The government is playing down key concerns, but they haven’t gone away
On Tuesday, Bill C-22 came before the House of Commons’ Standing Committee on Public Safety and National Security. The Ministers of Justice and Public Safety were there to defend the bill in response to strong concerns raised about it by MPs who had clearly done their homework.
Ministers Fraser and Anandasangaree defended the bill largely in line with the government’s Charter Statement on C-22 tabled in the House on April 24th. This is a document intended to set out why the government thinks potentially contentious elements of the bill are Charter compliant.
The Ministers’ appearance before the Committee followed comments by officials from the Department of Justice and the RCMP that were also largely consistent with the framing of the bill in the Charter Statement.
Because the Statement sets out the playbook of the bill’s main advocates, this post looks briefly at what it gets right and what it gets wrong or leaves out.
The Charter Statement gets a few things right.
The reincarnation of the highly contentious ‘information demand’ as the more restricted ‘confirmation of service demand’ allows for what will likely be held to be a reasonable search under section 8 of the Charter. So too, I think, do the ‘request to a foreign entity’ provisions, along with those for the search of data in exigent circumstances, and tweaks to warrants for tracking devices and computer searches.
But the Charter Statement is misleading on a few points, or skirts important Charter dimensions of the bill altogether.
Misleading
The Statement defends the new production order for subscriber information on reasonable suspicion as reasonable under section 8 because: “the subscriber information sought does not by itself constitute particularly sensitive information, since it is limited to information that identifies clients and services, and does not include the contents of communications.” (This is in the proposed s. 487.0142 of the Criminal Code, along with the definition of ‘subscriber information’ to be added to s. 487.011.)
This is in fact a broad power that can reveal sensitive information. As noted in my earlier post , it permits police to obtain information about a range of digital services, including subscriptions, tiers, channels, and device IDs.
We’re also told the new subscriber information demand power is reasonable because: “[t]he judge would have discretion as to whether to issue an order, and if they choose to issue an order, the judge would have discretion as to what information is specified in it.”
True, a judge does have this discretion (the section contains the standard language: “a justice or judge may order…”). But in virtually all cases where there is a reasonable suspicion of an offence, judges will give police what they ask for, and under the provision, they can ask for a lot.
True but only in part
The Statement asserts: “[T]he bill would clarify, for greater certainty, that no production order, warrant, or confirmation of service demand is necessary for a police officer to receive or act on information if a person provides it voluntarily, or is required by law, including the law of a foreign state, to provide it.” (This is in the proposed s. 487.0195(3).)
And this is fine because the provision only clarifies that police do not need authority “to receive information that is voluntarily provided to them by people lawfully in possession of it — for example, victims or witnesses of crime.”
Yes, this is true, but only if what is volunteered is mere information, or more precisely, knowledge of it.
If a victim or witness of a crime volunteers evidence in the form of a document — the text of a chat, an email exchange, a series of private photos — and police receive and review it, that could constitute a search or seizure if the document is private. Police would then need authority, such as a production order or other warrant. This remains an unsettled question in the courts, but a live one.
(The distinction I’m drawing here between knowledge and evidence breaks down in the case of an employee at Shaw who contacts police to convey that someone with the following IP address is involved in suspicious activity. We know from Bykovets that an IP address is private. Do police, receiving this information — for example, by reading an email Shaw has sent to them disclosing the IP address — conduct a search or seizure of it? Arguably, yes they do the moment they decide to act on it. At that point, police are taking possession of private information for an investigative purpose. There is support for this reading in a number of Supreme Court cases including R v Cole .)
In short, police do not need authority in law to ask for or receive documents or information from third parties who volunteer it — except if either of those things is private and police are acting with an investigative intent. (For more on this, see pages 13 to 16 of my C-2 Backgrounder .)
Overlooking important Charter dimensions of the bill
The most contentious part of C-22 is the new statute in Part 2 of the bill, the Supporting Authorized Access to Information Act. This is the Act that compels ’electronic service providers’ to make modifications to their equipment to allow for more direct and immediate access by CSIS and law enforcement acting with lawful authority (such as a warrant).
The Statement claims that the SAAIA “would not grant any new authorities to lawfully access information and data or expand or derogate from any existing authorities for such access.”
As a result, the Charter Statement restricts its commentary to whether the confidentiality requirements in SAAIA violate freedom of expression; whether the inspection powers violate section 8; and whether penalty provisions violate fair trial rights. On all these points, the Statement makes a plausible case for Charter compliance — though it is silent on the Charter dimensions of how SAAIA might work with the CLOUD Act and Second Additional Protocol (as Michael Geist points out ).
However, the Statement’s assertion that the SAAIA “would not grant any new authorities to lawfully access information and data or expand or derogate from any existing authorities for such access” is not true with respect to one major new power in the Act.
This is the power to compel service providers to preserve metadata for up to a year (in s. 5(2)(d) of SAAIA). As I have outlined in an earlier post , this is a power that would affect almost all Canadians, amounting to a seizure of our data — including where and when we used our phones or other devices, and the coordinates of who we were in touch with at those times and places. And all of this without any individualized suspicion or authority.
The Charter Statement fails to address this at all. By excluding it, the Statement implies that if a service provider like Shaw or Telus were to preserve this data following a Ministerial order under SAAIA, this would not entail the provider acting as state agent or the preservation constituting a seizure — on the theory that it would not constitute an interference with our privacy.
For reasons I expand on in my earlier post about this, both propositions are false. Courts have consistently held that metadata is private. And the Criminal Code’s existing preservation demand and order powers assume that when a state agent directs a provider like Shaw or Telus to preserve data, for an investigative purpose, they carry out a seizure — otherwise, why would police need special powers in the Criminal Code to ask for it? And why would the Code make it an offence to hold on to the data beyond the short periods contemplated in those powers?
The Charter validity of the metadata preservation power is a significant oversight in the Statement, especially given that at least a few of us, including me, had flagged it back in March.