounds to believe” that a crime has been or is about to be committed. Bill C-22 creates a new, specific production order for subscriber information, but lowers the threshold to “reasonable grounds to suspect,” which is the lowest standard in Canadian criminal law. That is the troubling tradeoff in the bill: the warrantless access for some subscriber information that was previously proposed may be gone, but in its place the government is establishing a lower threshold for a court order for that information than is currently required. 

Under the Criminal Code, when police want subscriber information from a telecom company or ISP such as name, address, and account details associated with an IP address or phone number, they use the general production order under s. 487.014. That order requires a judge to be satisfied that there are reasonable grounds to believe that an offence has been or will be committed and that the data will afford evidence of the offence. This is the same standard that applies to search warrants. In R. v. West, the Ontario Court of Appeal excluded evidence obtained through a production order precisely because the officer had asserted only “grounds to suspect” rather than “grounds to believe” in the information to obtain. The case is a concrete illustration that the distinction between the two standards is not semantic but can be the difference between admissible and excluded evidence.

Bill C-2, the previous lawful access bill, tried to bypass that framework altogether. Its Information Demand power would have allowed police to obtain a sweeping range of subscriber information from any service provider in Canada, without a warrant. Bill C-22 scraps the warrantless demand entirely. In its place, the bill creates two new tools. The first is the confirmation of service demand, which allows police to ask a telecom company whether it services a particular person or account. The second is the new subscriber information production order under s. 487.0142.

The order requires judicial authorization, but the standard the judge must be satisfied of is not “reasonable grounds to believe” but rather “reasonable grounds to suspect.” Reasonable grounds to believe requires a probability that an offence has occurred and that the data sought will provide evidence. Reasonable grounds to suspect requires something less: a reasonable suspicion, which the courts have held demands less factual grounding. As David Fraser notes, police obtain production orders under the reasonable grounds to believe standard all the time and lowering the standard raises serious concerns.

What can police get with this lower standard? The Bill C-22 definition of subscriber information states that it includes:

(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;
(b) identifiers assigned to the subscriber or client by the person, including account numbers; and
(c) information relating to the services provided to the subscriber or client, including (i) the types of services provided, (ii) the period during which the services were provided, and (iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.

Paragraphs (a) and (b) cover basic identifying data such as names, addresses, phone numbers, email, and account numbers. This is the information most people think of when they hear “subscriber information.” For this category, C-22 is better than C-2 since the previous approach did not require court oversight. The problem lies with paragraph (c), which covers far more revealing personal information such as the types of services a person subscribes to, the duration of their subscription, and the devices they use. Robert Diab identifies this concern with C-22, arguing that the provision contemplates access to information that goes right to the biographical core.

The Supreme Court held in Spencer that subscriber information attracts a high degree of privacy precisely because it connects a person’s identity to their online activity. The Bykovets decision reinforced the point by extending the same reasoning to IP addresses, which the Court described as the first digital breadcrumb. The government may point to an existing precedent in the Criminal Code for the lower standard. Production orders for transmission data, which covers routing information used to identify a device or person involved in sending a communication, require only reasonable grounds to suspect. But transmission data is routing information that covers the technical details of transmitting a communication. Subscriber information can be far more revealing — and Spencer and Bykovets suggest it warrants a higher threshold.

It is worth noting that this is not the standard the government proposed in earlier lawful access proposals. For example, Bill C-13, introduced in 2013 and eventually enacted as the Protecting Canadians from Online Crime Act, established the current general production order under s. 487.014 with the reasonable grounds to believe standard. That standard has governed access to subscriber data for a decade. The decision to lower it in C-22 is a deliberate choice, bundling a genuine concession on warrantless access with a reduction in the threshold for judicially authorized access.

The government could split the subscriber information definition into two tiers: basic identifying data in paragraphs (a) and (b) accessible on reasonable grounds to suspect, and service and device information in paragraph (c) requiring the higher reasonable grounds to believe standard. That would preserve the dedicated tool the government wants, maintain the investigative efficiency gains over the general production order, and respect the constitutional line the Supreme Court has drawn around information that reveals the biographical core of a person’s online life. The relevant comparison for C-22 is not C-2 but rather current law. And on that measure, the bill lowers the standard for access to personal information that the courts have treated as constitutionally sensitive. It’s a privacy tradeoff in need of a fix.