The lawful access debate in Canada has to date focused on privacy concerns such as access to subscriber information, mandatory metadata retention, and international production orders. But there is another dimension to Bill C-22 that has received less attention and may matter even more to the daily security of Canadians: the risk that the bill’s surveillance-capability requirements and lack of clarity about systemic vulnerabilities will make Canadians less secure. The international experience with similar laws is not reassuring, as it points to risks of hacking, removal of security features that protect users, and reduced investment and innovation. Bill C-22 heads in much the same direction.
Wiertz Sebastien - Privacy by Sebastien Wiertz (CC BY 2.0) https://flic.kr/p/ahk6nh
Privacy
Scoping in the Tech Giants: Bill C-22’s International Production Order and the Shift to a Less Privacy-Protective Cross-Border Disclosure System
While much of the focus on lawful access and subscriber information has centred on the reduced standards for obtaining an order for such information from Canadian telecom and Internet providers, there is another new production order deserving of attention (see earlier posts on domestic subscriber information standards and mandatory metadata retention). Bill C-22 introduces a new mechanism for Canadian courts to authorize police to request subscriber information and transmission data held outside the country directly from foreign platforms such as Google, Meta, and other services that provide communications services to the public. The provision is presented as a tool to modernize cross-border investigations, but in practice, it is likely to reduce privacy safeguards.
The Law Bytes Podcast, Episode 263: The Lawful Access Act Roundtable With David Fraser and Robert Diab
Lawful access is back. The decades-long battle has entered a new phase with the introduction of Bill C-22, the Lawful Access Act. This bill follows last spring’s attempt to bury lawful access provisions in Bill C-2, a border measures bill. The latest bill covers the two main aspects of lawful access: law enforcement access to personal information held by communication service providers such as ISPs and wireless providers, and the development of surveillance and monitoring capabilities within Canadian networks.
To discuss the latest iteration of lawful access, I’m joined on the Law Bytes podcast by David Fraser and Robert Diab for a roundtable discussion of the key elements of the proposed legislation. David is one of Canada’s leading privacy lawyers and a partner with McInness Cooper in Halifax, and Robert is a law professor at Thompson Rivers University in BC and the co-author of a book on search and seizure law.
Setting Canada’s AI Policy Priorities: My Appearance Before the Standing Committee on Industry, Science and Technology
The Standing Committee on Industry, Science and Technology is one of several House and Senate committees currently grappling with legal, regulatory and policy challenges and opportunities presented by AI. I appeared before the committee yesterday alongside Yoshua Bengio and Colin Bennett. Bengio unsurprisingly garnered the lion’s share of the questions, but the committee did give me the chance to highlight my thoughts on policy priorities and to address a few questions. I plan to post some reflections on the policy tensions in the coming days. In the meantime, the video and text of my opening statement are posted below.
The Lawful Access Privacy Risks: Unpacking Bill C-22’s Expansive Metadata Retention Requirements
Much of the discussion around the new lawful access bill (Bill C-22) has focused on provisions that improved upon Bill C-2, notably the decision to scrap the warrantless information demand power by requiring judicial oversight for access to subscriber information. Yet despite that improvement, there remain serious privacy concerns with the government’s latest iteration of lawful access. Buried in the second half of Bill C-22 is a provision granting the government the power to require “core providers” to retain categories of metadata, including transmission data, for up to one year. This is mandatory metadata retention that would require telecom and electronic service providers to store information about the communications of all their users, regardless of whether those users are suspected of anything. It is one of the most privacy invasive tools a government can deploy and the international experience suggests that there are major privacy risks.
Recent Posts
More Surveillance Demands to Come?: Government Admits Bill C-22’s Lawful Access Provisions Could Be Expanded 
Win, Lose or Draw?: The Federal Court of Appeal Overrules a Key Copyright Case on Procedural Grounds 
The Lawful Access Debate Begins: Canadians Should Pay Attention to What the Government Isn’t Saying 
The Global Battle for Data Control: How the 2026 U.S. Report on Trade Barriers Targets Data Sovereignty Worldwide 
The Law Bytes Podcast, Episode 264: Jon Penney on Chilling Effects in the Digital Age
