Evidence of meeting #40 for Public Safety and National Security in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was c-22.

A video is available from Parliament.

On the agenda

Members speaking

Before the committee

Saad  Chair, Privacy and Access Law Section, Canadian Bar Associaton
Surgenor  Counsel, Canadian Constitution Foundation
Hatfield  Executive Director, OpenMedia
Alqazzaz  Executive Director, Canadian Muslim Public Affairs Council
McSorley  Senior Fellow, Centre for Free Expression
Tiwari  Vice-President, Strategy and Global Affairs, Signal

The Chair Liberal Jean-Yves Duclos

Good afternoon, everyone.

I call this meeting to order. Welcome to meeting number 40 of the House of Commons Standing Committee on Public Safety and National Security.

Pursuant to the House of Commons order of reference of April 20, 2026, and the motion we adopted on April 30, 2026, we are meeting to study Bill C‑22, An Act respecting lawful access.

I would like to begin by welcoming our three witnesses. First, we have Christiane Saad, from the Canadian Bar Association. Second, we are hearing from Alexander Surgenor, from the Canadian Constitution Foundation. Third, Matthew Hatfield, from OpenMedia, is participating by video conference.

Welcome, everyone. You each have five minutes for your opening remarks.

We'll start with you, Ms. Saad.

Christiane Saad Chair, Privacy and Access Law Section, Canadian Bar Associaton

Thank you very much, Mr. Chair.

Good afternoon, honourable members of the committee.

Thank you for the opportunity to appear today on behalf of the Canadian Bar Association as chair of the privacy and access to information law section, which, with the criminal justice section and the anti-corruption team, has studied Bill C-22. We acknowledge the improvements to the bill from earlier versions, but significant concerns remain.

The CBA notes four critical gaps, but let me begin with the structure. Bill C-22 bundles two different regimes under one banner. These deserve to be debated as separate bills so neither escapes proper scrutiny.

The first gap is the absence of evidence of necessity. When government expands its power into private lives, the burden is on it to show that the expansion is necessary. The government has not demonstrated that current laws hinder investigations. Both the CSIS Act and the Criminal Code already provide for assistance orders with judicial oversight for technical capabilities. Without evidence that these tools are insufficient, expanding powers is premature. In addition, three of the Five Eyes countries mentioned have no constitutional protection against unreasonable searches and seizures. Canada does, so section 8 of the charter must remain front of mind.

The second is that Bill C-22 dramatically expands lawful access power. More parties could demand access, more information could be compelled, technical capacity requirements would be broadened and more entities would be subject to them, while judicial discretion would be reduced. This expansion has lacked adequate consultation with key stakeholders for feasibility, impact and proportionality.

The third gap is the lack of safeguards. In part 1, the bill creates the new “subscriber information” production order on the lowest threshold that our legal system recognizes—mere reasonable suspicion—yet this order compels all subscriber information a provider holds, potentially reaching what the Supreme Court calls “a biographical core”. That definition should be narrowed to information that simply identifies a subscriber.

We are equally troubled by the voluntary disclosure provisions, which appear misaligned with the court's rulings in the Spencer and Bykovets cases, and by non-disclosure orders that can last for a full year. The CBA recommends reducing this to 90 days with court approval required for extensions.

The new confirmation of service demand power allows a peace officer to demand confirmation without judicial authorization and mandates a 24-hour response time. This timeline is unrealistic, especially for smaller providers, and the CBA recommends extending it to 48 or 72 hours except in genuine emergencies.

Part 2 concerns us the most. This new act would require ESPs to build capacity for lawful access, which in plain terms would mean building back doors. These access points would become magnets for hackers. Examples from other jurisdictions show that the equivalent law created vulnerabilities that foreign actors exploited to steal data.

The issue of metadata is even more critical. Although one proposed section would impose some limits on the nature of the data retained, it is well known that the metadata includes sensitive information, and in this context, it can also include location data.

Beyond that, part 2 effectively deputizes companies as surveillance arms of the state while shifting investigative costs to the private sector without compensation and without judicial overview. The CBA recommends that these ministerial orders be removed, that the definition of “systemic vulnerability” be strengthened to expressly protect encryption and that the government bear costs and risks related to these.

As for the fourth gap, the CBA sections believe that Bill C-22 risks violating section 8 of the charter.

The CBA is not opposed to supporting law enforcement; however, the CBA opposes expanding state surveillance powers without evidence of necessity, without adequate safeguards and without sufficient judicial oversight. Further details are in our original submission.

Thank you for your consideration.

The Chair Liberal Jean-Yves Duclos

Thank you, Ms. Saad.

I now give the floor to Alexander Surgenor for five minutes.

Alexander Surgenor Counsel, Canadian Constitution Foundation

Good afternoon, Mr. Chair.

My name is Alexander Surgenor. I'm counsel with the Canadian Constitution Foundation. We are a non-partisan, donor-funded legal charity. Our work consists of education and advocacy on matters pertaining to civil liberties, the rule of law and our constitutional order more generally. This is my first time appearing, so I thank you for the invitation.

Our concern with this bill is long-standing. It dates back to really the progenitor bill, Bill C-2. While we're pleased with the evolution there and the modest amendments and changes that followed, we remain concerned, and in fact even more concerned, about Bill C-22. That's why I'm here. I don't mean to be hyperbolic, but truly it's difficult to escape the inference that Bill C-22 would establish a pretty powerful regime of surveillance and constitute a pretty severe invasion into the privacy of everyday Canadians. Our concerns are fundamentally about the intrusiveness, the vulnerability and the overall secrecy that this bill envisions.

Allow me to identify exactly what I understand this bill to require. So-called core providers may be ordered to develop, test and maintain technical capabilities for extracting information, in particular computer data. I'll get to that in a moment. This would be achieved in part by installing, using and maintaining prolonged and continued access to perhaps any given device. The concern here, of course, is that it's not just so-called core providers. It's the fact that electronic service providers, carrying an enormously broad definition, could also be required, following a ministerial order, to undertake those same acts that the so-called core providers are. Very quickly, an electronic service provider could also become a core provider. There's no reassurance to be had in really defining those two terms differently. They're one and the same, and they would be quite quickly.

What is an electronic service provider? It is any entity that provides business in this country, or conducts a portion of its business in this country, through electronic channels, be it through the Internet or perhaps through software that's installed and kept locally on a device. Internet connectivity is relevant in that case.

Now, at the heart of it here, and really the pith of it, is the concern about metadata. Metadata is information about information. While the context of a text message might not be accessible, the fact that a text message, as an example, was sent could be accessed. To whom, when, how—all of that is fair game. The fact that a phone was used on the Hill in Ottawa, two days later in a library in Corner Brook, and then on another day finds itself in a hotel room in Saskatoon—that is all fair game. With this bill, we can monitor that, keep track of that and follow that.

In other words, the entirely innocuous and inherently private comings and goings of ordinary citizens are up for grabs. Up to a year's worth of movement, communication, work and ordinary life would be preserved for review while the private citizen, of course, is kept completely oblivious as to this occurring or not. Though the bill says no such order would be made if it would introduce a systemic vulnerability, I'm not particularly sanguine about that. The notion that only the good guys will have access to this flies in the face of examples from our peer nations in the Five Eyes that have suffered data breaches of exactly the sort that would constitute a systemic vulnerability.

If the aim is to better investigate criminal activity—I have some knowledge of this, having worked as a criminal defence lawyer and having seen both sides of this—it's unclear to me why the proposed powers have to be so broad to capture basically every device in this country. The CCF would gently remind everyone of the terms “public official” and “private citizen” and the key distinction there.

The importance of privacy cannot be overstated. Privacy is about dignity and autonomy. These are the predicates of a free society. To have a truly free society, we must be free to make our choices without the sense of being monitored—and, of course, not even knowing that we're being monitored.

I see that I'm at time. Once again, I thank you for hearing our concerns and inviting me to participate in this critically important discussion.

The Chair Liberal Jean-Yves Duclos

Thank you, Mr. Surgenor.

I now give the floor to Mr. Hatfield, from OpenMedia.

Matthew Hatfield Executive Director, OpenMedia

Good afternoon.

I'm Matt Hatfield. I'm the executive director of OpenMedia, a grassroots community of 230,000 people in Canada who work together for an open, accessible and surveillance-free Internet. I'm joining you from the unceded land of the Tsawout on Salt Spring Island in B.C.

Do not let the public safety minister convince you that limited amendments will fix Bill C-22. They will not. Nothing short of striking the majority of part 2 will protect Canadian privacy.

The government's current approach is an enormous own goal against our economy and our security, and you are the only people who can stop it. I won't repeat the facts you've heard from Professors Diab and Geist and Apple, Meta and others. I'll use my time to explain why light amendments cannot do the job of making this bill safe.

In recent weeks, the minister has said the government will amend Bill C-22 to bring it in line with our allies' lawful access like America's CALEA, so let's compare. Bill C-22 can require telecom companies, online services and even hardware manufacturers to let the government install surveillance equipment on their platforms and to retain a year of metadata on every person in Canada. That isn't catching us up to CALEA. The two aren't even in the same league.

CALEA covers only telecom companies and requires no metadata retention: nothing approaching a year's data on everyone by default. Of the Five Eyes, only Australia mandates metadata retention, and there it's deeply controversial and is being reformed. I think we need to bear in mind, taking a step back, that in this threat environment we're entering, CALEA is not a success. CALEA has been in effect since the 1990s, but in recent years, the back doors required by CALEA are increasingly a key entry point for foreign hackers to compromise U.S. privacy.

In 2024, Chinese state hackers used it to compromise the systems of America's largest telecoms, affecting more than a million people. Just this February, the FBI found that CALEA's back doors had led to breaches in their systems and reported it to Congress as a major security failure.

We aren't catching up to a working global standard here. We're leapfrogging well beyond what any of our allies have done, creating a more vulnerable version of a system that's failing other governments.

What about the minister's promise that selective amendments can fix the bill?

The security and legal experts you've heard from have been clear: This bill will not protect encryption in any way that matters. The government's promise is to provide a narrow technical protection that Bill C-22 won't force a company to break encryption, but breaking encryption as a standard and defeating it are not the same thing.

A working lock is no protection if you're required by law to leave the door open. Bill C-22's capability orders can compel a provider to build in access to information before it's encrypted or while it's temporarily decrypted: at the device level, within the software or as data is being handled. None of that breaks encryption as a standard. All of it circumvents the protection that encryption is supposed to provide. That's a foundational problem of Bill C-22, not a simple definitional problem to fix.

In fact, this bill, as written, makes sure that none of its definitions can actually protect Canadian rights. Much is made of the difference between an electronic service provider and a core electronic service provider, with the strongest default obligations on core providers, although the government of course will decide who a core provider is later by regulation, but proposed subsection 7(1) lets the minister impose any obligation that a core provider faces on any service provider.

Because these orders have no gazetting requirement, counterintuitively every invasive requirement a core provider faces can be applied to any provider with less public scrutiny. In that same logic, maximal flexibility—ineffective-by-design safeguards—governs the definition of systemic vulnerability. That definition today isn't good enough, but even a strengthened good-faith version won't fix Bill C-22, because proposed paragraph 47(1)(c) explicitly grants cabinet the regulatory power to reinterpret any term in the bill.

As the case for Bill C-22 has crumbled, the minister has claimed that opposition is driven by foreign big-tech firms attacking Canadian sovereignty. That's plainly not true. Canadian tech success stories like Windscribe and Shopify have rallied against this broken bill as strongly as anyone.

OpenMedia's community has sent nearly 25,000 messages to MPs opposing Bill C-22 and Bill C-2 before it and has helped to rally more than 300 organizations against Bill C-2's privacy provisions. We don't take a dollar from big tech. Our budget comes from small donations from ordinary Canadians. The truth is that big-tech firms were late to this conversation, and it was ordinary Canadians who sounded the alarm from day one.

Now, the minister has said the government wants to have a filing cabinet of every Canadians' metadata ready for law enforcement when they need it. To that, I say that democracies do not keep a filing cabinet of every citizen's sensitive information in case it's useful to spies or police.

This process has been pushed so quickly that the system is not keeping up. We submitted our brief more than two weeks ago, on May 15, yet due to the sheer volume of input you've received, I learned today that committee members have not yet received it.

This is the symptom of a rushed, under-resourced process for a bill that has massive stakes. On behalf of our community, I urge you to take the time to receive and review all public evidence and to thoroughly reform or abandon part 2 of Bill C-22 before it moves forward.

Thank you. I look forward to your questions.

The Chair Liberal Jean-Yves Duclos

Thank you, Mr. Hatfield.

Let's turn to MP Caputo.

Jacques Ramsay Liberal La Prairie—Atateken, QC

Mr. Chair, I have a point of order.

Ms. Saad has alluded to a memoir being presented. It may be my mistake, but I can't find it.

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

I have it.

Jacques Ramsay Liberal La Prairie—Atateken, QC

Is it in the binder?

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

We received it in both official languages. Did you not receive it?

Jacques Ramsay Liberal La Prairie—Atateken, QC

Are you talking about the Canadian Bar Association's brief?

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

I made a mistake; I have the one from the Barreau du Québec.

3:50 p.m.

Chair, Privacy and Access Law Section, Canadian Bar Associaton

Christiane Saad

We sent you our brief last week in French and English.

The Chair Liberal Jean-Yves Duclos

According to the information I have, the French and English versions of the Canadian Bar Association's brief have indeed been submitted, but the House's translation service has to validate both versions. If I understand correctly, the validation process is still under way.

That said, I'll give the floor to Mr. Caputo for six minutes.

3:50 p.m.

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

I'm sorry. I'm going to speak about this in my time because I think it's very important to speak about it.

Mr. Hatfield, I was going to ask questions about section 8, search and seizure and de facto seizures.

Just so that I'm clear, Mr. Chair, is it the policy, when a brief is submitted, that translation has to review it, even though it is translated already? Do I have that right?

The Chair Liberal Jean-Yves Duclos

[Inaudible—Editor]

3:50 p.m.

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Okay.

In the interim, though, prior to translation, can it not be disseminated, and then the translated version, the authenticated version...?

I'm trying to choose my words carefully, and I'm not trying to cast aspersions or blame. If a brief was submitted two weeks ago by OpenMedia, I guess I'm asking, what was the delay from two weeks ago to now?

The Chair Liberal Jean-Yves Duclos

Exceptionally, I can ask the clerk to provide guidance as to what happened.

The Clerk of the Committee Paul Cardegna

With regard to OpenMedia, we received their brief, and like a lot of others that we have received, it is in translation. As I explained to Mr. Hatfield earlier today, we are dealing with a large number of documents that have been submitted. Unfortunately, we are not the only committee drawing on translation resources. This has caused longer than expected or anticipated delays, which—though unfortunate—is not something that is in the purview of the committee to deal with at this time.

With regard to documents submitted in French and English, this is the rule of the committee, established by the committee. Any document that doesn't come from an MP's office, from a department or from the House of Commons and that is submitted in both official languages has to be sent to the Translation Bureau for linguistic review. Then we fall back into the same issue: The translation bureau has an enormous amount of work to do, which is causing longer than anticipated delays.

Thank you.

3:50 p.m.

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

When are amendments due?

The Chair Liberal Jean-Yves Duclos

The were due yesterday.

3:50 p.m.

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

I guess I'm a bit concerned because we don't know what we don't know as committee members. By that I mean I don't know how many briefs are outstanding. We have submitted our amendments. Obviously, that's on behalf of the Conservative Party. I have to ensure that His Majesty's loyal opposition is properly represented.

We know of at least two that are outstanding, and we wouldn't know about this if we were not having this meeting. It seems to me that the appropriate remedy should be to reopen the deadline for amendments. I'm not going to give away our work product, as a lawyer, but I will say that my staff, who have done an excellent job, go through these briefs; they do review them. They do look at amendments, and they do cross-reference them to the point where—I'm not telling tales out of school—there are 70 amendments we've looked at.

Mr. Chair, this is a problem, and I'm not sure how we deal with it. With the greatest of respect—and I'm not trying to throw anybody under the bus—if there are not enough resources for translation, and the government wants to have its legislative agenda passed, then you can't exactly have your cake and eat it too by saying, “Get this done, but we're not going to allocate the resources to get the translation done.”

I will resume my six minutes, if there's anything left. I'm not sure if the clerk can tell us this. What briefs are currently in that translation line, if you will? Does that make sense? What don't we have that has been submitted?

The Chair Liberal Jean-Yves Duclos

Let me summarize on three different points.

First, as we know from experience, the submission of briefs is a continual process. There were briefs several weeks ago. There were briefs submitted a few days ago. I suspect there could be briefs submitted today. There will be briefs and views submitted over a continuous time period.

The second thing is that the translation bureau, as the clerk mentioned earlier, proceeds in terms of priority. It does the work most professionally, and it does what it can to assist the members of this committee.

The third thing is that we have already committed to an agenda. Today is the last day for witnesses and we have decided that we will be moving to clause-by-clause work on Thursday. As we know, between now and Thursday there will be more work ongoing.

Having said that, I think there is more time for you, Mr. Caputo, to continue your intervention.

3:55 p.m.

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

I have to register for the record, Mr. Chair, that we still don't know what briefs are outstanding. What I would like is—and I would hope that all colleagues around the table would say this—before we move to clause-by-clause....

Amendments were already due. We know right now of two briefs that we haven't seen yet. Are there more? I think the committee has a right to know that.