Two posts on Bill C-22 in a single day are not my typical approach, but the volume of misinformation coming from the government about the lawful access bill has made it hard to keep up. Earlier today, I posted about the repeated use by government ministers and MPs of the phony “it’s just phone book information” analogy to misleadingly describe the collection of subscriber data and metadata. But a press conference yesterday by Public Safety Minister Gary Anandasangaree demands comment, as he accused U.S. tech companies of spreading misinformation, even though his own claims were plainly inaccurate and within hours required a walkback.

In response to a question about metadata collection, Anandasangaree claimed that “if you look at the Five Eyes G7 countries they have very similar types of legislative tools that are embedded within their lawful access regime” and later added that “we would ensure that metadata pieces in line with our U.S. counterparts’ language.” Within hours, the Minister was forced to walk back the metadata comment since it is simply not true. The United States, the G7 partner most often invoked in this debate, has no federal mandatory metadata retention law. Further, the Court of Justice of the European Union struck down the EU Data Retention Directive in Digital Rights Ireland and has held in Tele2 Sverige and La Quadrature du Net that general, indiscriminate retention of all users’ traffic and location data is incompatible with fundamental rights. Within the Five Eyes, only Australia (two years) and the United Kingdom (twelve months) have mandatory regimes. Anandasangaree’s walkback suggested he was actually talking about encryption, rather than metadata, but there is no U.S. equivalent on that issue either. The comment wasn’t credible, and neither is the government’s effort to clean it up.

The Minister’s reliance on Australia compounded the problem. Asked whether the one-year retention mandate could be shortened, he answered: “Australia, for example, has a two-year retention period. So, I believe one year is a reasonable timeline if you look at a life of an investigation, oftentimes it takes several months to even get to that point, if not longer.” The Australian regime is the closest comparator to Bill C-22, and its experience is a cautionary one with agencies using a loophole in the Telecommunications Act to access metadata far beyond what Parliament intended, while in a separate case the federal police accessed a journalist’s records without the required warrant. Not exactly the metadata model Canada should be seeking to emulate.

On encryption, Anandasangaree said the bill “was never meant to breach encryption” and promised to “clarify it in the Bill.” Language clarification is welcome but structural problems remain. The safeguards in Bill C-22 at ss. 5(5) and 7(5), which state that a provider is not required to comply if compliance would create a systemic vulnerability, are incompatible with s. 12, which unconditionally requires compliance with orders, and with s. 13, which specifies that orders prevail over regulations when inconsistencies arise. The term “systemic vulnerability” is not defined in the statute, and the Governor in Council has the power to make regulations “respecting the meaning of any term or expression for the purposes of this Act.” None of this is fixed by promising clearer language. It is fixed by the kind of amendment the Privacy Commissioner proposed this week, namely adopting Australia’s definition, which expressly covers actions that render encryption less effective, together with an explicit prohibition on regulations or orders that require the introduction of, or prevent the rectification of, a systemic vulnerability.

Moreover, Anandasangaree’s defence of the bill’s privacy implications was a deflection rather than an answer, as he tried to turn the attention to the privacy practices in the private sector, stating, “I drive a vehicle where every single point that I drive to is tracked. And that data is not with me.” Commercial data practices are indeed a real concern and Canada needs stronger laws to address them. However, the bill’s surveillance map of every Canadian is not justified by pointing to the absence of meaningful constraints on data collection and to the failure of his own government to address long-overdue private-sector privacy reform.

That brings the press conference back to the Privacy Commissioner. Asked directly whether he would accept Commissioner Philippe Dufresne’s amendments, the Minister said he would “be looking at” them and “looking to see what he has to offer.” Dufresne tabled eight concrete amendments at committee on Tuesday: narrowing subscriber information to a closed list (name, address, telephone number, IP address), restricting who can be compelled to telecommunications service providers, defining “publicly available information” to exclude information in which a person has a reasonable expectation of privacy, an overarching requirement that SAAIA obligations be necessary and proportionate, an Australian-style amendment to “systemic vulnerability,” an explicit prohibition on orders requiring vulnerability introduction or preventing rectification, an exemption to the SAAIA’s confidentiality rules to allow disclosure to regulatory bodies such as the OPC, and allowing his office to investigate if data breaches result from application of the new powers. Anandasangaree’s comments, coming a day after the Dufresne’s committee appearance, noted that “we have until like five o’clock today” for amendments. That window does not leave room to seriously consider the Commissioner’s recommendations. The “I will be looking at” claim, delivered hours before the deadline, amounted to a rejection of the recommendations.

The political pressure against Bill C-22 has been steadily mounting, with the opposition parties, tech companies, and privacy experts all increasingly vocal about the need for significant amendments. At this stage, it seems all the government has in response are misleading or inaccurate claims with little in the way of an actual defence. Indeed, the government’s disregard for facts and privacy is fast becoming Bill C-22’s legacy.