Evidence of meeting #36 for Public Safety and National Security in the 45th Parliament, 1st session.

Before the committee

Mike McGuire  Director General, International and Border Policy, Department of Public Safety and Emergency Preparedness
Shannon Hiegel  Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness
Fenton Ho  Director, Intelligence Policy, Department of Public Safety and Emergency Preparedness
Ramzi Nashef  Director General, Canadian Security Intelligence Service
Richard Burchill  Director General, Technical Investigation Services, Royal Canadian Mounted Police
Anne-Marie LeBel  Counsel, Criminal Law Policy Section, Department of Justice
Kimberley Gibner  Deputy Assistant Deputy Minister, Policy Sector, Department of Justice
Gary Anandasangaree  Minister of Public Safety
Sean Fraser  Minister of Justice
Giles  Deputy Director, Canadian Security Intelligence Service

The Chair Liberal Jean-Yves Duclos

I call this meeting to order.

I want to thank everyone for joining us.

First of all, I apologize for all the emotions you may have gone through over the past few hours. I'm thinking in particular of the clerk. There were changes in schedules, votes, assigned seats, unassigned seats, reassigned seats and so on. I thank you all for your kindness and indulgence.

Welcome to meeting number 36 of the Standing Committee on Public Safety and National Security.

We're meeting today as part of our study on Bill C‑22, an act respecting lawful access.

First, I'd like to welcome the witnesses, who are all senior officials. The ministers will be joining us in about an hour.

We have with us, from the Canadian Security Intelligence Service, Ramzi Nashef, director general; from the Department of Justice, Kimberley Gibner, Normand Wong and Anne‑Marie LeBel; from the Department of Public Safety and Emergency Preparedness, Shannon Hiegel, Mike McGuire and Fenton Ho; and from the Royal Canadian Mounted Police, Richard Burchill.

Mr. McGuire, we'll start with you, please. You have the floor for five minutes.

Mike McGuire Director General, International and Border Policy, Department of Public Safety and Emergency Preparedness

Thank you, Mr. Chair and honourable members of the committee, for having us here today.

My name is Mike McGuire. I'm the director general of international and border policy at Public Safety Canada. I'm pleased to be here with colleagues, as was just mentioned, from the Department of Justice, the Department of Public Safety, the RCMP and CSIS to answer technical questions on Bill C-22, an act respecting lawful access.

Lawful access is a familiar issue that has been studied by Parliament in the past, most recently by the National Security and Intelligence Committee of Parliamentarians, which issued a special report last year calling for lawful access legislative reform.

Bill C‑22 seeks to address fundamental and well-documented gaps in Canada's lawful access framework. The online environment has facilitated, if not fostered, the communication, coordination and concealment of criminal activities and those of threat actors. The widespread use of mobile devices, Internet-based communications, messaging platforms and other emerging technologies has fundamentally transformed how crimes and threats to national security are planned, executed and investigated.

At the same time, Canadian police services and CSIS face increasing challenges in obtaining information critical to investigations in a timely manner. Bill C‑22 seeks to address these challenges while maintaining strong safeguards, including respect for the Canadian Charter of Rights and Freedoms and the protection of Canadians' privacy.

The provisions in Bill C-22 are grouped under two key themes. First, part 1 of the bill modernizes Canada's legal authorities to support police and CSIS in obtaining timely and lawful access to digital information needed for investigations, with each tool carefully designed to take into account the type of information that will be collected and the privacy interest it engages.

This includes the creation of a new confirmation of service demand, which would allow police to confirm whether a telecommunications service provider offers or has offered service in relation to a specific identifier, for example a specific telephone number or IP address. The scope of this tool has been deliberately limited to a yes-or-no confirmation, and it pertains only to telecommunications service providers.

Part 1 would also create a new production order for narrowly defined subscriber information, such as name, address and basic information about the services provided, and update existing search warrant powers to better reflect computer searches.

In addition, it would establish new authorities to facilitate lawful requests from Canadian law enforcement to foreign electronic service providers and enhance international co-operation in criminal matters involving electronic data.

These measures are intended to ensure that where lawfully authorized, investigators are able to act in a timely and effective manner, bearing in mind that delays can result in serious and ongoing harm to victims in particular cases and circumstances.

Part 2 of the bill establishes a clear and modern legislative framework to ensure electronic service providers have the technical capacity to effectively respond to lawful access requests, meaning access already approved under existing legislation, such as the Criminal Code or the Canadian Security Intelligence Service Act.

Canada is the only western democracy without a comprehensive legal framework requiring electronic service providers to develop and maintain such technical capabilities. With the exception of an antiquated licensing regime dating back to the 1990s, collaboration in this area remains largely voluntary and uneven.

Part 2 of Bill C‑22 sets for core providers minimum technical capability requirements aligned with international standards and provides the Minister of Public Safety with the authority to issue targeted and flexible ministerial orders when specific capabilities are required to meet operational needs.

Safeguards related to this new framework are embedded in the bill. For example, ministerial orders would be subject to approval by the intelligence commissioner and would be proactively reported to NSIRA. Privacy and cybersecurity considerations are explicitly included in the legislation. Data retention obligations are restricted, and public annual reporting is required.

This part does not create new powers for law enforcement or CSIS to intercept communications or obtain information, nor does it allow direct government access to electronic service providers' systems. It also explicitly prohibits the creation of systemic vulnerabilities, to ensure that a regulation or ministerial order does not weaken encryption or create back doors.

Finally, part 2 establishes tools to promote compliance, including inspections and administrative monetary penalties.

Together, these mechanisms aim to ensure Canadian law enforcement and intelligence agencies have the tools they need to do their important work while maintaining strong accountability and transparency.

Mr. Chair and members of the committee, my colleagues and I would be happy to answer your questions.

4 p.m.

The Chair Liberal Jean-Yves Duclos

Thank you, Mr. McGuire.

Mr. Caputo, you have the floor for six minutes.

4 p.m.

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Thank you very much, Chair.

Thank you to all of our witnesses. It's so great to have so many people here around the table for such a complex issue. We're going to get to know each other very well in the coming two parliamentary weeks.

I never know who to direct my questions to, because there is a lot of expertise here. Whoever is best to answer this, please let me know.

I've looked at the definitions. I've looked at the definitions of “systemic vulnerability”, at how it incorporates the definition of encrypted data to some degree, and at the provision, in part 2, that says a service provider does not have to do anything that would create a systemic vulnerability. I'm going to ask a very direct question. Will this bill cover encrypted data? Secondly, is it intended to be that way? I assume that would be yes. Will this bill cover encrypted data? Could somebody please help me with that?

Shannon Hiegel Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Thank you very much for the question. I'm Shannon Hiegel, director general of national security policy at Public Safety Canada.

The bill is in fact encryption-neutral. We want to make sure that, where encryption is used.... There are different ways encryption can be used and different ways in which companies employ it. Therefore, we don't want to leave out the possibility for those companies that may employ encryption where there are keys available and it can be decrypted in a simple fashion.

4 p.m.

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Okay, but with all due respect, Ms. Hiegel, you say “where keys are available”. This bill, as I read it, would require a key to be available, would it not?

4 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

Some companies already employ a type of encryption where they have the key. We're not asking for keys to be made if a company already has one.

4:05 p.m.

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Perhaps we're on different planes here, because my understanding of part 2, in reading it, particularly in proposed section 5, is that it talks about a base level that providers need to come up to. Am I making sense so far?

4:05 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

4:05 p.m.

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

If providers need to come up to that base level and they're not there yet, how do they not then have to create a key to come up to the base level that proposed section 5 says they have to come up to? Does that make sense?

4:05 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

Are you talking about somebody coming up to a level where they don't even have encryption? That's what I'm hearing you say.

4:05 p.m.

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

No, I meant where there is a service of encryption provided. My question was, will that provider of encryption...?

Company A provides an end-to-end encryption service in messages. Will this bill require company A to create some sort of mechanism by which that data can be intercepted and by which the government or the state—when I say “state”, I think you know what I mean, law enforcement—can access that encrypted data?

Is that clear?

4:05 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

Absolutely.

If a company has end-to-end encryption as part of its business service and its model, we are not forcing the company to decrypt that communication.

4:05 p.m.

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Okay. That's unclear at this point. When I read the bill, I thought, “Okay, that's it”, but we've also seen correspondence here. If the target of this bill is not encrypted data, my suggestion is that we say flat out, “For greater clarity, this part does not apply to encrypted data”, and then have a definition.

Does it make sense to do something like that?

4:05 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

I think we want to be a bit flexible when we talk about encryption. I apologize if the front part of my answer wasn't clear, but there are different types of encryption. If we talk about encryption without any qualifiers, that means that when companies do have keys and could decrypt for the purposes of an investigation where there's a warrant and a production order being provided, they could in fact still use those keys for that purpose.

4:05 p.m.

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

What I'm talking about is a company whose “secret sauce”, if you'll forgive my vernacular, is providing an encryption service. That is what it does. Company A provides a service that says terminal one to terminal two or contact one to contact two will be encrypted. That is its business model.

What I'm asking is this: Will Bill C-22 require it to be able to plug into that encryption and decrypt it for law enforcement?

4:05 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

No. If there are no keys and there's no way to decrypt it, and that's its business model, then the expectation is that this would be a systemic vulnerability for the entirety of its system, and there would have to be some discussion with government. The end of it is that we would not force it to put into its system a systemic vulnerability.

4:05 p.m.

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

That is exactly what I was looking for, but based on my reading of the bill, when I went through the one definition and then into systemic vulnerability, that wasn't clear to me. My exhortation is this: As officials, please turn your minds to this, because I think there should be, one, an encrypted data definition and, two, something that very clearly says what you just said—that a decryption of encrypted data is a systemic vulnerability—or put it right in the definition of systemic vulnerability.

I know this is technical. I hope I'm being clear here.

The Chair Liberal Jean-Yves Duclos

That may be very clear, but unfortunately we won't know what Ms. Hiegel thinks, because we need to turn to Madame Acan for six minutes, please.

Sima Acan Liberal Oakville West, ON

Thank you very much, Mr. Chair.

Mr. McGuire and Ms. Hiegel, my questions will be on the technical side, so I believe you will be answering.

As we examine the evolving landscape of public safety and national security, it's essential to clearly understand the role of metadata. Metadata is often described as data about data that does not capture the content of communications but rather provides contextual information such as time, location, duration, origin or destination of digital interactions.

While it differs from content data, metadata can, in specific circumstances, support analytical insights and help identify patterns that are relevant to operational needs. This makes metadata a valuable operational tool for law enforcement and intelligence agencies, and it plays a critical role in enabling threat detection, risk assessment and investigative efficiency, particularly in an era when digital activity is deeply embedded in our daily lives.

Please correct me if I was wrong about or missed anything regarding metadata, but given this context, could you please clarify the scope of the information that law enforcement would be authorized to access under the legislation, and specifically confirm how metadata is distinguished from the content of communications in practice?

4:10 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

I'll start off and, if you don't mind, I'll turn it over to my colleague, Fenton. Then, if you'll give me a few minutes, I'll turn to the RCMP and maybe CSIS to explain how important metadata can be in their operations.

As you can see within the bill as it currently stands, we have not given a lot of specificity to what elements of metadata we plan on regulating. That's because we need to take the time to assess that with our investigative bodies and speak with industry about the ability to retain various types and for how long. We certainly do not assume.... Where we note that it's up to a period of one year, the expectation is not that all metadata points will be kept for up to one year. That's why there's a time period.

We've looked at international comparisons on this front, and we've come in about the middle. Australia holds its metadata for two years, and the U.K. holds it for about a year. There's always a bit of small print there, but generally that's what it is.

Through that process, we expect to narrow down what very specific types of metadata are the most important for investigations and then apply a timeline to that within the regulatory process. We will do our charter challenge at that point.

Fenton, is there anything you might like to add?

Fenton Ho Director, Intelligence Policy, Department of Public Safety and Emergency Preparedness

Thank you.

I think the key idea here is that we're linking the metadata to capabilities that will support law enforcement. That's how we actually generate and derive what we need. The whole thing is that, as Shannon was saying, we'll be working very directly with law enforcement and with CSIS to determine what fields and how they support investigations, so that we can basically have a good, strong argument for why that is proportionate and why that's necessary to keep.

Ramzi Nashef Director General, Canadian Security Intelligence Service

I have one quick operational point.

What we're talking about here is a better understanding of the pattern of communications, essentially. Through regulations, we'll work through the specific details of the types of metadata we'd be capturing. Generally speaking, from our perspective, the reason we would be doing that is to establish patterns of communication, in a warranted way, to be a building block for an investigation. Obviously, there are many other elements, but that's the sort of pattern we'd be looking for on our side.

Sima Acan Liberal Oakville West, ON

The next question could probably be answered again by you or by CSIS.

Bill C-22 introduces a new confirmation of service demand authority. This amendment to the CSIS Act is intended to allow authorities to continue obtaining necessary information in support of complex and advanced investigations.

How does this yes-or-no confirmation of service process introduced in Bill C-22 balance privacy considerations with investigative requirements? In what way does limiting disclosure to the existence of a service, rather than to subscriber identity, affect the nature and scope of information available to law enforcement?

Richard Burchill Director General, Technical Investigation Services, Royal Canadian Mounted Police

The confirmation of service demand is very front-end, at the beginning of an investigation, to enable us to gather basic information to pursue an investigation. We have very little information—for instance, a phone number or an IP address. Just that yes-or-no confirmation from a telecommunications service provider gives us the ability to verify that this person is with this company. Then, we can start doing investigative work around that to get enough grounds to bring forward a production order to get subscriber information as a next step. We still have to build those investigative grounds in order to bring forward a production order to get subscriber information from a justice.

Although there are various ways that law enforcement and intelligence folks are able to get that information traditionally, that confirmation of service demand codifies that process and makes it disclosable. We have to document a confirmation of service demand. It goes on our file, is disclosed in court and can be questioned. We have reasonable grounds to suspect and to ask for the confirmation of service. Once it's obtained, then we still have to build investigative capacity around a production order to go to a justice or a judge.