The new Lawful Access Act needs work

Log in to listen to this article

In a nutshell

Despite the federal government shelving the bill’s previous iteration (parts 14 and 15 of Bill C-2, the Strong Borders Act), the new Lawful Access Act (Bill C-22) still poses significant concerns for Canadians’ privacy and cybersecurity. The CBA’s Criminal Justice, Privacy and Access to Information Law Sections and Anti-Corruption Team therefore submit extensive recommendations to improve the bill’s safeguards, clarify lawful access powers, and ensure compliance with Canada’s Charter.

Key concerns and recommendations

Highlighted here are some key concerns the CBA has with the bill:

• Bill C-22 creates new law enforcement and national security authorities in Part 1 and requires electronic service providers to create new capabilities in Part 2. While both parts are under the banner of “lawful access”, they are distinct enough that separate bills would improve debate and discussion.
• Regarding voluntary disclosure and immunity, a significant concern is that no information demand is necessary for a peace officer or public officer to “ask” for information if the person is lawfully in possession of the information. 
• The CBA is concerned about the balance between the threshold for obtaining subscriber information in light of the scope of data that is included in the definition (services and devices).
• Bill C-22 expands lawful access powers while reducing judicial oversight, materially impacting individual rights and freedoms and imposing costs on the private sector. Such changes require strong evidence of necessity and a proportionate impact on rights, which the government has not provided.
• Part 1 of Bill C-22 reduces judicial oversight, while the combination of expanded powers, limited transparency, and limited safeguards in Part 2 creates serious risks to individual rights and freedoms.
• The bill risks violating the s. 8 Charter protection against unreasonable search and seizure.

Below are some CBA recommendations to improve the bill:

• That use of information collected by law enforcement or national security authorities be limited to specific, statutorily defined purposes connected with the purposes for which was collected, with explicit prohibitions on secondary use beyond the initial authorization.
• The new Act should not override privacy rights or accountability mechanisms in other statutes.
• Section 7 empowers the Minister of Public Safety and Emergency Preparedness to issue Ministerial Orders imposing obligations on ESPs. There is no evidence that assistance orders under the Code or CSIS Act are inadequate and recommends that Ministerial Orders be removed from the bill.
• The CBA supports annual public reporting obligations to Parliament and an oversight mechanism such as the Privacy Commissioner, the National Security and Intelligence Review agency, or another designated tribunal, to audit compliance, review complaints, and investigate overreach or misuse.
• The CBA recommends public and stakeholder consultation, particularly from privacy, legal, and civil liberties organizations.

Why this matters

Bill C-22 has significant implications that affect Canadians’ privacy, safety and cybersecurity interests. The government must avoid deferring core definitions and obligations to future regulations. Legislation expanding government powers must be clear to ensure legal predictability and prevent function creep. The recommendations put forward by the CBA are intended to be a good faith contribution to Parliament’s important deliberations in crafting laws that are effective, understandable and consistent with the Charter.

Read the full submission.