Much of the discussion around the new lawful access bill (Bill C-22) has focused on provisions that improved upon Bill C-2, notably the decision to scrap the warrantless information demand power by requiring judicial oversight for access to subscriber information. Yet despite that improvement, there remain serious privacy concerns with the government’s latest iteration of lawful access. Buried in the second half of Bill C-22 is a provision granting the government the power to require “core providers” to retain categories of metadata, including transmission data, for up to one year. This is mandatory metadata retention that would require telecom and electronic service providers to store information about the communications of all their users, regardless of whether those users are suspected of anything. It is one of the most privacy invasive tools a government can deploy and the international experience suggests that there are major privacy risks.
The provision can be found in s. 5(2)(d) of the Supporting Authorized Access to Information Act, which authorizes regulations requiring core providers to retain categories of metadata for reasonable periods of time not exceeding one year. The categories scope in transmission data, which includes the date, time, duration, and type of a communication, the identifiers of the devices involved, and critically, information that identifies the location of the device. That last category is what makes this provision so significant since metadata retained under this power could be used to reconstruct a person’s movements over time through cell tower signals and other location identifiers. Robert Diab has flagged exactly this concern, noting that while this is not a police power to obtain the data (a warrant would still be required), the effect of the retention obligation is to ensure the data exists and is available when sought.
The bill does include some limits. Section 5(4) excludes retention of information that would reveal the content of communications, a person’s web browsing history, or a person’s social media activities. These exclusions are important and they address some of the concerns raised in more aggressive surveillance regimes elsewhere. But they should not obscure the effect of Bill C-22, which would be the blanket retention of metadata about the communications of every Canadian who uses a service provided by a core provider with no regard for wrongdoing.
The international experience is instructive and should give all Canadians pause. In the European Union, the Court of Justice struck down the EU Data Retention Directive in 2014 in Digital Rights Ireland, holding that the general and indiscriminate retention of all users’ telecommunications metadata was a disproportionate interference with the fundamental rights to privacy and data protection. The Directive had required member states to mandate retention for between six and twenty-four months. In the years since, the CJEU has progressively clarified that while targeted retention linked to specific threats or geographic areas can be lawful, blanket retention of all users’ data remains incompatible with EU fundamental rights. Further, several member states have had their domestic retention laws struck down by their own constitutional courts on similar grounds. For example, Germany has no mandatory metadata retention and has instead been debating a “quick freeze” model in which law enforcement can require preservation of existing data when grounds for a specific investigation arise, rather than requiring providers to store everything in advance.
Some Five Eyes partners have established data retention requirements. For example, Australia requires ISPs and telecoms to retain metadata for two years and law enforcement can access retained metadata without a warrant, an approach that would almost certainly violate Canada’s Charter of Rights and Freedoms. By contrast, there is no federal mandatory metadata retention law in the United States. The Electronic Communications Privacy Act allows law enforcement to request preservation of existing data when there are grounds for a specific investigation, but does not require providers to retain data they would not otherwise keep. The U.S. model is preservation on demand, not blanket retention.
The Criminal Code already provides for a version of the U.S. approach. The preservation demand under s. 487.012 allows a peace officer to require a person to preserve computer data that is in their possession when they receive the demand, provided the officer has reasonable grounds to suspect an offence and intends to seek a warrant or production order. This is a targeted tool that applies to specific data in specific investigations, not to all data held by all providers. It is the Canadian equivalent to the U.S. preservation model and to the quick freeze approach that Germany and other European countries have been moving toward. Given the alternatives, requiring mandated data retention for everyone as contemplated by Bill C-22 is excessive and raises serious privacy concerns.
In fact, Bill C-22 even contemplates expanding the metadata requirements beyond core providers to any electronic service provider, which would scope in a far broader range of Internet companies. Expanding the scope requires a Ministerial order and is subject to prior approval by the Intelligence Commissioner. That safeguard may help, but the absence of the Privacy Commissioner of Canada from any oversight role suggests that privacy is at best a secondary consideration.
The entire approach is a fundamental shift in the relationship between Canadians and their communications providers, under which the default is retention of data about everyone rather than preservation of data about specific suspects. European courts have repeatedly struck down similar blanket retention requirements as disproportionate. If the government doesn’t fix these rules, Canadian courts might well do the same.
Enjoyed this post? Get every post plus the Law Bytes podcast delivered to your inbox – subscribe on Substack.
Related posts:
A Tale of Two Bills: Lawful Access Returns With Changes to Warrantless Access But Dangerous Backdoor Surveillance Risks Remain
Why the Government’s Plan for Warrantless Access to Internet Subscriber Information Will Lead to Millions of Disclosure Demands Each Year
Why Bill C-2 Faces a Likely Constitutional Challenge By Placing Solicitor-Client Privilege at Risk
Government Doubles Down in Defending Bill C-2’s Information Demand Powers That Open the Door to Warrantless Access of Personal Information
That kind of data-retention demand form years ago caused Drew Sullivan, then President of the Toronto Linux Users Group, to realize that the cheapest way to collect that material was to capture everything. Large disks were available, and a small ISP with a home-style disk-array box could save at least a year’s traffic.
That caused a series of complaints by small ISPs, and “crickets” from Bell and Rogers.
It does an excellent job of breaking down Bill C-22 and explaining why the mandatory metadata retention provision is so concerning from a privacy standpoint. The comparison with EU and Five Eyes approaches really highlights how blanket retention can be excessive and disproportionate, there are layers of oversight and potential risks lurking in ways that aren’t obvious at first glance. I found the discussion of targeted “quick freeze” models versus blanket retention especially useful, as it shows how privacy-respecting alternatives are possible while still enabling law enforcement access when truly necessary.
Teslas currently spit out info to home base, as to speed, GPS, etc.
If the cops can access all this info, then,
are Tesla drivers exceeding a speed limit in certain areas now going to be automatically fined?
Watching movies while on the road/ distracted driving?
I found the discussion of targeted “quick freeze” models versus blanket retention especially useful, as it shows how privacy-respecting alternatives are possible while still enabling law enforcement access when truly necessary cookie clicker free.
Pingback: Fraud, Extortion, Spying: Ottawa’s Broken Immigration System Becomes Total Surveillance Instead of Border Shutdown | Wiretap Media
Pingback: John Carpay: New Bill Giving Federal Agencies Access to Canadians’ Data Raises Major Privacy Concerns | peckford42
Found a simple way to handle avif to png without installing anything—pretty convenient.
These Lawful Access Privacy Risks: Unpacking Bill C-22’s Expansive Metadata Retention Requirements are so unique and there are a lot of people who need to know how to deal with it to get the desired results. We can learn more from your experience. So I try using https://carolinapolebarnbuilders.com/pole-barn-construction/ to learn how to deal with it and how it will work.
The phrase “buried in the second half” does a lot here—you’re warning against being soothed by the headline fix when the real danger is a quiet normalization of storing everyone’s metadata.
I didn’t realize the bill could require providers to store metadata for up to a year, even for people not under investigation. That part made me pause a bit, especially thinking about how much location data gets generated every day.Mouse Scroll Test
The comparison with Germany’s “quick freeze” approach was interesting—I hadn’t heard of that before. It sounds like a very different way of handling investigations without storing everything upfront.
I found it a bit surprising that Canada doesn’t currently have a federal mandatory metadata retention law, while some other countries already do. It made me wonder how much this bill is trying to align with international practices.
Great article! I was surprised to learn about the mandatory metadata retention in Bill C-22. It’s concerning that providers have to store data on everyone, not just suspects. Thanks for breaking down these privacy risks.
Look forward to seeing more of your blog.
Interesting point about how location data could be used to track movements over time—definitely a big concern. I wonder how this compares to what’s happening in other countries now, especially after the EU struck down their data retention rules. Either way, sometimes it’s nice to just unplug and lose yourself in something lighthearted like a fun movie game.
Mandatory metadata retention is just a backdoor for mass surveillance, regardless of what they say about needing a warrant to access it. Creating a database of everyone’s movements for a year is a massive overreach.
Thank you for this clear and informative article. The subject is explained in a straightforward way, making it easy to understand. Content like this is helpful when learning about how digital media platforms are evolving.Your Eyes and Ears Can Deceive You. Dialed GG
With CS2 fully replacing CS:GO, the skin gambling scene has adapted quickly. There are now dozens of sites competing for attention, but not all of them are worth your time. I found a platform that reviews and compares close to 100 different options, focusing on usability, bonuses, and trust factors. It doesn’t feel overly promotional, which is a плюс.What I liked most was the breakdown of jackpot cs2 features across different sites. It explains how pools work, what to expect in terms of competition, and which platforms seem more active. For anyone looking to get into skin gaming or just compare options, it’s a helpful starting point without being overwhelming.
The way you frame the mandatory metadata retention as something buried in the second half really lands—it captures how easily a sweeping privacy measure can hide beneath a headline improvement like judicial oversight.
The warrant requirement is a distraction if they’re still forcing companies to hoard everyone’s location data for a year.
1) This is a small step toward the Chinese Social creditScore system.
2) Combining Five Eyes and Edward Snowden’s revelation of US surveillance, why does any one think that these data are not fully scraped and stored?
3) This is a smokescreen to permit easier investigation of those already chosen and fits nicely with the “Hate Speech” determinations. See Germany or Britain for current examples.
4) Mark Carney is a director of the group posting for universal digital ID, one of the reasons he was selected as bank Governor in two jurisdictions, and as PM in Canada.
5) With time and money this would be an excellent bill for FOI investigation of the direction and drafts which produced it.
4…. The group “promoting”, not “posting.”
Thanks, AutoPhil.
I couldn’t find an edit link.
R