Metadata retention has emerged as one of the biggest lawful access concerns, with requirements that providers retain metadata for all subscribers for up to one year. As I argued before the Standing Committee on Public Safety and National Security last week, when retained at scale, the retention becomes a comprehensive surveillance map of virtually every Canadian with information on where and when they go and who they interact with. Under Bill C-22, this data would apply to every subscriber regardless of suspicion. The government’s Charter Statement remarkably fails to address the regime, despite the fact that bulk retention frameworks of this kind have been struck down by the European Court of Justice in Digital Rights Ireland and Tele2 Sverige, and by Germany’s Federal Constitutional Court.

One year is itself enough to raise serious privacy concerns, yet comments from both the government and from police witnesses at the committee studying Bill C-22 suggest that one year may only be a starting point. The first signal came during the second reading debate, when Conservative MP Glen Motz, a former police officer, asked Secretary of State for Combatting Crime Ruby Sahota whether law enforcement had made any requests for powers not yet in the bill. As I noted at the time, Sahota acknowledged that police would likely support an even broader scope, describing C-22 as a first step. Sahota said the government needed to get the bill passed to take further steps and added that she was open to going further.

Last Thursday’s Bill C-22 committee hearing gave a sense of just how much further the metadata retention requirements might go. Asked whether one year was the appropriate retention period, Darcy Fleury, Chief of Police in Thunder Bay, told MPs: “I think 12 months is a good start but obviously, yes, you’re right, if the investigations are prolonged, and they can be very long in some of these cases, then retention beyond the 12 months – 24 months, 36 months, would be ideal.” My own evidence at the same panel went in the opposite direction, arguing that a thirty-day retention default with court authorization to extend would meet immediate investigative needs without entrenching a permanent surveillance archive.

My post last month on the House debate closed by suggesting that the question Canadians should be asking is not whether Bill C-22 goes too far but how much further the government plans to go. The committee process has now begun to provide the answer, with Sahota describing Bill C-22 as a first step and a police chief outlining, on the record last week, what at least one piece of the next step would look like. Bill C-22 continues to grab the spotlight for all the wrong reasons, with U.S. Congressional concerns about the bill emerging, and Signal stating that it may leave the market altogether. But for those who remain, the metadata requirements would create significant privacy and security risks and require substantial costs that will ultimately raise consumer bills.

Some tend to claim that criticism of lawful access veers into conspiracy theories about government surveillance. Yet no one is trying to hide anything here: the government says lawful access is a first step and that it is prepared to go further, while the police state on the record at committee that years of metadata retention would be ideal. If the government follows through, Canada would have the most extensive (and most expensive) mandated metadata retention regime in the world.