Evidence of meeting #36 for Public Safety and National Security in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was metadata.

A video is available from Parliament.

On the agenda

Members speaking

Before the committee

McGuire  Director General, International and Border Policy, Department of Public Safety and Emergency Preparedness
Hiegel  Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness
Ho  Director, Intelligence Policy, Department of Public Safety and Emergency Preparedness
Nashef  Director General, Canadian Security Intelligence Service
Burchill  Director General, Technical Investigation Services, Royal Canadian Mounted Police
LeBel  Counsel, Criminal Law Policy Section, Department of Justice
Gibner  Deputy Assistant Deputy Minister, Policy Sector, Department of Justice
Gary Anandasangaree  Minister of Public Safety
Sean Fraser  Minister of Justice
Giles  Deputy Director, Canadian Security Intelligence Service

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

[Inaudible—Editor] your assessment. How much do you think they'll be solicited with the adoption of Bill C‑22? As you know, they tabled their annual report, which contains a record 14 decisions. Now, I wonder if there will be a lot of decisions. Did you assess the number of decisions the commissioner might have to issue?

4:30 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

His role is specific to the ministerial order approval process. He will be reviewing all of the information that was given to the minister when the minister made his or her decision on a ministerial order, which is a very specific request to put in place certain capabilities for a company that would not be included as a core provider.

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

That means it's exceptional. It's not going to be common. There aren't going to be a lot of decisions. The intelligence commissioner isn't going to be overwhelmed with decisions.

4:30 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

No, and he has confirmed that. We gave him some initial numbers around how many ministerial orders would come to him, and he was sufficiently satisfied that he could manage it.

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

Okay.

I know his office's budget wasn't increased to meet its obligations in Bill C‑22, so I was wondering what the workload would be like.

You may not have time to answer this, but why didn't you include in part 2 a clear definition of “core provider”?

4:35 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

For a core provider, we do have a definition. What we expect to do is run through the regulatory process, where there will be classifications or classes—

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

There is none in the bill, Ms. Hiegel. It'll be dealt with in the regulation.

4:35 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

Yes, it will be in regulation.

The Chair Liberal Jean-Yves Duclos

Unfortunately, I have to cut you off there. I apologize.

Mr. Caputo, you have the floor for five minutes.

4:35 p.m.

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Thank you very much.

It's been helpful to have the officials. One thing I will say at the outset is that I feel like we need three hours with you. I don't say this in jest. This is a highly technical bill. We can't rush this. I have a list of about eight things I want to ask you about.

I'm looking up case law further to Madame DeBellefeuille's earlier point about the threshold of “reasonable grounds to suspect” versus “reasonable grounds to believe”. I haven't studied reasonable grounds to suspect in years. With regard to reasonable grounds to believe, I'm familiar with the Storrey decision that a person must subjectively believe that what they're doing is reasonable and that it must be objectively reasonable.

That probably means nothing to a lot of people, but these are difficult things to comprehend. When we're wrapping our heads around this, I think having you here for only one hour prior to clause-by-clause consideration is inadequate. I think we need you here a whole lot more, to be very candid. I'll leave that with you and with the chair and with my Liberal colleagues, because we have lots of questions, and I know I've just burned a minute here.

This is an important question that comes to the requirement for an electronic service provider to retain data for one year. Is that a de facto seizure that runs contrary to section 8? I understand that a search warrant is required, and that would be the search aspect. Normally there's the search and then the seizure. Is the compulsion to retain data a seizure in itself?

4:35 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

I'll attempt to just simply say that we have not equated the expectation of the retention by a company to a seizure within the context of an investigation, because there has been no production order or warrant approved by a judge. That would be my simple assessment of the scenario.

Do any of you have thoughts?

4:35 p.m.

Director General, Technical Investigation Services, Royal Canadian Mounted Police

Richard Burchill

As you said, we need a judicial authorization in order to access that data. The timeliness of it is.... There are companies that already retain this metadata. There's not a consistent application of how that happens among telecommunication providers, which is what security and law enforcement would look for. When we're looking to access that data, the reason for the timeliness is that if they keep it for three days but you're one week into a kidnapping investigation, that data is gone, whether you are judicially authorized or not, whereas some companies will have it readily available.

4:35 p.m.

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

I understand that. I'll tell you where I'm coming from on this. In this instance, the state or the government is compelling an action, and that action relates to information over which there is a reasonable expectation of privacy. That's why you need a warrant. The moment you say to provider A that they need to keep this, there's a reasonable expectation of privacy over what must be kept. Is everybody with me so far? Okay.

Does that not engage section 8? I might be out to lunch here, but I've been asked this question, so it's something I'm looking to explore.

4:35 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

Just as a point of clarity, when you say section 8, do you mean with regard to part 2 of the bill?

4:35 p.m.

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Yes.

4:35 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

Fenton, do you want to jump in?

May 5th, 2026 / 4:35 p.m.

Director, Intelligence Policy, Department of Public Safety and Emergency Preparedness

Fenton Ho

Obviously, we've had discussions around charter statements and stuff about that. Part of the analysis on that point will be how we actually circumscribe our use of metadata. In this case, we are clearly not looking.... The maximum is one year. We're not saying it's blanket retention. In the process of developing the regulations, we would have to prove that they're necessarily in proportion with that amount of time. At that point, we can come to an understanding of what charter obligations arise from that.

4:35 p.m.

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Let's go along that line here. The one year is kind of the benchmark. Are you saying...? We could talk about this for the next 15 minutes—this is, again, very important—and I have 33 seconds. What you're saying is that one year is the maximum. It's not the minimum. It's not just the drop-dead date. It's only one year. Obviously, any date is arbitrary. Why is it a year? Why is it not nine months or 15 months or two years?

Can you offer anything to help out this committee in terms of why a year was picked?

4:40 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

As I mentioned earlier, we have done a lot of country comparisons within our analysis. One year was actually quite common in being the average. As I said, Australia is on the higher end, with two years.

We also want to make sure that we're clear that what we are expecting to retain within the metadata context still needs to be defined. The expectation is that there is some level of rationale. Maybe the metadata of me speaking with Fenton is really important, because now I know who was talking to whom, so it would be kept for a year, while something around—

The Chair Liberal Jean-Yves Duclos

I'm sorry to interrupt, Madame Hiegel.

We need to move to MP Housefather for five minutes, please.

Anthony Housefather Liberal Mount Royal, QC

Thank you, Mr. Chair.

It's always fascinating to listen to my colleague Mr. Caputo.

First of all, let me start by saying thank you so much for being here.

Obviously, I'm strongly in favour of this bill. As I said in the House, I think we need a modern access regime. I think we need to deal with Bykovets and Spencer and have proper legislation that allows us to deal with things like that.

I also had a couple of questions, if that's okay, with respect to the way systemic vulnerabilities interplay in this bill, in proposed subsections 5(5) and 7(5) of the bill versus proposed sections 12 and 13. Basically, what I understand from proposed subsections 5(5) and 7(5) of the bill is that a provider is not required to comply if a systemic vulnerability would be created. I think I have that right. However, proposed section 12 says, “An electronic service provider that is subject to an order made under subsection 7(1) must comply with it.” Then proposed section 13 specifies that orders take primacy over the regulations that will be made.

I don't really understand, personally, the interplay here, where we're saying that somebody is not required to comply if it creates a systemic vulnerability, but then if there's an order, they're required to comply with it, and then the order supersedes regulations.

Can you talk me through this so that I understand how 5(5) and 7(5) actually work?

4:40 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

Sure. I'll start off, and then I'll turn to my expert, Fenton.

We have to consider this as a bit of a continuum, where the baseline has to be that you as a core provider—if it's regulation or if you're being tapped through a ministerial order—need to comply with this. Then there is the exception. If, as we go through this process with you to determine how to get that information off your networks, it is determined that it is a systemic vulnerability, then there is the right for a company to push back and say, “No, we can't give you the information you need because of a systemic vulnerability.”

Anthony Housefather Liberal Mount Royal, QC

If we want to say that, why would the bill itself not...? Right now, we agree that an order is paramount, and they must comply with the order. Is that correct?

4:40 p.m.

Director General, National Security Policy Directorate, Department of Public Safety and Emergency Preparedness

Shannon Hiegel

Yes. That is the baseline.

Anthony Housefather Liberal Mount Royal, QC

If the company believes that it would create a systemic vulnerability, under what circumstances is the company then able—unless it convinces the minister or representatives of the minister—to push back and say, “No, this would create a systemic vulnerability”? How come the bill as drafted doesn't say that the order must be complied with except to the extent that the company believes that, using reasonable commercial efforts, it cannot do this without creating a systemic vulnerability, or something like that?

If the company believes this, but the minister's office is not accepting that argument, what happens to the company?