(Un)forced Errors: Analysis of Proposed Surveillance Law Expansion under Bill C-22, An Act respecting lawful access - The Citizen Lab
Contents
SAAIA Creates an Untenable Risk to Privacy & Cybersecurity
Provisions on publicly available information & voluntary disclosure are inconsistent with Canadian Charter jurisprudence
Bill C-22’s connection to international data-sharing agreements must be disclosed
Conclusion
Executive Summary
Bill C-22, the Lawful Access Act, proposes a range of new surveillance authorizations to be made available to Canadian law enforcement agencies and the Canadian Security Intelligence Service (“CSIS”), and enacts a broad-ranging regime for imposing surveillance obligations onto electronic service providers, including building technical capabilities they may not already have. The bill effectively reintroduces what were formerly Parts 14 and 15 of Bill C-2, the Strong Borders Act, with modifications. While the government made efforts to address some of the problematic elements of Bill C-2, several deeply concerning issues remain, and other concerns have been exacerbated by the broadening of certain elements of the earlier proposed legislation. More than one aspect of the bill is almost certainly constitutionally fatal.
In this submission, we provide targeted analysis and recommendations focused on aspects of Bill C-22 with pressing and far-reaching implications.1 Due to the stringent timeline imposed on the House of Commons Standing Committee on Public Safety and National Security’s (“SECU”) legislative study of the bill, the analysis provided in this submission is far from exhaustive. Indeed, there are highly problematic elements of this legislative proposal that are not addressed in this analysis at all, in light of the time constraints.
In fact, the extreme fast-tracking of this bill by the government is itself cause for concern and reason to question whether the committee process is capable of remedying the legislative proposal’s many flaws. By comparison, the less complex Bill C-8, the Critical Cyber Systems Protection Act, has been granted far more time in committee for due scrutiny and broad expert input, while the Australian equivalent of the technical surveillance capability regime proposed in Part 2 of this bill was subject to no fewer than 173 amendments before being passed.2 Yet the government has allotted barely three weeks to the committee’s study of this bill. The government’s failure to confirm in advance the interaction between Bill C-22 and pending international information-sharing agreements, as it is required to do, is a further procedural flaw that has severely impeded the effective legislative study of this proposal.
While the submission provides amendments that might mitigate some of the destructive consequences of Bill C-22, our core recommendation is that the offending elements of the Bill be withdrawn. The government must also comply with its own treaty-implementation transparency policy prior to any of the bill’s provisions related to a foreign data-sharing agreement moving forward.
SAAIA Creates an Untenable Risk to Privacy & Cybersecurity
In Part A of our submission, we address how Bill C-22 would enact the Supporting Authorized Access to Information Act (“SAAIA”) under Part 2 of the bill. The proposed SAAIA would create a surveillance capability regime by which the government can impose any obligation onto any electronic service provider (“ESP”) for the purpose of facilitating lawful use of surveillance authorizations. These obligations could include requiring ESPs to change how they operate or to embed surveillance tools in their services. In addition to this surveillance capability regime, SAAIA also includes a mandatory metadata retention regime that the government could potentially use to require any ESP to access, record, and keep sensitive metadata within their reach on every person in Canada or abroad for up to one year.
The ability to impose an open-ended set of obligations on a broad range of ESPs creates direct challenges for any attempt to meaningfully constrain SAAIA, leaving little to no way to ensure that it will be applied in a manner that is consistent with privacy and other human rights while respecting cybersecurity integrity. This will be even more so the case as surveillance technologies continue to evolve. With a growing arsenal of “AI”-based3 surveillance techniques on the horizon, SAAIA’s potential for intrusiveness will grow apace.
SAAIA’s data retention mechanism is almost certainly unconstitutional. It lets the government obligate any ESP to keep...