It’s hard to see how it is
One of the main concerns with the lawful access bill re-tabled in recent weeks (C-22) involves a new power to order our cellphone companies to preserve the metadata attaching to all of our calls, emails, and texts for up to a year.
Metadata as defined in the bill captures precisely where and when we used our phones, and the coordinates of who we were in touch with at those times and places — though not the content of our communications.
Even though police would still need a warrant or other authority, such as exigent circumstances, to access this data from Shaw or Telus, the power to order its preservation has raised concerns. Our government is saying here: we’re now going to keep a record of every time you use your phone and where you used it — just in case. But don’t worry. You’re not being watched.
I’ve already had two journalists ask me if this is constitutional. David Fraser has flagged it in his excellent overview of C-22. And Professor Michael Geist has written a very informative and insightful post about this, noting that efforts to pass similar law in Europe have been struck down by the Court of Justice of the EU and by various constitutional courts.
The point of this short post is to explain, in plain terms, how and why this new power might be held to violate our right to privacy under Canada’s Charter of Rights and Freedoms. (The power appears in section 5(2)(d) of the proposed Supporting Authorized Access to Information Act, found in Part 2 of the bill here.)
A skeptic might ask: if police have to get a warrant or need other authority to obtain this data, why would ordering Shaw to preserve it violate my privacy?
The answer, in short, is that an order to retain this information itself involves state interference with our privacy, and the interference is not justified.
We have a reasonable expectation that our movements in time and space, and the coordinates of who we speak with and when, are private. And that includes an expectation that this information will not be preserved at the government’s behest and stored for lengthy periods of time.
It doesn’t matter that police can’t access it without authority. What matters is that companies are being told to preserve it for the state and for investigative purposes. It treats all of us with suspicion. It puts everyone on notice that you’ll be left alone so long as you don’t break the law — but, just to be sure, we’re keeping watch. We’re keeping records on what everyone is up to for the past year. We just won’t look at them unless we need to.
The Charter challenge in brief
Our right to privacy is protected in section 8 of the Charter. That right is breached if a state agent interferes with our privacy without being authorized by the law to do so. The right is also breached if the law authorizing the interference is unreasonable. A law will be unreasonable here if it fails to strike a proper balance between the state’s interests (in public safety or national security) and personal privacy.
In this case, how do we know the law itself, the power to compel Shaw or Telus to preserve our metadata, involves state interference with our privacy?
The government will likely argue that there’s no interference with privacy unless police or CSIS actually access the data preserved under this power. Merely asking Telus to preserve it is not itself an interference.
The problem with this argument is that, 12 years ago, Parliament took the opposite view. It assumed that the power to ask Shaw or Telus to preserve any “computer data” for up to three weeks would require an officer to have reasonable suspicion of an offence, and it created the preservation demand in the Criminal Code for this purpose. A request to preserve the data for up to 3 months requires a warrant, a preservation order.
Parliament also assumed that once police obtain the data a company had been ordered to preserve, the company must destroy it — and the Code makes it a crime not to do so.
In other words, the Criminal Code scheme for making preservation demands and orders assumes that asking a company to preserve our metadata involves an interference with our privacy — and keeping it for longer than 90 days without lawful authority was a serious enough infringement of privacy to be a criminal offence.
Why else would Parliament have seen the need for special powers set out in law for police to make these demands — if it did not assume that preserving data amounted to an interference with privacy?
Could it be that those earlier powers — preservation demands and orders — pertain to a much wider class of data, i.e., to any “computer data,” which would include things that are obviously private, like emails and texts, whereas metadata is not private?
No, that can’t be the answer. We have ample authority from courts that metadata, including transmission data, is private. Even an IP address is private.
No getting around it
An order to preserve personal data amounts to an interference with our privacy.
And imposing a blanket obligation on a whole class of service providers to preserve everyone’s metadata for law enforcement purposes would amount to a significant interference with the privacy interests of millions of Canadians.
That Bill C-22 would allow for the preservation of everyone’s metadata without individualized suspicion, or any other basis, is likely to be held to be unreasonable under section 8. We should not impair everyone’s privacy on an ongoing basis in order to increase safety in hypothetical cases that are likely to be rare, if they do occur at all.
If the power to compel service providers to retain metadata does become law, and police make use of that data, persons accused of a crime will challenge the law. And when they do, it should be struck down.
Or the government can avoid this by reconsidering the wisdom of mandatory metadata collection.