Major new search powers in the Strong Borders Act: are they constitutional?
June 8, 2025
The Liberal’s first bill in Parliament last week proposes a raft of new search powers to give police easier access to our private data. They may turn out to be the most consequential search powers added to the Criminal Code in the past decade.
They have little to do with the primary aim of the bill, strengthening borders by expanding powers in customs and immigration.
Tucked in the middle of Bill C-2 are measures that revive long-standing aims to pass “lawful access” legislation that will make it easier for police to obtain subscriber information attached to an ISP account (with Shaw or Telus) and give police direct access to private data held by ISPs or platforms like iCloud, Gmail, or Instagram.
I’ve written a general overview of these powers for The Conversation here, and Michael Geist has a very informative op-ed in the Globe that sets out a wider context and walks through some of the provisions in detail. If you’re new to this story, you might begin there.
In this post, I offer a few thoughts on the constitutionality of three key powers in the bill: the new production order for subscriber info; the new information demand power; and the provisions that compel service providers to assist police in gaining direct access to personal data.
This is a long post, almost 3k words. It might have been three shorter ones, but I thought I’d put it all in one post.
It’s meant for those looking for a deeper dive on the constitutional questions.
What do you mean by ‘constitutional’?
The larger issue here is whether these provisions will survive a challenge under section 8 of the Charter of Rights and Freedoms, guaranteeing “everyone has the right to be secure against unreasonable search or seizure.”
Two things to keep in mind about section 8: What is a search? And when will a search be reasonable?
A search for the purpose of section 8 is anything done by a state agent for an investigative purpose that interferes with a reasonable expectation of privacy in a place or thing (R v Bykovets).
A search will be reasonable where it is authorized by law, the law is reasonable, and it is carried out in a reasonable manner (R v Collins).
The powers created in this new bill set out authority for a search. The issue here is whether each of them sets out a ‘reasonable law’ authorizing a search.
(In case you’re interested, I’ve co-authored an entire book on section 8, which you can check out here.)
Relevant background: production orders and the Spencer situation
In 2004, Parliament created what are called ‘production orders’ to give police the power to ask an internet or cellphone service provider to hand over data about digital communications, including the content of messages.
That power required reasonable suspicion, and it was challenged under section 8 of the Charter as being too low a standard, giving rise to an unreasonable search.
In 2014, the BC Supreme Court said it was too low: it should be probable grounds; the Alberta Court of Appeal disagreed: it should only be reasonable suspicion.
That same year Parliament passed Bill C-14, which created a general production order requiring probable grounds (487.014) and four more specific production orders requiring only reasonable suspicion — for tracing communications (e.g., metadata attached to email or phone calls), transmission data (call or text histories); tracking data (location data); and financial data (487.015 to 487.018).
Meanwhile, in June of 2014, Supreme Court of Canada decided R v Spencer, which held that subscriber information attached to an IP address — the name and physical address of the person linked to it — is private, because it associates a person with their online search history. Police can’t demand it from an ISP without authority in law to do so (which may or may not involve a warrant).
The Court in Spencer noted (at para 11) that police had demanded the subscriber ID from Shaw without first obtaining a production order in that case — thus contemplating its use as a means for doing so.
But the Court did not address the question of what kind of search power would be reasonable to obtain subscriber info. After explaining why provisions in private sector legislation (PIPEDA) didn’t authorize the search, the Court simply concluded (in para 73) that “in the absence of exigent circumstances or a reasonable law,” police couldn’t lawfully search (i.e., demand) it.
So what remained unclear after Spencer was: what is a reasonable search law that authorizes police to make a demand for subscriber information?
The presumptive standard for a reasonable search in criminal law (i.e., what constitutes a “reasonable law” authorizing a search) is one involving a warrant issued on “reasonable grounds to believe” (probable grounds) that an offence has been or will be committed, rather than “reasonable suspicion.” It would seem, then, that a demand for subscriber ID should be a warrant on probable grounds.
Things said in Spencer support this inference. It held the privacy interest in subscriber information is high, given that it links a person to search activity that can be highly revealing. Anything less than probable grounds would not strike the right balance between law enforcement interests and personal privacy. But at least one privacy scholar disagrees.
In the wake of Spencer, to obtain subscriber info, police have been using the new general production order power added in 2014, requiring probable grounds. Again, this isn’t a powered tailored specifically for obtaining subscriber ID, so it’s unclear whether anything less would suffice. Police and Crown hope so. Probable grounds is a relatively high standard; why not just a warrant on reasonable suspicion?
Privacy in a set of numbers alone?
And what about demanding an IP address? Sometimes police can’t get far without asking an ISP or an online platform like Instagram to reveal a user’s IP address. Did they need a warrant for this? Was an IP address on its own private?
In R v Bykovets, the Supreme Court of Canada held that an IP address is private because it readily links a person to their online activity. But the Court didn’t specify what kind of power would render a search (demand) for an IP address reasonable.
At para 85 of the decision, Karakatsanis J for the majority, points the production order power in section 487.015(1) of the Code (for transmission data) on reasonable suspicion as possible tool police might use here. This is obiter, since the Court is not being asked whether the use of this to demand an IP address would constitute a reasonable law. Yet we can assume that the judges in the majority think that a warrant on reasonable suspicion would suffice.
New production order in the Strong Borders Act
The new bill gives police and Crown what they want: a production order power tailored to making a demand for subscriber info by obtaining a warrant issued on reasonable suspicion that a federal offence has been or will be committed (a new 487.0181(2) of the Criminal Code).
Will this be constitutional? More specifically, a search conducted under this power will be authorized by law, but is this law reasonable?
There is no single test for when a law authorizing a search is reasonable under section 8 of the Charter. But the Supreme Court has generally considered four factors: whether the power relates to a criminal or regulatory offence; the state or law enforcement interest at issue; the impact on personal privacy; and the oversight and accountability safeguards.
Demanding subscriber info on reasonable suspicion is, I think, likely to be found unreasonable. In this case, the privacy interest is high (i.e., the online activity linked to a person’s name). Given things said about this in Spencer, this alone could favour a finding that nothing less than probable grounds is reasonable.
Further possible support may be found in R v Tse, which held that emergency wiretap provisions of the Code were unreasonable for failing to include a post facto notice requirement to persons affected. In this case, there’s no requirement to advise a person that they were subject to a production order, if charges do not follow. Not sure a court would view production order powers to be sufficiently analogous to wiretap provisions. But I flag it as a potential consideration.
The new “information demand” power
Bill C-2 also creates a new power on the part of police to demand information. In some cases, police may only ask if a service provider has info about something. In other cases, they can demand the info itself.
Under a new section 487.0121 in the Code, police can ask a service provider whether they have “provided services to any subscriber or client, or to any account or identifier.” If so, police can demand to be told where and when service was provided — along with info about any other providers who may have offered the person service.
They can do this on reasonable suspicion alone, without a warrant.
Police can thus ask Shaw or Gmail things like: does this user have an account with you? Do you have an IP address or phone number associated with their account? If so, tell us where and when you provided it.
Why do police need this power? Aren’t police free to ask questions as part of their investigation? Is there not a distinction between a person describing to police what they know or have observed and police demanding to see it themselves? Can’t we assume that police only carry out a search when they ask for and receive private data itself?
Recall that a search is anything done for an investigative purpose that interferes with a reasonable expectation of privacy. Police demanding private information in the hands of a third party can constitute a search. For example, police carried out a search in Spencer by asking Shaw: whose name is attached to this IP address?
What is contemplated here differs in some ways but is similar in others. Police might ask simply: do you have a name (or an account) attaching to this IP address? Did you lease this IP address to a person? Or they might ask: when and where did you provide use of this IP address?
In some cases, depending on the question and the limited info revealed by the answer, it may not amount to a search. But in some cases it can.
If police have a name, or an IP or email address and they ask a dating, gambling, or porn website whether they have a user account related to any of them, a “yes” in response could be quite revealing. If a service provider can link a person to a location, or more than one, in a window of time, this could also be invasive.
Should this too require a warrant? We’re in genuinely new terrain here.
The information demand power gives police authority to go poking around the edges of our digital lives — knocking on the doors of anywhere we’ve left a digital trace — to ask questions that could readily create a clear picture of who we are and where we’ve been. All on nothing more than reasonable suspicion.
I can see a challenge to this power leading to a deeply divided the Supreme Court decision similar to that in Bykovets, where half the Court says: reasonable suspicion is enough, and the other half says no, it should require a warrant.
I suspect it will come down to half the Court seeing this power as too preliminary to pose a real threat to privacy and police needing some leeway to act without undue hindrance, and half the Court seeing this as too close in nature to a means of circumventing the protections around subscriber ID and IP addresses. In some cases a positive answer to the question: “does this user have an account with you?” will be all the police need to know to link a person with an extensive amount of personal data.
If I were a betting man, which I’m not, I would bet that a majority of the Court will find this power reasonable. (But there will be a wonderful, eloquent dissent, probably by Karakatsanis J or Martin J or maybe both, on the importance of privacy and the need for a warrant.)
Briefly, Bill C-2 also extends to agents of the Canadian Security Intelligence Service the ability to make an information demand on no grounds at all. But they may not target a Canadian citizen or permanent resident. Given the high state interest in these cases and the limited privacy interest engaged, this power is likely to be found reasonable.
The lawful access provisions
Bill C-2 contains a whole new statute called the “Supporting Authorized Access to Information Act,” which brings about a “lawful access” regime for private data that police and Crown have long been seeking.
(See Professor Geist’s Globe article on the history of this.)
The Criminal Code has long had something called an assistance order, which compels third parties to assist police in executing a warrant. (Open that storage locker please.) The lawful access provisions do the same but on a larger scale.
They impose of obligations on “electronic service providers,” or anyone providing a digital service (storage, creation, or transmission of data) to people in Canada or if situated here, and more onerous obligations on a class called “core providers” who can be added to a schedule to the Act.
An ESP can be ordered to “provide all reasonable assistance, in any prescribed time and manner, to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information”.
But core providers will be subject to regulations that mandate the “installation… of any device, equipment or other thing that may enable an authorized person to access information”.
A core provider might be Google or Meta, Shaw or Telus. And the equipment at issue could enable direct access to accounts, stored files, data logs, and so on.
There are two important limits on this.
One is that police (or an authorized person, such as a CSIS agent) can only go ahead and access data or demand it if they have authority to do so under law — which may or may not involve a warrant, reasonable grounds, and so on.
The other limit applies to both ESPs and core providers: they do not have to follow an order “if compliance… would require the provider to introduce a systemic vulnerability in electronic protections related”. I take this to mean that they cannot be compelled to install a backdoor to encryption.
Are these powers immune to challenge under section 8 of the Charter?
They do not contemplate a search directly. But depending on how an assistance order is used, it could result in an unreasonable search.
For example, a while ago, there was a debate about whether using an assistance order to compel a person to provide police their password might amount to an unreasonable search.
The companies subject to a requirement under this new lawful access statute could challenge it in court — either in response to an order made to them specifically or under a regulation that applies to them as a core provider (on administrative law principles).
But it’s harder to imagine a case where police have conducted a search on lawful grounds, or with a valid warrant, which is found to be unreasonable under section 8 because police were able to gain access to private data more readily through technical means of access made possible under this new statute.
But I can envision two possible exceptions.
One is if the means of access mandated under the new Act amounts to an interception: realtime access to data that police use to obtain the data at issue. An accused person would need to show, however, that police came into possession of their private data in realtime and without a warrant under the wiretap (interception) provisions in Part VI of the Criminal Code. (See the Telus case for more on this distinction.)
Another exception is simply that police gained quick access technically, but without a lawful basis (a warrant, etc.).
But it isn’t inconceivable that the Supreme Court might eventually say that mandating certain measures, means, or forms of access amount to an unreasonable search even if used with lawful authority such as a warrant. These might include means that somehow give police with a warrant access to data being created now and in the future, in addition to data already created.
If you’re still with me, thanks for reading! I’ll continue to follow the bill as it makes its way through Parliament and try to post about it here.