Backgrounder – Securing Access to Information (Bill C-22 – Part 2)

Backgrounder

Rapid technological growth has created a complex digital ecosystem with far more data, devices, and ways to interact than ever before. The use of smartphones and instant messaging applications, for example, makes communication with others easier and instant. Threat actors exploit this digital environment for criminal activities like online sexual abuse, online fraud and radicalization, or the planning, coordination, financing or perpetration of transnational and domestic threats to public safety, such as terrorism, organized crime, and foreign interference.

These technologies generate unique data about a person, which, in specific circumstances, can help law enforcement agencies and CSIS gather the information needed to effectively investigate crimes and threats to the security of Canada. Law enforcement agencies and CSIS have worked for decades with outdated laws that have not kept pace with our new technological and digital reality. As a result, investigations are missing critical information needed to generate leads or help identify and prosecute individuals or groups involved in serious criminal activities or national security threats. In some cases, investigations are abandoned due to these challenges.

This is why the Government of Canada introduced an act to keep Canadians safe (Bill C-22). The Bill would keep Canadians safe by providing a modernized legal framework that helps ensure that CSIS can investigate threats to the security of Canada and law enforcement agencies can effectively detect, deter and respond to crime.

The Act Proposal

Part 2 of Bill C-22 does not create new authorities for law enforcement agencies and CSIS to intercept communications or obtain information. It focuses solely on ensuring that electronic service providers (ESPs) are able to comply with existing legal orders, which are found in the Criminal Code and the Canadian Security Intelligence Service Act.

Current framework

Currently, Canada relies on a 1995 condition of license that only covers voice telephony despite vast technological changes, including the internet, satellite and messaging platforms. Law enforcement agencies and CSIS can obtain authorization, through a warrant or production order, to intercept communications or obtain information; however, there is no corresponding requirement for an ESP to actually establish and maintain a system capable of providing the communication/information in question. Furthermore, outside of voice telephony services, the support of ESPs to fulfill lawful access requests is entirely voluntary.

Bill proposes to

SAAIA would require select ESPs to develop and maintain the capabilities necessary to enable law enforcement and CSIS to effectively obtain communications and information they are legally authorized to have for their criminal and intelligence investigations, while respecting rights and freedoms.

Instead of requiring whole sectors, including small enterprises, to have the same capabilities in place, the proposed framework adopts a more targeted approach for technical capability development. Under the proposed Bill, there are two ways by which an ESP could be mandated to develop and maintain lawful access capabilities: designation as a ‘core provider’ and Ministerial Orders.

Core Providers

The class of ESPs designated as core providers will be defined in regulations and will likely include traditional telecommunications companies, satellite providers and others. Each class of designated ESPs would have to abide by specific requirements laid out in regulations, tailored to that particular class.

  • Classes of ESPs: the different classes would be based on criteria such as the type of company, number of subscribers, technology and service.
  • Regulations: in making them, the Governor in Council must consider:
    • Benefits to the administration of justice: in particular to investigations under the Criminal Code, and to the performance of duties and functions under the CSIS Act;
    • Feasibility: whether complying with the order would be technically feasible for the ESP;
    • Cost: The cost to be incurred by the ESP to ensure compliance with the order;
    • Impact: The potential impact on privacy and cyber security;
    • Risk assessment: potential impact on persons to whom the ESP provides services; and
    • Any other factor that the Governor in Council considers relevant.
  • Forbearance: ESPs subject to requirements will be able to request more time to implement capabilities. ESPs must provide information including a detailed rationale with a plan and timeline for implementing requirements for approval by the Minister of Public Safety.

Ministerial Orders

The Minister of Public Safety could issue a Ministerial Order (MO), subject to approval by the Intelligence Commissioner, to electronic service providers (ESPs) compelling the development of specific capabilities. MOs would be based on operational needs, as threats evolve and new technologies develop, and could be issued to both core and non-core providers. In deciding whether to issue an MO, the Minister must consider the same factors as the Governor in Council when making regulations for core providers. MOs would be reviewable by the courts.

Why is this needed?

Currently, law enforcement and CSIS may have the legal authority to obtain information from ESPs but there are no laws that require ESPs to maintain a system that can effectively respond to requests. This means that despite having the requested communications and information in their systems, an ESP may be unable to provide it. This lack of technical capability has caused investigations to stall or not begin at all. The issue can be as simple as an ESP not having the secure infrastructure to transfer information to these agencies in a useable format. In other cases, they may not be able to retrieve the information within a certain timeline, or to ensure its accuracy.

Offences, Administration and Enforcement

Current framework

Compliance enforcement under the current framework is extremely limited.

Bill proposes to

To promote compliance, SAAIA would create monetary penalties for contravening obligations under the Act. SAAIA sets out parameters for the issuance of administrative penalties, including in what amount and how an ESP can request a review from the Minister.

In addition to administrative monetary penalties, SAAIA also contains offences for contravening provisions.  

Why is this needed?

Penalties are required to make sure that a regulatory regime can be properly enforced.

What’s changed from the previous SAAIA proposals under Bill C-2

Additional oversight and transparency 

Previous proposal (Bill C-2)

Ministerial orders were approved by the Minister of Public Safety after consultation with the Minister of Industry. 

Bill C-22 proposes to

  • Require Ministerial Orders (MOs) to be approved by the Intelligence Commissioner (IC) before issuance. The consultation role for the Minister of Industry would be removed.
  • Require that a mandatory annual report be prepared by the Minister of Public Safety and that a public version be made available within 60 days.
  • Require a Parliamentary review of the Act three years after coming into force. 

Why is this needed?

MOs are a powerful tool that allows the Minister of Public Safety to request a broad range of technical capabilities in a confidential way to avoid tipping off threat actors. The Intelligence Commissioner’s role in MO approvals strengthens the framework by providing an external oversight mechanism. The addition of an annual report and parliamentary review, three years after the Act comes into force, further increases transparency.

Inspection powers, obligation to assist, privacy and cybersecurity

Previous proposal

Industry identified several places where provisional language could benefit from greater detail and/or clarity, which could correct potential misinterpretation.

Bill C-22 proposes to

  • Clarify that the obligation to assist is for assessing and testing devices.
  • Specify that internal audit reports and any information obtained during an inspection are confidential and cannot be released without authorization.
  • Clarify that regulation making must take into account the same factors considered during the issuance of Ministerial Orders. 

Why is this needed?

It is important to clarify the intention of provisions that could be misinterpreted by industry.

Data retention

Previous proposal

The implementation of certain capabilities implicitly requires the retention of data. 

Bill C-22 proposes to

Explicitly allow regulations to be made regarding the retention of prescribed metadata for a reasonable period of no longer than one year, but not for content, web-browsing history or social media activity.

Why is this needed?

To make sure requirements around data retention are clear and transparent. 

Page details

2026-03-12