Public Safety Committee on May 7th, 2026

Chair and members of the committee, thank you for the opportunity to appear today.

By my count, Bill C-22 represents Canada's ninth attempt to enact lawful access legislation. That alone should give us pause. For over a decade, successive governments have recognized the same problem. Our laws have not kept pace with the realities of modern criminal and national security threats or the tools required to address them. The result is a growing gap between Canada's lawful access framework and the central role that electronic data plays in investigating and prosecuting crime.

At the same time, the Supreme Court of Canada has been clear that even basic identifiers can reveal deeply personal information and are therefore protected under section 8 of the charter. As the court recently reaffirmed, an IP address is often the first digital bread crumb that can lead the state on the trail of an individual's Internet activity.

The government and this committee have a difficult task to address the existing operational gap in a way that is consistent with the charter. Bill C-22 is a meaningful improvement over past efforts at reform. It reflects the hard work done by officials at Public Safety Canada to engage with stakeholders and revise earlier proposals. It is more carefully structured and, in my view, capable of getting us to a workable, lawful access regime, but it is not there yet.

Let me briefly highlight three areas where targeted amendments would significantly strengthen the bill.

First is the subscriber information production order. The bill introduces a new tool that allows police to obtain subscriber information on a reasonable suspicion standard. In my opinion, that standard is constitutionally defensible, but the bill as drafted goes too far in another respect. It requires service providers to produce all subscriber information, as defined, tied to an identifier, regardless of whether each category of data is relevant to the investigation.

This new power applies to anyone who provides services, not just telephone service providers, creating a risk of overcollection of private information that does not meet the legal threshold set out in the bill. The fix is straightforward: Amend the provision to give police the discretion to request and judges the discretion to authorize only specific types of subscriber information for which the standard has been met. If the standard for a production order is going to be suspicion, then the scope of what is authorized must be narrowly targeted.

Second is risk to individuals in foreign jurisdictions. The bill allows Canadian authorities to request data directly from foreign service providers. This power is important, but it carries risk. There is currently no requirement for a judge to consider whether such a request could expose the target to mistreatment in another country, and that is a gap. I recommend adding a clear obligation for judges to assess whether there is a substantial risk of mistreatment and to refuse the order where such a risk exists. This would align the regime with Canada's broader human rights commitments and what is already obligated for RCMP officers under the Avoiding Complicity in Mistreatment by Foreign Entities Act.

Third and most critically is part 2, or the SAAIA, which is what I'm going to call it. Requiring companies to build interception capabilities and retain data that they would not otherwise keep inevitably creates cybersecurity risks. Every additional access point and every new repository of data are potential targets. The question is not whether the bill creates new risks. It does. The question is whether the bill adequately mitigates those risks and strikes the correct balance between the risks and the public safety imperative. As currently drafted, I don't think that it does.

Three changes are essential.

First, strengthen the definition of “systemic vulnerability” and prohibit the GIC from weakening that definition through regulation.

Second, prohibit blanket data retention. I believe that the current authority engages the right to privacy, is overly broad and creates a significant cybersecurity risk. The current one-year framework departs significantly from existing 90-day preservation limits, and I've yet to hear a compelling argument for the need for a blanket retention obligation not tied to any specific collection authority or subset of offences such as serious crime. Any retention regime must be necessary for investigative purposes and must be reasonable and proportionate to the offence or threat under investigation.

Third, make explicit that law enforcement and CSIS cannot directly collect or intercept personal information or private information from service providers' systems. Control over access to providers' data and systems must remain with providers. They alone should flip the switch. This is critical for privacy, security and legal clarity.

In conclusion, I believe deeply that Canada needs lawful access reform, but the task is not simply to expand access. It is to ensure that any expansion is necessary, reasonable and proportionate, and that it does not undermine constitutional protections or create undue security risks for Canadians.

Bill C-22 is a meaningful improvement, but targeted amendments are still required to get this right.

Thank you.

Thank you, Chair and members of the committee, for the opportunity to speak with you today about Bill C-22, an act respecting lawful access, and why policing leaders across Canada strongly support its passage.

Policing in Canada has changed dramatically over the past decade. Crime is no longer confined to physical spaces or geographical borders. Today, organized crime networks appear across jurisdictions using encrypted applications, anonymous accounts and digital platforms to coordinate activities such as drug trafficking, human trafficking, firearms smuggling and cybercrime, yet the laws that govern how police access critical information were largely designed before the digital reality existed.

Bill C-22 is about closing that gap. It proposes practical, measured updates that would allow investigators to access certain information more efficiently, always with lawful authority, judicial oversight and a full respect for the charter and the privacy protections Canadians expect.

This is not about expanding unchecked powers. It is about ensuring that when police have lawful grounds to act—

Okay.

How's that?

No, that's good. Thank you.

This is not about expanding unchecked powers. It is about ensuring that when police have lawful grounds to act, they can do so in a timely way, especially when lives are at risk.

We are experts in this area. Last year alone, the Thunder Bay Police Service investigated 184 cyber-related cases. This involved more than 140 production orders, 80 search warrants, and over 1,370 devices being seized for examination. These efforts led to 20 victims being identified, and more than 240 charges laid. This is impressive for a five-person unit.

However, this is not about statistics. It's about protecting people. Bill C-22 will help services like ours, facing increasing demands with limited resources, reach victims more quickly. Let me illustrate this in a more realistic scenario.

Imagine a missing 14-year-old girl: Shawna. Her parents report that she has been communicating online with someone they believe is exploiting her. Investigators identify a username linked to a messaging platform. Time is critical. Under the current framework, confirming which service provider holds that account information and obtaining the basic subscriber data needed to proceed can take valuable hours or even days due to fragmented processes and outdated legal pathways.

Meanwhile, evidence suggests the suspect may be attempting to move Shawna across provincial or international borders. Every hour matters. Under Bill C-22, investigators could more quickly confirm the service provider tied to the account and proceed with the appropriate judicial authorization to obtain further evidence. In urgent circumstances, they could request limited emergency access to data to prevent imminent harm, while remaining fully accountable to strict legal thresholds and oversight. That time saved could mean locating Shawna before she is moved, before further harm occurs and before critical evidence disappears.

This is the reality police services face every day. We have multiple examples in Thunder Bay where we have youth as young as 14 being exploited and coming to our community from southern Ontario. The Canadian Association of Chiefs of Police has endorsed Bill C-22 because it strikes the right balance. It streamlines access to essential information, improves emergency data sharing and clarifies voluntary disclosures, while maintaining strong judicial and privacy safeguards. The Ontario Association of Chiefs of Police has also consistently called for modernizing lawful access tools.

Our members see first-hand how individuals and organized crime group networks have exploited legislative gaps. These actors are sophisticated and constantly evolving.

To keep communities safe, policing must evolve as well. Lawful access tools are not about surveillance overreach. They're about public protection. They allow investigators to understand criminal networks, prevent violence and rescue victims. Whether it's locating a missing youth, disrupting fentanyl trafficking, dismantling human-trafficking networks or combatting online exploitation, clear legal frameworks and modern tools are essential.

Bill C-22 represents an important step forward. It acknowledges that modern crime requires modern solutions. It ensures police can act quickly in urgent situations, while remaining firmly grounded in judicial authorizations, privacy laws and the Charter of Rights and Freedoms. At its core, the legislation is about protecting Canadians, especially the most vulnerable among us.

I urge you to support the timely passage of Bill C-22.

Thank you.

Thank you, members of the Standing Committee on Public Safety and National Security, for the invitation to join you today.

The Toronto Police Service, along with the broader policing community in Canada, has long advocated for reforms that put public safety first, including reforms related to lawful access. We believe that Bill C-22, an act respecting lawful access, is a step in the right direction. It would provide additional tools for our officers to move investigations forward more quickly, hold offenders accountable and prevent harm.

Preventing harm often requires the ability to intervene early, including in cases involving violent extremism.

The Toronto Police Service is the biggest municipal police service in Canada. Policing in Toronto is extremely complex. In addition to all the unique aspects of the city, we often see trends here before they begin to appear in other areas. We see the ripple effects of geopolitics and a rise in hate crimes. We see frontline situations rooted in the complexity of mental health, addiction and unmet social needs.

Toronto is home to the majority of consular offices in Ontario. The city is host to many major international events. We are seeing more young people becoming involved in violence and often communicating anonymously about potential targets through digital platforms.

Addressing these issues requires support and collaboration across the broader justice system, including through legislative reform. In many ways, new technology and communication enhancements have made our lives easier, but they have also made it easier for criminals to plan their activities and avoid justice. We are seeing bad actors use digital tools for all kinds of crime, including drug trafficking, extortion, child pornography, hate crimes, extremism and other serious offences.

Our role is to prevent these offences, bring offenders to justice and provide a voice for victims who have experienced some of the most difficult of circumstances. However, because technology has evolved so quickly in recent years, we are encountering roadblocks in some of these investigations.

Take, for example, the issue of confirming which telecommunication service provider has information that will assist in an investigation. Presently, this process is time-consuming and potentially leads to loss of evidence. Bill C-22 would streamline our processes and allow police to advance investigations in a timely manner.

As the criminal world evolves, law enforcement and the justice system must keep pace. It is important to note that some of these tools are already available in other Five Eyes countries. The Toronto Police Service strongly believes that lawful access would reduce delays in accessing critical information and, in doing so, enhance public safety.

Thank you. We look forward to continuing our work with all levels of government to ensure the justice system upholds accountability and protects our communities.

As I read the bill, there is no means by which the government could say that you have to force open your encryption if you don't already have the capabilities.

I say that because, both for the regulations and for the ministerial orders, it says that you cannot comply with an order or regulation if it requires instituting a “systemic vulnerability” into your system, and the way that systemic vulnerability is currently defined includes encryption, because of the definition of “electronic protection”.

My concern is more over the fact that there could be other forms of systemic vulnerabilities built into the hardware or operating system that don't get captured by the definition of “systemic vulnerability”. That's where I see a gap.

That's correct. However, because we don't know who a core provider would be and who could be captured by this act, there could be hardware providers, for example, that could be service providers that would be captured, and the definition of “systemic vulnerability”, as it stands, wouldn't capture their activities.

I know you're going to hear from Professor Diab later. He also has thought about this as well, so I would turn to him for more on that.

That's my understanding, yes.

My understanding is that they would still have to be an electronic service provider. However, the definition of “electronic service provider” is fairly broad, so it could capture people who provide hardware services, for example.

Yes.

If there were a ministerial order to have that capability, that ministerial order would have to be reviewed by the IC and approved, and then, yes...but with consultation. There's consultation built in to require that consultation—with Apple, in this case. If that approval were still done, then there would be JR.

However, you have to layer on top the fact that nobody could access that lawfully without a warrant for interception. Just because the service provider would have the capacity doesn't necessarily mean that law enforcement would then, all of a sudden, have access. In that case, you wouldn't really be instituting a new vulnerability because they already had the capacity. Really, you're just giving law enforcement the capacity to tap into something that already existed, if they had lawful authority.

That's my understanding.