Much of the discussion around the new lawful access bill (Bill C-22) has focused on provisions that improved upon Bill C-2, notably the decision to scrap the warrantless information demand power by requiring judicial oversight for access to subscriber information. Yet despite that improvement, there remain serious privacy concerns with the government’s latest iteration of lawful access. Buried in the second half of Bill C-22 is a provision granting the government the power to require “core providers” to retain categories of metadata, including transmission data, for up to one year. This is mandatory metadata retention: telecom and electronic service providers would be required to store information about the communications of all their users, regardless of whether those users are suspected of anything. It is one of the most privacy-invasive tools a government can deploy, and the international experience suggests that the privacy risks are major.
The provision can be found in s. 5(2)(d) of the Supporting Authorized Access to Information Act, which authorizes regulations requiring core providers to retain categories of metadata for reasonable periods of time not exceeding one year. Those categories include transmission data, which covers the date, time, duration, and type of a communication, the identifiers of the devices involved, and, critically, information that identifies the location of the device. That last category is what makes the provision so significant: location metadata retained under this power could be used to reconstruct a person’s movements over time from cell tower records and other location identifiers. Robert Diab has flagged exactly this concern, noting that while this is not a police power to obtain the data (a warrant would still be required), the effect of the retention obligation is to ensure that the data exists and is available when it is sought.
The bill does include some limits. Section 5(4) excludes retention of information that would reveal the content of communications, a person’s web browsing history, or a person’s social media activities. These exclusions are important, and they address some of the concerns raised in more aggressive surveillance regimes elsewhere. But they should not obscure the effect of Bill C-22, which would be the blanket retention of metadata about the communications of every Canadian who uses a service provided by a core provider, regardless of any suspicion of wrongdoing.
The international experience is instructive and should give all Canadians pause. In the European Union, the Court of Justice struck down the EU Data Retention Directive in 2014 in Digital Rights Ireland, holding that the general and indiscriminate retention of all users’ telecommunications metadata was a disproportionate interference with the fundamental rights to privacy and data protection. The Directive had required member states to mandate retention for between six and twenty-four months. In the years since, the CJEU has progressively clarified that while targeted retention linked to specific threats or geographic areas can be lawful, blanket retention of all users’ data remains incompatible with EU fundamental rights. Further, several member states have had their domestic retention laws struck down by their own constitutional courts on similar grounds. Germany, whose retention law was struck down by its Federal Constitutional Court in 2010, has no mandatory metadata retention in force today and has instead been debating a “quick freeze” model, in which law enforcement can require preservation of existing data once grounds for a specific investigation arise, rather than requiring providers to store everything in advance.
Some Five Eyes partners have established data retention requirements. For example, Australia requires ISPs and telecoms to retain metadata for two years, and law enforcement can access retained metadata without a warrant, an approach that would almost certainly violate Canada’s Charter of Rights and Freedoms. By contrast, there is no federal mandatory metadata retention law in the United States. The Electronic Communications Privacy Act (18 U.S.C. § 2703(f)) allows law enforcement to request preservation of existing data when there are grounds for a specific investigation, but it does not require providers to retain data they would not otherwise keep. The U.S. model is preservation on demand, not blanket retention.
The Criminal Code already provides for a version of the U.S. approach. The preservation demand under s. 487.012 allows a peace officer to require a person to preserve computer data that is in their possession or control when they receive the demand, provided the officer has reasonable grounds to suspect that an offence has been or will be committed and intends to apply for a warrant or production order. The demand is itself time-limited (21 days in the ordinary case), since its purpose is only to hold the data until that warrant or order is obtained. This is a targeted tool that applies to specific data in specific investigations, not to all data held by all providers. It is the Canadian equivalent of the U.S. preservation model and of the quick freeze approach that Germany and other European countries have been moving toward. Given these alternatives, mandated data retention for everyone as contemplated by Bill C-22 is excessive and raises serious privacy concerns.
In fact, Bill C-22 even contemplates expanding the metadata requirements beyond core providers to any electronic service provider, which would capture a far broader range of Internet companies. Expanding the scope requires a Ministerial order and is subject to prior approval by the Intelligence Commissioner. That safeguard may help, but the absence of the Privacy Commissioner of Canada from any oversight role suggests that privacy is at best a secondary consideration.
The entire approach is a fundamental shift in the relationship between Canadians and their communications providers, under which the default is retention of data about everyone rather than preservation of data about specific suspects. European courts have repeatedly struck down similar blanket retention requirements as disproportionate. If the government doesn’t fix these rules, Canadian courts might well do the same.
That kind of data-retention demand from years ago caused Drew Sullivan, then President of the Toronto Linux Users Group, to realize that the cheapest way to collect that material was to capture everything. Large disks were available, and a small ISP with a home-style disk-array box could save at least a year’s traffic.
That caused a series of complaints by small ISPs, and “crickets” from Bell and Rogers.