On June 18, the Canadian Civil Liberties Association joined 39 organizations and 122 experts including OpenMedia, the International Civil Liberties Monitoring Group, the BC Civil Liberties Association, and researchers from the Citizen Lab in calling on the federal government to withdraw Bill C-2, the Strong Borders Act, a sweeping omnibus bill that raises significant privacy concerns and undermines migrant rights. The letter is part of a broader initiative that brings together four major coalitions comprised of over 300 organizations in opposition to Bill C-2.
The Bill’s privacy eroding elements include a power to demand revealing information without independent authorization from any service provider, could pave the way to expanded international information-sharing agreements, and will empower the government to significantly expand the amount of data police and security agencies can access by compelling digital services to redesign their services.
Easy access to sensitive information
Under Bill C-2, public officials including police, CSIS agents and others, will be able to demand information from various companies without any judicial oversight and with less proof of suspicion. The government argues this information is innocuous and only includes general details about the nature of the services a company is providing. But in practice law enforcement officials will be able to extract highly revealing information about people with these demands, including whether they’ve purchased something at any company, interacted with any website, or stayed at any hotel. These demands will occur in secrecy, and organizations are given only 5 days to challenge overbroad demands in court.
Bill C-2 will also authorize wide-ranging sharing of sensitive information on migrants and asylum seekers. This includes limitless sharing of information within the Department of Citizenship and Immigration for any purposes relating to the department’s mandate. Removing privacy restrictions on intra-department information-sharing poses a significant risk that data will be centralized, mirroring similar efforts to eliminate “information silos” seen recently in the United States federal government. Bill C-2 will further authorize sharing of sensitive immigration data including the status and identity of asylum seekers with any Canadian agency or crown corporation if it would generally relate to their duties.
Siloing information—particularly sensitive information relating to immigration status—is a critical privacy safeguard for preventing security breaches and for ensuring that personal data is only accessed on a need-to-know basis. Under Bill C-2, recipient agencies and crown companies will remain bound by their own privacy restrictions, and will require written authorization to share personal data with foreign governments. However, it is not clear whether this written authorization will be provided on a case-by-case basis and Canada’s federal privacy laws and restrictions on facilitating mistreatment by foreign governments are severely outdated, resulting in a framework that puts migrants at risk.
Cross-border information-sharing agreements looming in the background
As pointed out by research from the Citizen Lab, Bill C-2 also paves the way for the potential adoption of problematic international information-sharing agreements, which could be critical to understanding Bill C-2’s potential impact and its justification.
The Second Additional Protocol to the Budapest Convention (referred to as the “2AP”) is a 2022 treaty that Canada has signed, but not yet fully adopted. The 2AP would require Canada to enforce foreign metadata and identification data orders. Under Bill C-2, any foreign identification or metadata order issued by a state with an applicable information-sharing agreement with Canada could become a binding order of a Canadian court. While Canadian courts must be satisfied that certain conditions are met before giving the foreign order force, the potential for abuse by foreign states remains high. The 2AP would require Canada to process metadata or digital identification orders from any other country that adopts the treaty—a list of 80+ eligible countries that includes states with a history of abusing policing mechanisms to repress diaspora communities abroad. Last year, for example, an RCMP officer was charged with providing records from a police database to Rwandan officials. Turkey is similarly notorious for its abuse of international police cooperation tools to oppress its critics abroad. Under the 2AP, suspending personal information-sharing with abusive states can only occur under limited circumstances.
Since 2022, Canda has also been negotiating an agreement under the auspices of a U.S. law called the Clarifying Lawful Overseas Uses of Data Act (“CLOUD Act”). The agreement represents a problematic attempt to expand bilateral information-sharing at a time of heightened tensions between Canada and the U.S. Under U.S. law, the constitution offers no protection to the privacy rights of non-U.S. persons, and past CLOUD Act agreements between the United Kingdom and Australia have done nothing to remedy this lack of effective redress. The U.S. also lacks a federal data protection law, meaning that few limitations will be placed on any personal information that ends up in the hands of private U.S. companies after it is shared with the U.S. government. Expanded information-sharing with the U.S. government poses a heightened threat to peaceful protesters, political dissidents and those that exercise their reproductive rights in Canada, among others.
As Citizen Lab reports, government officials have indicated in a briefing that Bill C-2 is intended to facilitate Canada’s ratification of the 2AP. While Canada has not publicly indicated it will complete a CLOUD Agreement, many of the new powers in Bill C-2 represent a concerning attempt to align Canadian law with U.S. surveillance practices and Canadian public officials have acknowledged that elements of Bill C-2 are responsive to U.S. political pressure for enhanced law enforcement cooperation using the “same kind of toolkit”. With these data-sharing agreements looming in the background, Bill C-2’s information-sharing proposals present a particularly dire threat to privacy rights in Canada, particularly in light of the outdated nature of our framework for safeguarding people in Canada against foreign assistance requests.
Expanded Surveillance Capabilities Undermine Cybersecurity & Privacy
Yet another part of Bill C-2 would empower the government to issue surveillance capability orders, potentially requiring email providers, Virtual Private Networks, social media companies, laptops and mobile phones, and other digital services to reengineer their platforms in order to facilitate access to information by CSIS and police agencies. While law enforcement agencies would still need independent authority to access information, the government could force services to be redesigned in ways that significantly expand what data is accessible and the ability to access it without scrutiny.
Redesign obligations are open-ended and broad, but could compel the integration of surveillance equipment, the creation of any “technical capabilities” to extract an organize information, or the need to provide law enforcement agencies with the ability to directly access information from their services. A “technical capability” could even, in theory, include an obligation to record information that a service provider only transmits onwards, dramatically expanding the accumulation of personal data by private companies.
The proposed regime threatens digital security. It explicitly permits the government to put in place regulatory conditions that undermine cybersecurity safeguards as long as no “systemic vulnerability” is created or maintained in a limited class of technical safeguards. Bill C-2’s attempt to reduce “systemic vulnerabilities” is equally flawed—the term is not defined in the statute and governments around the world have advanced problematic visions of what constitutes a systemic vulnerability, often presenting mass surveillance capabilities as only impacting the people they are used against despite their significant collateral harm.
No element of the regulatory framework requires the government to specifically determine that the impact of its orders on privacy and cybersecurity are strictly minimized, or to ensure that orders are only issued when strictly necessary to achieve specific law enforcement objectives.
If the government chooses to issue its orders in secret (and only in those instances), it must also consider whether the benefit of the order to the administration of justice can justify the potential impact on a targeted service provider’s user base. But if the recipient of a secret order doesn’t choose to challenge it, the order may receive no meaningful independent scrutiny at all and service providers are prohibited from even disclosing that an order exists.
These types of technical surveillance capability systems, and the vulnerabilities they create, are regularly, successfully and secretly targeted and compromised by foreign spy agencies and criminals alike. On at least two occasions, including last year, the U.S. technical surveillance capabilities system was compromised by groups linked to the Chinese government, who monitored US surveillance targets in an apparent effort to shield U.S.-based foreign spies should they become suspects. Similar surveillance capability requirements have also allowed the U.S. National Security Agency and Drug Enforcement Administration to compromise the Bahamas’ entire cellular network and record every single mobile phone call in the country while similar surveillance capability systems in Vodafone’s network were exploited by still unknown perpetrators to spy on several high level Greek government officials including the Greek Prime Minister, Minister of National Defence and others.
The government has indicated that Bill C-2 is a priority, presenting it as a response to demands from the United States as part of ongoing trade and security negotiations. Parliament is anticipated to resume its consideration in late September.
Read the letter here. Read statements from other coalitions opposing Bill C-2 here. Sign OpenMedia’s petition against Bill C-2 here.
English (Canada) 
Français du Canada