The 90-day period in Bill C-59 applies to the specific situation of the collection of datasets by CSIS. In a model where it's conceivable that more information may be required at the front end, but an exercise is required to funnel this to less information at some point, it's important that this period of analysis not be too long so as to give time to security agencies to do the analysis they need to do.
Ninety days strikes me as a very reasonable period. Should it be 90 days throughout regardless of whether it's CSIS, CSC, or others? We would have to look at it, but 90 days is a good rule of thumb.