Make It Make Sense: My Appearance Before the Standing Committee on Public Safety and National Security on Bill C-22’s Lawful Access Plan
Technologies change, the governments may change, but the challenge with striking the balance with lawful access between privacy and security has always been the same.
Fresh off appearing before a Senate committee on AI on Wednesday, yesterday I provided expert testimony to the Standing Committee on Public Safety and National Security as part of its study on Bill C-22, the government’s latest lawful access plan. Appearing alongside David Fraser and Robert Diab (the same trio that discussed the bill on my Law Bytes podcast), I opened my remarks by noting that technologies change, the governments may change, but the challenge with lawful access has always been the same: to give law enforcement and security agencies the tools they need to address serious crime while respecting Canadians’ privacy rights and the constitutional framework the Supreme Court has built around privacy in decisions such as Spencer and Bykovets. I focused on three major concerns with the bill, including mandatory metadata retention, the inadequacy of the systemic vulnerability safeguards, and the lowering of the production order threshold for subscriber information. My full opening statement is embedded below.
Two other brief exchanges from the appearance stand out. First, I tried to convey the risk that may arise from outlier rules that could force companies to remove privacy protections from the Canadian market or to exit the market altogether.
Second, I pointed to the inconsistency of prioritizing cybersecurity when discussing AI policy one day, only to debate legislation that would arguably weaken cybersecurity the next. As I noted in closing, make it make sense.
Appearance before the House of Commons Standing Committee on Public Safety and National Security, May 7, 2026
Good afternoon and thank you for the invitation. My name is Michael Geist. I’m a law professor at the University of Ottawa where I hold the Canada Research Chair in Internet and E-commerce Law. I appear in a personal capacity representing only my own views.
In preparation for today’s hearing, I looked back at the history of my engagement with lawful access policy. I found that I wrote my first op-ed on the issue more than 20 years ago and first began appearing before committees on various bills a few years after that. As I’m sure you know, lawful access has been the subject of legislative debate in Canada for decades, under both Liberal and Conservative governments. The technologies change, the governments may change, but the challenge has always been the same: to give law enforcement and security agencies the tools they need to address serious crime while respecting Canadians’ privacy rights and the constitutional framework the Supreme Court has built around privacy in decisions such as Spencer and Bykovets.
Bill C-2 is what happens when the balance is not well struck, as its warrantless information demand power envisioned compelling disclosure of subscriber information from any provider of a service in Canada without court oversight. The decision to drop that power was the right one and replacing it with a confirmation of service demand is a meaningful change.
Bill C-22 nevertheless contains some serious problems. I’ll focus on three in my remarks.
The first is the mandatory metadata retention regime, which would require providers to retain metadata for up to a year, on every subscriber, regardless of suspicion. On a mobile network, that data includes the cell towers each phone connects to and when. Retained at scale, the aggregate amounts to a comprehensive surveillance map of virtually every Canadian: where and when they go and who they interact with.
This is the kind of bulk data retention regime that the European Union Court of Justice struck down in the Digital Rights Ireland case and, in the Tele2 Sverige case, extended to mandated private-sector retention of traffic and location data. Germany’s Federal Constitutional Court has reached similar conclusions. Yet the Charter Statement on Bill C-22 remarkably fails to address the regime, despite the obvious Charter implications. The committee is being asked to entrench a surveillance architecture and accept the security risks that come with it. The obvious approach is to remove this entirely, as it is disproportionate and likely to be struck down by the Supreme Court. Alternatively, a 30-day cap on metadata retention would surely be sufficient to meet immediate investigative needs while allowing for a court order if a longer period is required.
The second concern is the systemic vulnerability safeguard in the technical capability provisions. Sections 5(5) and 7(5) of SAAIA say providers are not required to comply with an order if doing so would create a systemic vulnerability. But sections 12 and 13 make compliance unconditional and provide that orders prevail over inconsistent regulations. That leaves a safeguard that exists in name only, that is cloaked in secrecy, with the burden of invoking it falling on the provider.
The consequence is a back-door capability mandate that could weaken encryption, place user data at risk, and lead companies to remove privacy-enhancing services from Canada. This needs a fix that should include amending Section 12 to make compliance subject to the provisions of Sections 5 and 7. Further, the definition of “systemic vulnerability” should be expanded in the statute by clarifying that there will be no requirement that would weaken or break encryption or introduce any security weakness.
The third concern is the production order threshold for subscriber information. Bill C-22 sets the standard at reasonable grounds to suspect, rather than the current reasonable grounds to believe. The Spencer and Bykovets decisions establish a high informational privacy interest in subscriber data. Yet, the Charter Statement nevertheless asserts that the subscriber information sought does not, by itself, constitute particularly sensitive information. That sentence is difficult to reconcile with both Supreme Court jurisprudence and the technical reality of what subscriber information may reveal. Setting the bar lower invites further Charter litigation, placing the provision on shaky legal ground.
None of these changes would be incompatible with effective law enforcement. Rather, they are about ensuring that the framework can withstand Charter scrutiny, respect Canadians’ privacy rights, avoid creating a surveillance infrastructure, and sustain public trust and confidence. I look forward to your questions.
Post originally appeared at https://www.michaelgeist.ca/2026/05/make-it-make-sense-my-appearance-before-the-standing-committee-on-public-safety-and-national-security-on-bill-c-22s-lawful-access-plan/
Find me on: