Debate on Bill C-22, the Lawful Access Act, continued this week with Public Safety Minister Gary Anandasangaree and Secretary of State for Combatting Crime Ruby Sahota leading the government’s case on Wednesday. I posted earlier on the first day of debate, which was notable for what the government chose not to say, as Justice Minister Fraser devoted just a single paragraph to the bill’s expansive metadata retention provisions and offered only process answers to questions about systemic vulnerability risks. The government continues to do its best to ignore the metadata issue, but the most alarming outcome of the debate was the admission that the current bill may only be the starting point, with support for an even broader scope in follow-up regulations or legislation.

The admission came when Conservative MP Glen Motz, himself a former police officer, asked Sahota whether law enforcement had communicated whether there are things they want that are not yet in this bill. Sahota acknowledged that law enforcement would likely support an even broader scope, described Bill C-22 as a first step, and said the government needs to get the bill passed to take further steps. In case her position wasn’t clear, she added that she would be open to going further. That framing should concern anyone who thinks the bill already goes too far. As I have argued, Bill C-22’s metadata retention requirements would compel service providers to store data for all their users for up to a year, and the surveillance-capability provisions would require permanent intercept infrastructure embedded in Canadian networks through secret ministerial orders. Both raise serious constitutional and security questions. Yet the government’s position is apparently that these provisions represent not the outer boundary of what it wants but merely a starting point. For a bill that the government has been at pains to characterize as balanced and carefully circumscribed, telling Parliament you plan to go further is a chilling admission.

Conservative MP Dane Lloyd raised a second question that has received too little attention: who bears the cost of compliance? Bill C-22 comes with significant costs and Lloyd asked whether the government planned any compensation schemes. Anandasangaree’s answer was blunt: the government expects compliance and is not contemplating compensation, framing the obligation as part of the CRTC’s licensing regime. Yet the problem with that answer is that Bill C-22’s obligations extend well beyond CRTC-licensed telecommunications carriers. Indeed, elements of the bill apply to anyone providing a service in Canada. Framing the compliance obligation as a condition of CRTC licensing mischaracterizes the scope of the bill’s own requirements. Building and maintaining intercept-capable infrastructure and responding to law enforcement demands requires ongoing investment in hardware, software, staffing, and security. Smaller providers, who compete against incumbents with far greater resources, will be disproportionately affected. Moreover, fees have a disciplining effect on requests. If there is no cost, law enforcement is likely to aggressively demand more access. Even modest fees may prompt them to reconsider whether the request for user information is strictly necessary. In short, zero cost is likely to mean more surveillance.

The Bloc Québécois’ Claude DeBellefeuille pressed Sahota on what may be the most important legal question in Part 1 of the bill: why did the government choose to reduce the standard for subscriber information production orders from “reasonable grounds to believe” to the lower “reasonable grounds to suspect”. I have written on the difference and the concern that the lower standard will harm user privacy. Sahota defended the lower threshold by arguing that subscriber information requests occur at the earliest stages of an investigation, where requiring reasonable grounds to believe would be too burdensome. Yet reasonable grounds to believe has been in place for over a decade for precisely this kind of information. Further, the Supreme Court’s Spencer and Bykovets decisions emphasized the sensitivity of the information at stake and the constitutional weight of the privacy interests involved. Choosing the lower standard for precisely the type of information the Court has flagged as constitutionally sensitive invites Charter scrutiny. As noted earlier this week, the government has still not released the Charter statement for Bill C-22.

Three days into the lawful access debate (it is set to continue on Friday), and things have gone from bad to worse. What started with little willingness to engage on key privacy concerns with Bill C-22 has now expanded to the admission that this iteration of lawful access may only be the first step. If mandatory metadata retention and the risk of systemic vulnerabilities in Canadian networks are only the beginning, the privacy and security concerns with this legislation demand far more scrutiny than they have received. The question Canadians should be asking is not whether Bill C-22 goes too far, but how much further the government plans to go.