Two posts on Bill C-22 in a single day are not my typical approach, but the volume of misinformation coming from the government about the lawful access bill has made it hard to keep up. Earlier today, I posted about the repeated use by government ministers and MPs of the phony “it’s just phone book information” analogy to misleadingly describe the collection of subscriber data and metadata. But a press conference yesterday by Public Safety Minister Gary Anandasangaree demands comment, as he accused U.S. tech companies of spreading misinformation, even though his own claims were plainly inaccurate and within hours required a walkback.
In response to a question about metadata collection, Anandasangaree claimed that “if you look at the Five Eyes G7 countries they have very similar types of legislative tools that are embedded within their lawful access regime” and later added that “we would ensure that metadata pieces in line with our U.S. counterparts’ language.” Within hours, the Minister was forced to walk back the metadata comment since it is simply not true. The United States, the G7 partner most often invoked in this debate, has no federal mandatory metadata retention law. Further, the Court of Justice of the European Union struck down the EU Data Retention Directive in Digital Rights Ireland and has held in Tele2 Sverige and La Quadrature du Net that general, indiscriminate retention of all users’ traffic and location data is incompatible with fundamental rights. Within the Five Eyes, only Australia (two years) and the United Kingdom (twelve months) have mandatory regimes. Anandasangaree’s walkback suggested he was actually talking about encryption, rather than metadata, but there is no U.S. equivalent on that issue either. The comment wasn’t credible, and neither is the government’s effort to clean it up.
The Minister’s reliance on Australia compounded the problem. Asked whether the one-year retention mandate could be shortened, he answered: “Australia, for example, has a two-year retention period. So, I believe one year is a reasonable timeline if you look at a life of an investigation, oftentimes it takes several months to even get to that point, if not longer.” The Australian regime is the closest comparator to Bill C-22, and its experience is a cautionary one with agencies using a loophole in the Telecommunications Act to access metadata far beyond what Parliament intended, while in a separate case the federal police accessed a journalist’s records without the required warrant. Not exactly the metadata model Canada should be seeking to emulate.
On encryption, Anandasangaree said the bill “was never meant to breach encryption” and promised to “clarify it in the Bill.” Language clarification is welcome but structural problems remain. The safeguards in Bill C-22 at ss. 5(5) and 7(5), which state that a provider is not required to comply if compliance would create a systemic vulnerability, are incompatible with s. 12, which unconditionally requires compliance with orders, and with s. 13, which specifies that orders prevail over regulations when inconsistencies arise. The term “systemic vulnerability” is not defined in the statute, and the Governor in Council has the power to make regulations “respecting the meaning of any term or expression for the purposes of this Act.” None of this is fixed by promising clearer language. It is fixed by the kind of amendment the Privacy Commissioner proposed this week, namely adopting Australia’s definition, which expressly covers actions that render encryption less effective, together with an explicit prohibition on regulations or orders that require the introduction of, or prevent the rectification of, a systemic vulnerability.
Moreover, Anandasangaree’s defence of the bill’s privacy implications was a deflection rather than an answer, as he tried to turn the attention to the privacy practices in the private sector, stating, “I drive a vehicle where every single point that I drive to is tracked. And that data is not with me.” Commercial data practices are indeed a real concern and Canada needs stronger laws to address them. However, the bill’s surveillance map of every Canadian is not justified by pointing to the absence of meaningful constraints on data collection and to the failure of his own government to address long-overdue private-sector privacy reform.
That brings the press conference back to the Privacy Commissioner. Asked directly whether he would accept Commissioner Philippe Dufresne’s amendments, the Minister said he would “be looking at” them and “looking to see what he has to offer.” Dufresne tabled eight concrete amendments at committee on Tuesday: narrowing subscriber information to a closed list (name, address, telephone number, IP address), restricting who can be compelled to telecommunications service providers, defining “publicly available information” to exclude information in which a person has a reasonable expectation of privacy, an overarching requirement that SAAIA obligations be necessary and proportionate, an Australian-style amendment to “systemic vulnerability,” an explicit prohibition on orders requiring vulnerability introduction or preventing rectification, an exemption to the SAAIA’s confidentiality rules to allow disclosure to regulatory bodies such as the OPC, and allowing his office to investigate if data breaches result from application of the new powers. Anandasangaree’s comments, coming a day after Dufresne’s committee appearance, noted that “we have until like five o’clock today” for amendments. That window does not leave room to seriously consider the Commissioner’s recommendations. The “I will be looking at” claim, delivered hours before the deadline, amounted to a rejection of the recommendations.
The political pressure against Bill C-22 has been steadily mounting, with the opposition parties, tech companies, and privacy experts all increasingly vocal about the need for significant amendments. At this stage, it seems all the government has in response are misleading or inaccurate claims with little in the way of an actual defence. Indeed, the government’s disregard for facts and privacy is fast becoming Bill C-22’s legacy.

I would really like a comparison to other countries in this space. UK has metadata retention and Technical access request process and the governing bodies for privacy oversight. Australia has the technical access but not metadata, USA has deeper access laws and state rules. Snowden showed how they do an end run and effectively break E2EE. It just feels like this is being looked at in a vacuum of Canada when really it should be a global conversation. It’s a continuation of the battle on E2EE and the presumption of innocence vs criminal and illegal behaviour and how do we as a society want to limit our freedoms for the collective good. If we want to at all and what that really means.
Even the media posts from corporate responses act like technical access requests don’t exist elsewhere. It just feels like a non-serious conversation.
Hi Professor Geist,
Regarding the ostensible conflict between ss. 5(5) and 7(5), on one hand, and ss. 12 and 13, on the other hand, does the “presumption against tautology” not provide an answer? In other words, faced with interpreting these provisions, would a court not conclude that s. 12 is implicitly subject to s. 7(5), and therefore there is no conflict in practice?
I would also like a comparison of what dictators, surveillance states and repressive regimes do vs what the Canadian government is planning.
Be curious my friends, ask why this Bill C-22 is so important to the Government(s). Here is a hint…9/11 immediate Acts passed afterwards, PATRIOT ACT, Canada’s Anti-Terrorism Act, Budapest Convention(s), you will see how the past 24 years, all governments in Canada have been wanting to sign on to the Convention. In order to do so, they have to pass Acts within their own respective jurisdictions. Is a rabbit hole!
The irony of Prof Geist accusing the government of “misinformation” only to casually toss out misinformation in the very same article.
Prof Geist claims that the term “systemic vulnerability” is not defined in the bill, when in fact it is.
Prof Geist also claims that the systemic vulnerability exception (ss. 5(5) and 7(5)) is “incompatible” with ss. 12 and 13, when in fact these provisions all work harmoniously and ensure this important exception applies for all regulations and ministerial orders.
Liberal cope bot but I’ll write this anyways.
It actually doesn’t. The definition of systemic vulnerability is given such a loose definition it’s basically not defined at all. The definition in the bill is literally “as one that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so”. As Geist has said in the past the definition acknowledges there could be a problem but leaves it so vague that it’s all up to the regulators and regulations to define (which there are none as of last I looked). This means companies are not required to comply with regulations that introduce a vulnerability, but allows the government to issue such mandates in the first place, that’s not a good idea in just the amount of taxpayer money that will be wasted on the court proceedings … which brings us to point number two. He literally explains why they aren’t compatible, you going against an order which is illegal in Canada, otherwise non compliance against the gun grab would have been the answer, the problem is the government has the right what to decide and we have to follow, go look at the millions of dollars and hours spent on fighting the gun grab even though they said all of these safety things were in place to prevent law abiding gun owners into criminals, while that’s literally what happened due to how terrible the buyback program was (timings and payments). They’ve already proved to us that the Carney government will take advantage of vagueness. The funny thing is the same liberals supporting this are some of the same ones that cried when Harper attempted to pull this, and at least his walls were tungsten instead of Carney’s wet paper walls lol
You can disagree with the definition or call it vague. Those are matters of opinion. But to say the bill “does not define” the term is just factually incorrect, and Prof Geist knows better than this.
As for the supposed “incompatible” provisions in ss. 12-13, this argument rests on an incorrect interpretation of the provisions. It’s not clear to me why Prof Geist is erroneously insisting on it.
Prof Geist is sort of correct. While the bill does provide a definition of the term “systemic vulnerability” it also provides language that allows regulation to change that definition of the term, making the definition in the bill moot. In fact, the definition in the bill uses the expression “substantial risk”. Given that what you call a substantial risk and what someone else does most likely is not the same, whose definition of “substantial risk” is used?
The bill would allow cabinet to make regulations respecting, among other things, “the meaning of any term or expression for the purposes of this Act”. But legally, cabinet cannot override a definition set by parliament. If they did, the courts wouldn’t have it.
More importantly, none of this gets around the simple fact that Prof Geist is peddling misinformation when he writes above that “The term ‘systemic vulnerability’ is not defined” in C-22. He is free to disagree with the definition, but he cannot claim it doesn’t exist.