Much of the discussion around the new lawful access bill (Bill C-22) has focused on provisions that improved upon Bill C-2, notably the decision to scrap the warrantless information demand power by requiring judicial oversight for access to subscriber information. Yet despite that improvement, there remain serious privacy concerns with the government’s latest iteration of lawful access. Buried in the second half of Bill C-22 is a provision granting the government the power to require “core providers” to retain categories of metadata, including transmission data, for up to one year. This is mandatory metadata retention that would require telecom and electronic service providers to store information about the communications of all their users, regardless of whether those users are suspected of anything. It is one of the most privacy invasive tools a government can deploy and the international experience suggests that there are major privacy risks.
The provision can be found in s. 5(2)(d) of the Supporting Authorized Access to Information Act, which authorizes regulations requiring core providers to retain categories of metadata for reasonable periods of time not exceeding one year. The categories scope in transmission data, which includes the date, time, duration, and type of a communication, the identifiers of the devices involved, and critically, information that identifies the location of the device. That last category is what makes this provision so significant since metadata retained under this power could be used to reconstruct a person’s movements over time through cell tower signals and other location identifiers. Robert Diab has flagged exactly this concern, noting that while this is not a police power to obtain the data (a warrant would still be required), the effect of the retention obligation is to ensure the data exists and is available when sought.
The bill does include some limits. Section 5(4) excludes retention of information that would reveal the content of communications, a person’s web browsing history, or a person’s social media activities. These exclusions are important and they address some of the concerns raised in more aggressive surveillance regimes elsewhere. But they should not obscure the effect of Bill C-22, which would be the blanket retention of metadata about the communications of every Canadian who uses a service provided by a core provider with no regard for wrongdoing.
The international experience is instructive and should give all Canadians pause. In the European Union, the Court of Justice struck down the EU Data Retention Directive in 2014 in Digital Rights Ireland, holding that the general and indiscriminate retention of all users’ telecommunications metadata was a disproportionate interference with the fundamental rights to privacy and data protection. The Directive had required member states to mandate retention for between six and twenty-four months. In the years since, the CJEU has progressively clarified that while targeted retention linked to specific threats or geographic areas can be lawful, blanket retention of all users’ data remains incompatible with EU fundamental rights. Further, several member states have had their domestic retention laws struck down by their own constitutional courts on similar grounds. For example, Germany has no mandatory metadata retention and has instead been debating a “quick freeze” model in which law enforcement can require preservation of existing data when grounds for a specific investigation arise, rather than requiring providers to store everything in advance.
Some Five Eyes partners have established data retention requirements. For example, Australia requires ISPs and telecoms to retain metadata for two years and law enforcement can access retained metadata without a warrant, an approach that would almost certainly violate Canada’s Charter of Rights and Freedoms. By contrast, there is no federal mandatory metadata retention law in the United States. The Electronic Communications Privacy Act allows law enforcement to request preservation of existing data when there are grounds for a specific investigation, but does not require providers to retain data they would not otherwise keep. The U.S. model is preservation on demand, not blanket retention.
The Criminal Code already provides for a version of the U.S. approach. The preservation demand under s. 487.012 allows a peace officer to require a person to preserve computer data that is in their possession when they receive the demand, provided the officer has reasonable grounds to suspect an offence and intends to seek a warrant or production order. This is a targeted tool that applies to specific data in specific investigations, not to all data held by all providers. It is the Canadian equivalent to the U.S. preservation model and to the quick freeze approach that Germany and other European countries have been moving toward. Given the alternatives, requiring mandated data retention for everyone as contemplated by Bill C-22 is excessive and raises serious privacy concerns.
In fact, Bill C-22 even contemplates expanding the metadata requirements beyond core providers to any electronic service provider, which would scope in a far broader range of Internet companies. Expanding the scope requires a Ministerial order and is subject to prior approval by the Intelligence Commissioner. That safeguard may help, but the absence of the Privacy Commissioner of Canada from any oversight role suggests that privacy is at best a secondary consideration.
The entire approach is a fundamental shift in the relationship between Canadians and their communications providers, under which the default is retention of data about everyone rather than preservation of data about specific suspects. European courts have repeatedly struck down similar blanket retention requirements as disproportionate. If the government doesn’t fix these rules, Canadian courts might well do the same.
Enjoyed this post? Get every post plus the Law Bytes podcast delivered to your inbox – subscribe on Substack.
Related posts:
A Tale of Two Bills: Lawful Access Returns With Changes to Warrantless Access But Dangerous Backdoor Surveillance Risks Remain
Why the Government’s Plan for Warrantless Access to Internet Subscriber Information Will Lead to Millions of Disclosure Demands Each Year
Why Bill C-2 Faces a Likely Constitutional Challenge By Placing Solicitor-Client Privilege at Risk
Government Doubles Down in Defending Bill C-2’s Information Demand Powers That Open the Door to Warrantless Access of Personal Information
That kind of data-retention demand form years ago caused Drew Sullivan, then President of the Toronto Linux Users Group, to realize that the cheapest way to collect that material was to capture everything. Large disks were available, and a small ISP with a home-style disk-array box could save at least a year’s traffic.
That caused a series of complaints by small ISPs, and “crickets” from Bell and Rogers.
It does an excellent job of breaking down Bill C-22 and explaining why the mandatory metadata retention provision is so concerning from a privacy standpoint. The comparison with EU and Five Eyes approaches really highlights how blanket retention can be excessive and disproportionate, there are layers of oversight and potential risks lurking in ways that aren’t obvious at first glance. I found the discussion of targeted “quick freeze” models versus blanket retention especially useful, as it shows how privacy-respecting alternatives are possible while still enabling law enforcement access when truly necessary.
Teslas currently spit out info to home base, as to speed, GPS, etc.
If the cops can access all this info, then,
are Tesla drivers exceeding a speed limit in certain areas now going to be automatically fined?
Watching movies while on the road/ distracted driving?
I found the discussion of targeted “quick freeze” models versus blanket retention especially useful, as it shows how privacy-respecting alternatives are possible while still enabling law enforcement access when truly necessary cookie clicker free.
Pingback: Fraud, Extortion, Spying: Ottawa’s Broken Immigration System Becomes Total Surveillance Instead of Border Shutdown | Wiretap Media
Pingback: John Carpay: New Bill Giving Federal Agencies Access to Canadians’ Data Raises Major Privacy Concerns | peckford42
Found a simple way to handle avif to png without installing anything—pretty convenient.
These Lawful Access Privacy Risks: Unpacking Bill C-22’s Expansive Metadata Retention Requirements are so unique and there are a lot of people who need to know how to deal with it to get the desired results. We can learn more from your experience. So I try using https://carolinapolebarnbuilders.com/pole-barn-construction/ to learn how to deal with it and how it will work.
The phrase “buried in the second half” does a lot here—you’re warning against being soothed by the headline fix when the real danger is a quiet normalization of storing everyone’s metadata.
I didn’t realize the bill could require providers to store metadata for up to a year, even for people not under investigation. That part made me pause a bit, especially thinking about how much location data gets generated every day.Mouse Scroll Test
The comparison with Germany’s “quick freeze” approach was interesting—I hadn’t heard of that before. It sounds like a very different way of handling investigations without storing everything upfront.
I found it a bit surprising that Canada doesn’t currently have a federal mandatory metadata retention law, while some other countries already do. It made me wonder how much this bill is trying to align with international practices.
Great article! I was surprised to learn about the mandatory metadata retention in Bill C-22. It’s concerning that providers have to store data on everyone, not just suspects. Thanks for breaking down these privacy risks.