Buried in a Border Bill, Canada Creates Major New Search Powers Over Private Data

In early June, Canada’s new Liberal government under Prime Minister Mark Carney tabled its first bill, the Strong Borders Act, responding to pressure from the Trump administration and its ungrounded claims about the flow of fentanyl to the south. Tucked in the middle of Bill C-2’s various new measures on customs and immigration are a raft of new search powers completely unrelated to the border.

They do more to expand the state’s power to access private data in Canada than any law in the past decade.

The measures revive long-standing efforts to pass a “lawful access” regime that would make it easier for police to obtain subscriber information attached to an account with an internet service provider (ISP) or a user’s internet protocol (IP) or device IP address. The bill also allows third parties such as ISPs or platforms like iCloud, Gmail, or Instagram to be compelled to install equipment to provide “authorized persons” direct access to stored data and communication.

Privacy experts foresee challenges to the new provisions under Canada’s Charter of Rights and Freedoms. Section 8 of the Charter, Canada’s equivalent to the Fourth Amendment, guarantees “everyone the right to be secure against unreasonable search or seizure.” Police carry out a search under Section 8 where they interfere with a reasonable expectation of privacy. The question is then whether a search is authorized by law, and if so, whether the law itself is reasonable.

The concern is that the new powers in the bill allow police to conduct potentially invasive searches without probable cause and in some cases without a warrant, thereby failing to strike a reasonable balance between state interests and personal privacy.

Why the government wants these powers — and why now — has to do with key decisions in recent years by Canada’s Supreme Court that differ in important ways from US court holdings on similar issues, creating important safeguards for Canadians regarding online privacy.

Where the courts may land in likely challenges to these new government powers in C-2 will turn in part on these earlier decisions by the Canadian courts. But it will also depend on the merits of controversial new approaches in the bill to address older problems. Lawmakers around the world are likely watching this experiment with interest.

The earlier context in brief

In the first decade or so after the birth of the web in the mid-1990s, democratic states passed laws to provide for production orders or warrants to obtain data in the hands of third-party providers, such as ISPs or digital platforms. This could include metadata or the content of communication, such as email, texts, or stored files. In US law, the third-party doctrine has circumvented the need for a warrant (for data aside from content itself) in many cases, holding that information entrusted to a commercial third party does not attract a reasonable expectation of privacy. Police in the US can obtain subscriber information, along with an IP address, by a subpoena rather than a warrant.

The third-party doctrine does not apply in Canada, with its Supreme Court having rejected it soon after the Charter was adopted. Canada’s original production order could be obtained on reasonable suspicion that an offense had or will occur. Courts were divided on whether this was too low a standard. (Presumptively, a reasonable search in Canada, in the criminal law context, requires probable grounds.)

In 2014, two relevant events unfolded. Canada’s Parliament revised the production order regime, with a new general order (for the content of communication, among other things) on probable grounds, and more specific orders for things like tracking or transmission data based on reasonable suspicion.

That same year, the Supreme Court of Canada held that the subscriber information associated with an IP address or ISP account carries a reasonable expectation of privacy. It does so because the name attached to an account ties a person to a highly private search history. The Charter protects not only an interest in privacy online, the Court held, but also a user’s anonymity. A police demand for subscriber ID amounts to a search, requiring authorization under the law. The Court, however, left unclear what kind of law would be reasonable here: a warrant on probable grounds or reasonable suspicion?

In 2024, Canada’s highest court took a further step and held that even an IP address alone raises a reasonable privacy interest for much the same reasons. It can link a person to an extensive search history. As a result, a police demand for this requires legal authority. In a passing comment, the majority pointed to the availability of a production order for transmission data on reasonable suspicion, signaling this was a reasonable search power for the purpose. But could it be even lower?

Controversial new powers

The new bill proposes a power for police to make an “information demand” on the basis of reasonable suspicion, without a warrant. Police can ask a service provider or a platform whether they have “provided services” to a certain user, phone number, or other identifier, and if so, where and when. They can also ask a provider for information about other parties from which the user may have received service.

Although the information that the police can demand here is limited — neither subscriber information nor an IP address itself — answers given can readily tie a person to a platform, a website, or service in a specific place and time. This may not amount to location tracking, since it doesn’t track physical movements closely enough. But even a link to a gambling or porn site, or phone activity within a certain window, can be invasive. Access without a warrant would seem likely to be held unreasonable. But not necessarily. The Supreme Court might view these demands as too preliminary, too many steps away from revealing a person’s identity.

The bill also allows for production orders for subscriber information on reasonable suspicion. This seems likely to be held unconstitutional given the Supreme Court’s holding on the high privacy interest in online activity, which subscriber information unlocks. A further new power allows police to ask a judge to grant permission to make a “request” of a foreign entity, such as Apple or Google at headquarters in California, to provide user information voluntarily — a half-way measure meant to clarify that Canadian police can act beyond the border without Parliament infringing on the sovereignty of other nations.

Lawful access provisions

What may be the most concerning provisions for privacy advocates are found in a whole new statute contained in the bill, the “Supporting Authorized Access to Information Act.” This would add to Canadian law a rough equivalent to Australia’s lawful access bill passed in 2018. That law gives Australia’s Director-General of Security the power to make a “technical assistance request” for help accessing user data or issue a more onerous “technical capability notice” compelling technical modifications to enable access. This goes further than power in the United States under the Communications Assistance for Law Enforcement Act, which established requirements for how ISPs and other providers must design systems to ensure that law enforcement can access data where authorized.

Canada’s new lawful access regime would apply broadly and grant extensive powers. The Minister of Public Safety can impose obligations on “electronic service providers,” or anyone offering a digital service (storage, creation, or transmission of data) to persons in Canada, and more onerous obligations on a class of “core providers” the Minister may designate. While all providers must “permit the assessment or testing of any device” for access, core providers can be compelled to “install[]… any device, equipment or other thing that may enable an authorized person to access information.” Core providers will likely include ISPs, but might also include Apple, Meta, or Microsoft.

The new act does contain some important limits. Similar to the Australian legislation, and contrary to the law in the UK, Canada appears to draw a clear line against building backdoors to encryption. No provider needs to follow an order “if compliance… would require the provider to introduce a systemic vulnerability in electronic protections related.”

Even if equipment is installed to make access easier, law enforcement will still need to be authorized by law to act, typically with a warrant. What remains to be seen is whether certain measures will be challenged for amounting to an interception or wiretap by enabling access to data in real-time, thus requiring a more onerous wiretap warrant.

If passed in their present form, all the new search powers in the bill will likely be challenged under the Charter. On second reading in Parliament, they should be discussed and debated at length, but may well be eclipsed by more politically salient provisions in the bill on immigration and border enforcement, and pass into law quietly.

If Canada’s election of the Prime Minister Carney was meant to be a rejection of authoritarian trends down south, things are not off to a good start.