Canadian Privacy Law Blog

The Deeply Problematic Part 2 of Bill C-22: The Supporting Authorized Access to Information Act.

2026-04-20T10:03:00.002-03:00

Part 2 of Bill C-22, the Lawful Access Act of 2026, is and remains a huge problem. The outcry associated with the Strong Borders Act was principally focused on warrantless information demands and overbroad subscriber information orders. In a lot of the debate and discussion, Part 15 of that Bill was largely ignored. I really hope that the equivalent of that Part in Bill C-22 gets as much attention as it deserves.

In a nutshell, Part 2 will require a huge range of service providers – well beyond traditional telecommunications service providers – to build in real-time interception and monitoring capabilities so that cops and national security folks can just plug into the systems to access data when “authorized” to do so.

Part 2 creates a new standalone statute called the Supporting Authorized Access to Information Act or SAAIA. Section 3 sets out its purpose:

3 The purpose of this Act is to ensure that electronic service providers can facilitate the exercise of authorities to access information that are conferred on authorized persons.

So it talks about authorities that are conferred on authorized persons to access information. It doesn't say “lawful authorities”, nor does it say “judicially authorized authorities”. It just says authorities. From the discussion about Part 1, it’s clear that the police and CSIS are authorized to obtain data without a warrant by just asking for it.

The Supporting Authorized Access to Information Act has “electronic service providers” in its crosshairs. It is therefore really important to understand what an electronic service provider is. ESP is defined in the bill, as is an electronic service.

electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that
(a) provides the service to persons in Canada; or
(b) carries on all or part of its business activities in Canada.‍

You will note that it says it provides an electronic service, “including for the purpose of enabling communications”. The use of the word “including” clearly signals that it is not limited to those providers who are strictly engaged in communications. It goes broader than that. We can see from the very broad definition of electronic service:

electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.‍

Hey, I am in the business of creating information in digital form. What is a YouTube video, or podcast? Or emails to my clients. My law firm is in the business of creating information in digital form. The Canadian Broadcasting Corporation, the Globe and Mail and the Canadian Press are in the business of creating information in digital form. I am not sure that any business exists in Canada that is not some way or somehow creating, processing or storing digital information. This is dramatically broad. In conversations I have had with people from Public Safety, it is clearly their intent to cover traditional telcos, internet service providers and ALSO cloud computing providers, social media providers and online game services. Again, this is dramatically broad.

The Bill is going to deal with two broad categories of electronic service providers. The first is something called a “core provider”, and there will be subcategories of core providers. The second group is the rest of the universe that could fit into the category or definition of “electronic service provider”.

The categories of core providers are to be listed in the schedule to the Act, which is currently blank, not surprisingly. So these core providers are going to be subject to a number of obligations that will be set out in the regulations. Subsection (2) describes these obligations, but note the use of the word “including” which means that the regulations and the obligations can go well beyond what is listed in subsections (a) through (d).

(a) the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;

[This is essentially a requirement to build in the operational and technical capabilities to enable access to information on the core provider’s infrastructure or within their systems.]

(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information;

[This can require core providers to install particular devices or equipment on their infrastructure.]

(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b); and

[It’s not yet clear what these notices are all about ….]

(d) the retention of categories of metadata — including transmission data, as defined in section 487.‍011 of the Criminal Code — for reasonable periods of time not exceeding one year.

The requirement to retain metadata was NOT in Bill C-2, the Strong Borders Act. This is very concerning. There are some small protections about this, in subsection (4). That says:

(4) Paragraph (2)‍(d) does not authorize the making of regulations that require core providers to retain information that would reveal
(a) the content — that is to say the substance, meaning or purpose — of information transmitted in the course of an electronic service;
(b) a person’s web browsing history; or
(c) a person’s social media activities.

Ok. That’s some protection. But it does not put location information out of scope, which is concerning. The government clearly wants all cellphones to be trackable, and under this authority they can be required to save your detailed location history for a full year.

Subsection (3) lists a number of factors that the government must take into account in creating and drafting the regulations which place the specific obligations on the core providers. These include …

(a) the benefits of the regulation to the administration of justice, in particular to investigations under the Criminal Code, and to the exercise of powers and the performance of duties and functions under the Canadian Security Intelligence Service Act;
(b) the feasibility of compliance with the regulation for the core providers;
(c) the costs to be incurred by the core providers to ensure compliance with the regulation;
(d) the potential impact of the regulation on the persons to whom the core providers provide services;
(e) the potential impact of the regulation on privacy protection and cybersecurity; and
(f) any other factor that the Governor in Council considers relevant.

I am glad that they have included the potential impact on privacy and cybersecurity. I would like it if it required the government to release their analysis of all these considerations along with the regulatory impact analysis statement that will accompany the regulations when they are first published.

The only good news when dealing with core providers is that these requirements will be in a regulation that will be public. We will be able to understand, at least in general terms, what obligations are being imposed on these core providers.

There is another bit of small comfort in subsection (5) which says

(5) A core provider is not required to comply with a provision of a regulation made under subsection (2), with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.

Of course, this turns on what is a “systemic vulnerability”, which is defined in the bill:

systemic vulnerability means a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.‍

electronic protection means authentication, encryption and any other prescribed type of data protection.‍

Note that it is limited to systemic vulnerabilities in “services”. It does not include devices or processes. Just the services themselves. Professor Robert Diab has pointed out that there’s enough wiggle room in this for the Minister to say that an operating system, such as Windows or iOS is not a “service”. Firmware is a part of the device, so please root them all. (The use of the word “please” is only because we’re Canadian … it would actually be an order.)

Also, what this does NOT say is that the government is prohibited from requiring an ESP to circumvent or undermine encryption. We have been told by the government that they would never do that, but they do not seem willing to put it in the law.

The second significant power contained in the Supporting Authorized Access to Information Act are ministerial orders, set out in Section 7. Essentially, the minister of Public Safety can issue secret orders directed at any one or more electronic service providers to implement measures that could have been contained in a regulation for a core provider, but these are secret and would be limited to a defined time period. Of course this time can be extended at the discretion of the minister. These orders can also be directed at ESPs that are already core providers. Bonus requirements!

The only real protection introduced since the Strong Borders Act is in subsection (2), which says that these secret orders must be approved by the Commissioner designated under the Intelligence Commissioner Act. I think this is a real protection, principally because the intelligence commissioner has to be a former Superior Court judge who would have spent a career dealing with criminal law matters and Charter rights. He is currently entrusted with approving certain National Security orders as a form of semi-judicial oversight. This is, in my view, real progress.

Subsection (3) of Section 7 sets out the sorts of considerations that the Minister has to take into account before issuing a secret ministerial order. This parallels the considerations that the government would have to take into account in issuing regulations affecting core providers.

And subsection (5) has a parallel provision saying that

(5) The electronic service provider is not required to comply with a provision of the order, with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.

Section 14 creates an obligation for all electronic service providers to assist a range of people to do a range of things on the Minister’s request. Remember, while we review this, that my law firm, your doctor’s office and Apple are all “electronic service providers”. It reads:

14 (1) On request made by the Minister, an electronic service provider must provide all reasonable assistance to a person or class of persons specified in the request to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.
Persons to be assisted
(2) Only the following persons or classes of persons may receive assistance:

(a) the Minister;
(b) an employee of the Canadian Security Intelligence Service;
(c) a person appointed or employed under Part I of the Royal Canadian Mounted Police Act or a civilian employee referred to in section 10 of that Act;
(d) a civilian employee of another police force;
(e) a peace officer, as defined in section 2 of the Criminal Code.

There is some protection in subsection (4) so that “the assessment or testing must not have the effect of granting access to personal information.”

One of the huge problems I have with these Ministerial Orders is the mandatory secrecy that surrounds them. Without exception, under section 15, an ESP is prohibited by law from revealing that they are subject to an order, the substance or contents of an order, any dialogue they’ve had with the Minister in connection with any order.

This is draconian, overbroad and frankly offensive. There’s no requirement that the Minister be satisfied that disclosure of this information would be harmful to law enforcement or to national security. There is no sunset and no means by which an ESP can challenge the gag order if they think it’s in the public interest to disclose the information. I am not sure that this provision, on its own, would survive a Charter challenge. It also means that a foreign company can’t advise their own government that they are subject to an order.

I can’t help but think of the fact that under the UK equivalent of this law, Apple was issued with a secret order to circumvent or turn off encryption on iCloud. Apple couldn’t tell anyone, yet it somehow leaked. The United States government was of the view that this was contrary to an agreement between the UK and the US, but Apple was prohibited by UK law from letting their own government know what shenanigans the US’ own ally was engaging in.

The bill does anticipate at section 17 that ESPs may seek judicial review of a Minister’s order, but the cards are again stacked in favour of secrecy, and conducting its business outside of public scrutiny.

Section 18 allows the government to make a range of regulations related to confidentiality and security. These are scaled back from the absurd scope anticipated in the Strong Borders Act. There are security and confidentiality rules for judicial proceedings provided for in subsection (b). Subsections (c) and (d) authorize regulations related to ESP employees and contractors involved with law enforcement and national security access to information, including security clearances and where they are located, and where facilities are located. As I understand it, most American service providers run this function from the US and I’m sure they will not be interested in moving that to Canada or having their employees subject to Canadian security clearances. I would imagine that some companies will just decide to not do business in Canada.

Part 2 also contains a whole regulatory oversight structure, with inspections, audits and penalties. I’m not going to get into that today.

Throughout this discussion, I can’t help but be reminded that the US has had something similar in their laws for some time, and the mandated intercept capabilities were used by Chinese hackers to get access to data.

The "Salt Typhoon" hacking incident, attributed to a Chinese state-sponsored advanced persistent threat (APT) actor, came to light in late 2024 with revelations that the group had extensively compromised the computer systems of multiple major US telecommunications companies. The stolen information included call and text message metadata, and in some high-profile instances, even audio recordings of phone calls belonging to government officials and political figures.

A critical factor facilitating the Salt Typhoon incident was the very infrastructure put in place to comply with the Communications Assistance for Law Enforcement Act (CALEA). Enacted in 1994, CALEA mandates that telecommunications providers build "lawful intercept" capabilities into their networks to allow law enforcement and intelligence agencies to conduct court-authorized wiretaps. While intended for legitimate surveillance, these mandated "backdoors" created inherent vulnerabilities within the telecom networks. Salt Typhoon exploited these CALEA-mandated systems, effectively turning the tools designed for lawful access into pathways for unauthorized espionage.

This is what’s coming to Canada …

So let’s bring this down to earth and make it more concrete. At a technical briefing this week, the government offered only two examples for why they think we need the Supporting Authorized Access to Information Act:

“CSIS cannot track a cellphone

CSIS is trying to determine the movements of a terrorist group and has received a warrant to track a person of interest’s cellphone. The electronic service provider did not have the necessary capabilities to track the device because they are not required to. As a result, CSIS had to resort to costly and risky in-person surveillance.

With C-22: The GIC will have the authority to make regulations requiring that ESPs develop and maintain location tracking capabilities that are standard in Europe and among the Five Eyes.”

First of all, I don’t really care what they are doing in the other Five Eyes. Essentially, the UK, Australia and New Zealand don’t have a Charter of Rights and Freedoms and their surveillance laws reflect that. And the law doesn’t we’ll just do what they do in “Europe and among the Five Eyes.” I bet the Chinese security services have this capability.

Let’s take a moment to ponder this scenario and what it means. CSIS wants to be able to track any cellphone in real-time, with a warrant. That means that they want every cellphone in Canada to be a tracking device. And they want historical metadata – which includes location data – retained for one year.

The second example is equally sympathetic, but shows that the government wants everyone to be carrying a tracking device:

“Police cannot consistently obtain location information

An at-risk 16-year-old girl was reported missing. She had already been missing for 10 days when she made an emergency call. The telecommunications provider was able to confirm the call and the tower used to make the call but could not provide the last known location of the phone before it was disconnected since they are not required to have that capability.

With C-22: Core providers would be required to maintain accurate and consistent localization capabilities across the country.”

That device in your pocket will be a tracking device. And the law doesn’t say that this data can only be accessed if you’re a suspected terrorist or a missing teenaged girl. It can be tracked by ANY police agency in Canada with an order issued merely on “reasonable grounds to suspect.” Judicial authorization isn’t even required in a whole bunch of cases: There are dozens of laws that permit regulators and others to access this data without judicial authorization.

“If you build it, they will come.” And the government wants ESPs to build the surveillance infrastructure for them, to which the police and others will almost certainly come. And this is even without considering that the backdoors will be a HUGE target for cybercriminals and threat actors.

I don’t think that the government has come close to making any sort of compelling case for Part 2 of Bill C-22, and certainly not one that convinces me that the public safety interest in building all of this surveillance infrastructure outweighs the privacy and cybersecurity risk of doing so.

We should also be looking at this through the lens of what we have now. If the police or CSIS get a production order, a wiretap order or a tracking order, they can also ask the judge to issue an “assistance order”. This is an order, directed at the service provider, ordering them to give all reasonable assistance, reasonably required to give effect to the production order, wiretap order or tracking order. On every occasion when I have brought this up with “lawful access” supporters, nobody has been able to point me to any problems with this. Assistance orders are like one-off ministerial orders that are appropriately tailored to the case and circumstances, and are signed off by a judge. And they’re subject to judicial review. I’m not sure the current system is broken. It just doesn’t give the police friction-free access to the universe of data that they want collected on their behalf.

The new "Production Order for Subscriber Information" in Bill C-22, the Lawful Access Act 2026

2026-04-12T19:11:00.006-03:00

I’ve been doing a series of episodes taking a closer look at the elements of the new lawful access bill, Bill C-22. The bill contains a revamped version of something that caused a lot of controversy in the earlier Bill C-2, and is the thing most sought after by the police. That is the production order for subscriber information.

Before we dive into this new production order, a bit of background:

The Bill is in two parts. The first part is called “Timely Access to Data and Information” and the second part of the Bill creates a new statute: the “Supporting Authorized Access to Information Act”.

The two parts do wildly different things. Part one is intended to create new AUTHORITIES by which police and national security folks can require companies to provide them with information about their customers. Part two is intended to create new CAPABILITIES by which police and national security folks can require companies to provide them with information about their customers. Part one is about authorities and part two is about capabilities. The authorities under part one are mostly subject to judicial supervision and control, and I can largely live with them. The capabilities under Part Two cause me a LOT of concern.

The government has clearly tried to fix some of the biggest problems from Bill C-2. But when you look more closely, there are still some very serious issues – particularly around the legal threshold, the scope of information, and just how broadly this power can be used.

So in this episode, I’m going to do three things:

First, I’ll explain what a production order for subscriber information actually is.

Second, I’ll walk through what was proposed in Bill C-2, the Strong Borders Act.

And third, I’ll show what’s changed in Bill C-22, the Lawful Access Act of 2026 — and what hasn’t changed.

Let’s start with the baseline. What are they trying to accomplish? Let’s look at the situation described in the leading case on the topic called R v Spencer from the Supreme Court of Canada. In that case,

“The police identified the Internet Protocol (IP) address of a computer that someone had been using to access and store [CSAM] through an Internet file-sharing program. They then obtained from the Internet Service Provider (ISP), without prior judicial authorization, the subscriber information associated with that IP address. This led them to the appellant, Mr. Spencer. He had downloaded [CSAM] into a folder that was accessible to other Internet users using the same file-sharing program. He was charged and convicted at trial of possession of [CSAM] and acquitted on a charge of making it available.”

The “subscriber information” here is the customer name and address associated with the IP address that the police already had. The Court in Spencer said the police have to get a court order to get that information from the internet service provider, or there has to be a "reasonable law” that enables them to get that info.

Under the current Criminal Code, police already have access to something called a general production order. This allows them to go to a judge or a justice of the peace and, if they meet a legal threshold, compel a third party to produce records relevant to an investigation. That type of order has been available since 2004, ten years before the Spencer decision. The police could have gotten such an order, but they didn’t want to.

For General Production Orders, the police have to show that there are reasonable grounds to believe that an offence has been or will be committed.

That’s a meaningful standard. It requires evidence that would lead a reasonable person to actually believe a crime occurred. And importantly, these orders are targeted. They specify the particular records being sought. The cop has to convince the judge that the particular records sought are relevant and useful.

Now, “subscriber information” is a subset of that. This is the information that links a person to a service. The police have a phone number or an IP address and they want to know who is the particular customer who is associated with that phone number or IP address.

And as the Supreme Court of Canada has said in the leading case called Spencer, this kind of information engages a reasonable expectation of privacy. You have the right to be anonymous on the internet. The Court said the police can only get this type of information pursuant to a court order or a “reasonable law”. They currently get it using a general production order, based on reasonable grounds to believe.

So access to it generally requires judicial authorization or the more nebulous “reasonable law”.

Now let’s look at the former Bill C-2—the Strong Borders Act.

This bill introduced a new, standalone production order for subscriber information.

And it had two major features that drew a lot of criticism. First, the legal threshold was extremely low. Instead of reasonable grounds to believe, the bill required only reasonable grounds to suspect an offence. That’s a much lower standard.

It doesn’t require belief—just suspicion. And in practical terms, it’s just above a hunch.

Second, the scope of information was extremely broad. The definition of subscriber information included any information provided by the customer to obtain the service. And these orders could be directed to anyone who provides service to the public. And that’s where things got concerning.

And on top of that, the order required the production of all subscriber information—not just specific, targeted records. That could include things like banking information, credit card details, and potentially other very sensitive data.

So what you had was a combination of a very low threshold and a very broad scope. And that raised serious concerns.

Now let’s fast forward to Bill C-22. And to be fair, the government has made some meaningful changes.

The first change is to the definition of subscriber information. It’s now more constrained. It includes identifying information like name, address, and email. It includes account identifiers. It includes information about the services provided. And it includes device or equipment identifiers.

subscriber information, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person, means

(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.

But importantly, what’s been removed is that catch-all category of information provided by the customer to obtain the service.

And that’s a big deal because it likely excludes things like payment information, medical intake forms, and other highly sensitive data.

So from a scoping perspective, this is clearly an improvement, but it’s still too broad in my view.

But—and this is important—the order can still be directed at any person who provides services to the public. Not just telecommunications companies. That means banks, hotels, doctors’ offices, online platforms—really, anyone providing services to the public.

So while the type of information has been narrowed, the range of organizations that can be compelled to produce it is still very broad.

But the legal threshold has not changed. It is still reasonable grounds to suspect. Not “believe”. And that matters.

Production order — subscriber information

487.‍0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

Conditions for making order

(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.‍004 that there are reasonable grounds to suspect that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

Because it means there is no requirement for the officer to actually believe that a crime has been committed or will be committed. Only that there are reasonable grounds that could lead someone to suspect that an offence has occurred. That is a very low bar.

Another important point is that this power is not limited to serious crimes. It applies to any offence under any Act of Parliament. That includes relatively minor regulatory offences.

So we are talking about a power that is broadly available, triggered on a low threshold, and capable of compelling disclosure of personal information from a wide range of organizations.

So what does this mean in practice?

Well, first, it makes it easier for police to connect an identifier—like an IP address, or a device—to a real person. And that’s clearly the goal.

I have a problem with the fact that the order is “to prepare and produce a document containing ALL THE SUBSCRIBER INFORMATION that relates to any information, including transmission data, that is specified in the order”. ALL the subscriber information. It’s not just the subscriber information that will identify and locate the recipient of the services. That goes beyond the “investigative breadcrumb” the police say they really need.

But even with the narrowed definition, the inclusion of things like service types and device identifiers can still be quite revealing. It can tell you what services someone uses. It can tell you what devices they rely on. And in some cases, that can paint in some details into the picture of an individual’s activities.

It can be directed to a doctor’s office with the requirement to tell the police what services the individual gets. It can include the serial number of your CPAP machine or blood glucose monitor.

It can be directed to an ISP that’s also a telco and a cable company, requiring the production of information about what cable packages you subscribe to, what your phone number is, what is the MAC address of your modem, the IMEI of your phones.

It can be directed at a company like Apple, requiring the production of your iCloud account identifier, the bluetooth device identifiers for all your airtags, your airpods, the identifiers for your MacBook, your iPhone, your iPad.

And because the threshold is lower, judges are being asked to approve these orders with less evidentiary grounding than we would normally expect.

The government is thinking that customer name and address, IP addresses and phone numbers attract a lower expectation of privacy, so can be obtained on a lower standard like “reasonable suspicion”. That may be true and the courts may agree with that point, but the inclusion of “all services” and “all devices” and “all identifiers” would be information that has a higher expectation of privacy, and presents a real risk that the order will be found to violate section 8 of the Charter of Rights and Freedoms.

So, in my view, it’s still too broad.

So stepping back, here’s the comparison.

Bill C-2 had a very, very broad definition of subscriber information, including customer-provided data, combined with a low threshold and bulk disclosure.

Bill C-22 narrows the definition and removes the most sensitive categories of information. But it keeps the low threshold, it still applies broadly, and it still allows relatively expansive disclosure.

So yes, it’s better. But the core issue—the low legal threshold for access to personal data—remains.

Bill C-22 clearly reflects an attempt to respond to the criticism of Bill C-2. And in some respects, it succeeds. But the fundamental policy choice is still there:. To allow police to obtain subscriber information AND MORE on the basis of suspicion, not belief.

And that raises a real question: Is that an appropriate balance between investigative efficiency and privacy? Or does it place the line too far in favour of the state?

That’s the issue Parliament is going to have to grapple with when this gets to committee, and then this will be decided by the courts. I think if they narrow the scope a bit further to remove information about services and devices, this may be Charter compliant. If not, there’s a real risk it’ll be struck down by the courts and the police will be back to the drawing board.

A close look at "Confirmation of service demands" in Bill C-22, Lawful Access Act 2026

2026-04-05T18:00:00.006-03:00

I have to start by giving Public Safety Minister Gary Anandasangaree credit for parking the “lawful access” parts of Bill C-2, going back to the drawing board and introducing a much improved Bill C-22, “An act respecting lawful access.”

As I said, it’s much improved. In a number of ways, it still goes way too far and least in one respect it doesn’t go far enough.

Over the course of a number of episodes, I’m going to do a bit of a deep dive into some of the main features of Bill C-22. I did a forty minute episode going over all of it, but the next ones will be shorter and focused on particular provisions.

Today I’m going to talk about the “Confirmation of Service Demand.” Yes, it is without a warrant but that doesn’t cause me any real concern. And I’ll explain why.

Before we dive into these demands, a bit of background:

Over the last twenty years, the government and police have not done a good job explaining why they need either the new authorities or the new capabilities.

To understand whether they should have new authorities and capabilities, I think we need to go through what is the current state of affairs and what the government proposes to change. And then we’ll look at what those changes are and what those changes mean.

Here is a pretty common scenario that plays out all the time. The police have evidence of some sort of online crime. It could be distribution of child abuse materials or it could be extortion. They’re confident a crime has taken place, but they don’t know who the suspect is. They may have an IP address or a phone number, but no name. Using publicly available tools, they can find out who is the internet service provider or who is the telco who first assigned the phone number. But they don’t necessarily know where the suspect may be. If it’s a Rogers, or Bell or Telus IP address, they have customers across the country. If it’s a phone number that was first assigned by Rogers, that customer may have moved provinces and thanks to number portability, the service provider may have changed in the meantime.

So they want to know who is the person – their suspect – connected to this IP address or phone number, who is the current service provider and where they are. The “where” is important, because the crime may have been brought to the attention of the RCMP in Ottawa via international law enforcement partners, but the suspect may be in Montreal, Toronto or Calgary.

But this is not a dead end using their current authorities. The RCMP in Ottawa can go to the court in Ottawa to get a general production order. They’ve been able to do this since 2004, when the Criminal Code was amended to create these third party information orders. So an RCMP constable goes to the court and says – under oath – I have reasonable grounds to believe that a crime has been committed, and here’s the basis for that belief. I also have reasonable grounds to believe that the Telco or ISP has information that will lead me to the identity of the suspect. Therefore I want an order telling the Telco to provide me with the customer name and address associated with the IP address or phone number. And the officer gets a production order that will typically order the Telco to provide the information promptly and usually no later than thirty days. The order can say a shorter time.

The telco will tell the RCMP constable the name and address that the IP address is allocated. Let’s just say it’s John Q. Public of 123 Main Street, Winnipeg, Manitoba. The RCMP in Ottawa will contact the Winnipeg police, send them their investigation file and the information received from the Telco. The Winnipeg police should pick it up from there, and off they go.

This can all be done – and is done daily – using the current authorities in the Criminal Code.

But from time to time, the response from a telco may be “that’s not our phone number” or “yes, that’s our IP address, but it’s actually serviced by a reseller of internet services so we don’t have any customer information”. This doesn’t happen all the time, but it happens.

One of the things that the police and national security folks want is a “confirmation of service demand” because they may not know whether the suspect is actually a customer of a particular telco. They want to be able to ask any telco “Hey, do you service this phone number?” And the telco would have to say “yes” or “no”. It may be an IP address, it may be a SIM card number or an IMEI (International Mobile Equipment Identity), which is a unique 15-digit number that identifies mobile devices on a network. (I should note that IP addresses and SIM card numbers are generally and reliably associated with the service provider.)

A confirmation of service demand makes a lot of sense. They can’t really do this with a current production order because they have to have “reasonable grounds to believe” that the recipient of the order has records. They may have reasonable grounds to believe that the phone number may be served by “A Telco”, but they don’t have reasonable grounds to believe that the phone number is served by any particular Telco. There are 39 registered wireless carriers and more than 100 traditional phone companies.

A yes or no answer to “Hey! Bell! Is 902-555-1212 serviced by you?” does not disclose anything meaningfully private or personal about whoever answers when you dial 902-555-1212. Essentially, for the police, it’s knowing where to send any subsequent court orders related to that number.

So in the scenario I mentioned before, the RCMP in Ottawa that got the report can ask the larger telcos whether they provide the service to the number and get a yes or no answer. Then they know where to send a court order for customer information.

When this was first introduced in Part 14 of Bill C-2, the Strong Borders Act, the “information demand” was far too broad and got a lot of pushback. If this had gone through, without a warrant, the police could demand much more than “is this your customer” and it applied to anyone who provides services to the public. That’s in paragraph (a) - do you or have you provided services. But it went further. If the answer to (a) is “yes”, they can demand whether the company has records and where the services were provided. They can demand the dates during which services were provided. They can demand information about anyone else who is known to provide services to the customer.

So the police can go to Dr. Smith, a family doctor, and say “is John Q. Public your patient, and what specialists have also provided services to your patient”? Clearly over the top.

So in the new Lawful Access Bill, Bill C-22, we have a pared back “Confirmation of service demand”.

The new section 487.‍0121 allows a peace officer or public officer to make a demand to a telecommunications service provider. It’s not just anyone who provides service to the public, but is now limited to registered, regulated telcos. That demand can require them to confirm, within the time and in the manner specified in the demand, whether or not they provide or have provided telecommunication services to any subscriber or client, or to any account or identifier, specified in the demand.

To make this demand, they just have to suspect that an offence has taken place and that the confirmation will assist in the investigation. That’s a low threshold, but defensible in light of the information being sought. Which is just a yes or a no answer.

In pulling back and fixing the former information demand, I think they may have pulled back a little too far. In the old demand, the police could demand “in which municipality do you provide these services.” That’s no longer there. And I would be OK with putting that part back in the new “Confirmation of Service Demand” because that has the potential to move investigations forward with negligible impact on customer privacy.

Going back to the scenario I mentioned earlier, where the RCMP in Ottawa receive a report from another law enforcement agency outside of Canada, but the suspect is in Winnipeg. If the confirmation of service demand included the location where services are provided, the RCMP can make the demand from the major telcos, find out that the suspect is in Winnipeg and just refer the whole file to the Winnipeg police to investigate. The Winnipeg police would then go to a local judge to get a production order for subscriber information (which I’ll get into in a subsequent episode), and carry on with the investigation.

Being able to refer the matter to the local police of jurisdiction at that stage makes sense to me, and as I said has negligible impact on privacy.

So that’s the “confirmation of service demand” in Bill C-22, the Lawful Access Act of 2026. The scaling back has certainly improved it, but in scaling it back, the police may have lost a useful bit of information that had no meaningful privacy impact.

Lawful Access is back: Part 1 is much improved but Part 2 is deeply problematic

2026-03-15T20:00:00.036-03:00

The latest attempt at so-called “lawful access” has just dropped in the Parliament of Canada. I have a few things to say about it. It’s better than the government’s last attempt, but take a moment and consider this:

If Bill C-22, the Lawful Access Act 2026 becomes the law, the government of Canada will be able to secretly order Apple to build in a capability into its infrastructure to allow Canadian law enforcement and national security folks to track every iPhone, every iPad, every Apple watch, every Apple AirPod and every AirTag in real time.

Then they’ll be able to require Apple to confirm whether they provide you any services.

Then they can go to a justice of the peace and get an order – without actually believing that a crime has been or will be committed – requiring Apple to hand over EVERY device identifier for every device you use with their services. That’s the digital ID for your iPhone, iPad, Apple watch, Apple AirPod, Apple TV and AirTag.

With that information, they can go back to the judge and get an order – again without actually believing that a crime has been or will be committed – requiring Apple to give them the moment-by-moment locations of all your devices.

Oh, and that secret order also required Apple to keep your location history for a full year, so cops can get that too. Is that a power we want Canadian police and law enforcement to have?

For literal decades, Canadian law enforcement and national security folks – working through both liberal and conservative governments – have tried to give cops and spies easier access to information about Canadians, and to plug directly into our digital infrastructure to get access to data.

You might be thinking … “Didn’t we just do this?”

Yes, that’s true. [A summary of the previous attempts at “lawful access”: https://blog.privacylawyer.ca/2025/06/past-canadian-lawful-access-attempts.html.]

In 2005 Liberal PM Paul Martin’s Justice Minister Anne Maclellan introduced Bill C-74, called the “Modernization of Investigative Techniques Act”. It didn’t pass.

In 2009, Conservative prime minister Stephen Harper’s Minister Peter Van Loan introduced Bill C-47, renamed the “Technical Assistance for Law Enforcement in the 21st Century Act”. It also did not pass.

A couple of years later, in 2011 Conservative Stephen Harper’s Minister of Public Safety Vic Toews tabled Bill C-52 in Parliament. This attempt was called the “Investigating and Preventing Criminal Electronic Communications Act”. Shocker – It did not pass.

Apparently a sucker for punishment, Minister Vic Toews then tried another kick at the can the next year with Bill C-30, which was branded as the “Protecting Children from Internet Predators Act”. Yup, you guessed it – this did not pass.

Fast forward to 2025 … The very first substantial bill of the Prime Minister Mark Carney government was tabled by Public Safety Minister Gary Anandasangaree. That was Bill C-2 called the Strong Borders Act. Almost ten years dead, “lawful access” was pulled from its grave, crammed into Parts 14 and 15 of a border bill, only to be thrown back on the trash-heap. It never made it to committee because of the backlash over privacy.

I did a couple of episodes on how problematic Bill C-2 was. (Part 14 and Part 15.) It was universally panned and it was clear that it would not make it through the minority liberal parliament. Not to be deterred – but to his credit — the Minister of Public Safety went back to the drawing board to try to find a way to make it minimally palatable for it to make it through Parliament. Notably, the current parliament is not as “minority” as it was when Bill C-2 was introduced.

I’m going to go through the Bill to let you know what it contains and what it is supposed to do. I’ll try to highlight the differences between what was attempted earlier in Bill C-2 and the changes they’ve made for Bill C-22, and I’ll also talk about what’s different from the current status quo.

The bill is in two parts, which parallel Parts 14 and Parts 15 of Bill C-2, the Strong Borders Act. In going back to the drawing board, I think the government has largely fixed the big problems with what was Part 14 related to warrantless information demands and new production order powers. But I think that Part 2 is still a HUGE issue.

Part 1 is called “timely access to data and information”.

It contains some amendments to the general search warrant provisions of the criminal code to permit the examination of computer data in conjunction with the execution of a warrant when it's authorized by a judge. The status quo, as I understand it, would require the seizure of the computer, returning to court and then getting further authorization to search it. This creates a bit of a One-Stop shop. Criminal law practitioners may have more to say about this provision.

The rest of Part 1 largely deals with new information demands and production orders. I should note at the outset that all the new information demands and production orders are equally available to the Canadian Security Intelligence Service as they are to the police. I’m just going to go through each of them once, rather than dealing with the Criminal Code and CSIS Act amendments separately.

The first significant new power that the bill conveys on law enforcement and CSIS is something called a “confirmation of service demand”. Something similar was in Bill C-2, but this has been significantly scaled back. Essentially the new section 487.0121 will allow any police officer or any public officer to make a demand to a telecommunication service provider requiring them to confirm whether or not they provide or have provided telecommunication services to any subscriber or client. This could be done using the person's name, account identifier, IP address or telephone number.

Confirmation of service demand

487.‍0121 (1) A peace officer or public officer may make a demand in Form 5.‍0011 to a telecommunications service provider requiring them to confirm, within the time and in the manner specified in the demand, whether or not they provide or have provided telecommunication services to any subscriber or client, or to any account or identifier, specified in the demand.

The conditions for making the demand are actually quite low, being “reasonable grounds to suspect” that a federal offense has taken place and that the confirmation that is demanded will assist inthe investigation of the offense.

Conditions for making demand

(2) The peace officer or public officer may make the demand only if they have reasonable grounds to suspect that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the confirmation that is demanded will assist in the investigation of the offence.

The telecommunication service provider simply has to provide a yes or no answer. Do they or do they not provide services to that person or in relation to that identifier. This is MUCH better than what was in Bill C-2. The revised demand can only be presented to a telecommunications service provider. The Bill C-2 version could have been made to anyone who provides services to the public, including a doctor’s office or a law firm. The previous version would have required – without a warrant – producing information about the nature of the services and anybody else that the service provider knew who might also provide services to that person.

In Bill C-22, this is much more tailored and focused only on telecommunication service providers or TSPs.

I'm actually surprised that it doesn't include a requirement to confirm the municipality or location where the services are provided, because it's my understanding that a large part of the justification for this in the first place was so that not only would the police be able to determine whether this service provider is the right person to send a production order to, but also who is the local police of jurisdiction. On a daily basis, the RCMP in Ottawa receive international reports related to criminal activity in Canada, such as dissemination of child abuse imagery and that report only includes an IP address or account identifier. That information does not necessarily tell them who is the local police of jurisdiction to refer the file to. I guess the government was so sensitive to the pushback they received on Bill C-2, that they removed what seemed to be pretty innocuous information, which had a compelling justification.

While I think this is much improved, I am still very concerned that any peace officer or public officer who makes a demand is able to impose a non-disclosure condition for up to one year. That is a significant period of time. I would much prefer it if it was something short like 30 days, and the officer could go to court to get it extended.

Non-disclosure

(6) The peace officer or public officer who makes the demand may impose conditions in the demand prohibiting the disclosure of its existence or some or all of its contents for a period not greater than one year after the day on which the demand is made. The peace officer or public officer may impose the conditions only if they have reasonable grounds to believe that the disclosure during that period would jeopardize the conduct of the investigation of the offence to which the demand relates.

Not surprisingly, they have included in subsection (12), a provision that says a peace officer public officer can just ask a telecommunications service provider to voluntarily provide the confirmation, and this confirmation can be provided as long as the TSP is not prohibited by law from providing it. Then it goes on to say that the TSP that provides a confirmation in these circumstances does not incur any liability for doing so. The Bill has other, similar Safe Harbors for voluntary disclosure, but related to much more sensitive information.

Request for confirmation

(12) Despite subsection (1), no demand under that subsection is necessary for a peace officer or public officer to ask a telecommunications service provider to voluntarily provide the confirmation referred to in that subsection if the telecommunications service provider is not prohibited by law from providing it. A telecommunications service provider that provides a confirmation in those circumstances does not incur any criminal or civil liability for doing so.

The main feature in my view of Part 1 is a new “production order for subscriber information”.

Before we get into it, it's really important to note that the Criminal Code currently provides for something called a general production order by which a cop can go to a judge and if they have reasonable grounds to believe a crime has been committed or will be committed, they can get an order requiring a third party to produce records that are listed in the production order. On a daily basis, police seek and obtain subscriber information using these production orders. What is different here, mainly, is significantly lowering the threshold so that the officer only has to have reasonable grounds to suspect an offense has been committed. They don't even have to have reasonable grounds to believe it has been committed. They don’t even have to believe that a crime has been or will be committed.

Reasonable grounds to suspect doesn’t mean that they actually have to suspect a crime, it just means they have reasonable grounds that could make someone suspect a crime. This is extremely low.

So the new section 487.0142 says that on an ex parte application made by a peace officer or a public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

Production order — subscriber information

487.‍0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

Unlike the confirmation of service demand, this is not limited to telcos. This can involve anyone who provides services to the public. So this does include doctors offices, hotels, grocery stores and banks.

You will see that in subsection (2), it says that before making the order the Justice or judge must be satisfied by information on oath that there are reasonable grounds to suspect an offence has been or will be committed under the Criminal Code or any other Act of Parliament and the subscriber information is in the person's possession of control and will assist in the investigation of the offense.

Conditions for making order

(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.‍004 that there are reasonable grounds to suspect that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

You should also note that this is not limited to serious crimes. These powers can be used for any offence under federal law, such as offences under the National Parks Act, like sleeping outside of a campground.

It is also important to understand what is included in “subscriber information”, and I will note some of the differences from Bill C-2 to Bill C-22. The bill says:

subscriber information, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person, means

(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.

In Bill C-2, subscriber information included any information provided by the customer to the service provider in order to obtain the services. This could have included banking information and passwords. It could have included medical information. Remember, such an order can be directed to a medical clinic. When you go to a clinic for the first time, you fill out a pretty detailed form related to your medical history, and that would be in the category of “information provided by the customer in order to receive the services”. Thankfully, that has been removed. The definition of subscriber information is much more scaled-back in Bill C-22, but information about the “types of services provided” along with device and equipment identifiers can be sensitive information that goes beyond mere identifying a possible suspect. For many people, their internet service provider is also their cable TV provider. Do those “services” include premium pay-per-view access? Hmm? Scaled back but still a bit too far.

This new bill also includes quirky “foreign entity information requests”. These are kind of weird because what it amounts to is an application to court to get permission to make a request, which is voluntary, to a foreign entity that provides telecommunications services.

So what they end up with is a piece of paper asking an entity to voluntarily provide subscriber information. It is not an order requiring the entity to produce the information, but it does have judicial approval in Canada. This is intended to address the question of whether Canadian orders can be enforced outside of Canada, or more accurately avoid that question entirely. It should be applicable where voluntary disclosure can be obtained and where the service provider wants to be sure that there is some third-party judicial approval. It also should mean that whatever information is obtained can be used in a Canadian court, because Canadian police have been authorized by a judge to obtain it. Personally, I think this is a really clever solution for a real issue.

Subsection 4 of this provision says that the production request can be required to include information required by the foreign entity, the foreign state or any magic words that are required by an international agreement or arrangement to which Canada and the foreign state are parties.

Earlier I mentioned the gag orders that can accompany a confirmation of service demand. Part 1 also amends the existing section 487.0191 of the Criminal Code to authorize a judge, on an ex parte application, to issue a gag order related to confirmation of service demands.

Part 1 of Bill C-22 also affects the scheme for judicial review of production orders generally, not just this new production order for subscriber information. It compresses the timeline during which the recipient of a production order is able to seek judicial review, in order to have it modified or revoked. That deadline will be “within 10 business days after the day on which the order was received”. In Bill C-2, it was way shorter – five days after the order was issued – and actually seemed to be designed to prevent the judicial review of production orders. I have seen production orders served more than five days after they are issued, so it would be too late by the time you received it. Ten business days is still pretty short, but much more reasonable than what was in the Strong Borders Act.

Part 1 of Bill C-22 also tweaks the existing provisions in the Criminal Code related to voluntary disclosure of information from any person to the police or a public officer. It says that documents or information can be provided voluntarily and it also says that no person incurs any criminal or civil liability for doing so.

For greater certainty

487.‍0195 (1) For greater certainty, no preservation demand, preservation order, keep account open or active order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving, to voluntarily keep an account open or active that the person is not prohibited by law from keeping open or active or to voluntarily provide a document or information to the officer that the person is not prohibited by law from disclosing.

No civil or criminal liability

(2) A person who preserves data, keeps an account open or active or provides a document or information in those circumstances does not incur any criminal or civil liability for doing so.

It's kind of extra weird because subsection (1) says “hey you can voluntarily provide it if a law doesn't prohibit you from voluntarily providing it”. Then subsection (2) says if you provide it, you will have no criminal or civil liability. If no law prevented them from providing it, why do they need immunity from criminal or civil liability?

This actually does NOT fix the issue that arose in the Supreme Court of Canada case of R v. Bycovets. In that case, a payment service processor voluntarily provided IP address information related to suspected fraudulent transactions, and the Supreme Court of Canada said that the police were not able to use that information or even obtain it without a production order. This does nothing to address that issue. The Bykovets issue is still there.

We then have a new subsection (3) that says:

For greater certainty, no production order or warrant, or confirmation of service demand made under section 487.‍0121, is necessary for a peace officer or public officer to receive any information from a person or a telecommunications service provider, as the case may be, who is lawfully in possession of it, and to act on the information, if the person, without being asked for it, provides it voluntarily or is required by law, including a law of a foreign state, to provide it.

There’s also a new subsection (4), which says:

This seems pretty similar to what was included in Bill C-2, and received a lot of criticism. A number of smart folks were very concerned that hacked information and data leaks are included in what would be considered information that is available to the public. Should the police have the ability to exploit data that became public unlawfully? But here they can use it willy-nilly. I share this concern.

Bill C-22 also amends the current provision in the Criminal Code related to what are called “exigent circumstances”. Police can search and demand a whole range of data without a warrant or a court order if the conditions for obtaining an order exist, but by reason of exigent circumstances it would be impracticable to obtain an order. It is not all that new, but just extends the authorities to include the new production order powers.

487.‍11 A peace officer or public officer may, in the course of their duties,

(a) exercise any of the powers described in section 487 [search warrants], 492.‍1 [tracking warrants] or 492.‍2 [transmission data recorder] without a warrant if the conditions for obtaining a warrant exist but by reason of exigent circumstances it would be impracticable to obtain a warrant; or

(b) seize any subscriber information that may be the subject of an order made under subsection 487.‍0142(1) [subscriber information] or any data that may be the subject of an order made under subsection 487.‍016(1) [transmission data] or 487.‍017(1) [tracking data] if the conditions for obtaining an order exist but by reason of exigent circumstances it would be impracticable to obtain an order.

We will see that tracking things and tracking people is a theme of this bill. Bill C-22 adds a new subsection to section 492.1 related to tracking orders. These are orders that are obtained from a judge authorizing a police officer or a public officer to obtain tracking data related to a person or a thing. Subsection (2.1) is being added to permit an authorization to track other things that might be associated with a person where that thing might not have been known to the officer at the time.

Tracking similar things

(2.‍1) A justice or judge who authorizes a peace officer or public officer to obtain tracking data that relates to the location of a thing that a person uses, carries or wears may, in the warrant, authorize the peace officer or public officer to obtain tracking data that relates to the location of any similar thing that is unknown at the time the warrant is issued if the justice or judge is satisfied that there are reasonable grounds to suspect that the person will use, carry or wear that similar thing.

Scope of warrant

(3) The warrant authorizes the peace officer or public officer, or a person acting under their direction, to install, activate, use, maintain, monitor and remove the tracking device, including covertly. The warrant also authorizes a person acting under the direction of the peace officer or public officer to obtain the tracking data that is authorized to be obtained under the warrant.

I can imagine this would include getting an order to track somebody's vehicle, and to add on authority to track their phone and maybe their smartwatch. Subsection (3) is also amended to say that an officer can authorize somebody else to obtain the tracking data authorized to be obtained under the warrant.

Parallel amendments are made to the similar Criminal Code provisions related to transmission data warrants.

So that's largely what is in Part 1 of the new Lawful Access Act, 2026. As you can see, while there are some things to quibble over, it is a significant improvement from what was in Part 14 of the Strong Borders Act.

Now we are going to look at Part 2, which I think is and remains a huge problem. The outcry associated with the Strong Borders Act was principally focused on warrantless information demands and overbroad subscriber information orders. In a lot of the debate and discussion, Part 15 of that Bill was largely ignored. I really hope that the equivalent of that Part in Bill C-22 gets as much attention as it deserves.

Currently the cops can go to a judge and get a wiretap order to intercept the communications of a suspect in real time. They can go to a judge to get an order for just about any data that currently exists.

What the cops are generally complaining about is that there isn’t a consistent interface for them to plug into and get the data among all the telcos out there. I can see that kind of sucks.

But what they’re not emphasizing is that Part 2 of Bill C-22 will likely require telcos, AND cloud providers, AND social media companies, AND ai chatbots, AND VPN services, AND chat services and the like to build in not only the capability for Canadian police to plug directly in, but Part 2 will also require them to build in additional surveillance tools and collection capabilities that go well beyond what data the company actually needs to provide you with services.

I lived in Romania just after the fall of the Iron Curtain. It was purported that the state security police had the capability to turn any landline telephone into a room bug with the flip of a remote switch. Part 2 of Bill C-22 could permit a secret order directed at telcos to create this capability. The Minister of Public Safety could order Samsung to turn your smart fridge into a listening device. The same with your Smart TV or Smart speakers. I find that worrisome.

So let’s talk about specifically what is in Part 2 of Bill C-22.

Part 2 creates a new standalone statute called the Supporting Authorized Access to Information Act or SAAIA. Section 3 sets out its purpose:

3 The purpose of this Act is to ensure that electronic service providers can facilitate the exercise of authorities to access information that are conferred on authorized persons.

The Supporting Authorized Access to Information Act has “electronic service providers” in its crosshairs. It is therefore really important to understand what an electronic service provider is. ESP is defined in the bill, as is an electronic service.

electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that

(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada.‍

electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.‍

The categories of core providers are to listed in the schedule to the Act, which is currently blank, not surprisingly. So these core providers are going to be subject to a number of obligations that will be set out in the regulations. Subsection (2) describes these obligations, but note the use of the word “including” which means that the regulations and the obligations can go well beyond what is listed in subsections (a) through (d).

(a) the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;

This is essentially a requirement to build in the operational and technical capabilities to enable access to information on the core provider’s infrastructure or within their systems.

(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information;

This can require core providers to install particular devices or equipment on their infrastructure.

(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b); and

It’s not yet clear what these notices are all about ….

(d) the retention of categories of metadata — including transmission data, as defined in section 487.‍011 of the Criminal Code — for reasonable periods of time not exceeding one year.

The requirement to retain metadata was NOT in Bill C-2, the Strong Borders Act. This is very concerning. There are some small protections about this, in subsection (4). That says:

(4) Paragraph (2)‍(d) does not authorize the making of regulations that require core providers to retain information that would reveal

(a) the content — that is to say the substance, meaning or purpose — of information transmitted in the course of an electronic service;

(b) a person’s web browsing history; or

(a) the benefits of the regulation to the administration of justice, in particular to investigations under the Criminal Code, and to the exercise of powers and the performance of duties and functions under the Canadian Security Intelligence Service Act;

(b) the feasibility of compliance with the regulation for the core providers;

(d) the potential impact of the regulation on the persons to whom the core providers provide services;

(e) the potential impact of the regulation on privacy protection and cybersecurity; and

(f) any other factor that the Governor in Council considers relevant.

There is another bit of small comfort in subsection (5) which says

(5) A core provider is not required to comply with a provision of a regulation made under subsection (2), with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.

Of course, this turns on what is a “systemic vulnerability”, which is defined in the bill:

systemic vulnerability means a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.‍

electronic protection means authentication, encryption and any other prescribed type of data protection.‍

The only real protection introduced since the Strong Borders Act is in subsection (2), which says that these secret orders must be approved by the Commissioner designated under the Intelligence Commissioner Act. I think this is a real protection, principally because the intelligence commissioner has to be a former Superior Court judge who would have spent a career dealing with criminal law matters and Charter rights. He is currently entrusted with approving certain National Security orders as a form of semi-judicial oversight. This is, in my view, real progress.

And subsection (5) has a parallel provision saying that

(5) The electronic service provider is not required to comply with a provision of the order, with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.

14 (1) On request made by the Minister, an electronic service provider must provide all reasonable assistance to a person or class of persons specified in the request to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.

Persons to be assisted

(2) Only the following persons or classes of persons may receive assistance:

(a) the Minister;

(b) an employee of the Canadian Security Intelligence Service;

(c) a person appointed or employed under Part I of the Royal Canadian Mounted Police Act or a civilian employee referred to in section 10 of that Act;

(d) a civilian employee of another police force;

(e) a peace officer, as defined in section 2 of the Criminal Code.

There is some protection in subsection (4) so that “the assessment or testing must not have the effect of granting access to personal information.”

This is draconian, overbroad and frankly offensive. There’s no requirement that the Minister be satisfied that disclosure of this information would be harmful to law enforcement or to national security. There is no sunset and no means by which an ESP can challenge the gag order if they think it’s in the public interest to disclose the information. I am not sure that this provision, on its own, would survive a Charter challenge. It also means that a foreign company can’t advise their own government that they are subject to an order.

Section 18 allows the government to make a range of regulations related to confidentiality and security. These are scaled back from the absurd scope anticipated in the Strong Borders Act. There are security and confidentiality rules for judicial proceedings provided for in subsection (b). Subsections (c) and (d) authorize regulations related to ESP employees and contractors involved with law enforcement and national security access to information, including security clearances and where they are located, and where facilities are located. As I understand it, most American service providers run this function from the US and I’m sure they will not be interested in moving that to Canada or having their employees subject to Canadian security clearances. I would imagine that some companies will just decide to not do business in Canada.

Part 2 also contains a whole regulatory oversight structure, with inspections, audits and penalties. I’m not going to get into that today.

This is what’s coming to Canada …

CSIS cannot track a cellphone

CSIS is trying to determine the movements of a terrorist group and has received a warrant to track a person of interest’s cellphone. The electronic service provider did not have the necessary capabilities to track the device because they are not required to. As a result, CSIS had to resort to costly and risky in-person surveillance.

With C-22: The GIC will have the authority to make regulations requiring that ESPs develop and maintain location tracking capabilities that are standard in Europe and among the Five Eyes.

First of all, I don’t really care what they are doing in the other Five Eyes. Essentially, the UK, Australia and New Zealand don’t have a Charter of Rights and Freedoms and their surveillance laws reflect that. And the law doesn’t we’ll just do what they do in “Europe and among the Five Eyes.” I bet the Chinese security services have this capability.

The second example is equally sympathetic, but shows that the government wants everyone to be carrying a tracking device:

Police cannot consistently obtain location information

An at-risk 16-year-old girl was reported missing. She had already been missing for 10 days when she made an emergency call. The telecommunications provider was able to confirm the call and the tower used to make the call but could not provide the last known location of the phone before it was disconnected since they are not required to have that capability.

With C-22: Core providers would be required to maintain accurate and consistent localization capabilities across the country.

I expect I’ll probably have more to say about this as Bill C-22 works its way through Parliament. I will reiterate that I’m glad the government largely went back to the drawing board and largely fixed Part 1. Part 2 is better than it was before, but I don’t think it should be passed in its current form. It is wildly problematic.

PIPEDA: Canadian Privacy Law 101 - a primer on the privacy law that regulates businesses in Canada

2026-03-04T09:25:00.001-04:00

An overview of privacy law that regulates private sector businesses in Canada (or those outside of the country who deal with personal information of Canadians): the Personal Information Protection and Electronic Documents Act (PIPEDA).

Introduction

Today I'm going to be talking about Canadian privacy law—a bit of a primer on the subject that will hopefully be useful for a range of folks.

This is intended to be general information, an overview, and a primer. This is a complicated area of the law, and it's one that is changing regularly and one that is really primed to change again in a significant way.

Look at the date on this; the information may become out of date relatively quickly. We expect that there will be a new bill presented in Parliament to completely replace our current federal privacy law. So you might ask “why do an overview of a law that’s on its way out?” Well, even if we do get a new privacy bill in the spring of 2026 and it passes, I expect it’ll be years before it is fully implemented.

And any new law will likely be very similar, a least in many significant ways.

So, what I'm going to talk about is why Canada has so many privacy laws to begin with. Then I'm going to focus specifically on Canada's federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Within that, I'm going to talk about some key concepts that are contained in the legislation. I'll talk about the 10 principles that PIPEDA, the federal privacy law, includes. I'm going to talk about how the legislation is enforced, and then I'm going to finally talk about data breach notification as it exists in the Personal Information Protection and Electronic Documents Act. Throughout, I’ll touch on some of the similarities and differences between our various privacy laws.

The Canadian Privacy Landscape

So, what's the current privacy law landscape in Canada? Well, we have a mosaic of privacy laws, or you could even say we have a mess of privacy laws. Canada is a federal country, and unfortunately, I’ll have to talk a bit about federalism.

But across the country from coast to coast to coast, pretty well all government activity is subject to one form of privacy law or another. All private businesses operating in Canada are subject to a variety of privacy laws. The healthcare sector is subject to privacy laws in varying ways in different provinces. And the private sector workplace is really not subject to much regulation other than what's called a federal work undertaking (your business within federal jurisdiction) or private sector workplaces in British Columbia, Alberta, and Quebec.

Canada is a federal country. We have a federal government, and we have provinces and we have territories. And the Canadian Constitution gives certain jurisdictions, or certain forms of jurisdictions, certain powers. So it's divided between the federal government and the provinces. The territories are within federal jurisdiction.

Within our constitution, provinces have exclusive jurisdiction to legislate over what's called "property and civil rights," and this generally includes privacy. And so the provincial governments have exclusive jurisdiction over privacy when it's a matter of property or civil rights. The federal government has jurisdiction over something called "general trade and commerce," which is actually less general than you might think it is. And the federal parliament also has jurisdiction over federal works, undertakings, or businesses. Those are telecommunications companies, federally chartered banks, airlines, inter-provincial works, and things like that.

Only the provinces can pass “true” privacy laws, but the federal government can regulate how businesses manage personal information. So what we end up with is overlapping or potentially overlapping jurisdiction for privacy.

In Canada, we don't have federal supremacy where the existence of a federal law will automatically override a similar or identical provincial law. So we have a situation where the federal government has jurisdiction over certain things, and privacy can be characterized as a matter of regulating the general trade and commerce in Canada, and provinces have jurisdiction over privacy as a matter of property and civil rights. And so the two have to find a way to co-exist. It's not that elegant, but generally, it works in Canada.

Each provincial and federal government can clearly regulate themselves—there's no doubt about that under the Canadian Constitution. And the provincial public sector also includes what we sometimes call the MUSH sector: Municipalities, Universities, Schools, and Hospitals. So provincial and federal governments and their Crown corporations, for example, and their agencies are subject to federal or provincial public sector privacy laws.

Some provinces have specific statutes for the health sector, and I'm not going to get into that too much.

At least in the private sector, we have a possibility of overlapping and contradictory jurisdiction since the provinces can regulate privacy as a matter of civil rights, and the federal government can regulate how businesses collect, use and disclose personal information. When the federal Personal Information Protection and Electronic Documents Act was passed, only one province – Quebec – already had a private sector privacy law. Quebec is very protective of its jurisdiction, so to try to avoid fights, the federal parliament built in a mechanism by which the federal government could cede jurisdiction for privacy in a province that has a substantially similar law.

Currently, Quebec, Alberta and British Columbia have general private sector privacy laws that are deemed to be substantially similar, so the federal law does not apply in those provinces where the provincial law applies. The same has been done for a number of health privacy laws, like the ones in Ontario, Nova Scotia, New Brunswick, Prince Edward Island, and Newfoundland and Labrador.

Development of PIPEDA and the CSA Model Code

Though we could have just looked at the European Data Protection Directive that was enacted in 1995, Canada did its own "made in Canada" solution. In the 1990s, the Canadian Standards Association (CSA), which sets standards for electrical devices and business processes, did a very broad consultation and came up with what was intended to be a self-regulatory code for privacy in Canada. It’s called the Canadian Standards Association Model Code for the Protection of Personal Information. This was adopted in 1996 as a national standard of Canada.

Importantly, it was developed with a wide range of consultations across a large number of industries. There was also general consensus that it was pretty good. If you have an international background in privacy, you'll see that it has a significant kind of overlap and echoes of the OECD guidelines from the Organization for Economic Cooperation and Development. Now the OECD guidelines have eight guidelines; the CSA model code has 10 general principles. I'm going to go through each of those 10 principles and talk about how they're implemented within Canada.

So how was PIPEDA developed? In the 1990s, when the government of Canada wanted to use the general trade and commerce power to implement a privacy law. Rather than coming up with one from scratch or poaching the European Data Protection Directive, the then federal government just decided to implement the CSA model code. We have this great code, there’s a lot of consensus around it and we want to come with a privacy law. Why look further afield?

And so PIPEDA is an unusual statute in a bunch of ways. It has two parts: one part related to personal information protection, the second part related to electronic documents. Essentially, the “Personal Information Protection Act” and the “Electronic Documents Act”, but they jammed them both into one Act. Part one covers privacy, but they slapped the CAS Model Code for the Protection of Personal Information onto the back of it, and says that those organizations that are subject to these rules have to follow the CSA model code.

Now there are quite a few exceptions. The legislation has also been updated a couple of times. The most significant revamp was with the Digital Privacy Act a number of years ago, which put in place data breach notification requirements that I'm going to talk about later on, and also implemented an exception to the consent rule related to certain kinds of business transactions.

Now PIPEDA was designed to be adequate for the purposes of the European Data Protection Directive for cross-border data transfers out of Europe. Even though PIPEDA is really, really old, its adequacy was just renewed in January of 2024.

Key Concepts: Commercial Activity and Personal Information

So how does PIPEDA work? What organizations and activities does it apply to?

A key concept that one needs to understand in order to understand PIPEDA and how it works is the concept of "commercial activity". PIPEDA is based on the general trade and commerce power that the federal government has over within the Canadian Constitution. And PIPEDA was designed to go as far as federal jurisdiction would permit it to do. So PIPEDA applies to the collection, use, and disclosure of personal information in the course of commercial activity. It also applies to workplaces and employee personal information but only for federal works, undertakings, and businesses. Those are the kinds of enterprises that are within exclusive federal jurisdiction. (Think airlines, federally chartered banks, telecommunications and the like.)

We also have to talk about a key concept called "personal information". The statute is all about personal information. If you're not talking about personal information, this statute does not regulate it. And personal information, in short, means any information about an identifiable individual, excluding certain business contact information when that business contact information is used to contact an individual in their business role. But it's a very broad definition, so it's any information related to an identifiable individual. So if you can identify the individual from that information, it is going to be personal information.

If it's reasonable that you could identify an individual from that information, or you could correlate that information to an individual, it will also be considered to be personal information. And so that clearly includes somebody's name, their address, their income, health information, demographics, Social Insurance Number, their image, their photograph, biometrics, and things like that. So it's quite a broad definition. If information is adequately anonymized so there's no reasonable possibility of connecting it to an individual, then it would be out of scope of the legislation and the law would not apply to it.

Now an important thing—and this mainly comes up with dealing with American companies and American lawyers—is that whether information is personal information and therefore subject to regulation doesn't matter whether it's "private" information. It doesn't matter whether that information is publicly known or publicly shared. It really has nothing to do with your expectation of privacy in that information. If it is information about an identifiable individual, it is in scope of the legislation and regulated. There may be some consent exceptions related to publicly available information, but those actually seldom come into play because they’re so narrowly tailored.

PIPEDA also has a baseline "reasonableness" requirement. So an organization can only collect, use, or disclose personal information for purposes that a reasonable person would consider are appropriate in the circumstances. And that’s regardless of whether there’s consent.

This provision was seldom used until recent Privacy Commissioners started to look more closely at whether or not the purposes for which certain businesses collect, use, or disclose personal information are reasonable. They sometimes call these “no go zones”. Again, if the purposes are not reasonable, it does not matter whether you have the individual's consent; this is an absolute kind of guardrail sort of provision. Now of course, what is reasonable in the circumstances could differ significantly from one person's point of view to another, and I draw the line in a different place than the Commissioner often does, but this has to be understood as a baseline principle.

The 10 Principles of the CSA Model Code

Recall that the law essentially says: “Behold the CSA Model Code! If you’re engaged in commercial activity, thou shalt follow it!”

Now all 10 principles can be found to greater or lesser degrees in all privacy laws in Canada. Also in the Privacy Act, which regulates the federal government and its agencies. So the CSA model code has 10 principles, and I'm going to walk through all 10 and talk about how they are implemented within the Canadian PIPEDA framework.

Principle 1: Accountability

The first principle is called accountability.

This says an organization is responsible for personal information under its control and has to designate an individual or individuals who are accountable for the organization's compliance with the 10 principles of the CSA model code. That doesn't mean that that individual or those individuals are personally liable. They’re not the folks who get arrested by the privacy cops in dawn raids.

But what it means is that an organization has to appoint a privacy officer. There has to be somebody or a group of somebodies who are responsible within the organization for making sure that these rules are followed, so there's internal accountability. The Code doesn’t say they have to have a particular title, but they’re generally also the privacy spokesperson for the organization, the liaison for customers, and the person who deals with our privacy regulators if necessary.

What it also means is that the organization remains accountable for personal information that it has collected, used, or disclosed, even if it transfers that information to another party to handle it on its behalf.

This is similar to the notion of "controllers" and "processors" in Europe. We do not use the exact same language, but the principle is applicable. If you are the organization that is facing the customer and you have collected personal information from that customer for your purposes, and then you give it to a contractor to manage on your behalf, the first organization remains legally responsible for it and has to make sure that there are contracts in place with their service providers so that the contractors will handle it only on their behalf and will do all the necessary things to remain compliant with the law.

If the contractor screws up, the responsibility remains with the original organization. You can’t contract out of ultimate responsibility under Canadian privacy law.

There is a very important distinction between a "transfer" and a "disclosure". An organization can transfer personal information to a contractor without consent where the contractor is only going to use it as a processor on behalf of the original organization. If it is shared with another organization so that the recipient organization can use it for their own purposes, then that’s a disclosure. A disclosure requires consent, and the company that gets the personal information becomes legally responsible for managing it and protecting it.

Principle 2: Identifying Purposes

The second principle is called identifying purposes. I think this is one of the most important of the ten principles.

The CSA model code says the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. This has two parts:

(1) the organization has to identify – and hopefully document – what it proposes to do with the personal information; and
(2) the organization has to communicate those purposes to the individual before it collects their personal information.

And it really should be noted that privacy policies seldom satisfy this requirement. Because the purposes have to be identified to the individual at or before the time the information is collected, just having a privacy policy on your website does not provide any assurance that the customer or the individual has read, understands, or knows what those purposes are.

One exception may be, for example, on account creation where an individual is required to flip through the privacy statement prior to creating an account and then clicks "I agree".

So what this means in practice is that every organization has to document internally what are all the purposes for which they collect, use, or disclose personal information. Those documented purposes have to be communicated to the individual at or before the time the personal information is collected. Now that can be done orally or it can be done in writing, but the important thing is that it has to be done.

And employees who collect personal information on behalf of a company need to be able to explain the purposes to individuals. This information needs to be provided in a manner that you could have some reasonable confidence that they understand what those purposes are, they understand what it is that they're agreeing to.

Principle 3: Consent

Principle 2 is linked very closely with Principle 3. Principle 3 is the consent principle, and this says the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Now notice that I've struck that out—"except where inappropriate" no longer applies. The only exceptions to the consent rule are contained in the statute itself in Section 7.

That may have made some sense when the CSA Model Code was designed to be a voluntary code and the organization could determine when it was not appropriate. But under PIPEDA, organizations don't get to choose whether or not it's inappropriate to seek consent. Consent is the only basis upon which personal information is collected, used, or disclosed, unless those exceptions apply. And those exceptions are significant outliers.

So unlike in Europe where there are other grounds for processing personal information in the private sector, consent is the principle that is at play in Canada.

This consent has to be informed consent; that’s why Principle 2 (identifying purposes) is so important. The individual has to be told at or before the time the information is collected what the purposes are for the collection, use, or disclosure of personal information. And those “purposes” are the parameters for the consent obtained.

The principle also says that the form of the consent is going to be dependent upon the sensitivity of the information. So the more sensitive the information, the greater the burden of consent. Expectations also come into play. If the consumer expects you to use it for the obvious purposes, consent can be implied.

So you can have opt-out consent where the information is really not sensitive. Opt-in consent would be preferred in most cases. If you're dealing with sensitive information—health information, information about somebody's intimate life or family life or things like that—you would want to make sure that they expressly agree that their information can be collected, used, or disclosed for that purpose.

Written consent should be used in a range of cases, particularly where you’re going to want a record of the consent and a clear record of what was consented to.

This principle also says you cannot require that an individual consent to a collection, use, or disclosure of personal information that's not necessary to fulfill the explicitly stated and legitimate purposes.

Individuals can withdraw consent. This is similar to the European "right of erasure" but not identical. So an individual can withdraw consent at any time, but the organization has the obligation of telling the individual what are the consequences of that withdrawal of consent. For example, the organization might not be able to provide services to the individual if the individual does not consent to the collection, use, and disclosure of personal information that's necessary for the provision of those services.

And the consent of an individual is only valid if it is reasonable to expect that the individual would understand the nature, purposes, and consequences of the collection, use, or disclosure of the personal information to which they're consenting. This highlights the importance of being clear to the individual what those purposes are and having confidence that the individual does in fact understand what those purposes are.

Principle 4: Limiting Collection

Principle 4 is closely aligned with Principle 5, and both of them link back to Principle 2 of identifying the purposes. So Principle 4 says the collection of personal information shall be limited by that which is necessary for the purposes identified by the organization.

So you can only collect personal information that's reasonably necessary for the purposes that you've identified. You cannot collect any more personal information if it's not reasonably necessary for those purposes. And information shall be collected by fair and lawful means, so no use of deceit or trickery or anything else like that.

Note again, this loops back to the purposes identified in Principle 2. Those purposes set the guardrails.

Principle 5: Limiting Use, Disclosure, and Retention

And then Principle 5 leads us to: “you can only use personal information or disclose personal information for the purposes that have been identified.” Again, so much of this comes back to clearly identifying the purposes to the individual. And those purposes create significant guardrails around that information. That information cannot be used for any other purpose unless you go back to the individual, you identify the new purposes, and you get new consent for that.

There's also a requirement to limit the retention of personal information. Personal information shall only be retained as long as is necessary for the fulfillment of those purposes. So the organization needs to clearly document what the purposes are and what the lifecycle of the data is.

The law doesn’t specifically say you need a written document retention plan, but you really should have one. When it is no longer necessary for the purposes that are identified, that information has to be destroyed. Notably, it also says it can be made anonymous; if it's made anonymous, then it's no longer personal information and no longer subject to the legislation.

Principle 6: Accuracy

Principle 6 is the accuracy principle, and this says that personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. And so again, it ties back to the purposes that have been identified to the individual.

This principle really only comes into play when personal information is used to make a decision about somebody. And so an organization needs to make sure that the information is as accurate as it needs to be for those purposes, probably taking into account what are the consequences of that decision to the individual. But information should not routinely be updated "just because".

Principle 7: Safeguards

Principle 7 is a key principle, it's entitled "Safeguards". Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. And it goes on to say that personal information must be protected from many threats: loss, theft, unauthorized access, unauthorized disclosure, copying, use, modification. And this obligation exists regardless of the format in which it is held.

Now you'll note that this is principles-based. This requires an organization to use safeguards that are reasonable and appropriate in light of the sensitivity of the information. So we don't have prescriptive rules that say this sort of information must be encrypted or this sort of information must be kept under lock and key.

This is designed to be technologically neutral and so that it would survive over time. So this was written in the late 1990s, became law in 2001, and so what are “reasonable safeguards” now would differ substantially from what would be reasonable safeguards in 2001. It's intended to be flexible and fluid.

What I generally tell my clients is that you need to implement at least the "state of the art" of security safeguards that are prevalent in your industry—not just in Canada, but also look internationally. And try to do one better than that.

This doesn't require a standard of perfection. The safeguards need to be reasonable and appropriate in the circumstances. A company is NOT expected to spend a million dollars to protect a hundred dollars worth of personal information. And as information technology systems get more complicated, safeguarding that information gets more complicated and more difficult.

Principle 8: Openness

Principle 8 is called openness. An organization shall make readily available to individuals specific information about its policies and practices related to its management of personal information. So this essentially means the organization has to have a privacy policy. The privacy policy is not about identifying the purposes in order to get consent; the privacy policy is in order for the organization to be open and transparent.

That privacy policy has to have contact information for the privacy officer—doesn't have to name them, but has to have the contact information. It has to tell the individual how they can exercise their access rights.

It has to educate the individual with the general account of what personal information the organization routinely collects, uses, and discloses, and how it is used. This can be done through brochures or through the website or other things like that. And the organization also has to let the consumer know what personal information is made available to related organizations.

The Privacy Commissioner Canada has also said the privacy statement should include information about what personal information may be stored outside of Canada, transferred outside of Canada, or accessed from outside of Canada. That is not in the statute, but that certainly is a best practice. The Alberta and Quebec privacy laws make those disclosures mandatory.

Principle 9: Individual Access

Principle 9 is individual access. So upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. In that process, an individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. So this is a data subject access right. The organization has to respond within 30 days.

And the organization needs to let the individual know to whom their information may have been disclosed. So organizations effectively have to keep a record of how they use personal information and to whom it's been disclosed.

This access should be at minimal or at no charge, and the information provided needs to be comprehensible to the individual, so abbreviations and technical terms may need to be explained.

There are some limitations and some exceptions to this access right, such as confidential business information, third party personal information and information that is privileged.

What is interesting is that this right is not exercised as often as you think it might be in Canada.

Principle 10: Challenging Compliance

The final principle is called challenging compliance. And this says an individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals who are accountable for the organization's compliance.

This is just common sense. The organization will want to hear complaints first before the individual goes to the regulator. The organization will probably want to have an opportunity to address them and to fix them before an individual chooses a more formal path of recourse. And must have a method to receive complaints, address them properly, and need to let the individual know that they have a right to complain to the appropriate authority.

Enforcement Powers

So now I'm going to talk about enforcement powers under Canadian privacy laws. The Personal Information Protection and Electronic Documents Act is overseen by the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Canada, sometimes referred to as the OPC.

The Privacy Commissioner of Canada is an ombudsman. The Commissioner doesn't have the ability to levy fines or issue orders. Only the Federal Court of Canada can issue orders or award damages. What the Commissioner does is the Commissioner deals with complaints first and foremost. Any individual can send a written complaint to the Privacy Commissioner of Canada. The Commissioner can also initiate complaints of his own accord.

I should note that the Alberta, British Columbia and Quebec Privacy Commissioners can issue orders, and the Quebec commissioner also has considerable financial penalty powers.

But back to the federal Commissioner: After a complaint is received, the Commissioner investigates the complaint, and there's minimal involvement on the part of the complainant in most cases.

During that investigation, the Commissioner has very strong powers. So for example, the Commissioner can compel evidence, can issue essentially subpoenas, can administer oaths, and accept evidence under oath. The Commissioner can also accept and review evidence that ordinarily would not be admissible in court. The Commissioner can also enter any premises other than a dwelling and review any documents in there.

So far we've never had any "dawn raids" by the Privacy Commissioner of Canada. I don't think that any of these particularly intrusive powers have ever been used until relatively recently. It's always been my experience in speaking for myself and speaking with colleagues that those who are the subject of the complaint tend to cooperate, at least in the course of the investigation.

The end product of the investigation is a report. It's called a Report of Findings. The Commissioner has to issue a Report of Findings with respect to an investigation within one year from the day the complaint is filed. Now in my experience, that's seldom the case; they usually take more than a year. But that may reflect the complexity of cases that I generally deal with.

The finding says here’s what the Commissioner found, essentially. Here's what the person complained about, here is what I investigated, here is what I found.

If the Commissioner found non-compliance, the report will include recommendations, and those recommendations will generally be communicated to the organization in the course of the investigation, so the organization can implement those prior to the conclusion of the investigation.

Though the Commissioner does not have order making powers nor can he levy penalties, the "naming and shaming" is a significant incentive for businesses to cooperate. Some of the findings are published—but not all. And for high-profile investigations, particularly those involving large American tech companies, there tends to be a lot of fanfare that goes along with the issuance of a report of findings, including press conferences and things like that.

Many organizations do not want to be the subject of naming and shaming like this, so will do what they can to be compliant to ultimately resolve the complaint to the satisfaction of the complainant and the Commissioner.

Those findings will fit into a number of categories:

Not well-founded: which means that the complaint was not made out, the Commissioner did not find any violations of Canadian privacy laws.
Well-founded and resolved: meaning that ultimately there was an issue, but it was resolved in the course of the investigation.
Well-founded and conditionally resolved: so the organization has been asked to report back with changes that it has made over a medium-term or longer-term.
Well-founded and unresolved: and those are relatively rare.

Organizations tend to want to resolve the matter during the investigation stage. And if it's unresolved, then the Commissioner can in fact take the organization to court, or the complainant can.

Court Hearings

Court hearings are essentially where the enforcement rubber hits the road. Some people suggest that the Commissioner's lack of an ability to issue fines or issue orders is a bug with the legislation, and the process of going to court is somewhat cumbersome. I tend to think it's more of a feature that, when it comes to these sorts of measures, it's best reserved to a court, particularly where the resolution turns on the interpretation of the statute.

In these court hearings, a complainant—but not the organization—can start an application in our federal court for a hearing. And it is notable that the organization does not have any automatic ability to take the Commissioner to court to have the Commissioner’s report reviewed or appealed or overturned.

In fact, what happens in court is not an appeal at all; it's what's called a de novo proceeding. The court starts from scratch. The Commissioner might be a party with the cooperation of the complainant. It may in fact be the Commissioner who's carrying the bag on all of it in going to court, but it's not a review of the Commissioner's finding; they start from scratch. And this can only be done once the report from the Privacy Commissioner has been finalized and delivered.

There is a way to get into court in the course of an investigation on something called a "judicial review" if there are jurisdictional issues or other things that might need to be considered by the court, but generally, it's only after the report of findings is issued.

Perhaps not surprisingly, the court has pretty broad remedial powers—that's what courts do. The courts are empowered to order the organization to correct their practices in order to comply with the provisions of the act. Can also require the organization to publish a notice of actions that they have taken in order to correct their practices—so, I guess, a "double naming and shaming". And finally, the court can award damages, including damages for humiliation that the complainant might have suffered.

It should be noted that there is no mechanism through PIPEDA for a class action to be brought within this process. You have an individual complainant, you have the Privacy Commissioner, and you have a case before a judge.

Commissioner Audits

The Commissioner also has the power to audit organizations.

The Commissioner can initiate one of these if, on reasonable grounds, the Commissioner believes the organization is contravening a provision of Division 1 or Schedule 1 of the act. And during the course of an audit, the Commissioner has pretty well the same powers that the Commissioner has in an investigation: take evidence, enforce attendance, and have the powers of a superior court of record. He can enter any premises other than a dwelling house, examine any records or extracts of records.

To my knowledge, the federal Privacy Commissioner of Canada has not initiated any audits of any private businesses. The Commissioner has, at least on one occasion, requested that the organization obtain a third-party audit and provide the report of that audit to the Commissioner. But the Commissioner would not be able to order that.

As I understand it, the Commissioner doesn't feel that their office has sufficient resources in order to go about auditing organizations. One thing that they have asked Parliament for is a power to order audits of organizations and their information handling practices.

So the key “stick” that the Commissioner actually has is this power of publicity. Because within the act, the Commissioner is specifically empowered to make public any information related to the personal information management practices of an organization if the Commissioner considers that it's in the public interest to do so.

Data Breach Notification

In 2015, Parliament amended PIPEDA to bring in data breach notification requirements.

We now have data breach reporting to the Commissioner, data breach notification to the affected individuals, and a record-keeping requirement embedded in these amendments.

It should also be noted that there may be a common law duty to notify affected individuals if their personal information has been compromised in a way that could affect them, particularly if giving them notice and warning would give them an opportunity to mitigate harm that could happen to them.

But we're going to focus on the statutory requirements.

As with any data breach law, you always have to be very careful about the definition of what is a "breach". So what triggers this whole process? In PIPEDA, it is a "breach of security safeguards", which means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in Clause 4.7 of Schedule 1 (so that's Principle 7) or from a failure to establish those safeguards.

The notice and reporting obligations become triggered if there is a breach of security safeguards where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. This particular provision talks about the personal information being under the control of an organization. So this says to me that the obligation to report to the Commissioner is only on the part of a data controller, not a data processor.

As between any data processor and the controller, there should be a clear contract that says the processor will notify the controller so that the controller can report any data breach that they have to the Privacy Commissioner, and so that they can notify affected individuals.

Subsection 2 talks about what has to be in the report, and I'll get into that in just a moment. And Subsection 3 talks about notification to affected individuals.

Again, the definition—what is a breach of security safeguards—refers back to Principle 7, “Safeguards”. And so what this principle requires is that an organization implement reasonable security safeguards to protect against a list of risks that is appropriate and commensurate with the sensitivity of the information at issue. So it's not unduly prescriptive; it's what's reasonable in the circumstances.

And again, this comes back to the concept of sensitivity. So we don't have strictly defined categories of what is sensitive personal information. Personal information can be more sensitive or it could be less sensitive depending upon the circumstances, depending upon the context in which the information is collected.

We do have some helpful guidance or wording in the CSA model code to help determine what information is more sensitive or less sensitive. Certainly information about somebody's private life, their intimate life, their family life, information about their race, ethnicity, religion, those sorts of things, financial information, health information would all be considered to be at the more sensitive end of the spectrum.

But somebody's name can be less sensitive or more sensitive depending upon the circumstances. So if your name appears on a list of people who attended a hockey game, for example, that's not particularly sensitive. If your name appears on a list of people who have upcoming appointments with a psychiatrist, that would be sensitive information, because the context in which that information appears tells you information about that person's private life, their mental life, their health conditions, or things like that.

Real Risk of Significant Harm

The triggers of notification and reporting relate to "real risk of significant harm".

This is a two-part test: you look at the real risk and then you look at the possible significant harm. And real risk depends upon the sensitivity of the personal information involved and the probability that the personal information has been, is being, or will be misused. And there may also be other prescribed factors, but we haven't seen new factors to consider.

So you're looking at what's the likelihood that mischief will take place; what are the circumstances in which the breach took place?

One example may be a lost hard drive and there's no information to suggest that it was stolen by a bad guy. It was just misplaced. You don't have any real sense that mischief is afoot. That seems low risk of harm.

But if somebody breaks into your network and exfiltrates information, you already know that there's a bad guy involved, or a "threat actor" as the cool kids say. That tells you there’s a high risk that bad things are likely to happen. Or at least bad things are more likely to happen in a scenario like that.

The second part of the analysis is “significant harm”, and that requires you to ask “what could go wrong?” You ask “What could this information be used for? How could this information be abused?”

The legislation specifically talks about certain kinds of harm being significant: “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business, or professional opportunities, financial loss, identity theft, negative effects on the person's credit record, and damage to our loss of property.”

It ties pretty closely to the concept of sensitivity.

In some jurisdictions, reporting is based simply on the type of data involved – more often tied to risk of fraud and impersonation.

The significant harms that are at play and have to be considered in Canadian privacy legislation are much broader than that, and relate to kind of “softer elements” of privacy and personal life.

Reporting Requirements

For a report to the Commissioner, the legislation prescribes what has to be contained in that report. Not surprisingly, the Privacy Commissioner of Canada has a form on his website that contains this information to fill out and report.

They generally want to know:

who was the organization,
what was the nature of the information,
what were the circumstances of the breach,
when was it discovered,
how many people are affected,
what steps have you done to mitigate, to stop the breach and to mitigate the risk of harm, and
who is able to be a point of contact for the Privacy Commissioner.

The Commissioner can initiate an investigation based on a report, but most of these are just received with thanks and that's largely the end of it. The notice to individuals is generally quite similar to the information that has to be provided to the Commissioner, though the organization is also required to tell the individual if there are steps that that individual could take to mitigate any harm to themselves.

Record-Keeping Requirements

Now one additional thing that's notable is there's also a “record-keeping” requirement. This says, regardless of whether or not there's a real risk of significant harm to the individual, every organization must create a record related to every breach of security safeguards, regardless of how trivial.

That record has to contain essentially the same sort of information that you would include in a report to the Commissioner. It should also include information to substantiate the conclusion that there was not a real risk of significant harm to the affected individuals, so that no report was required.

These reports have to be kept by the organization for two years. And they have to be provided to the Privacy Commissioner of Canada on request. So this does create a discoverable paper trail in the event of litigation.

It should also be noted that the Privacy Commissioner has in fact, on his own accord, conducted surveys of organizations requiring them to provide to his office and his investigators all of these breach records in order to make sure that they are being created and maintained appropriately.

Importantly, it's an offense to not create these records, and to not maintain them for the period of two years. It’s also an offense to not provide them to the Commissioner.

Conclusion

So, I hope this has been a useful, informative overview about Canadian privacy law. As I said, it was mainly intended for a general audience of folks who may have a need to know the basics of Canadian privacy laws.

Privacy, Online Fraud, and What You Can Do About It

2026-02-01T19:00:00.008-04:00

This past week, I was invited to speak with a client’s employees for International Data Privacy Day about “Privacy, Online Fraud, and What You Can Do About It”. There were a few hundred people on the call and I’m told it was well-received. So I’ve decided to take that presentation and turn it into an episode for this channel / podcast.

In my practice, I get to do some really awesome things with really great people who bring innovative products to consumers and business customers. But I also see some pretty shady, horrible stuff that takes place online.

I don’t know what the proportion is between people who are awesome and innovative, and people who are horrible and innovative. There are a lot of horrible people out there who are really crafty, and have found the internet and digital tech to be a great avenue to take your money from you.

So what I want to do today is raise awareness about privacy, explain how it connects directly to online fraud, and walk through the kinds of scams and misuse of personal information I’m seeing most often. I’ll also spend some time on practical, concrete steps individuals can take to protect themselves.

What Is Privacy — and Why Does It Matter?

Privacy is a weird thing. It’s very personal, so it varies from person to person. It also is culturally informed. At the end of the day, privacy expectations vary enormously.

Different countries — and even different generations — have very different norms around personal information.

You’ll often hear people say that “young people don’t care about privacy”. That hasn’t been my experience at all.

Young people care deeply about privacy — but they’re very intentional about “audience”. I often point to examples like people having multiple social media accounts on the same platform: one instagram account for close friends, another that’s more public and curated. That’s not a lack of concern for privacy; it’s a sophisticated understanding of it.

Privacy also depends on context. People post different things on LinkedIn than they do on Facebook, and different things again on Instagram or in a private group chat. The audience matters, and expectations matter.

Privacy as a Legal and Compliance Issue

In workplaces, privacy most often shows up as a legal and compliance issue.

In Canada, privacy laws differ by jurisdiction. In this context, jurisdiction can mean province to province, and it can mean between provinces and the federal government. It can also mean between the health sector and other sectors. But these laws generally share a common structure. But today I’ll focus on the privacy laws – federal and provincial – that govern what personal information businesses can collect, use or disclose, and the parameters around that.

Very broadly, these laws say that organizations may only collect, use, or disclose personal information:

for purposes that are reasonable;
that have been explained to the individual;
that the individual understands; and
that the individual has consented to, subject to limited exceptions.

Those purposes are critical. They are the thread that runs through privacy law.

Organizations can only collect information that is necessary for the stated purposes. They can only use it for those purposes. If they want to use it for some other purpose, they generally have to go back to the individual and obtain new consent.

And once the information is no longer needed, it should not be kept indefinitely. Retention has to be tied to legitimate purposes, such as legal requirements or risk management. If you don’t need it anymore for the “purposes”, get rid of it.

Privacy laws also require organizations to protect personal information using safeguards appropriate to its sensitivity.

The more sensitive the information, the higher the expectation of protection.

A lot of privacy complaints and mistrust come down to expectations. People feel unsettled or “creeped out” when information is used in ways they didn’t expect, disclosed to people they didn’t expect, or wasn’t protected to the level they expected.

The law doesn’t talk about being “creeped out,” but that reaction is often a sign that expectations were not properly set or respected. It means you haven’t clearly identified the purposes and gotten their OK.

Privacy Harms

Canadian privacy law now explicitly recognizes a range of harms that can result from misuse of personal information, including:

bodily harm;
humiliation or embarrassment;
damage to reputation or relationships;
loss of employment, business or professional opportunities;
financial loss;
identity theft;
negative impacts on credit records; and
damage to or loss of property.

Even information that seems relatively innocuous — like an email address — can create real risk when taken out of context.

For example, if someone obtains an email address from a particular organization, they know the individual has a relationship with that organization. That makes phishing attacks far more convincing. For example, a bad guy gets a customer list for a business. The bad guy can send emails to the customers pretending to be someone from the business, asking them to “update their billing information” or something. The fact that it looks like it comes from someone they know makes it more likely that the recipient will act on that email.

The Scale of Online Fraud

Online fraud is enormous in scale. According to the Canadian Anti Fraud Centre, they had more than 33 thousand reports in the first three quarters of last year, with more than half a billion dollars lost — and that’s almost certainly an understatement, because many victims never report what happened.

Fraud affects individuals, families, businesses, schools, hospitals, and governments. While large organizations often make headlines, individuals frequently suffer the most direct harm.

The Canadian Anti-Fraud Centre has an enormous catalog of the types of fraud that get reported and it’s worth taking a look at it to help understand all the different varieties of scams and frauds that are out there.

As I said, it’s enormous but I’ll go through some of the most common fraud types that I’m seeing and then will provide some pointers on how to protect yourself.

Common Fraud Scenarios I’m Seeing

Email Account Intrusions and Business Email Compromise

One of the most common starting points is an email account compromise.

If someone gains access to your email, they often gain access to much more: documents, shared drives, financial systems, and internal platforms. There’s a lot in your email inbox that a bad guy can use to cause harm.

In many cases, the harm that they can cause is impersonating the person whose email they’ve taken over. I’ve seen far too many cases where attackers simply watch — waiting for the right opportunity to inject themselves into a conversation.

I’ve seen situations where attackers impersonate trusted employees and send emails redirecting payments or requesting urgent action. Because the email comes from a real, trusted account, it’s very convincing.

Funds Transfer and Payroll Fraud

A classic example is funds transfer fraud. An attacker impersonates a vendor or employee and provides “updated” banking information. Payments or payroll deposits are quietly redirected to fraudulent accounts, sometimes for weeks before anyone notices.

I’ve seen many cases where a company is about to make a big sale, and some bad guy lurking in their system impersonates the sales person or a person from finance and tells them the payments for the widgets should be made to a particular bank account. That’s not the company’s actual bank account, but one that the bad guy has access to.

Another, smaller scale example is a bad guy who knows that a person is employed with a particular company and gets the contact information for the payroll department of that company. One email that convincingly looks like it comes from the employee sent to HR saying “I’ve switched banks, so please have my direct deposit go to this new account ….” In the grand scheme of online fraud, that’s relatively small potatoes, but a bad guy that does that A LOT will make a lot of money. And leave a lot of frustrated employees in their wake.

Tech Support Scams

Many people have received calls claiming to be from Microsoft or their internet provider, warning about suspicious activity.

The goal is to convince the victim that they have to make changes to their computer, which is really to install remote access software. Once that happens, the attacker might as well be sitting at your computer. They can block you from using it, they can control the computer, access saved passwords, log into online banking, and move money.

I’ve seen cases where victims were locked out of their own computers while attackers logged into online banking and emptied accounts in real time.

I’ve also seen cases where bad guys have used remote access software to just watch everything the person was doing on the computer, waiting until they can extract the most cash.

Grandparent and Family Emergency Scams

This increasingly common scam targets grandparents, which is one of the most heartless, reprehensible scams out there. It targets pensioners and exploits the best intentions of these victims.

Attackers impersonate grandchildren or other family members using information found on social media, claiming they’ve been injured, arrested, or stranded. They create urgency and demand immediate payment.

In some cases, AI is now being used to mimic actual voices, making these scams even more convincing. In other cases, the scammer pretends to be a lawyer, telling the grandparent or family member that a loved one has been arrested and requires immediate bail money.

Fake Renewals, Refunds, and Overpayments

These include fake subscription renewals, refund scams, and overpayment schemes on online marketplaces.

In some cases, you’ll get a text message or an email saying that some service is about to renew for a huge sum, and “click here” to cancel the renewal. That click takes you to a fake site that is looking for your Amazon, Netflix or other online credentials. With that information, they can impersonate you and perhaps your payment information.

In an overpayment scam, for example, a buyer sends a cheque or bank draft for more than the agreed amount. They say it was a mistake or was intended to cover processing charges, and then asks the seller to refund the difference — before the original payment is discovered to be fake. Before the cheque or bank draft is found to be fake by the seller’s bank, the seller has already sent actual, non-refundable funds to the scammer.

Fraudulent legal notices

There’s a pretty common scam, usually via text message or email, that purports to be a legal notice saying that you have an outstanding fine or other sort of payment that needs to be made to a government authority. Last year I got one that purported to be from the “Ministry of Transportation of Canada” that said my license would be revoked, my vehicle registrations would be blocked and there could be further action if I didn’t pay a parking ticket using the link below.

Some of them will refer to overdue taxes and penalties. Yeah, it’s just fraudulent.

Ransomware and Data Theft

Ransomware attacks lock people and organizations out of their systems and often involve theft of sensitive data. Using a number of means, including malware infected email attachments or installing remote access software I discussed before, a bad guy gets into a computer system and installs software that will encrypt all the data on the system or the network.

They will then blackmail the victim to pay some amount in bitcoin to get the decryption key.

Once companies realized that having good backups out of reach of the bad guys would mean they didn’t have to pay for the decryption key, the bad guys started to download all the data they could get their hands on before encrypting it.

So even organizations with good backups may feel pressure to pay to prevent stolen data from being leaked or misused.

So many of the cybercrime stories that hit the headlines are ransomware, as they will often shut down a business for days or even weeks before things get sorted out.

Sextortion targeting young people

In my book, if you go after pensioners and whatever savings they have, you’re an absolute horrible person. But words fail me in describing the grotesque and vile people who target young people with sextortion.

In this type of crime, fraudsters create fake profiles on social media, discussion boards and dating websites. Impersonating the persona they’ve adopted, they reach out to people – often young people – and lure them into a relationship. Using a whole range of manipulative tactics, they coerce the into taking intimate images of themselves or performing sexual acts on camera. The victims sincerely believe that they are in a relationship with the bad guy. Then he records the session and threatens to send the image or video to other people – like family members or friends – unless they pay or provide more sexual content.

It prays upon young people’s vulnerability and exploits shame. Many victims have died by suicide and the horrible perpetrators go onto the next victim.

So What Can You Do to Protect Yourself?

There is no such thing as perfect security, but there are practical steps that can significantly reduce risk.

Try to Slow Down

Scammers rely on urgency. If someone is pushing you to act immediately, that alone should raise red flags. The bad guys want you to act immediately so you don’t have a chance to reflect on what’s really going on. Take a deep breath, step back and remember that very few things require an immediate decision – particularly for a situation that comes out of the blue.

Verify things Independently

Never rely on contact information provided in a suspicious email or call. Use a trusted number or address you already have.

For example, if your “bank” calls you and asks for information, hang up and call the number on the back of your bank card.

Never let a stranger tell you to do anything on your computer or your phone

No legitimate company will cold call you and tell you to do anything on your computer or phone, or tell you to install software. If that happens, hang up.

Use Two Factor Authentication

Two factor authentication adds a critical layer of protection. Even if someone gets your password, they still can’t log in without the second factor. Many forms of two-factor authentication, like SMS, are not perfect, but they’re all better than most alternatives.

Never Reuse Passwords

Credential theft is widespread. Reusing passwords means a low risk breach can quickly turn into access to your bank or email.

A lot of companies are hacked on a regular basis, with the bad guys going after customer login information. If you used the same password to order a pizza as you use for your online banking, if that pizza place is hacked, bad guys will likely try that user name and password in other places. A lot of the emails and texts you may get saying that your Netflix has expired are hoping that the login information you put into their fake website will also work on your bank.

Be careful about What You Share Publicly

Be mindful of what you post on social media, especially travel plans and family details. Police report that burglars use vacation posts to choose houses to break into. And the grandparent scams I mentioned before often rely on determining relationships between people from social media sites.

Use a Family Verification Question

For family emergency scams, have a simple verification question that only real family members would know. I’ve told the seniors in my family that if they ever get a call purporting to be from any of my kids, they should ask them for the name of a particular animal that was important to them when they were growing up and that they’d never forget. That name is not on any social media site and anyone who can’t answer that question immediately is an impersonator.

Never buy gift cards at someone else’s direction

One of the most common ways that scammers try to get “money” from victims is having them purchase gift cards. Once the cards are bought and the scammer gets the numbers from the back of the cards, they can use the value from those cards. Actual government agencies will never, ever, ever ask for payment via iTunes or Amazon gift cards. If anyone mentions any sort of a gift card, red flags should go up and alarm bells should start ringing.

Set Alerts and Limits

You should set alerts on your financial accounts so you’re notified when money moves. Someone may have picked your wallet out of your pocket, or taken your credit card number. If you get alerted as soon as a transaction happens, you can immediately contact your bank to have it addressed.

And lower your daily transaction limits if you don’t need higher ones. Scammers who get into your online banking will use money transfer services to send money to other accounts. If you rarely Interac e-transfer more than a couple of hundred dollars per day, set your limit that low. If you have an unusually large payment to make, you can contact your bank to temporarily increase that limit.

Closing

I think it’s worth taking some time to go into your “spam folder” in your email and your text messages to see some of the examples of scam messages that were sent to you that you didn’t see. It’ll help, I think, raise your awareness and sensitivity to what is sketchy and should raise red flags for the future.

We live in a world where personal information is incredibly valuable and increasingly easy to misuse.

Unfortunately, there are a lot of really horrible people who are very creative in trying to separate you from your money. Awareness, skepticism, and a few practical habits can reduce the risk of becoming a victim.

BC Privacy Commissioner finds city's use of public surveillance cameras unlawful ... off to court

2026-01-18T20:32:00.001-04:00

The Information and PrivacyCommissioner of British Columbia just found that the City of Richmond in the BC lower mainland broke the law when it installed ultra-high-definition cameras in public places that capture faces, licence plates, and other identifiers. The Commissioner recommended that they take down the cameras and delete all the recordings. The City said “nope”, so the Commissioner issued a binding order for them to stop collection, delete recordings, and disband the system.

This is definitely going to court. The City of Richmond issued a statement saying they think it is lawful and appropriate, and are looking to have the legality of all of this determined by the Courts. I think that’s a good thing … the more clarity we have from the superior courts on the interpretation of our privacy laws, the better.

I should note that while these laws are generally consistent from province to province, there is a big variation on how police services are delivered. Not all of the conclusions of this finding will necessarily be applicable in all other provinces or municipalities.

The City of Richmond in British Columbia began field testing its “Public Safety Camera System” – or PSCS – in early 2025 at the intersection of Minoru Boulevard and Granville Avenue.

The City’s stated sole purpose was to collect and disclose video footage to the RCMP to assist in identifying criminal suspects. That point—sole purpose—is central to the Commissioner’s analysis. There was no other rationale for the City of Richmond to put up these cameras in these locations.

Operationally, the system involved multiple high-resolution cameras capturing:

licence plate numbers,
high-definition images of vehicle occupants,
pedestrians,
vehicle identifying features, and
location/time information tied to the intersection.

The cameras recorded continuously, and the City retained footage for 48 hours before deletion.

The field test included capabilities like licence plate recognition, pan-tilt-zoom variants, panoramic/multi-sensor configurations, and other detection features; the City confirmed it did not use facial recognition or built-in audio recording during field testing, though some cameras had those capabilities.

The City’s goal for the field test was essentially procurement-and-design: evaluate camera tech, decide numbers and placement, assess performance in different conditions, and confirm the PSCS could generate “usable” footage for law enforcement use later.

Under BC FIPPA, public bodies can’t collect personal information just because it seems useful. Collection has to fit within a listed authorization—most importantly here, s. 26.

The Commissioner situates that within a broader privacy-protective approach: privacy rights are treated as quasi-constitutional, and public bodies should only compromise privacy where there’s a compelling state interest.

Richmond relied on three possible authorities:

s. 26(b) (law enforcement),
s. 26(c) (authorized program/activity + necessity),
s. 26(e) (planning/evaluating a program/activity).

The Commissioner rejected all three, finding there simply was not legal authority for the collection of personal information – and without legal authority, there’s no lawful collection.

Richmond first said they were authorized under s. 26(b):

26 A public body may collect personal information only if
(b) the information is collected for the purposes of law enforcement,

Note the use of the word “only”. Unless section 26 permits it, a public body cannot collect personal information.

Richmond’s theory was straightforward: the definition of “law enforcement” includes policing, and the PSCS was meant to support policing by helping identify suspects—so it’s “for law enforcement.” That was their alleged purpose.

The Commissioner accepted there’s a connection: the information might be used by the RCMP in policing. But the Commissioner says that’s not the end of the inquiry, because the collector is the City—and the City must have a law enforcement mandate of its own to rely on s. 26(b).

This is a recurring theme in Canadian privacy oversight: a public body can’t bootstrap a law-enforcement collection power merely because another entity with a law-enforcement mandate might find the data useful.

The City may pay for law enforcement, and it may provide resources to law enforcement but they do not have a lawful law enforcement mandate.

The report describes three arguments Richmond advanced:

RCMP mandate should be imputed to the City (because the City “provides” policing by contracting with the RCMP to do it).
The City has a mandate to collect information for the RCMP.
The City has its own independent mandate to police through the cameras.

The Commissioner’s response is pretty technical: under the Police Act and the Municipal Police Unit Agreement framework, municipalities fund and resource policing, but policing authority and law enforcement functions remain with the police, operating independently of the municipality.

He underscores that the Police Act sets out specific ways a municipality provides policing—such as establishing a municipal force or contracting with the RCMP—and “running a surveillance camera system for the police to use” is not among those statutory options.

He also points to the RCMP’s peace-officer functions and the Municipal Police Unit Agreement structure as vesting law enforcement responsibilities in the RCMP, not the City, and he reads the legislative set-up as intentionally keeping policing independent from municipal control.

So this argument advanced by the City failed: the City lacked the necessary law-enforcement mandate, so it could not collect under s. 26(b)—even if the police might later use the footage.

Section 26(c) is the classic “public body operational authority” provision: even if a statute doesn’t explicitly say “collect this kind of personal information,” a public body can collect personal information if it is both:

directly related to an authorized program or activity, and
necessary for that program or activity.

Richmond framed its program as essentially: an intersection camera program to identify criminal suspects following criminal incidents, pointing to broad service powers under its Community Charter.

But the Commissioner rejected that program characterization as “authorized,” because—again—of the Police Act structure. In the Commissioner’s view, “collecting evidence to identify criminals that the RCMP may rely on” isn’t part of how the City is authorized to provide policing services or resources under the Police Act framework.

So, the analysis fails at the first step: if the underlying “program” isn’t authorized, 26(c) can’t save the collection.

The report goes further and addresses necessity. The Commissioner emphasizes that the City’s record was limited in establishing that: (a) unresolved crime was “real, substantial, and pressing,” (b) existing measures were ineffective, or (c) less intrusive means had been seriously examined.

He characterizes the intrusion into privacy as “vast,” relative to the limited evidentiary foundation offered to justify necessity.

The net effect was that the Commissioner was not satisfied that the City demonstrated that mass capture of high-definition identifying footage from “tens of thousands of people each day” who had nothing to do with any sort of crime was necessary for the purported municipal activity.

Richmond also argued: the field test is just planning and evaluation, and s. 26(e) specifically authorizes collection necessary for planning/evaluating a program.

The Commissioner’s treatment of 26(e) is crisp: 26(e) presupposes that the program being planned or evaluated is otherwise authorized. You can plan or evalue an authorized program, but if the program ain’t authorized, you can’t collect personal information to plan or evaluate it. Richmond itself largely accepted that proposition, and the Commissioner agreed.

Because the Commissioner had already found the PSCS was not authorized under 26(b) or 26(c), Richmond could not rely on 26(e) to do “planning” for an unauthorized program.

It makes sense that you can’t use the planning/evaluation clause as an end-run around the core requirement of lawful authority. Otherwise, everything under the sun could be said to be for planning or evaluation.

FIPPA generally requires notice of purpose and authority when collecting personal information. Richmond tried to avoid notice by invoking s. 27(3)(a)—the idea that a notice is not required where the information is “about law enforcement.”

The Commissioner gives two responses.

First: the City couldn’t rely on law enforcement as its underlying authorization in the first place—so that alone undermined the attempt to rely on the exception.

Second, and more fact-specific: during the field testing phase, the City had confirmed it was not using the information for actual public safety or enforcement purposes—only to test and evaluate camera technical capabilities.

So even reading “about law enforcement” broadly, the Commissioner questioned whether the testing-phase collection qualified as “about law enforcement,” because it would not be used to enforce any laws, and there was no compelling enforcement purpose weighing against notice.

Richmond did install signs, but the Commissioner describes them as a “courtesy” and finds them legally inadequate.

The sign said “PUBLIC SAFETY CAMERA TESTING / FIELD TESTING IN PROGRESS AT THIS INTERSECTION” with contact information for the City’s Director of Transportation.

The Commissioner’s critique is twofold:

First there was a Content deficiency: the signs did not clearly notify people that cameras were recording and collecting personal information, and did not include the purposes and legal authority for collection as required by s. 27(2).
And secondly there was a Placement deficiency: signage was vehicle-focused, placed for eastbound and westbound approaches, but did not address entries from other directions and did not notify pedestrians—despite the system’s capacity to capture pedestrians and pan widely, including multi-direction recording.

The Commissioner’s conclusion is direct: the City did not adequately notify individuals when it collected their personal information during field testing.

The report notes that disclosure under s. 33(2) generally depends on lawful collection in the first place, and because the collection lacked authority, the City could not rely on “consistent purpose” disclosure to the RCMP for evaluation.

On security, the Commissioner acknowledges the City described a reasonably robust set of safeguards, and that even where collection is unlawful, the City still has a duty under s. 30 to protect personal information in its custody or control.

But safeguards don’t cure lack of authority. They are necessary, not sufficient.

The OIPC’s recommendations were blunt:

stop collecting personal information through the PSCS,
delete all recordings, and
disband the equipment.

Richmond advised it would not comply, and the Commissioner issued Order F26-01, requiring immediate compliance and written evidence of compliance by a specific date.

My takeaway is that the Commissioner’s reasoning is primarily structural and jurisdictional: the City tried to create a surveillance-for-police capability, but the Commissioner reads BC’s legal framework as drawing a hard line between municipal services and police law-enforcement authority—particularly when the activity is mass surveillance in public space.

If you’re a public body contemplating “pilot projects” with high-capability cameras, the report is a reminder that planning provisions don’t let you pilot an unauthorized program, and that “law enforcement adjacent” doesn’t equal “law enforcement authorized.”

For a public body, every collection of personal information has to be directly authorized by law. It’s worth noting that the “law enforcement” provision in most public sector privacy laws is wide enough to drive a truck through. The RCMP in Richmond could have paid for and put up those cameras all over the place, since they have a law enforcement mandate.

Criminal courts are pretty adept at dealing with privacy invasions on a case-by-case basis using section 8 of the Charter, but we actually need a better way to to evaluate proportionality, necessity and appropriateness when it comes to proposed police programs that hoover up data on hundreds, thousands or maybe millions of innocent people in the name of “law enforcement”.

It’ll be interesting to see how the courts deal with this.

Canada's new proposed law to outlaw explicit deepfakes: Bill C-16

2026-01-11T18:30:00.003-04:00

A number of years ago, the Parliament of Canada amended our Criminal Code to create a criminal offense related to the non-consensual distribution of intimate images. Last month, the Government of Canada proposed to further amend the Criminal Code to include so-called deepfake intimate images, and to create an offence of threatening to disclose intimate images, deepfake or not.

Section 162.1, which was added to the Criminal Code in 2014, makes it an offence to publish, distribute, transmit, sell, make available or advertising an intimate image without the consent of the individual depicted in the image.

And a number of provinces have put in place laws that create civil remedies for the non-consensual distribution of intimate images.

With some variation, they generally have the same definition of “intimate image”, but they really haven’t kept up with an explosion of synthetic, AI-generated intimate imagery. Synthetic images are created by generative AI systems that can “learns” what a person looks like and can use that information to create new images that resemble that person.

If you look at the definition of what is an intimate image, it clearly presupposes that it is a recording of an actual person and that the actual person was involved, or at least present at its recording.

Criminal Code – 2014 Amendments Definition of intimate image (2) In this section, intimate image means a visual recording of a person made by any means including a photographic, film or video recording, (a) in which the person is nude, is exposing his or her genital organs or anal region or her breasts or is engaged in explicit sexual activity; (b) in respect of which, at the time of the recording, there were circumstances that gave rise to a reasonable expectation of privacy; and (c) in respect of which the person depicted retains a reasonable expectation of privacy at the time the offence is committed.

It refers to an image or recording where the person “is exposing” certain body parts or “is engaging” in explicit sexual activity. It talks about “reasonable expectations of privacy” at the time the image is recorded and at the time the offence is created.

This definition would not capture synthetic, “deep fake” intimate images.

The province of British Columbia has the newest provincial statute to create a civil framework to provide civil remedies for the non-consensual distribution of intimate images. The definition there is clearly modeled on the definition from the Criminal Code of Canada, but does include images where the person is depicted as engaged in a particular activity, also regardless of whether the image has been altered. So the BC law would cover a situation where an actual image of a person has been altered, in any way, to depict the person as engaging in certain acts or nude.

Intimate Images Protection Act (British Columbia) “intimate image” means a visual recording or visual simultaneous representation of an individual, whether or not the individual is identifiable and whether or not the image has been altered in any way, in which the individual is or is depicted as (a) engaging in a sexual act, (b) nude or nearly nude, or (c) exposing the individual's genital organs, anal region or breasts, and in relation to which the individual had a reasonable expectation of privacy at, (d) in the case of a recording, the time the recording was made and, if distributed, the time of the distribution, and (e) in the case of a simultaneous representation, the time the simultaneous representation occurred;

But this updated definition does not cover purely synthetic images, meaning images that are original and are not simply alterations of existing images. You may recall a little while ago when AI generated sexualized images of superstar Taylor Swift were posted online. If I recall correctly, these were images that were not alterations of existing images but were rather the result of the AI image generator having ingested many, many images of Taylor Swift and “knowing” what she looks like. Those images would not have been captured by the current Criminal Code or even the newer definition in the British Columbia intimate images law.

In December, the Government of Canada introduced Bill C-16, called the “Protecting Victims Act”, that makes a number of amendments to Canadian criminal and related laws. Included in Bill C-16 are proposed amendments that will expand the existing definition of “intimate image” to include synthetic deepfakes.

So here’s the new definition from Bill C-16, but it’s more helpful to compare it to the existing language of the Criminal Code. I’ve crossed out what’s being removed and underlined what’s being added. So we see in subsection (2)(a)(i), where it deals with what has to be in an image or recording to be considered an “intimate image” – they’ve removed “his or her genital organs or anal region or her breasts” and have replaced it with “their sexual organs”.

Bill C-16 Proposed amendments (redline)

Definition of intimate image
(2) In this section, intimate image means

(a) a visual recording of a person made by any means including a photographic, film or video recording,

(i) in which the person is nude, is exposing ~~his or her genital organs or anal region or her breasts~~ their sexual organs or is engaged in explicit sexual activity,

(ii) in respect of which, at the time of the recording, there were circumstances that gave rise to a reasonable expectation of privacy, and

(iii) in respect of which the person depicted retains a reasonable expectation of privacy at the time the offence is committed; or

(b) a visual representation that is made by any electronic or mechanical means and that shows an identifiable person who is depicted as nude, as exposing their sexual organs or as engaged in explicit sexual activity, if the depiction is likely to be mistaken for a visual recording of that person.

That change doesn’t really do what it appears it will do because they’ve added a new defined term in section 150 of the Code, which defines specific terms for Part V of the Code which deals with sexual offences.

“sexual organs” include breasts that are or appear to be female breasts and the anal region;

So this isn’t really a material change, as far as I can see.

Subsection (2)(b) is where they scope in deepfakes:

(b) a visual representation that is made by any electronic or mechanical means and that shows an identifiable person who is depicted as nude, as exposing their sexual organs or as engaged in explicit sexual activity, if the depiction is likely to be mistaken for a visual recording of that person.

So this part doesn’t depend on the reasonable expectation of privacy in the image or recording. Which makes sense. An actual image of an actual person will be associated with that actual person’s expectations of what would happen with that image. A purely made-up image doesn’t have that.

The key parts are that it is a visual representation that depicts the same sorts of body parts or conduct as in subsection (2)(a)(i), and that it has to be sufficiently realistic that the depiction “is likely to be mistaken for a visual recording of that person.”

It can’t be cartoon-ish or of such poor quality that you’d know immediately that it is not really that person.

The scope of what could be an intimate image could be broader, but we have to be mindful of freedom of expression. Unfortunately, as of January 10 when I’m recording this, no Charter statement related to Bill C-16 has been released by the Canadian Department of Justice. (It’s been more than a month since the Bill was tabled in Parliament, so should have been released by now.)

The creation and distribution of intimate images is an expressive act and would be protected by the freedom of expression provision in section 2(b) of the Charter of Rights and Freedoms. But protected expression can be subject to “reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society”. In order to justify the limitation, the goal of the legislature has to be pressing and substantial. i.e., is the objective sufficiently important to justify limiting a Charter right? And then there has to be proportionality between the objective and the means used to achieve it.

This has three parts: first, the limit must be rationally connected to the objective. There must be a causal link between the measure and the pressing and substantial objective.

Second, the limit must impair the right or freedom no more than is reasonably necessary to accomplish the objective. The government will be required to show that there are no less rights-impairing means of achieving the objective “in a real and substantial manner”.

Third, there must be proportionality between the deleterious and salutary effects of the law.

I think there is some risk that this expanded definition of “intimate images” may be vulnerable to being struck down as an unjustified infringement of freedom of expression. The law doesn’t create an offence of creating explicit deepfakes for “personal use”, so that’s not an issue. Though there is a defence related to “serving the public good” in section 162.1(3), I don’t think it’s broad enough to address the potential use of deepfakes in political satire and commentary.

Whether you like it or not, and regardless of whether you think it’s tasteful, AI generated imagery is being used to produce political commentary and satire. And yes, some of it does veer into depicting body parts and activities that can be captured in the new definition of “intimate image.” And you generally can’t outlaw expression just because it’s tasteless. At the end of the day, I don’t think the existing defence of “serving the public good” shields such political expression and leaves this provision vulnerable to a successful Charter challenge.

Before I wrap up, I should note that the Protecting Victims Act also proposes to create an offence of threatening to publish or distribute an intimate image. This is the new section 162.1(1.1):

Everyone who, with the intent to intimidate or to be taken seriously, knowingly threatens to publish, distribute, transmit, sell, make available or advertise an intimate image of a person knowing that the person depicted in the image would not give their consent to that conduct, or being reckless as to whether or not that person would give their consent to that conduct, is guilty of an offence.

This goes beyond what is typically described as “sextortion”, where a bad guy threatens to release intimate images in exchange for more such images or money. “Sextortion” is captured in the general offence of extortion. This new offence would capture a threat even where the person making the threat doesn't expect or demand anything in return. It’s a reasonable addition to the criminal law.

When student data is hacked & stolen: Regulators’ lessons from the PowerSchool data breach

2025-12-14T18:30:00.001-04:00

You may recall hearing about a significant cybersecurity breach affecting school boards from the end of last year and the beginning of this year: the PowerSchool cybersecurity incident. In the past little while, the Information and Privacy Commissioners of Ontario and Alberta have released their reports of findings into the incident. (Ontario, Alberta) There is some interesting stuff in there that I think is worth chatting about. I’ll note that the Information and Privacy Commissioner of Saskatchewan also released a report of findings in August of this year.

This incident affected millions of students, parents, and educators across the country, involved sensitive personal information, and raised questions about outsourcing, cybersecurity, and accountability in the public sector. But many of these issues will be relevant for the private sector. You simply can’t outsource accountability for protecting data.

One thing to be sensitive to is that school boards are chronically under-resourced and have a very hard time meeting their privacy and security obligations under existing budgets. Personally, I think the provinces should take a much more active role in working with school boards and their contractors to ensure the highest levels of cybersecurity. We’re seeing that with health information systems, and should expect it for student information systems.

Before I get into the main point of this episode, one digression … At least in Canada, we always have to ask “what privacy law applies?” When the incident came to light, it was completely clear that at least in Canada, public school boards and their students were affected. Every school board is subject to a provincial public sector privacy law. So there’d be no doubt that a provincial Information and Privacy Commissioner would have jurisdiction to investigate the incident.

It was interesting that the federal commissioner jumped in there. The federal commissioner has jurisdiction under the federal Personal Information Protection and Electronic Documents Act – or PIPEDA – where there is a collection, use and disclosure of personal information in the course of commercial activity.

In this case, the collection, use and disclosure of personal information was in the course of the school boards’ non-commercial activities. Just because the contractor – in this case PowerSchool is doing this for commercial purposes – should not give the federal commissioner jurisdiction. While both public and private sector privacy laws contain obligations to safeguard data, they work in very different ways. If a public sector privacy law applies to the school board, while the private sector law applies to the contractor with respect to the same information, it is unworkable. The two categories of laws are simply not compatible.

Regardless, the federal Office of the Privacy Commissioner of Canada also started making inquiries with PowerSchool, first announced on January 20. On February 11, the federal Commissioner announced they had launched an investigation and noted that they’d remain in close contact with provincial and territorial counterparts on the incident. There was no mention on the basis of his jurisdiction to investigate.

In July, the federal Commissioner announced that they’d negotiated a number of commitments from PowerSchool regarding cybersecurity upgrades, certification and monitoring. It’s worth noting that the letter of commitment specifically says that the Commissioner was of the view that PIPEDA applied in this case, PowerSchool did not agree, and reserves all future rights. And rightly so. At some point, we really need a court to step in to clearly lay down the lines between privacy laws in Canada.

Thanks for indulging me for this digression. Now onto the main part of this episode, where I plan to cover four things:

The background to PowerSchool and how schools use it
What happened in the cyberattack
What the Ontario and Alberta regulators investigated and concluded
Where their findings align — and where they differ

PowerSchool is a major education technology provider. Across Canada, school boards use PowerSchool’s Student Information System, or SIS, to manage day-to-day education operations. That includes:

Student enrollment and attendance
Grades and academic records
Contact information for students and parents
Medical alerts, accommodations, and special needs
Staff and educator information

In many provinces, PowerSchool hosts this data in cloud-based environments that are largely operated and managed by PowerSchool itself, not the school boards. Of course, it’s done on the school boards’ behalf.

Crucially, under Canadian privacy laws, school boards remain legally responsible for the personal information — even when a third-party service provider is handling it. That legal principle becomes very important once something goes wrong.

THE INCIDENT: WHAT HAPPENED?

The cyberattack was discovered in late December 2024.

Here’s what investigators from Ontario and Alberta determined happened. A threat actor obtained valid credentials belonging to a PowerSchool support contractor. These credentials had elevated privileges, meaning they could access PowerSchool’s internal support portal called PowerSource. PowerSource exists so that PowerSchool staff can provide remote technical support to customer school boards.

Once inside PowerSource with these credentials, the attacker was able to access multiple school boards’ Student Information System environments — effectively stepping through the front door.

From there, the attacker accessed student and educator databases, exfiltrated large volumes of personal information and copied data rather than encrypting systems. This was data theft, not ransomware in the traditional “systems locked” sense that we often see.

The compromised data included:

Names, dates of birth, and contact details
Student ID numbers
Medical alert fields and accommodations
Guardianship or custody indicators
Educator contact and employment details

In Alberta, some school boards reported that social insurance numbers were also involved.

After the breach was discovered, PowerSchool paid a ransom, reportedly believing that the data would be deleted. Months later, a second extortion attempt occurred involving the same stolen data — a reminder that once data is taken, control is largely lost.

Paying the ransom might have been a very sensible thing to do in the circumstances, but it’s no guarantee that the data’s been deleted and will never re-surface.

THE REGULATORY RESPONSE

Because public bodies were involved, this triggered investigations by provincial privacy regulators.

In Ontario, the Information and Privacy Commissioner investigated 20 school boards and the Ministry of Education.
In Alberta, the Information and Privacy Commissioner investigated 33 school boards, charter schools, and a francophone authority.

In both provinces, the regulators focused on a central legal question: Did the public bodies take reasonable measures to protect personal information, as required by their respective privacy statutes?

ONTARIO FINDINGS

The Ontario Commissioner concluded that, as a group, the institutions did not meet their statutory obligations under FIPPA and MFIPPA. That’s the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act.

There were three major themes in the Ontario findings: (1) Inadequate Security Safeguards, (2) Weak Contracts and Oversight, and (3) Data Minimization and Retention Failures.

1. Inadequate Security Safeguards

The Commissioner identified multiple weaknesses with Security Safeguards

PowerSchool accounts with excessive privileges - The rationale for the principle of least privilege is to reduce security and privacy risk by limiting the damage that can result from human error, malicious insiders, or compromised accounts. It should be implemented by granting users, systems, and applications only the specific permissions required to perform defined tasks, using restrictive defaults, role-based or task-based access controls, time-limited elevation of privileges, and regular access reviews to remove unnecessary or outdated permissions.

No mandatory multi-factor authentication for PowerSource access - This is one of the most important and effective measures for preventing unauthorized use of purloined credentials.

“Always-on” remote maintenance access - This meant that a bad guy with the credentials could get access to the maintenance tools, rather than only at the invitation of individual school boards.

Short log-retention periods, which limited detection of earlier suspicious activity

While PowerSchool operated the systems, Ontario emphasized that the school boards were still responsible for ensuring reasonable protections were in place.

2. Weak Contracts and Oversight

Ontario was particularly critical of how school boards managed their contracts with PowerSchool.

Many agreements:

Lacked meaningful audit rights
Did not require detailed security reporting
Had limited enforcement mechanisms
Did not clearly address subcontractors

Even more importantly from the OIPC’s point of view, the boards did not actively monitor PowerSchool’s compliance with those contracts. In other words, contractual promises existed — but verification did not.

3. Data Minimization and Retention Failures

The Ontario Commissioner also focused on data minimization and retention failures. The Commissioner found that many institutions simply collected more data than necessary and retained data far longer than required.

That significantly amplified the harm when the breach occurred. If you don’t need it, don’t collect it. If you no longer need it, don’t retain it. If you fail on either one of those – or both! – you have more data that you have to protect and more data that’s affected if things go wrong.

The Ontario Commissioner also found that breach response planning was inconsistent and, in some cases, inadequate.

ALBERTA FINDINGS

Alberta reached a similar conclusion, but approached the analysis somewhat differently.

The Alberta Commissioner found that the educational bodies failed to comply with section 38 of the FOIP Act, which requires reasonable security arrangements.

Key aspects of Alberta’s findings included (1) A lack of internal policies and guidance, (2) treating PowerSchool as an “employee”, and (3) an emphasis on the sensitivity of children’s data.

1. Lack of Internal Policies and Governance

Alberta placed strong emphasis on the fact that many educational bodies did not have adequate privacy or vendor-management policies, they could not point to documented procedures for assessing or monitoring service providers and they simply relied heavily on PowerSchool’s assurances.

From the Alberta OIPC’s perspective, privacy compliance begins with governance.

2. PowerSchool Treated as an “Employee”

One notable legal point in Alberta’s report is that, under FOIP, a service provider performing services for a public body is legally treated as an “employee”. That meant PowerSchool’s actions were attributed directly to the school boards themselves. This reinforces the idea that outsourcing does not reduce accountability.

3. Strong Emphasis on Sensitivity of Children’s Data

Alberta was particularly explicit in recognizing that children’s personal information is inherently highly sensitive, especially medical and accommodation data.

That sensitivity raised the expected standard of protection — and Alberta concluded that PowerSchool’s safeguards fell below that standard.

KEY DIFFERENCES BETWEEN ONTARIO AND ALBERTA

The conclusions in Ontario and Alberta were broadly aligned, but there are some differences in emphasis.

1. Governance vs. Contracting Focus

Ontario focused heavily on contracts, oversight, and vendor management failures.
Alberta focused more on internal policies, governance frameworks, and statutory accountability.

2. Sensitivity of Information

Alberta placed stronger, more explicit weight on the heightened sensitivity of children’s data.
Ontario addressed sensitivity, but framed much of the analysis around risk amplification through retention and over-collection.

Despite these differences, both regulators reached the same core conclusion: The public bodies did not meet their legal obligations, and outsourcing did not excuse that failure.

BROADER LESSONS

There are several broader takeaways from these investigations.

First, outsourcing does not outsource accountability. Public bodies remain legally responsible for personal information, regardless of who hosts it. This is the same in the private sector for outsourcing. Accountability does not shift under Canadian privacy laws.

Second, contracts alone are not enough: Oversight, auditing, and verification matter.

Third, data minimization is a security control: Retaining unnecessary data simply increases breach impact.

And finally, children’s data demands higher standards. Regulators are very clear on that point.

CONCLUSION

The PowerSchool incident may be just another cybersecurity story, but like most such stories there are lessons to be learned or reminders of things we should already know.

It’s a case study in public-sector procurement, privacy governance, and risk management.

Ontario and Alberta both sent a clear message: If you rely on third-party platforms to manage sensitive data — especially data about children — you must actively govern those relationships, not simply trust them.

In the backdrop to all of this is the simple fact that most school boards are chronically under-resourced and have a very hard time meeting their privacy and security obligations under existing budgets. This is particularly the case for smaller – often rural – school boards. The same can be said for smaller municipalities. Personally, I think the provinces should take a much more active role in working with school boards and their contractors to ensure the highest levels of cybersecurity. For a system as widely used as PowerSchool, provincial departments of education should enter into master services agreements with all the appropriate security terms, and the provincial departments of education should actively oversee at least the security and audit portions of the delivery of services.

One final thing to note – just because school boards are 100% accountable to their students for personal information they collect, use and disclose doesn’t mean that PowerSchool is necessarily off the hook. PowerSchool – and any contractor for that matter – can be liable to their customers for any contractual failings when it comes to safeguarding personal information. And depending on the contract terms, the contractor may be liable for the cost of any lawsuits that students and parents might bring against the school boards. And I can imagine some more extreme cases where students, parents and teachers could have a viable claim directly against PowerSchool. I understand there is one putative class action pending, started by a Calgary law firm. And this would be in addition to the at least 55 class action lawsuits filed in the United States by American plaintiffs.

What digital sovereignty? How a Canadian Court is forcing a French company to break French law

2025-12-05T17:00:00.001-04:00

Just recently, I heard about a very significant new decision from the Ontario Court ofJustice, where a judge in Ottawa ordered OVHcloud in France and its Canadian subsidiary to hand over user data stored in France, the UK, and Australia. While Canada is focusing a lot of attention on “data sovereignty”, this decision should get a lot more attention, particularly because the Canadian court is ordering the French company to violate a French law that is designed to protect France’s data sovereignty.

I regularly deal with situations like this in my law practice, where I assist companies in responding to police demands for user data. But rarely does it get to this point, and I’m afraid this sets a very negative precedent.

This case touches on jurisdiction, cross-border data, foreign blocking statutes, and the limits of Canadian investigative powers. It also relies heavily on the controversial Brecknell decision from British Columbia — and I have some things to say about that.

Let’s walk through the case, and then I’ll explain why I think the analysis in the decision goes off the rails.

This case arises out of a national security investigation. The RCMP obtained a Production Order under the Criminal Code s. 487.014, requiring two companies to produce customer information linked to four IP addresses. The two companies are OVH Group SA (a French company that provides cloud computing services globally, OVH’s Canadian subsidiary, Hebergement OVH Inc.

All of the IP addresses were hosted outside Canada — in France, the UK, and Australia. The data sought included subscriber information and metadata, but not the content of any communications.

They argued that they did not have the data. It was held by the French parent company. They are the operating company in Canada that apparently runs servers here for the global business. They don’t manage global accounts or have access to the records that the police were looking for. OVH Canada did not oppose the order as it applied to OVH Canada on any jurisdictional basis. They are a company that has offices, employees and facilities that operates within Canada.

The real issue was the attempt to compel the French parent company — a company with no physical presence in Canada — to produce data stored entirely abroad, and that is subject to foreign laws.

The parent company said:

● “We don’t operate in Canada.

● We don’t store this data in Canada.

● OVH Canada doesn’t control this data.

● French law — specifically the French blocking statute — prohibits us from producing it. (more about that blocking statute later)

OVH also pointed out that the proper, internationally-recognized channel for this type of request is through Mutual Legal Assistance — the MLAT process — which France said it would expedite. Yes, Canada and France have a treaty under which both countries have agreed to manage situations like this. It’s slower because it contains checks and balances. First Canada has to determine if the request is appropriate, and then France reviews the request before getting a French order to provide the data.

The Crown responded that:

● OVH Parent has a “virtual presence” in Canada, and based on the Brecknell case from BC, and cases following that, a “virtual presence” is enough.

● The company “presents itself” as a unified global enterprise on its website

● OVH Canada has previously responded to production orders about foreign IP addresses

● The French blocking law is rarely enforced

With those facts on the table, the Court had to decide: Does a Canadian criminal court have jurisdiction over OVH’s French parent? And even if it does, should the order be revoked because of conflicting French law or because MLAT is the proper mechanism?

The Court framed five issues:

Did OVH Canada have “possession or control” of the data?
Did the Court have jurisdiction over OVH Parent?
Would French law prohibit disclosure, triggering s. 487.0193(4)(b) - which justifies varying or revoking a production order where the data is “otherwise protected from disclosure by law”?
Should MLAT be required in these circumstances?
If French law applies, should the Court exercise its discretion to revoke or vary the order?

The first Question is whether OVH Canada has “Possession or Control” of the data

With respect to possession or control, the Court found that OVH Canada had enough of a connection to the information — including prior instances where it assisted police, and the ability to preserve data — to justify the authorizing judge’s conclusion that it had “possession or control.”

The second question was whether there was jurisdiction over OVH Parent

Regarding jurisdiction over OVH Parent, relying heavily on the Brecknell, Love, and textPlus decisions, the Court held that:

● A company may be subject to Canadian jurisdiction without physical presence

● A “virtual presence” or “real and substantial connection” can be enough

● OVH operates data centres in Canada

● OVH’s website presents itself as a unified global business

● Therefore, the French parent was sufficiently connected to Canada

The third question was about the effect of the French Blocking Law

The Court accepted French government statements that the French blocking law applied, but it found it could be largely disregarded because (a) The law has been rarely enforced, (b) There is no “real risk” of prosecution, and (c) Courts in other countries have treated it as an “empty vessel”. Yup. It’s a law but let’s largely ignore it.

The next question was whether the police should go through the mutual legal assistance process instead of a production order. The judge held that the MLAT is not mandatory, it can be slow and it is not mutually exclusive with domestic orders. The police can choose door A or door B. Their call.

In the final step, about discretion, the judge upheld the production order against both OVH Canada and the French parent, concluding that: (a) OVH Parent has a real and substantial presence through its “virtual presence” in Canada; (b) The risk under French law is minimal, and (c) The national security interest outweighs comity concerns.

In a nutshell, that’s what the court decided. And I think it’s deeply flawed.

There are, in my humble opinion, major problems with this decision. And they don’t just affect OVH Parent. It will have a big impact on Canada’s own attempts to assert data sovereignty.

The first problem is following the BC Court of Appeal decision called Brecknell

The Court relies on Brecknell as though it stands for a broad doctrine that Canadian courts can compel any foreign service provider operating online to disclose foreign-hosted data as long as the company is “virtually present” in Canada.

Brecknell is a 2018 case from the British Columbia Court of Appeal. In that case, the police wanted some data from Craigslist. They contacted Craigslist, who said “come back with a production order and we’ll happily give you the data.” So the police go to the court to get their production order and the court says that it can’t issue a production order directed at a company outside of Canada. So the police go to another court and get the same answer. So the police appeal that, and end up in the British Columbia court of appeal. The British Columbia Court of Appeal said that Canadian courts can issue production orders naming companies outside of Canada, as long as they have a “virtual presence in Canada.”

But in the Brecknell case, Craigslist — the target of the order — had already agreed it would comply with Canadian court orders. Through counsel, Craigslist said: “If we get an order, we will respond.”

This is not a small detail. This is the very foundation of jurisdiction in that case.

In other words: Craigslist voluntarily accepted Canadian jurisdiction.

With that fact, jurisdiction really should not have been an issue. Craigslist said “we have the data, just bring us a production order.”

This is not the situation with OVHcloud. OVH France explicitly said:

● We do not accept jurisdiction

● And we are prohibited by foreign law from producing it

OVH Cloud also said, we have the data and we will preserve it for you so you can get it through the established, diplomatic, country-to-country channels.

I am of the view that Brecknell was wrongly decided and this entire line of cases is problematic. We’ve gotten here, I think, they are largely “ex parte” appeals. Craigslist was not at the hearing for the production order. They were not at any level of court. Until the court of appeal, it was just the cops and the prosecution arguing for jurisdiction. At the court of appeal, an amicus was appointed who did a commendable job.

This line of cases also reaches the conclusion that this is the sort of situation that production orders are designed to address. And they are partially right, but again they suffer from generally only hearing from prosecutors on these questions.

The idea behind a production order is that the court can order someone to hand over data or produce data. It is distinct from a search warrant, where the court clearly has to have jurisdiction over the place to be searched and the police need authority as police officers to search the place. Places are physical. There is no way under recognized international law for a judge in Ontario to give the RCMP in Ontario a warrant to search premises in France for these records. If they were to show up in Paris with their warrant, they’d likely be arrested by French police for trespassing. And we’d have an international incident. It would be the same as sending the RCMP to France to arrest someone without the cooperation of the French government. It’s just not done.

Production orders were created so that a person or entity within the court’s jurisdiction can be ordered to produce a record that is under that person’s control. And that generally operates regardless of where the record is. But this depends on the person being within the court’s jurisdiction. It’s a great alternative to a search warrant because it’s not based on the police searching for something, but telling a person to provide data that they control.

A key principle of international law as applied in Canada is that Canadian law does not operate extraterritorially unless Parliament explicitly provides for it. The B.C. Court of Appeal in Brecknell did note this at paragraph 23, but failed to identify any parliamentary signal indicating that production orders were intended to have effect on persons wholly, physically outside of Canada.

[23] The need to interpret the section in light of restrictions placed on extraterritorial effects is uncontroversial. The fundamental principles were canvassed in R. v. Hape, 2007 SCC 26. There, Justice LeBel identified a number of settled but important principles. First, customary international law, which has been adopted domestically, limits the actions a state may legitimately take outside its borders. Customary international law is based on respect for the sovereignty and equality of foreign states. Sovereign equality commands non‑intervention and respect for the territorial sovereignty of foreign states. Nonetheless, Parliament may legislate “extraterritorially” in violation of those principles provided it does so expressly: see paras. 35‑46.
...
[30] The section is silent on issues to do with extraterritoriality, and it is silent on any question dealing with the location of the documents. Section 487.019(2) may offer some assistance by stipulating that, unlike search warrants, the order has effect throughout Canada without requiring endorsement if executed in another jurisdiction. The section reads:
487.019(2) The order has effect throughout Canada and, for greater certainty, no endorsement is needed for the order to be effective in a territorial division that is not the one in which the order is made.
It appears to me that this section is addressing a difference between search warrants and production orders. It does not directly deal with extraterritorial issues.

The only mention of territoriality in the Criminal Code production order provisions is confined to saying that they operate throughout Canada. That seems to me to be a signal in the other direction. That’s parliament saying this is confined to Canada.

The notion of a "virtual presence" was an invention of the Court of Appeal and is contrary to existing principles of international law. Even under the more flexible civil rules, the Supreme Court of Canada has cautioned that "carrying on business" requires some form of actual, not only virtual, presence in the jurisdiction. And public international law - such as criminal jurisdiction - is different from private international law such as determining where a plaintiff can bring a lawsuit.

The Brecknell court wrongly disregarded the inability to enforce the order against a company like Craigslist. The issuance of a production order extending outside Canada is an exercise of enforcement jurisdiction, which violates international law and Canadian domestic law absent clear authority from Parliament. The difference between an “order” and a “request” is the ability to put someone in the defendant’s dock for not following it. A Canadian production order directed at a non-Canadian company has a real potential to offend comity and the other country’s sovereignty.

So what about Mutual Legal Assistance Treaties (called MLATs)? These are the existing, agreed-upon mechanism for Canadian police to obtain data from non-Canadian companies. In circumstances where an order might offend comity and sovereignty, MLATs are how countries decide to deal with the issue.

The effect of privacy laws or blocking laws were not at issue and were not considered – but probably should have been – by the Brecknell court.

In the OVH case, the court refers to the case of The Queen and Love from the Alberta Court of Appeal (R v Love, 2022 ABCA 269), which was a case dealing with the admissibility of data that had been produced by Facebook from the US pursuant to a production order. It was not an application to vary or revoke an active production order. The Love court followed Brecknell. Again, what’s missing is the fact that Facebook provided the data pursuant to that order. Their policy – like most big US tech companies – is that they will follow Canadian legal processes voluntarily where they can do so consistent with their obligations under US law. By and large, Facebook’s voluntary cooperation should have made jurisdiction a non-issue in that case.

The OVH judge also refers to a case involving TD Bank from Quebec (Banque Toronto Dominion c. Cour du Québec, 2025 QCCS 2094). In that case, a big issue was whether TD Bank in Canada could be ordered to produce records held by one of its foreign subsidiaries. The Court concluded it had sufficient control over the subsidiary to require the production of the records. That’s the inverse of the relationship between OVH Canada and OVH Parent. A subsidiary does not control the parent company.

So to use Brecknell as if it resolved this question is — frankly — a misreading of the case.

Problem 2 — The Court Treats Ordinary Corporate Structure as a Legal Fiction

In addition, the decision disregards the fundamentals of second year law school “Business Associations” to treat OVH as effectively one entity, leaning heavily on:

● OVH’s branding

● The fact “it” has data centres in Canada

● The “collaborative language” on its website

● Shared legal services

● The appearance of a global enterprise

But this misunderstands how multinational cloud companies operate and how corporate law applies.

I sometimes think that some practitioners who spend all their time focused on criminal law forget the fundamentals of corporate law.

Corporations are separate legal persons. Subsidiaries are not automatically global agents of the parent company. And cloud marketing — “our global infrastructure,” “our data centers around the world” — is not a legal admission of control. It’s marketing.

Corporations are separate legal persons and this corporate separateness is generally only disregarded where there is actual fraud going on.

If courts treat branding copy as determinative of “control,” then:

● Any cloud provider operating in Canada

● With foreign infrastructure

● Could be compelled to produce foreign data

● Regardless of its actual legal authority to do so

This collapses corporate separateness in a way that is deeply inconsistent with both Canadian corporate law and international norms. Which leads directly to the next problem.

The Court points to a previous investigation where OVH Canada provided subscriber information for a German-hosted IP address to suggest that OVH Canada effectively has access and control over it.

But OVH explained — and this is common across the industry — that:

● The Canadian subsidiary assisted because doing so was legally safe

● There was no blocking law that stood in the way

● The foreign affiliate voluntarily cooperated

This demonstrates cooperation, not control.

Access that is permitted by a foreign affiliate is not evidence of legal authority to compel access.

If you need a particular tool for a project, and I don’t have one but my parents do, I may facilitate YOUR borrowing it from MY parents. That doesn’t mean I have control over that tool.

OVH Canada receives a production order for data that is under the control of its parent company. Rather than say “go to France”, OVH Canada facilitates the parent company producing the data in circumstances where it is lawfully able to do so. It’s called being helpful, and should not lead to the conclusion that the subsidiary has any possession or control of data that’s entirely in the possession and control of the parent company.

By treating occasional past cooperation as proof of control, the Court dramatically expands what “possession or control” means. After this, it would be prudent for the Canadian subsidiary of a foreign corporation to tell Canadian police to just go pound sand, rather than facilitate matters through internal channels.

This is perhaps the most troubling aspect of the decision: The Court Minimizes Foreign Law Because It’s “Not Enforced”

The Court acknowledges that the French blocking law applies. The French government — through the “Service de l’information stratégique et de la sécurité économiques” (SISSE) — which administers and enforces this French law explicitly said so.

But the judge concluded it doesn’t really matter because the French law is apparently rarely enforced, the Canadian prosecutors said there’s no “real risk” of prosecution and other courts have treated it as an “empty vessel”.

I think this approach is dangerous.

The rule of law depends on courts respecting what the law is, not how often a prosecutor decides to enforce it. A foreign state’s policy choices about enforcement:

● Do not change the meaning of the statute

● Do not change OVH’s legal obligations under French law

● Do not give Canadian courts authority to override foreign legislation

A law is a law. I know dozens of Canadian laws that are rarely enforced, but they still need to be followed. Remember, this is a Canadian court shrugging off a law duly enacted by an allied country, France.

If Canada wants foreign law to bend, the proper channel is MLAT — a mechanism built through mutual consent — not unilateral judicial action.

International comity is built on reciprocity. If Canada orders French companies to violate French law, then:

● Other countries may order Canadian companies to violate Canadian law

● Canada will have no principled basis to object

● Global cloud providers will face impossible conflicts

● And privacy for Canadians abroad will be weakened

Remember, this is happening at the exact time that the Canadian government is focused on Canadian “Digital Sovereignty”. We would find it incredibly offensive if a French or Chinese court were to order a Canadian company, in Toronto, to violate Canadian law.

MLAT exists precisely for situations where:

● The data is located abroad

● A foreign statute prohibits disclosure

● And the foreign state must authorize or supervise the production

France explicitly told Canada it would expedite the MLAT request. Refusing to use MLAT because it might be slow is not a justification for disregarding foreign law. In this case, there is no doubt that the data exists, that France will provide it via the MLAT and will do so speedily. Ordering OVH in France to break French law is unnecessary, unreasonable and – in my view – gratuitous.

This decision is important, but in my view, it’s also misguided.

By stretching Brecknell beyond its facts, by treating global branding as evidence of legal control by a local subsidiary, by using past cooperation as proof of present authority, and by dismissing binding French law because it’s “not vigorously enforced,” the Court has weakened the principles of comity, corporate separateness, and legal certainty.

While Canada is getting excited about “digital sovereignty”, the RCMP, these prosecutors and the court are disregarding France’s explicit law about its own “digital sovereignty.” This is a dangerous precedent to set. After this, why would France give a toss about Canadian laws designed to protect Canadian data?

There is a lawful path — MLAT, letters rogatory, diplomatic channels — and international cooperation depends on states using those channels rather than overriding each other’s laws.

And one important thing to remember: OVH is not suspected of committing any crime. It simply has records about someone that may be relevant for a Canadian investigation. It is not hiding behind a veil of French law to shield itself from liability. It is an entirely innocent third party that is getting dragged into a Canadian investigation, and is now being ordered to violate the law in the country where they are based. And that order is entirely unnecessary, since France and Canada have already negotiated a clear path to get access to this data without violating anyone’s laws.

I understand the case is being appealed – and rightly so. I’ll be keeping an eye on it.

Is Lawful Access Back? With comments on the govt's' disinformation-filled attempt to revive it

2025-11-22T18:00:00.004-04:00

On November 19, senior government MPs on the “crime file” held an unexpected press conference that suggests the government is looking to pull lawful access back from the grave. This press conference was full of misinformation and half-truths about the current state of the law and the government’s proposals.

You may recall that the government introduced Bill C-2, the Strong Borders Act as its very first substantive bill in Parliament following the recent election. It seemingly came out of the blue and its proposed changes to the law related to law enforcement and national security access to information were roundly condemned. As a result, the bill has languished and has not been referred to committee.

In another strange move, the government tabled a new bill (Bill C-12) that essentially was the Strong Borders Act but without the lawful access parts, apparently so they can fast track the other parts of Bill C-2. The new Bill C-12 is currently being considered by the House of Commons Standing Committee on Public Safety and National Security.

Most of us assumed that was the end of lawful access. Apparently not.

Earlier this week, Public Safety Minister Gary Anandasangree, Transport Minister Steve McKinnon, Secretary of State for Combatting Crime MP Ruby Sahota held a press conference defending “lawful access” and calling for the Conservatives to get onboard. If it hadn’t been for Michael Geist’s eagle-eyed attention to this topic, it might have been completely missed. The full press conference is on YouTube and I’ll link to it below.

The press conference was filled with misinformation about their own proposals and about the current state of the law. There are some things that are defensible, but they just can’t get out of their own way. Having watched it a couple of times, it was like they really don’t know much about their own bill or how law enforcement currently operates.

Everything said in the press conference seemed to relate to the provisions in Part 14 of Bill C-2, which are principally new demands and orders for customer information. I did not hear anything said that was a clear reference to Part 15 of Bill C-2, which would create a whole new law called the “Supporting Authorized Access to Information Act”. And what’s also weird about that is the politicians there are associated with the Department of Public Safety, which we are told is the author of Part 15. Part 14 of Bill C-2 was written by and is the responsibility of the Department of Justice, which was absent from the press conference.

The press conference was full of confused political puffery. And some statements were entirely incorrect and would leave any viewer misled. They accused others of engaging in dispensing misinformation, which is just rich.

They repeatedly said that the new tools for law enforcement have judicial oversight. Here is Secretary of State for Combatting Crime MP Ruby Sahota:

“They have also made it extremely clear that these tools are not warrantless surveillance. They are used with judicial authorization and clear legal thresholds, including modernized production and (...) preservation orders, clarified duties for surveillance providers, and access to basic subscriber information only on judicial order with strong safeguards.”

I assume instead of “surveillance providers”, she meant to say “service providers”.

“Bill C2 gives police the tools they need with oversight Canadians expect.(...) Judicial authorization,(...) clear legal thresholds, strict limits on what can be accessed and when, and no warrantless surveillance full stop.(...)”

The WARRANTLESS information demand is just that. No warrant. No judicial authorization required.

They said that we’re just talking about getting customer names and addresses, so no big deal.

“We're trying to connect phone numbers to names and addresses, and then judicial authorization would have to get involved even further in order if that person was a suspect and we needed further information. So it's not about encrypted, you know, data or information. It is about connecting a name or an IP address to a phone-- to an-- I mean, an IP address or a number to a name and an address. That's all this is about.”

This also is incorrect and significantly misleading. Customer names and addresses from telcos are certainly “in scope”, but these provisions are not at all limited to telcos. This applies to anyone who “provides services to the public.” You know who also provides services to the public? Your doctor. It can be used with telcos, and it can be used with your doctor’s office.

And it’s not limited to “customer names and addresses”. Creates a mandatory disclosure of “subscriber information” that is defined so broadly that it includes ALL “information that the subscriber or client provided to the person in order to receive the services”. Yes, that’s the medical history form you filled out when you first visited the clinic. It includes the types of services the clinic provided to you and information about any specialists you were referred to. The scope of this is breathtaking. It does require judicial authorization, but with the lowest burden of proof our legal system has. Something just more than a hunch. And the judge can’t say “hey, all you need is a name and address” so we’ll limit the order to that. Nope, the order is for all SUBSCRIBER INFORMATION.

And there was also some horrific misinformation about the tools the police currently have to do their jobs.

“The regime we have today is unacceptable. So I'd like to share some examples so that I can bring the issue to light. I find that there's not been a lot of coverage on extortion, but you've definitely been hearing about it in the House. That's because many of our communities are suffering from these cases. And what's unacceptable right now is it taking six months for the police to be able to get judicial authorization, to be able to connect a phone number to someone who's extorting an individual in my riding, who has been out of their home because their home has been shot up and it's dangerous for their kids to live there. They can't go to school in a regular routine. They can't operate their business. And that's unacceptable. And I believe in Canada, our law enforcement should have the capabilities of being able to track down violent criminals such as these.”

I am sorry. If it is taking the police six months to get a warrant after a house has been shot up … the police simply are not doing their jobs and are not using the tools they currently have. A police officer in a squad car can pick up the phone and get a production order, if circumstances exist for dispensing with the formalities of a personal appearance before a justice of the peace.

The Honourable Ruby Sahota is the MP for Brampton North Caledon in Ontario. The local police of her jurisdiction is the Peel Regional Police. I’ve seen many production orders obtained by officers in the Peel Regional Police. I really, really doubt that it takes six months of effort to get a production order. Most of them are issued within a very short period of time from the alleged offence. Just for illustration purposes to find something on the public record, I did a really quick search in a public legal database and found a case from Brampton that will illustrate the current process. The case is called R v Owen, 2017 ONCJ 729.

The investigation began on March 23, 2015 of an unknown individual suspected of downloading images of child abuse. They had an IP address connected with the suspected crime, but didn’t know who it was connected to. They could determine the internet service provider. After some investigating, the Peel Police sent a preservation demand to the internet service provider, requiring the ISP to preserve the account information while they got a production order. On April 7, they applied for a production order to get the customer name and address from the internet service provider. The order was issued the next day. Less than a week later, on April 17, the internet service provider provided the information. Three days after that, on April 20, the police had a warrant to search the home. (I should note that the reason why the Owen decision goes into so much detail was that the production order and the search warrant were thrown out because the police misled the court in getting them.)

But setting that aside, that’s nowhere near six months. The laws in effect in 2015 are essentially the same laws we have now, that the government wants the police to be able to side-step. Suggesting it takes six months to get a production order is an outrageous statement from the “Secretary of State for Combatting Crime.” It’s so outrageous that I assume it’s an outright lie.

Here’s what’s currently in the criminal code, which authorizes the cops to go to a judge and get an order for customer name and address – or any other information – if they have reasonable grounds to believe an offence has been committed and the addressee of the order has the data. What’s proposed in Bill C-2 is an order based solely on a hunch – reasonable grounds to suspect an offence has taken place. And the scope of the production is much broader. Fewer grounds and more information.

Look, if the government thinks their proposal has merit and should proceed through parliament, they should be prepared to actually justify the new powers. And they should do it with facts and not political puffery or straight BS.

I will assume – at least for now – that the Minister of Public Safety is being honest when he acknowledges that the current bill is flawed and is willing to listen to feedback to make it acceptable:

“Um, it is not a perfect piece of legislation. So, we are open to to uh to feedback from uh from our partners, from uh uh from civil liberties groups, from other uh entities that may have an interest um in this area. And we will work across party lines to make sure that we have consensus on on having a lawful access regime that is acceptable to Canadians.”

I’ll link below to my previous episodes where I discuss, in some depth, Part 14 and Part 15 of Bill C-2, in case you want the straight goods on what’s in the Bill. So far, nobody has accused me of making stuff up.

My previous video on Part 14 of Bill C-2: https://youtu.be/wOgo4TuoJec

My previous video on Part 15 of Bill C-2: https://youtu.be/E1LV2fcD9Bs

Online reviews and privacy claims: Lessons from RateMDs v Bluler (BCCA)

2025-11-16T10:10:00.004-04:00

Can a doctor claim a privacy violation because a website creates a profile for them using public information, hosts anonymous reviews, and ranks them against their peers?

The British Columbia Court of Appeal says no in RateMDs Inc. v. Bleuler, 2025 BCCA 329. Let’s walk through what happened — and what this means for privacy in Canada.

Let’s start with the background to this case.

RateMDs.com is a website where people can look up health professionals, read and post reviews, and compare ratings. You’ve probably seen it — you search for a physician, and you get their name, their contact information, their ratings, and often a long list of anonymous comments.

Dr. Ramona Bleuler, a BC physician, discovered that RateMDs had created a profile for her. She didn’t ask for it. She didn’t consent to it. And she couldn’t remove it.

The platform listed her name, her professional contact information, a list of reviews from anonymous users and a comparative ranking of doctors in her specialty and geographic region.

RateMDs also offers paid subscriptions that allow physicians to hide a limited number of reviews. Dr. Bleuler wanted to start a class action on her own behalf and on behalf of other physicians in Canada who had listings on RateMDs.

Class actions – at least in Canada – have specific procedures, which require that the class action be certified before it can go ahead. There are a number of things the court must look at pursuant to the Class Proceedings Act, but the most important question for our analysis here is whether the pleadings disclose a cause of action. When you read the pleadings, and assume that the facts are true and provable, is there an actual legal claim there? This is a screening function to weed out any legal claims that are bound to fail, and the court is only supposed to examine the facts alleged in the statement of claim.

This case principally turns on whether the legal claims made by the representative plaintiff are viable.

So the plaintiff sued RateMDs and its parent company under the provincial Privacy Act. She said that by creating a profile for her, hosting reviews, and ranking her relative to her peers, RateMDs violated her privacy.

She wasn’t claiming that specific reviews contained private information. She wasn’t arguing defamation. Her claim was broader: she said the very act of aggregating, hosting, and ranking health professionals without their consent violated privacy law. In particular, the plaintiff was relying on the statutory privacy torts created by the legislatures of British Columbia, Saskatchewan, Manitoba and Newfoundland. The proposed class would be physicians who reside in those provinces. The plaintiff also tried to rely on Quebec’s privacy statute, but that part wasn’t allowed to proceed in the lower court.

She relied on two sections of the British Columbia Privacy Act, and their equivalents in the other provinces.

First, section 1, which creates a tort — actionable without proof of damage — where a person ‘wilfully and without claim of right’ violates the privacy of another.

Violation of privacy actionable
1 (1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.

Second, section 3(2), which prohibits the unauthorized use of someone’s name or portrait for the purpose of advertising or promoting the sale of goods or services.

Unauthorized use of name or portrait of another
3 (2) It is a tort, actionable without proof of damage, for a person to use the name or portrait of another for the purpose of advertising or promoting the sale of, or other trading in, property or services, unless that other, or a person entitled to consent on the other's behalf, consents to the use for that purpose.

Her argument was that RateMDs is a commercial enterprise. The profiles draw traffic, the reviews attract users, and the rankings keep people engaged. Because this commercial model depends on using doctors’ names and contact information, she said this amounted to both a privacy violation and commercial exploitation of identity.

The BC Supreme Court agreed the case should go forward. The judge certified the class action. I have to emphasize that this was only based on the pleadings and the court was essentially saying that the claims looked viable, but that didn’t mean the plaintiffs would win at any eventual trial.

But RateMDs appealed. And at the Court of Appeal, everything changed.

The Court of Appeal approached the case by asking the basic but crucial question: Even assuming all the facts in the claim are true, is there a viable cause of action under the privacy statutes?

Again, this is a threshold question in class action certification. You don’t look at evidence. You look at the pleadings. You ask whether the claim has a reasonable chance of success.

A claim can be novel — that’s okay. But if it’s doomed to fail, the court must strike it.

Here’s the heart of the Court of Appeal’s reasoning:

At least for the purposes of a civil claim, privacy starts with identifying private information. And the claim failed at this starting point.

The Court of Appeal said:

● A doctor’s name is not private.

● Professional business contact information is not private.

● Reviews written by patients about a doctor’s professional services are not private.

● Rankings based on those reviews are not private.

The Court emphasized that privacy law protects reasonable expectations of privacy. And when someone is carrying out professional, public-facing work, the threshold for privacy protection is different.

The Court relied on earlier BC cases — including Niemela v. Malamas — which held that complaints about how a lawyer performs their work do not attract a reasonable expectation of privacy. Professional reputation is not the same thing as privacy.

The doctor tried to frame her privacy right as a right to control how information about her was used. But the Court said: control only exists if there’s a privacy interest in the underlying information. If the information is not private, there is nothing to control. Or at least privacy torts don’t leap in to give you that control.

For privacy lawyers, this is an important clarification: The BC Privacy Act protects privacy, not reputation, and not personal preference about the use of publicly available professional information.

The Court concluded that because there was no reasonable expectation of privacy in the information posted on RateMDs, the privacy claim under section 1 was bound to fail.

The Court also noted an important distinction: This case wasn’t about whether any particular review contained sensitive information. The plaintiff expressly disclaimed that argument. She said the content didn’t matter — only the existence of the profile and the ranking system did.

The Court said that privacy law doesn’t work that way. You can’t claim a violation based on a website compiling publicly available information unless there’s some private content involved.

So the broad theory — that creating a profile and ranking professionals without their consent is itself a privacy violation — was rejected. There would have to be something more … and in this case, there was not.

The BC Supreme Court judge had relied in part on the rules governing how health professionals can advertise. For example, doctors can’t use testimonials. They can’t compare themselves to colleagues. The judge below thought this regulatory context created a privacy interest.

The Court of Appeal disagreed.

Those rules regulate doctors. They do not regulate third-party websites. They do not create privacy rights. And they do not convert publicly available information into private information. The Court of Appeal wrote at paragraph 98: “However, the interest of provincial regulators in restricting advertising by health professionals has no obvious connection to the respondent’s asserted privacy interest. The regulatory concern is to protect the public, not to protect the privacy of health professionals. That regulatory interest has nothing to do with the plaintiff’s reasonable expectation of privacy.”

So the regulatory framework could not be used to manufacture a privacy interest where none otherwise existed.

Next, the Court examined the claim under section 3(2) — unauthorized use of name or portrait for advertising.

This is the ‘misappropriation of personality’ tort. It typically covers: (a) using someone’s name or image in an ad, (b) using a person’s likeness to promote goods or services or (c) endorsements without consent.

RateMDs wasn’t using doctors’ identities to advertise or sell anything in the sense required by the statute. It was running a platform where reviews are posted and accessed. Running a commercial website that uses names in this manner doesn’t cut it. That’s not the kind of commercial exploitation section 3(2) is meant to capture.

So the Court of Appeal found that the claim under section 3(2) was also doomed to fail.

With both privacy causes of action rejected at the threshold stage, the Court of Appeal allowed the appeal, set aside the certification order and dismissed the action entirely. This was a complete win for RateMDs.

What are the broader implications?

First, the Court drew a clear boundary around privacy law: You can’t use privacy torts to challenge the existence of a professional review platform.

Second, the decision reinforces that privacy torts require a reasonable expectation of privacy in identifiable, specific information. That expectation must be grounded in: (a) the nature of the information, (b) the specific context, and (c) established privacy norms.

Third, platforms that rely on publicly available, professional information to generate profiles or rankings are, at least under BC’s statute and its equivalents, unlikely to face successful privacy claims — unless they publish actually private or sensitive data.

Fourth, the Court left open — deliberately — that if a review leaks confidential information or medical information, that could be a privacy violation. But that’s not what this case was about.

Finally, this is a reminder that privacy law is not a catch-all remedy for online reputational harm. Other legal avenues may exist such as defamation — but the privacy tort has a defined scope.

A last thing to note, which is important, is that this decision was made in the context of privacy torts – civil claims for invasion of privacy or use of image and likeness. Under our more general privacy statutes, such as the Personal Information Protection and Electronic Documents Act, whether information is “personal information” – and thus whether the statute applies to it – does not depend on whether the information is “private” or the “confidentiality” of the information.

A person’s name is subject to those laws, but may simply be less “sensitive”. Though a lot of the same principles may be in play, one should always be cautious about assuming that what a court says in the tort context will apply directly to our commercial privacy laws.

Nova Scotia's new Freedom of Information and Protection of Privacy Act (Bill 150)

2025-11-09T20:48:00.001-04:00

In just the past month, kind of unexpectedly, the Nova Scotia government introduced and passed a new public sector privacy and access to information law that completely replaces the existing Freedom of Information and Protection of Privacy Act (known here as “FOIPOP") with a new law that will come into effect in April of 2027.

This isn’t completely out of the blue because the Nova Scotia government has been “reviewing” FOIPOP since 2022, but unlike in most provinces it has been “behind the scenes”. Unlike other provinces, which have public consultations, Nova Scotia’s consultation on transparency was behind closed doors.

I wrote to the then Minister of Justice seeking to participate on behalf of the Nova Scotia branch of the Canadian Bar Association’s Privacy And Access Law Section. The CBA was never invited to chat. I wonder who else commented. We were told that the results of this review would be made public, but they never were. All we got was Bill 150, dropped in the legislature on September 26 and passed on October 3. There was no real opportunity given for privacy and access to information experts to appear in committee with their comments.

In this episode, I’m going to do a relatively high-level overview of what’s changing with the new FOIPOP that will come into effect in 2027. There’s some good, some bad and some changes that I’m indifferent to. I hope I can provide a relatively unbiased view of it, given that I do legal work for applicants who are seeking access to records, for public bodies who have to comply with the law and third parties whose records held by public bodies are sometimes the subject of access requests.

There’s a big change to the purposes clause of the law. The original FOIPOP was relatively unique among access to information laws in Canada in that it clearly had as its intent full transparency, accountability and access – as fundamental to how democracy should work.

The purpose clause in the current act includes:

2. The purpose of this Act is …

(b) to provide for the disclosure of all government information with necessary exemptions, that are limited and specific, in order to
(i) facilitate informed public participation in policy formulation,
(ii) ensure fairness in government decision-making,
(iii) permit the airing and reconciliation of divergent views;

That part is gone. Just removed. The leader of the opposition made a motion to have it returned, but the motion was defeated.

That’s too bad. The purpose clause is important in how regulators and courts approach the law, and future governments will be able to say it was removed for a reason and that should influence how it is interpreted. That’s a real step backward.

As I said, the new Act fully repeals and replaces the earlier statute. It restructures the entire Act into clear Parts (e.g., Part I – Freedom of Information; Part II – Protection of Privacy; Part III – Reviews and Appeals; Part IV - Information and Privacy Commissioner), and has a number of standardized definitions for consistent terminology (like “access request,” “correction request,” etc.), and procedural timelines are now measured in business days rather than calendar days. This will draw out access requests. Previously, the public body had thirty days; now it’s thirty business days. That’s thirty five percent longer. Easier on the public body, to be sure, but it will mean it takes longer to get requested information from public bodies.

An important change in the new FOIPOP is that it will include municipalities. The Commissioner's jurisdiction is significantly expanded through the consolidation of provincial and municipal regulation. Specifically, the new Act repeals Part XX of the Municipal Government Act and integrates municipalities and municipal bodies into the general FOIPOP framework. Part XX of the MGA was generally a mirror of FOIPOP, but with some significant differences. Bringing municipalities into FOIPOP means the Commissioner now has explicit and uniform jurisdiction to conduct reviews and investigations involving municipal units. The Review Officer's previous roles in handling appeals related to access and correction requests are maintained, but the new Act formalizes two new categories of complaint investigation called Privacy Reviews. These reviews can be initiated by individuals who believe their personal information was collected, used, or disclosed in contravention of the Act, or proactively by the Commissioner if there are reasonable grounds to suspect a contravention.

One of the most important changes is that the former “review officer” is now the Information and Privacy Commissioner of Nova Scotia, and will be an officer of the Nova Scotia House of Assembly. While still appointed by the Governor-in-Council, this position is much more independent of government than under the present Act. A big miss, at least as far as critics are concerned, is that the Commissioner does not have the ability to issue binding orders on public bodies. That position still just issues recommendations, and it’s up to applicants to go to court to get orders.

The 2027 Act introduces or revises numerous definitions, including “Personal information” which now explicitly includes IP addresses, biometric data, and genetic characteristics, while excluding business contact information.

In the part of the Act related to the right of access to public body records, changes clarify that the right of access extends to records in custody or control of a public body, but not to duplicates or exact copies. It says that part of a record that can be withheld and can be reasonably severed, access must be provided to the remainder of the record.

Not surprisingly, the amendments made earlier this year related to frivolous, vexatious and unduly repetitive requests have been continued in the new FOIPOP. The Commissioner must approve a request from a public body to disregard a request, with defined criteria and 14-business-day timelines for both application and decision. It does provide applicants with a right to appeal to the Supreme Court of Nova Scotia if their request is disregarded.

Almost all the timelines in FOIPOP have been extended. All procedural periods are now in business days (such as giving a public body 30 business days to respond to an access request). It also introduces an explicit suspension of time calculations while fees are being negotiated or reviews are underway (s. 20).

The government gets to set a standard application fee pursuant to the regulations, and also sets service-based fees but exempts requests for one’s own personal information and provides 3 free hours of work time. Public bodies can charge additional fees if the request will take more than three hours. When presented with a fee estimate, applicants may narrow their requests accordingly. Once the request is being processed, a public body can provide a “revised fee estimate” that the applicant can either accept or revise their request. Fee estimates and revised fee estimates can be referred to the Commissioner.

There remains a possibility for fee waivers where disclosure serves a public interest (e.g., environment, public health, or safety), or if the applicant can’t afford to pay the fee.

One thing that is interesting and progressive: The new FOIPOP specifically says that public bodies must provide electronic records in “an electronic form that is capable of re-use”. This is positive. If the record is an Excel spreadsheet, the spreadsheet itself should be provided and not just a photocopy of the spreadsheet. (There are few things as useless and opaque as a print-out of an excel spreadsheet full of formulas.)

There are a number of changes that will restrict public and journalistic access to records. The first is an expansion of the definition of “legal privilege” to specifically include settlement privilege. And at section 86(2), the Information and Privacy Commissioner will not be able to inspect a record that is alleged to be privileged to determine if it actually is privileged. Only the Court can do that, and the process to get there can be set out in the regulations.

The second major restriction on the right to know is essentially excluding any right of access to any record that is defined as an “Executive Council record”, going well beyond what was traditionally “cabinet confidences.” To make it worse, in section 32(2), a head of a public body is prohibited from disclosing Executive Council records. There’s no discretion.

The new Act expands the privacy sections substantially and in a good way, but most of the details will have to wait until we get to see the regulations.

Every public body will have to have a privacy policy and has to publicly disclose its internal privacy-complaint process.

Once the Act comes into effect, every public body will have to carry out a privacy assessment for any new or substantially changed “project, program, system or other activity involving the collection, use or disclosure of personal information”. The details for what must be in a privacy assessment will be determined in regulations.

The new Act defines “Data-linking” programs – where two or more data sets are combined, either temporarily or permanently, and requires them to be carried out only in accordance with the yet to be seen regulations.

There are some tweaks to the rules that permit a public body to collect, use or disclose personal information. These public sector privacy laws are generally not based on consent so these rules set the guardrails for public bodies. There are new rules related to inter-agency data sharing, research, and public-interest exceptions.

There’s a new explicit authorization for disclosure to protect individuals from intimate-partner violence or human trafficking.

The new Act introduces obligations to contain, assess, and notify affected individuals and the Commissioner of privacy breaches that pose a real risk of significant harm — aligning Nova Scotia with federal PIPEDA and other provincial models.

There is a weird new provision in s. 79 that authorizes a public body to go to court if “personal information in the custody or under the control of a public body has been stolen or has been collected by or disclosed to a third party other than as authorized by this Act”. They can get an order to return or destroy the personal information, or any other order the court considers appropriate to protect the personal information.

If you’ve been reading or watching my stuff, you may recall that in 2020, the Government of Nova Scotia went to court to try to identify people who may have read unredacted Workers Compensation Appeal Tribunal decisions that were mistakenly given to the Canadian Legal Information Institute, known as CanLII, and they were posted online. I was one of the people they identified, and I was contacted by the government as part of their damage control. (Here's a video I did on that on my YouTube channel: https://youtu.be/XETVLvkksj0.)

There’s also an interesting, quirky new section that essentially says that a public body is deemed to have not “collected” personal information if it does not relate to a program or activity of the public body, and they either delete it, return it or transfer it to another public body or federal government institution if it’s relevant to the other public body or institution’s programs or activities.

Individuals still have a right to access their own information, and public bodies have an obligation to retain any information that has been used to make a decision directly affecting an individual for at least one year so the individual can exercise their access right. And also in such circumstances, the public body has to make every reasonable effort to make sure the information is accurate and complete.

While the former Privacy Review Officer Act existed separately, the new Act integrates and strengthens the privacy review powers directly within the consolidated statute, giving the Commissioner an explicit mandate to conduct Privacy Reviews. This authority can be used to investigate complaints that personal information has been improperly collected, used, or disclosed, and allows the Commissioner to proactively initiate an investigation if they have reasonable grounds to believe a contravention has occurred.

Finally, on the privacy side, the new FOIPOP revokes and replaces the Personal Information International Disclosure Protection Act or PIIDPA. That law generally prohibits a public body from allowing personal information to be stored outside of Canada or to be accessed from outside of Canada, subject to some exceptions. Under the new FOIPOP, a public body will only be allowed to store or permit access from outside of Canada in accordance with specific regulations, which we haven’t seen yet.

While the new independent Information and Privacy Commissioner is not granted the ability to issue orders or levy penalties in connection with access, correction or privacy reviews, the Commissioner does have broad powers in connection with carrying out such a review. The Commissioner can summon witnesses and compel records (other than records that are claimed to be privileged). The Commissioner can initiate a privacy review without a complaint or request if the “Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene this Part”.

The Commissioner also has an important role to play in requests that a public body thinks is trivial, frivolous, vexatious or abusive. The public body has to seek the approval of the Commissioner to disregard such requests, which is an important check to prevent the overuse of these new provisions.

Individual complainants, exercising access, correction and privacy rights, still have recourse to the Supreme Court of Nova Scotia. In most cases, that will be following a review by the Information and Privacy Commissioner, but individuals do have the right to skip the Commissioner and go straight to the Supreme Court of Nova Scotia. Once you’re in the Court, it is what’s called a “de novo” proceeding meaning that the Court will determine the matter from the very beginning. And the court can issue binding orders.

Finally, the new FOIPOP expands the number and kind of offences that can result in charges and prosecution: this includes (a) willfully collecting, using or disclosing personal information in contravention of the Act, (b) willfully attempting to gain access to personal information in violation of the Act, (c) obstructing the Commissioner and (d) destroys, alters or falsifies a record to evade a request for access to records.

So this represents a significant change to the privacy and access to information landscape in Nova Scotia. It repeals the old Freedom of Information and Protection of Privacy Act, the Privacy Review Officer Act, the Personal Information International Disclosure Protection Act and Part XX of the Municipal Government Act, replacing all of them with a new Freedom of Information and Protection of Privacy Act. As I said, it comes into effect in April 2027.

This has been a relatively high-level overview of the new Act. Each time I read it, I find something new. I would encourage folks in Nova Scotia who have an interest in access to information and privacy to review the legislation, and let the government know if it raises any concerns. Though the process to get here has been the opposite of transparent, there is an opportunity before April 2027 to amend it before it comes fully into effect.

Canada's Privacy Regulators vs. TikTok: A critical overview

2025-10-19T13:01:00.001-03:00

(This post is largely a transcript of the YouTube and podcast episode above.)

On September 23, 2025, the Federal Privacy Commissioner and his provincial counterparts in British Columbia, Alberta and Quebec issued a joint report of findings into TikTok. This is a big one. It raises some interesting — and troubling — questions about jurisdiction, children’s privacy, reasonableness, consent, and what it actually means to protect privacy.

In my view, the Commissioners have imposed an almost impossible standard on TikTok — one that, ironically, could actually reduce privacy for users. Let’s unpack what they found, and why I think they may have gone too far.

I’ll note that the finding is more than thirty pages long, with almost two hundred paragraphs. This should be treated as an overview and not a deep dive into all of the minutiae.

TikTok Pte. Ltd., a Singapore-based company owned by ByteDance, operates one of the most popular social-media platforms in the world. In Canada alone, about 14 million monthly users scroll, post, and engage on TikTok.

The investigation examined whether TikTok’s collection, use, and disclosure of personal information complied with PIPEDA, Quebec’s Private Sector Act, and the provincial privacy statutes of Alberta and B.C.

A key preliminary issue was jurisdiction.

The British Columbia Personal Information Protection Act is a bit quirky. It says

Application
3 (1) Subject to this section, this Act applies to every organization.
(2) This Act does not apply to the following: (c) the collection, use or disclosure of personal information, if the federal Act applies to the collection, use or disclosure of the personal information;

TikTok argued that because of this, only one of the Federal Act or the British Columbia Act could apply.

In my view, the response to this argument by the Commissioners is facile. They said:

[22] Privacy regulation is a matter of concurrent jurisdiction and an exercise of cooperative federalism, which is a core principle of modern division of powers jurisprudence that favours, where possible, the concurrent operation of statutes enacted by the federal and provincial levels of government. PIPA BC has been “designed to dovetail with federal laws” in its protection of quasi-constitutional privacy rights of British Columbians. The legislative history of the enactment of PIPEDA and PIPA BC and their interlocking structure support the interpretation that PIPEDA and PIPA BC operate together seamlessly.
[23] PIPA BC operates where PIPEDA does not, and vice versa. In cases such as the present, which involve a single organization operating across both jurisdictions with complex collection, use, and disclosure of personal information, both acts operate with an airtight seal to leave no gaps. An interpretation of s. 3(2)(c) that would deprive the OIPC BC of its authority in any circumstance the OPC also exercises authority is inconsistent with the interlocking schemes and offends the principle of cooperative federalism.

In my view, this has nothing to do with “cooperative federalism”. In this case, they’re waving their hands instead of engaging in helpful legal analysis. The British Columbia legislature chose to say that if PIPEDA applies, PIPA will not. This is not about constitutional law. The Commissioners could have articulated a much more clear and straightforward response to this argument: TikTok collects personal information across Canada, in BC and elsewhere. PIPA applies to “the collection, use and disclosure of personal information that occurs within the Province of British Columbia” (This is from the federal regulation regarding PIPEDA’s application in British Columbia.) So in this joint investigation, BC’s PIPA applies to the personal information of British Columbians and PIPEDA applies to the personal information of individuals outside of British Columbia. They could have said that, but they didn’t. They did say it was about “overlapping protections” and not “silos”. I think this is incorrect. The British Columbia Act and the Federal Regulation clearly say: this is “the BC Commissioner’s silo”, and this is “the Federal Commissioner’s silo.”

So, the investigation moved forward jointly, setting the stage for three major questions:

Were TikTok’s purposes appropriate?
Was user consent valid and meaningful?
Did TikTok meet its transparency obligations — especially in Quebec?

The first issue asked whether TikTok was collecting and using personal information — particularly from children — for an appropriate and legitimate purpose.

TikTok’s terms forbid users under 13 (14 in Quebec), but the Commissioners found its age-assurance tools were largely ineffective. The platform relied mainly on a simple birth-date gate at signup, plus moderation for accounts flagged by other users or automated scans.

As a result, TikTok said that it removes around half a million under-age Canadian accounts each year — but regulators concluded that many more likely go undetected.

It seems to me that terminating half a million accounts a year because they think the user may be underaged is a pretty strong sign that the company is sincere in its desire to NOT have kids on their platform.

They also noted TikTok already uses sophisticated facial- and voice-analytics tools for other purposes, like moderating live streams or estimating audience demographics, but not to keep kids off the platform. The regulators want TikTok to re-purpose these tools for age estimation.

The Commissioners found that TikTok was collecting sensitive information from children — including behavioral data and inferred interests — without a legitimate business need. In their view, that violates the “reasonable person” standard under PIPEDA s. 5(3) and the comparable provisions in the provincial laws.

This part makes my head hurt a bit. The regulators said:

[67] In light of the above (as summarized in paragraphs 64 to 66), we determined that TikTok has no legitimate need or bona fide business interest for its collection and use of the sensitive personal information of these underage users (in the context of PIPEDA, PIPA AB and PIPA BC), nor is this collection and use in support of a legitimate issue (in the context of Quebec’s Privacy Sector Act). It is therefore our finding, irrespective of TikTok’s assertion that this collection and use is unintentional, that TikTok’s purposes for collection and use of personal information of underage users are inappropriate, unreasonable, and illegitimate, and that TikTok contravened subsection 5(3) of the PIPEDA, section 4 of Quebec’s Private Sector Act, sections 11 and 14 of PIPA BC and sections 11 and 16 of PIPA AB.

It’s clear that TikTok does not want children on its platform and takes active steps to keep children off its platform. The regulators were clear that they didn’t think the measures taken were adequate, but I didn’t see them say that TikTok was insincere about this. So they find that TikTok’s purposes for collecting personal information from children was not reasonable.

But TikTok had no purposes for collecting personal information from children. If kids make it through the age-gate and don’t have their account deleted, TikTok still does not want that data. They essentially said: “Your collection of personal information that you do not want and do not try to get is unreasonable.” Ok. I guess that’s their view.

The second issue focused on consent — whether TikTok obtained valid and meaningful consent for tracking, profiling, targeting, and content personalization.

The Commissioners said it did not.

They found that TikTok’s privacy policy and consent flows were too complex, too long, and lacked the up-front clarity needed for meaningful understanding. In particular:

Key information about what data was being collected and how it was used wasn’t presented prominently.
Important details were buried in linked documents.
The privacy policy was not available in French until the investigation began.
And users were never clearly told how their biometric information — facial and voice analytics — was used to infer characteristics like age and gender.

Even for adults, the Commissioners said consent wasn’t meaningful because users couldn’t reasonably understand the nature and consequences of TikTok’s data practices.

And for youth 13–17, TikTok mostly relied on the same communications used for adults — no simplified, age-appropriate explanations of how data is collected, used, or shared.

Under the Commissioners’ reasoning, because the data involved is often sensitive — revealing health, sexuality, or political views — TikTok needed express consent. They found the platform failed that standard.

[81] Additionally, while users might reasonably expect TikTok to track them while on the platform, which they can use for “free”, it is our determination that they would not reasonably expect that TikTok collects the wide array of specific data elements outlined earlier in this report or the many ways in which it uses that information to deliver targeted ads and personalize the content they are shown on the platform. Many of these practices are invisible to the user. They take place in the background, via complex technological tools such as computer vision and TikTok’s own machine learning algorithms, as the user engages with the platform. Where the collection or use of personal information falls outside of the reasonable expectations of an individual or what they would reasonably provide voluntarily, then the organization generally cannot rely upon implied or deemed consent.

The Commissioners’ reasoning is generally coherent, but I’m not sure that it directly leads to a requirement for express consent. Consent can be implied where the individual understands what information is being collected and how it will be used, and it makes sense to take into account whether the individual expects the collection and use. The main issue here is that there was collection and use of information outside the reasonable expectations of the individual. TikTok’s data practices are part of its “secret sauce” that has led to its success. Following the reasoning of the Commissioners … if TikTok had better calibrated the expectations of its users, it could have relied on implied consent.

The Quebec Commissioner took things even further. Under Quebec’s Private Sector Act, organizations must inform the person concerned before collecting personal information.

The CAI found TikTok failed to highlight key elements of its practices and was using technologies like computer vision and audio analytics to infer users’ demographics and interests without adequate disclosure.

The CAI also found that TikTok allowed features that could locate or profile users without an active opt-in action, violating Quebec’s rule that privacy settings must offer the highest level of privacy by default.

Now here’s where I think the Commissioners overreached.

They’re effectively holding TikTok — and by extension, every global digital platform — to a near-impossible standard.

First, on age verification: to exclude all under-13 users, TikTok would need to collect more information from everyone — things like government-issued ID or facial-age scans. That’s exactly the kind of sensitive biometric data privacy regulators have previously warned against.

So in demanding “better” age assurance, the Commissioners are actually requiring more surveillance and more data collection from all users — adults and teens alike. While it may be “protecting the children”, like so many age assurance tools it is actually privacy-invasive.

Second, on consent and transparency: privacy regulators have long said privacy policies are too long, too legalistic, and too hard to read. Yet here, they criticize TikTok for not providing enough detail — for not being even longer and more comprehensive.

So which is it? We can’t reasonably expect the average user to read a novel-length privacy policy, yet that’s what these findings effectively require.

And third, the Commissioners’ reasoning conflates complexity with opacity. TikTok’s algorithms and personalization systems are complex — that’s the nature of modern machine learning. Explaining them “in plain language” is a noble goal, but demanding a full technical manual risks burying users in noise.

In my view, this decision reflects a growing tension in privacy regulation: between idealism — the desire for perfect transparency and perfect protection — and pragmatism — the need for solutions that actually enhance user privacy without breaking the internet.

The regulators seem to be demanding a standard of perfection in a messy and complicated world. These laws can be applied reasonably and flexibly.

One final thing to note: The regulators say that information provided to support consent from young people (over the age of 13 or 14) has to be tailored to the cognitive level of those young people. That means it has to be subjective, in light of the individual. But the Privacy Commissioner of Canada is arguing in the Supreme Court of Canada against Facebook that consent is entirely objective, based on the fictional “reasonable person” (who is NOT a young person). They should pick a lane.

So, where does this leave us? TikTok has agreed to implement many of the Commissioners’ recommendations — stronger age-assurance tools, better explanations, new teen-friendly materials, and improved consent flows.

But whether these measures will truly protect privacy — or simply demand more data from more users — is a question regulators and platforms alike still need to grapple with.

The words “use” and “loss” in privacy laws may not mean what you think in a cyber-security incident

2025-09-21T21:00:00.004-03:00

I want to talk about a recent decision from the Ontario Divisional Court that affirms the Information and Privacy Commissioner’s very expansive view of what counts as a “use” or “loss” of personal information under Ontario’s privacy laws. Spoiler alert: it probably doesn’t mean what you think it means.

This case came out of ransomware attacks on two organizations: the Hospital for Sick Children in Toronto, known as SickKids, and the Halton Children’s Aid Society. Neither organization’s investigation found that hackers had actually looked at, copied, or stolen personal information. But both were still found by the Information and Privacy Commissioner of Ontario—the IPC—to have breached their obligations to notify individuals. And when the case went to court, the judges deferred to the regulator. Let’s look at what happened.

In 2022, both SickKids and Halton were hit by separate ransomware attacks. If you’re not familiar, ransomware is malicious software that encrypts systems and data so that they can’t be accessed unless a ransom is paid to get the decryption key.

Here, the attackers encrypted the systems at the container level—think of it like changing the lock on a filing cabinet. The files inside were untouched, unviewed, and un-exfiltrated, but temporarily unavailable.

Both SickKids and Halton promptly investigated, brought in cybersecurity experts, and concluded that there was no evidence of any data being accessed or stolen. They even notified the IPC, though they argued this was just a courtesy because the legal requirement to notify individuals wasn’t triggered. SickKids went further, posting public updates on its website and social media. But they didn’t include the mandatory line about the right to complain to the Information and Privacy Commissioner.

The IPC saw things differently. In 2024, it issued two decisions (Sick Kids, Halton CAS) . It found that both organizations had experienced a privacy breach involving an unauthorized “use” and “loss” of personal information. The trigger is an unauthorized “use” or an unauthorized “loss” of personal information. They concluded that the information was “used” and “lost” in an unauthorized manner, triggering the requirement to report to the Commissioner and to notify affected individuals. And to advise them of their right to complain to the Commissioner.

Why? The IPC reasoned that encrypting the containers “handled” or “dealt with” the personal information inside them, making it inaccessible to authorized users. That, it said, was enough to count as a “use.” And because the information was unavailable for a period of time, that was also a “loss.”

It should be noted that encryption at the container level did not expose any personal information and did not create any sort of risk to the affected individuals once remedied.

For Halton, the IPC ordered notice to affected individuals—though by way of a website posting rather than direct notification. For SickKids, since it had already gone public, no remedial order was made.

Both SickKids and Halton challenged the IPC’s decisions in court. The Ontario Hospital Association even intervened to support them, arguing that this interpretation of “use” and “loss” would lead to pointless over-notification and compliance burdens.

Now, this is where what we lawyers call the “standard of review” becomes important. When a court reviews an administrative decision, like one from the IPC, it doesn’t just substitute its own view of the law. Under a framework established by the Supreme Court of Canada in a case called Vavilov, the default standard is “reasonableness.” That means the court will defer to the regulator’s decision so long as it is “reasonable”, meaning it is internally coherent, justified, and within the bounds of the law.

In other words, unless the regulator really went off the rails, the court won’t step in.

The Divisional Court—Judges Sachs, Lococo, and Kurke—dismissed both the judicial reviews and Halton’s appeal.

They held that the IPC had reasonably interpreted “use” to include encryption that denied authorized users access to information, even if no one else ever looked at it. They also upheld the IPC’s finding that this was a “loss” of information, again because of the temporary unavailability.

The Applicants had argued that notification should only be required where individuals’ privacy interests were actually affected—where there’s a real risk of harm, like theft or misuse. The Court rejected that. Ontario’s Personal Heath Information Protection Act and Child, Youth and Family Services Act, 2017 don’t contain a “risk of significant harm” threshold. The statutes just say notify if information is “used” or “lost.” That’s the threshold.

The Court emphasized that words like “use” don’t necessarily carry their ordinary, common-sense or dictionary meaning. Instead, they take on the meaning given by the regulator, so long as that interpretation is reasonable.

I’ll be blunt: I don’t agree with this outcome. I understand why the Court deferred to the IPC, but I don’t agree with the IPC’s interpretation of those words. Encrypting a server at the container level is not, in any meaningful sense, a “use” of personal information. In any ordinary sense of the word, it was not “used”. Nobody viewed it, nobody copied it, and nobody exfiltrated it. The information was never actually touched. Ones and zeroes are moved around hard drives every minute of every day, and we don’t think of that as data being “used”.

And calling this a “loss”? At best, it was a temporary disruption. To me, that’s not what “loss” means. Putting it on a thumb drive and misplacing it would be a “loss”. If there was a temporary power cut to their data centre and the information was not accessible for an hour, we would not think that there’s any real unauthorized “loss” of the data. There was no risk of identity theft, no misuse, no real risk of harm to the individuals involved.

Here’s where I think the problem lies: Ontario’s PHIPA and the CYFSA don’t have a risk-based threshold. They require notification if there’s a “use” or a “loss,” regardless of whether there’s any actual risk to the individual. Compare that to the federal private sector law, PIPEDA. Under PIPEDA, an organization has to notify affected individuals and report to the federal Privacy Commissioner only if there’s been a “breach of security safeguards” that creates a “real risk of significant harm”.

That’s a sensible threshold. It filters out situations like this one, where the systems were disrupted but no one’s privacy was actually at risk. In my view, the PIPEDA standard is better. It focuses on the individual’s actual risk, rather than forcing organizations to notify just because a breach happened. Without a risk filter, you end up with over-notification, unnecessary costs, and notice fatigue, which ultimately makes people take these notices less seriously.

Because Ontario’s statutes don’t include a “real risk of significant harm” threshold, regulators like the IPC are free to take a very broad approach to words like “use” and “loss.” And courts, applying the deferential reasonableness standard, are not going to interfere.

So what does this mean for organizations in Ontario? It means that a word like “use” doesn’t always mean what you think it means. Regulators may adopt broader, purposive interpretations—especially in the context of cyberattacks. And courts, applying the reasonableness standard, will generally defer to those interpretations.

It also reinforces to me that privacy law is not really a practice area that one can just dabble in. Words in the statutes don’t necessarily mean what you’d think they mean. They have meanings given to them by the regulators, and the courts will generally defer to that interpretation.

The lesson is this: don’t rely on common-sense definitions of terms like “use,” “loss,” or “disclosure.” And don’t assume that the risk-based federal standard applies provincially. Look at how regulators are interpreting these terms in practice, because that’s what will stand up in court.

Recording conversations -- using AI gadgets and otherwise -- and the law in Canada

2025-09-14T19:52:00.003-03:00

One of the most common questions I get is about recording conversations. Can you do it? Is it legal? And maybe just as importantly … is it a good idea?

The answer is … complicated. And sometimes, even if it’s legal, it can be hostile or problematic.

A quick production note: I started a privacy law blog in 2004, and then started a YouTube channel at the end of 2021. In order to make this as accessible across multiple media, I’ve started a podcast that takes the audio and makes it available via Apple Podcasts, Spotify and the others. If you’d like privacy content while in the car or mowing the lawn, just look for “privacylawyer” in your favourite podcast app.

Now back to recording conversations and the law in Canada …

I’ll try to break it down.

Before we get into the traditional scenarios, let’s start with something very new: AI wearables.

You might have heard of something called the “Humane Pin”. The Humane AI Pin was a screenless, AI-powered wearable device designed by the American startup Humane. They somehow thought it could replace smartphones. After shipping in April 2024 to overwhelmingly negative reviews, Humane was acquired by HP, which discontinued the device's service in February 2025. Famously, Marques Brownlee - an incredibly influential YouTuber and product reviewer called it the worst product he’d reviewed. The Humane Pin flopped, but that wasn’t the end of “AI wearables.”

A more recent device is a thing called “Bee”. It’s a small wrist-worn gadget with microphones built in. The idea is kind of simple and a logical extension of a lot of what generative AI has to offer: You slap it on your wrist and it listens to what’s going on, it transcribes, and it helps you keep track of what’s said throughout your day. Think of it as a memory assistant. You can review conversations later, get reminders of “to-dos,” or even have it summarize meetings.

That sounds useful for productivity and accessibility. Imagine if English isn’t your first language, or if you’re hard of hearing, have a bad memory or if you simply want a perfect record of a complex meeting.

I’ve had relatives dealing with dementia, and something like this could be helpful, assistive technology when memories are fading and failing.

The catch is that they’re “always listening.” They’re not just catching your thoughts — they’re catching the people around you, likely without their knowledge. And that can raise privacy concerns.

Now, the law hasn’t changed because of gadgets like these. The same rules apply (which I’ll get into in greater detail): if you’re a party to the conversation, recording isn’t automatically illegal. But the scale and permanence are different. Instead of someone taking really detailed notes, now you have a verbatim transcript — stored in the cloud, maybe analyzed by AI, and potentially vulnerable to misuse or breach.

You may recall Google Glass, originally launched in 2014. It was pretty cool and likely ahead of its time. What caused privacy regulators heartburn was that it had an integrated camera. Though it was not recording all the time, the regulators really wanted it to have a red light on the front so that people around would at least be aware of whether it is recording. These new wearables are even less conspicuous and people whose voices can be captured likely have no knowledge that they’re being picked up.

Let’s dig into the law that applies to recording conversations in Canada, whether you do so on an old timey reel-to-reel recorder, your smartphone or an AI wearable. And these rules are the same whether you’re face-to-face, on a phone call or in a Teams meeting.

If we’re talking about conversations that begin and end in Canada, the first place to look is the Criminal Code of Canada. Part VI of the Code is actually titled “Invasion of Privacy,” and it makes it illegal to intercept a private communication unless you have authorization — like a warrant — or unless one of the legitimate parties to the conversation consents.

The Criminal Code makes it a hybrid offence (meaning that it can be prosecuted either as an indictable offence or a summary offence) to “knowingly intercept a private communication”. The maximum penalty is up to five years in prison. There’s a saving provision which says the offence does not apply to “a person who has the consent to intercept, express or implied, of the originator of the private communication or of the person intended by the originator thereof to receive it”.

This is often called “one-party consent.” In simple terms, if you’re part of the conversation, you can record it. But if you’re not part of the conversation, you can’t secretly bug the room, leave a phone recording on the table, and walk away. That would be illegal eavesdropping.

You’ll note that consent can be implied. I haven’t seen any cases on this point, but I’d think having a loud conversation in a public place within earshot of others may be “implied consent” for the conversation to be “intercepted.” But I would not want to be the test case.

While you might see CCTV surveillance cameras all over the place, they should NOT be recording audio. This would likely be illegal “interception of a private communication” and I don’t think signs like this one will get the requisite consent. Many consumer grade surveillance cameras that we’re now seeing all over the place also have a capability to record audio. If you’re using one of these cameras and they’re positioned where someone might be having a conversation, disable the audio collection.

So, if you’re a lawful participant in the conversation, the Criminal Code is not triggered. But if it’s someone else’s conversation, you can’t intercept it or record it.

But that’s not the end of the story. In Canada, we also have privacy laws: PIPEDA federally, plus provincial laws in Alberta, BC, and Quebec.

Here’s the key: these laws don’t apply to purely personal or domestic activities. So if you’re recording a conversation for your own memory, or for journalistic purposes, or to make a record of something for your own personal purposes, you’re not subject to PIPEDA when you’re doing that. The same applies for the provincial privacy laws of Alberta, BC and Quebec. Those laws generally apply to businesses and “organizations”.

But if you’re recording for commercial purposes — say, recording customer service calls — then privacy law kicks in. In those cases, you generally need to tell the person and get their consent. You’ll notice most companies start their customer service lines with: “This call may be recorded for quality assurance and record keeping purposes.” That’s why. The idea is that you’re on notice that it will be recorded and if you stay on the line, your consent to the recording is implied.

(Technically, the company has to list all the purposes for the recording and I think many are not doing a full job. For example, you can’t just say it’s for “quality assurance” purposes when you’re also keeping the recordings for record keeping purposes.)

And there’s more: even if a recording doesn’t violate the Criminal Code or privacy statutes, you may still face claims under provincial privacy torts, or common law actions for unreasonable invasion of privacy. This is a bit of a stretch for a conversation that the recorder is lawfully a part of, but I can certainly see a possible claim if the conversation was clearly of a private nature and the recording is made public.

Now let’s shift to the workplace. This is where the issue gets interesting — and frankly, tricky.

I was at a labour and employment law conference not long ago, and almost everyone in the room had a story about employees secretly recording conversations. Sometimes they recorded meetings with their supervisors, sometimes with colleagues. And in every anecdote I heard, it was a case where the other party to that conversation would not have agreed to the recording and people got really upset when the recording became known.

If the employee is a lawful party to the conversation, it’s not illegal under the Criminal Code. But does that make it okay? Not really.

Secretly recording a conversation is almost always seen as a hostile act. It signals distrust, it poisons the relationship, and it creates a “gotcha” culture.

Employers are within their rights to regulate this. I’ve heard of cases where an employee steps out of a meeting, but leaves their phone in the room, recording. The employee may be wondering if their colleagues talk about them when they’re not around. Well, that’s eavesdropping and a crime. If they secretly record meetings they’re attending, it may not be criminal — but it can still be problematic, and it may be against workplace policy. Employers should have policies about this.

Beyond ordinary workplaces, I’ve advised hospitals and health authorities about audio recording. Doctors and psychologists often feel uneasy when patients pull out a recorder. It can feel adversarial.

But sometimes recording is legitimate — even helpful. I remember when my father was diagnosed with cancer, my mother took detailed notes at every doctor’s appointment. There was so much information and all of it was overwhelming. If smartphones had been as common then as they are now, I would have suggested that she record these conversations, just to make sure she captured all the important information in such a stressful moment.

I’ve also spoken with psychologists where patients wanted to record therapy sessions. At first, practitioners felt uneasy. But when we explored it, recording actually improved therapy in some cases: patients could revisit the conversation, reinforce insights, and strengthen the therapeutic relationship. Once this was understood, the psychologists were concerned about whether the patients would adequately protect the recordings of these very sensitive conversations. Once the client walks about, that’s not really on the psychologist, but they can talk to their clients about this. I think in this scenario, it’s important for everyone to be on the same page.

So it’s not always hostile. Sometimes it’s accommodation. Sometimes it’s simply practical.

There’s also a new one that’s come up a lot recently: AI-enabled recording and transcription services that are built into or added onto video calls. You’ve probably seen them in Zoom or Microsoft Teams — a little box pops up saying “Recording and transcription is on.” I’ve seen people send their little ai companions to calls that they can’t attend personally.

These tools can be fantastic. They create a really good record of meetings, which can help with minutes, accountability, or accessibility — for example, if someone in the meeting is hard of hearing, or if English isn’t their first language. I’ve used automatic captions in a number of cases because it can be very helpful, and this is enabled by AI “interception.” Automatic transcription can also let people go back and confirm exactly what was said.

But they can also make people nervous. Suddenly, everything you say in a meeting is not just heard in the moment — it’s captured, stored, maybe even analyzed. That can change the vibe and how people participate.

It also creates a very detailed record that can be subject to discovery in litigation, which is its own risk.

From a legal standpoint, the rules haven’t really changed. If you’re part of the conversation, recording or transcribing isn’t illegal. In many ways, it’s not that different from someone taking very detailed and accurate notes. The real difference is scale and permanence: instead of one person’s notes, it’s a verbatim transcript that might live on a server indefinitely. It also creates a reliable record that is likely more credible in a hearing or a trial than any one person’s recollection or notes may be.

I think it’s a best practice for organizations to have a clear policy about the use of these tools. Decide when it’s appropriate, make sure everyone in the meeting knows what’s happening, and have rules around how those recordings and transcripts will be used, stored, and eventually deleted. I’m on the board of one volunteer organization, and it was decided that recording and AI transcription could be used but only to help the meeting’s secretary prepare the final minutes. Once the minutes were final, the recording and the transcript were deleted. The minutes are the official record.

And be careful about confidentiality. You may be fine with recording most of a meeting, but want to turn it off during any “in camera” period. And you’ll want to make sure that the recordings are securely stored in accord with the company’s records keeping policies.

Before I wrap up, I’ll mention two additional scenarios that are related to the legal system itself. First, under the rules of professional conduct for lawyers in Canada, there are requirements for a lawyer to notify a client or another legal practitioner of their intent to record a conversation. Rule 7.2-3 from the Law Society of Ontario Rules of Professional Conduct says

“A lawyer shall not use any device to record a conversation between the lawyer and a client or another legal practitioner, even if lawful, without first informing the other person of the intention to do so.”

So this requires notice, not consent. Essentially, you can’t do it secretly.

The second scenario related to the legal system is court hearings. As a general rule, you cannot record a court hearing without the permission of the presiding judge. I’ve been at hearings where reporters present are allowed to record, but the recordings can only be used to check the accuracy of their notes, and the recordings cannot be further disseminated or broadcast.

Privacylawyer content now available as a podcast

2025-09-08T08:30:00.001-03:00

I'm a longtime podcast listener and I watch a lot of YouTube. For some time, I've wanted to be sure that anyone who may be interested in my original content can get it wherever they want it. (That's one reason why I generally post the text of my YouTube videos here on the blog. Some people like to read words rather than watch a talking head.

From now on, my YouTube content will also be available as a podcast so you can just subscribe in your podcast app of choice.

The standalone page for the podcast can be found here: Privacylawyer - Canadian privacy and technology law with David Fraser.

Ontario privacy finding: Hidden biometrics in on-campus vending machines

2025-09-08T08:24:00.000-03:00

On August 27, 2025, the Information and Privacy Commissioner of Ontario released a revised finding against the University of Waterloo. The initial report was issued in June this year and I should have done an episode on it then. The case involved what looked like a pretty ordinary thing on campus — vending machines. Except these weren’t just any vending machines. They were “intelligent vending machines,” installed by a third-party service provider, and they secretly used biometric face detection technology.

That sounds creepy and the University was found to have violated Ontario’s public sector privacy law. It’s not as cut and dried, but there are some interesting takeaways from that decision.

Nobody on campus was aware that these vending machines use face detection technology until one of the machines malfunctioned and flashed an error message on its screen — basically outing itself as running “FacialRecognition.App.exe.” Understandably, students complained. It got a lot of media coverage and some buzz on Reddit.

The Information and Privacy Commissioner of Ontario investigated.

At the outset, the University of Waterloo challenged whether the Commissioner even had jurisdiction here. The University argued that this wasn’t really about Ontario’s Freedom of Information and Protection of Privacy Act — instead, they said it was governed by the federal Personal Information Protection and Electronic Documents Act or PIPEDA. Their reasoning? Selling snacks through vending machines is a commercial activity. And PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity. And that meant the federal law applied, not the provincial law.

They also argued that if the vending machines didn’t actually capture personal information — as the manufacturer claimed — then there was nothing for the Commissioner to investigate. And finally, Waterloo tried to limit its responsibility by pointing out that it never contracted for biometric collection in the first place. In their view, if the vendor went off and deployed face detection technology, that wasn’t for them, they didn’t ask for it and they should not be on the hook for it.

The Commissioner rejected all of those jurisdictional arguments. The decision emphasized that under FIPPA, Ontario institutions like universities are responsible for personal information collected by vendors operating on their behalf — even when those vendors are engaged in activities with a commercial character. The Commissioner leaned on the “double aspect” doctrine in our constitutional jurisprudence: both federal and provincial laws can apply at the same time. In other words, even if PIPEDA could cover some of the activity, that doesn’t oust FIPPA.

So the bottom line on the jurisdiction question was that the University of Waterloo couldn’t escape the Commissioner’s oversight just by pointing to federal law or saying “we didn’t know.” Once personal information was being collected on its campus by machines it authorized, the University was on the hook under FIPPA

On the merits, the Commissioner concluded that the machines were capturing facial images, even if only for milliseconds. Not surprisingly, these facial images qualify as “personal information” under Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA).

The collection wasn’t authorized by law, wasn’t necessary for selling chips and chocolate bars, and no notice was given.

Therefore, in the IPC’s view, Waterloo had violated FIPPA.

In order to find Waterloo at fault, or in violation of FIPPA, the IPC asks and answers three questions:

The IPC asked: “Did Waterloo “collect” personal information?” The Commissioner said yes. Even though the vendor claimed the system only processed images in real time, the machines captured full facial images in memory to estimate age and gender. That’s enough to count as a collection of personal information.

But really? Was it really Waterloo who “collected” personal information? Legally, yes. They had a vendor who was supplying goods and services on their behalf and the University is responsible for that.

Then the IPC asked: “Was the collection compliant with FIPPA?” No. Section 38(2) of FIPPA says you can only collect personal information if it’s expressly authorized, needed for law enforcement, or necessary to carry out a lawful activity. Selling snacks doesn’t need biometric data. It might be “helpful” for marketing — but helpful isn’t the same as “necessary.” And also, no notice was given that personal information was being collected and why.

Finally, the IPC asked: “Did Waterloo have reasonable measures to protect personal information?” The Commissioner said they had decent contract clauses, but they fell down in procurement. They didn’t do the privacy risk assessment that could have flagged the biometric capability. That failure meant they didn’t exercise enough due diligence, and so they’re responsible.

Here’s where I think the finding is problematic. Waterloo had no knowledge of the biometric functionality. They weren’t using it, they didn’t ask for it, and their contract didn’t mention it. The vendor who responded to the RFP for vending machines apparently wasn’t aware of this functionality in some of the machines they provided. That other supplier embedded this capability, and at the time nobody was aware of it.

Due diligence usually asks the question with reference to what a reasonably prudent person would have done in the same circumstances. Without the benefit of hindsight, I think the University met that standard. But they could have done better, so the University is still on the hook for a privacy violation. It seems to be holding them to a higher standard, based on what we know now.

It could have been enough to just give them a gentle slap upside the head, saying it’s 2025 and we need to assume that anything that uses electricity – and particularly if it’s a “connected device” – has the potential to collect personal information. You need to check. Even vending machines.

Think about what this means in practice:

Does every university, hospital, or government office now need to disassemble or reverse-engineer every piece of technology it procures? Almost.

Do they need to anticipate hidden biometric features in a vending machine?

Or test for surveillance capabilities in every piece of software?

That’s a pretty heavy burden — one that goes far beyond what most organizations reasonably do. I guess the standard for reasonable diligence has to be raised.

Yes, we want institutions to take privacy seriously. Yes, procurement processes should involve risk assessments. But here, it feels like the University is being faulted for not uncovering something that was essentially hidden. I’m not sure we can fault them for not asking at the time whether a vending machine used biometrics. We know now, but I don’t think they should be expected to have known to ask back then.

While the vendor was not in the cross-hairs of the IPC’s investigation, vendors need to be mindful. If you build a product with biometric capabilities, you should have to disclose it — clearly and up front. If it’s an “internet of things” connected thing, it should be clearly identified as such. There probably is a boilerplate term in contracts that put the vendor on the hook if they cause the customer to violate any applicable law.

In the end, a finding of having violated FIPPA isn’t like a criminal charge. The IPC issued two recommendations, which the university agreed to implement. First was to review their policies to make sure that future collection of personal information complies with FIPPA. Second was to implement practices to carry out necessary due diligence to identify, assess and mitigate any potential risks to personal information throughout the entire procurement process, including during the planning, tendering, vendor selection, agreement management and termination phases.

There’s a lesson here for everyone: I guess it’s time to update all your procurement and vendor documentation to ask about any connected or biometric features. Ask detailed questions about every bit of gear being installed and fully understand their capabilities. And I’d include reps and warranties in my contacts allowing for the termination of agreements if there has been any misrepresentation about the possible collection of personal information.

One thing also to note is I think this would have gone differently for the university if the vendor wasn’t the university’s service provider. As I mentioned before, the university is on the hook for all personal information collected by their service providers, whether they wanted the information collected in the first place. But if the university had structured the arrangement differently, they likely would have avoided that direct responsibility. For example, if the agreement was more like the bare rental of space for the placement of vending machines on campus, the element of custody or control of the data likely would not have been there. Imagine the university enters into a lease with Starbucks to put a coffee shop in the library atrium. In such a scenario, you wouldn’t really see the University as being responsible for Starbucks’ collection of personal information as part of the Starbucks Rewards loyalty program. Or maybe the privacy commissioner would take a different view? I kind of hope not.

In any event, there are more than a few lessons to learn from this finding.

Bill C-2 "Strong Borders Act" - Supporting Authorized Access to Information Act (Part 15)

2025-07-16T10:42:00.001-03:00

On June 3, the new Canadian government tabled Bill C-2 in Parliament, called “An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures” but with a short title of the “Strong Borders Act”.

Once again, following in the footsteps of past conservative and liberal governments, it contains a trojan horse that revives what has come to be known as “Lawful Access”. I’m really getting tired of these sorts of bills. (See Canadian Privacy Law Blog: Past Canadian "lawful access" attempts, both by Liberal and Conservative governments.)

In my last episode, I discussed Part 14 of the Bill, which creates new law enforcement authorities to get customer information, either without a warrant or court order, or with an order but based on a very low standard. In this episode, I’ll go over Part 15, which creates a standalone “Supporting Authorized Access to Information Act”. The government says this is simply to make sure that electronic service providers have the capacity and capability to “share information” with “authorized persons”.

I think it goes beyond this. It is similar to Bill C-26 from the last Parliament, as it allows the government to dictate what technologies electronic service providers use. This time is to create the capability for law enforcement to plug into service providers’ systems.

Throughout this discussion, I can’t help but be reminded that the US has had something similar in their laws, and the mandated intercept capabilities were used by Chinese hackers to get access to data.

The "Salt Typhoon" hacking incident, attributed to a Chinese state-sponsored advanced persistent threat (APT) actor, came to light in late 2024 with revelations that the group had extensively compromised the computer systems of multiple major U.S. telecommunications companies. The stolen information included call and text message metadata, and in some high-profile instances, even audio recordings of phone calls belonging to government officials and political figures.

This is what’s coming to Canada …

The Supporting Authorized Access to Information Act creates a framework in which the Government of Canada can require electronic service providers to facilitate law enforcement and intelligence services’ access to data and information. Much of its scope is left to regulations. The sweep of what entities can be in scope of the Bill if very broad by regulating “electronic service providers”:

electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that

(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada.‍ (fournisseur de services électroniques)

This is extremely broad, and would likely capture almost all communications services that provide any service to Canadians. It likely covers VPN – or virtual private network – providers as they provide a service that involves the transmission of information. This would also scope in text messages, emails, phone calls, voice over IP calls and video calls.

The Act specifically will target “core providers”, who are “electronic service provider[s] belonging to a class of electronic service providers set out in the schedule.” In the version of the Bill tabled at first reading, the schedule is blank. I guess “to be determined”, but I expect it’ll be all the major telcos and internet service providers in Canada. It may include the significant messaging providers, like Apple, WhatsApp, Microsoft Teams, Zoom and email providers like Microsoft, Apple, Google.

It is very, very broad in its possible scope.

Ministerial regulations for “core providers”

The Act, in s. 5(2), empowers the government to create regulations placing obligations on core providers which relate to intercept and access capabilities and includes the installation of devices, etc. on behalf of “authorized persons”.

(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information; and

(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b).

Importantly, a core provider is not required to comply with a regulation “if compliance with that provision would require the provider to introduce a systemic vulnerability in electronic protections (defined as ‘authentication, encryption and any other prescribed type of data protection’) related to that service or prevent the provider from rectifying such a vulnerability.” This would permit a regulated core provider to refuse to install a backdoor or compromise encryption if that would create a systemic vulnerability.

Core providers can apply for an exemption for a specified period of time, in order to have time to come into compliance.

Orders directed to specific electronic service providers

Per s. 7, the Minister is able to issue orders to any electronic service provider, regardless of whether they are a core provider, along the lines of regulations authorized under s. 5(2) for a specified period of time. In making the order, the Minister must consider:

(a) the benefits of the order to the administration of justice, in particular to investigations under the Criminal Code, and to the performance of duties and functions under the Canadian Security Intelligence Service Act;

(b) whether complying with the order would be feasible for the electronic service provider;

(d) the potential impact of the order on the persons to whom the electronic service provider provides services; and

(e) any other factor that the Minister considers relevant.

The Minister, in their discretion, may provide compensation to offset some of the costs incurred in paragraph (c). Similar to compliance with regulations, an electronic service provider is not required to comply with a portion of an order that would “require the provider to introduce a systemic vulnerability in electronic protections related to that service or prevent the provider from rectifying such a vulnerability.”

The Minister is required to permit affected electronic service providers to make representations prior to issuing an order under s. 7.

Obligations to assist

The Act contains a very broad and problematic obligation on all electronic service providers to provide all reasonable assistance to a range of persons to “permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.” The list of persons authorized to make this demand include the Minister, CSIS employees, police officers and civilian employees of a police force.

There is no threshold and no limitation on this power. For example, there is no requirement for approval from the Minister or any other senior person. It does not have to be reasonably necessary for any purpose related to the Act. You could have a lineup of people from every municipal police department out the door of an electronic service provider, the they have to provide this unlimited and unbounded assistance.

Prohibitions on disclosure

The Act contains, at s. 15, very broad prohibitions on disclosure by electronic service providers, including whether one is subject to an order, the contents of an order, information relied upon by the Minister in making an order, representations made by the electronic service provider or the Minister, the fact that representations were made. This is ridiculous. It may make sense to give the Minister the power to issue gag orders from time to time, where they are of the view that disclosure of the information would compromise law enforcement or national security.

In this country secrecy should be the exception – and should have to be justified – not the default, particularly with respect to services we use every day and our civil liberties. This is so prone to overreach and possible abuse, and all of it takes place in the shadows.

It is very problematic that an electronic service provider is prohibited from disclosing “information related to a systemic vulnerability or potential systemic vulnerability in electronic protections employed by that electronic service provider”. This would mean that if any electronic service provider were to discover a vulnerability in their system, it would be prohibited by Canadian law from disclosing it to anyone. This may include a prohibition on disclosure to customers who may have been affected by a past or current vulnerability, or even that company’s own contractors who carry out security audits on its systems. For example, if a telco discovers a vulnerability in a router, they will tell the manufacturer of the router and various organizations that work diligently to make sure that the entire cybersecurity community can identify and fix vulnerabilities.

If a telco finds a vulnerability in a system used by all Canadian telcos (because the government will get to dictate what systems telcos use), they can’t alert the other telcos about that vulnerability.

Paragraph (g) is actively harmful to Canadians, and will be a huge boon for the bad guys who look for and exploit these vulnerabilities. It really, really has to go.

The parameters of these prohibitions on disclosure can be subject to regulations made pursuant to s. 17 of the Act.

Under s. 16, if an electronic service provider is to seek an application for judicial review of any order or decision under the Act, it is prohibited from doing so unless it gives fifteen days’ advance written notice to the Minister, along with a copy of the notice of application.

Under s. 17, the Government can make regulations respecting confidentiality and security requirements for electronic service providers and persons acting on their behalf must comply. Specifically, it authorizes regulations:

(a) respecting the disclosure of information referred to in section 15;

(b) establishing rules of procedure for the protection of information referred to in section 15 in administrative or judicial proceedings;

(c) respecting requirements related to employees of electronic service providers and other persons whose services may be engaged by electronic service providers, including with respect to their security clearance and location; and

(d) respecting security requirements with respect to the facilities and premises of electronic service providers.

This is extremely broad, and is not limited to confidentiality and security measures that are reasonably required related to the purposes of the Act. Remember, “electronic service provider” is broad enough to include service providers completely and entirely outside of Canada.

It potentially includes requirements for all of an ESP’s facilities regardless of location, and paragraph (c) even permits regulations regarding where facilities can be located, and security clearances for employees.

This is clear overreach. None of it is limited to protecting the security of the lawful intercept and information gathering capabilities dictated by the Act.

Enforcement and administration

The Act gives the Minister authority to designate persons (or classes of persons) to administer and enforce the Act. These designated persons are given vast powers under s. 19 to enter any place (other than a dwelling) to verify compliance or to prevent non-compliance with the Act. Within such a place, they are authorized to:

(a) examine anything found in the place, including any document or electronic data;

(b) make copies of any document or electronic data that is found in the place or take extracts from the document or electronic data;

(d) use or cause to be used any computer or data processing system at the place to examine or copy electronic data; and

(e) use or cause to be used any copying equipment at the place to make copies of any document.

The Act places an obligation on every owner of a place, a person in charge of the place and everyone in the place to give all assistance that is “reasonably required” by the designated person, including providing any document or electronic data “they may reasonably require”. In addition, in 19(6), a designated person can bring anyone with them to assist.

This is not specifically limited to places in Canada, but likely cannot be enforced outside of Canada. Again, this is completely without limits. The designated person can say “I want your entire customer database” and the ESP ostensibly needs to comply. Even more, it would be illegal for an employee there to not assist with this outrageous demand.

Audit orders

Under s. 21, a designated person can order an electronic service provider to conduct an internal audit “of its practices, documents and electronic data to determine whether it is in compliance with any provision of this Act or the regulations.” A copy of the audit must be provided to the designated person, and if the audit uncovers any non-compliance, it must specify the non-compliance and measures taken or to be taken to comply with the relevant provision or order.

Orders by designated persons

The Act, at s. 23, gives the designated persons order-making powers. If they believe “on reasonable grounds that there is or is likely to be a contravention of the Act or regulations, they can issue a written, mandatory order requiring an electronic service provider to:

(a) stop doing something that is or is likely to be in contravention of that provision or cause it to be stopped; or

(b) take any measure that is necessary to comply with the requirements of that provision or mitigate the effects of non-compliance.

These orders are subject to review by the Minister, on request of the electronic service provider. Unless otherwise ordered by the Minister, the order issued by the designated person must be complied with.

Administrative monetary penalties and offences

The Act, at s. 27 et seq, provides for a full administrative monetary penalty (AMP) regime that is intended to “promote compliance with this Act and not to punish”, along with penal offences at s. 40 et seq.

If a contravention results in an AMP, the penalty can be up to CAD $250,000, and if a violation continues more than one day, each day constitutes an additional violation. The due diligence defence is available, as are common law defences.

The Act provides for liability by corporate “directors, officers or agents or mandataries who directed, authorized, assented to, acquiesced in or participated in the commission of the violation”. A notice of violation will set out the amount of the AMP, which can be simply paid, which amounts to an admission of the violation. Alternatively, the alleged violator can enter into a compliance agreement with the Minister or request a review by the Minister of the acts or omissions that constitute the alleged violation, or the amount of the penalty.

In a review by the Minister for a violation, the evidentiary standard is balance of probabilities and there is no prescribed appeal from the Minister’s decision. Judicial review would likely be available in the Federal Court of Canada.

Violations can also be penal offences, which are summary conviction offences with a maximum fine of $500,000. If a violation continues more than one day, each day constitutes an additional violation. As with AMPs, due diligence is a defence and officers/directors can also be convicted if they “directed, authorized, assented to, acquiesced in or participated in the commission of the offence”. It is also an offence to obstruct or make a false or misleading statement to (a) a person authorized to assess or test any device, equipment or other thing, or (b) a designated enforcement person.

In a nutshell, this part of Bill C-2 has enormous impacts on electronic service providers – globally – and represents a huge overreach with enormous power and discretion given to the Minister and “designated persons”. It has the potential to introduce significant vulnerabilities into the systems we use every day for our most private communications and also may completely upend the practice of information sharing that is the foundation for keeping the internet safe and secure.

This “Supporting Authorized Access to Information Act” should be taken out of Bill C-2 so it can get the attention, discussion and scrutiny it deserves. I am really, really afraid that it’ll be jammed through Parliament under the guise of strengthening our border to appease the current US government. And we know that once governments get powers, they never surrender them.

Bill C-2 "Strong Borders Act" - New demands and orders for customer information (Part 14)

2025-07-16T10:13:00.001-03:00

As the name implies, it’s mostly about border measures, customs stuff, fentanyl and immigration. But once again, following in the footsteps of past conservative and liberal governments, it contains a trojan horse that revives what has come to be known as “Lawful Access”. The Bill contains a number of search, seizure and surveillance measures that have nothing to do with the border or fentanyl. In the past, governments have tried to introduce similar measures under the guise of fighting terrorism, child abusers and cyberbullies. Now it’s apparently border security.

I’m really getting tired of these sorts of bills and for a brief moment, I was hopeful that this new government would take a different route. Apparently not. I am completely confident that the lawful access provisions of his bill have been sitting in a drawer at the Department of Public Safety, desperately waiting for an opportunity to put it in a slightly relevant bill. Sigh.

For now, I’m going to focus on Part 14 of Bill C-2 which amends the Criminal Code in a bunch of ways. Part 15 creates a whole new law called the “Supporting Authorized Access to Information Act”, which I’ll have to cover in another episode.

Part 14 creates a new police order or “information demand”, without judicial oversight or control, to require service providers to hand over basic information about customers. It dramatically truncates the response time for production orders and unrealistically gives service providers only five days to challenge a production order. It amends the law to clarify that cops can just ask for information and service providers can just hand it over. It may also permit the cops to use illegally hacked and leaked data in their investigations.

It creates a new production order for subscriber information that police can get with only “reasonable grounds to suspect” an offence has taken place, not the usual “usual grounds to believe” an offence has taken place. And it’s broader than most general production orders I’ve seen for “basic subscriber information”.

The Bill creates a puzzling new warrant that allows a judge to authorize a peace officer or public officer to obtain tracking data or transmission data that relates to any thing that is similar to a thing in relation to which data is authorized to be obtained under the warrant and that is unknown at the time the warrant is issued. So if the cops get a warrant to track a certain thing, and then discover it's related to another thing that can also track the person, they can get data from the second thing. Hmm.

Finally, Part 14 includes a weird judicial authorization to make a request for data from a foreign entity.

The new “information demands”.

This new section 487.0121 of the Criminal Code authorizes a “peace officer or public officer”, without judicial authorization, to make a demand of any person who “provides service to the public” requiring them to provide any of the following information in this list.

Information demand

487.‍0121 (1) A peace officer or public officer may make a demand in Form 5.‍0011 to a person who provides services to the public requiring the person to provide, in the form, manner and time specified in the demand, the following information:

(a) whether the person provides or has provided services to any subscriber or client, or to any account or identifier, specified in the form;

(b) if the person provides or has provided services to that subscriber, client, account or identifier,

(i) whether the person possesses or controls any information, including transmission data, in relation to that subscriber, client, account or identifier,

(ii) in the case of services provided in Canada, the province and municipality in which they are or were provided, and

(iii) in the case of services provided outside Canada, the country and municipality in which they are or were provided;

(c) if the person provides services to that subscriber, client, account or identifier, the date on which the person began providing the services;

(d) if the person provided services to that subscriber, client, account or identifier but no longer does so, the period during which the person provided the services;

(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and

(f) if the person is unable to provide any information referred to in paragraphs (a) to (e), a statement to that effect.

Paragraphs (a) and (b) are clearly intended to deal with the situation where the police have a phone number, and want to go to Rogers or Bell and ask “is this number serviced by you”? And if so, where is the service provided and whether they have customer records. That tells them enough information to refer the case to the local police where the customer is. Regularly, the RCMP in Ottawa receive information from a foreign police agency that’s just associated with an IP address. They may know it’s a Rogers IP address, but they don’t know where the potential suspect is. Now Rogers will have to tell them, without a warrant or court order, “yes, that’s our customer and they live in Montreal.” No directly identifying information is supposed to be shared.

I don’t have a big problem with this. I am concerned about paragraph (e), however.

(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and

So if the service provider knows that the customer in question gets services from anyone else, that also has to be disclosed. So if the Eastlink customer has a Hotmail address on file, I think they have to disclose that the person is also a Microsoft customer. What could be more problematic is if a company that supports OAuth logins (like using your Microsoft account to log into other services), this may require disclosing where those logins take place.

The threshold for making such a demand is that they have “reasonable grounds to suspect” (a very low threshold) that (a) an offence has been or will be committed under any Act of Parliament and (b) the information demanded will assist with the investigation of the offence. The peace officer or public officer can impose a non-disclosure order.

The person receiving the order has only 5 days to seek to have the demand varied or revoked, and has to give notice to the peace officer or public officer of its intent to have the demand varied or revoked. Five days is not much, in my view. The threshold for varying or revoking a demand is if “(a) it is unreasonable in the circumstances to require the applicant to provide the information; or (b) provision of the information would disclose information that is privileged or otherwise protected from disclosure by law.” Demands like these seem unlikely to disclose privileged information.

The next significant thing in Part 14 of Bill C-2 is a “production order for subscriber information”. Unlike in previous “lawful access” attempts, this does require judicial authorization, but the threshold is very, very low. It’s just above the police having a “hunch”.

We have a new section 487.0142, which creates a new production order for subscriber information with a very low threshold of simply “reasonable grounds to suspect” that (a) an offence has been or will be committed under the Criminal Code or any other Act of Parliament; and (b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

Unlike a General Production Order, this order requires the production of “all the subscriber information” in the recipient’s possession. The General Production Orders that I see on a regular basis name the specific data being sought. These orders are for “all subscriber information”, which is broadly defined:

subscriber information means, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person,

(a) information that the subscriber or client provided to the person in order to receive the services, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services. (renseignements relatifs à l’abonné)

Look at (a): it likely also includes billing information. If it’s a paid service, like a cell phone, bank account or credit card information would have been provided when the account was set up. I do not regularly see this in general production orders for subscriber information.

It is worth pointing out that these orders can be obtained to investigate any “offence” in any Act of Parliament. This is not limited to the Criminal Code or the Controlled Drugs and Substances Act or the Customs Act. This includes the Canada National Parks Act.

And I really must emphasise that “reasonable grounds to suspect” is a very low threshold. It is the lowest in our legal system, since our system doesn’t recognize “hunches” or “spidey senses”.

This is in direct response to the Supreme Court of Canada’s decision in R. v. Spencer where the court said that the police can’t just ask for subscriber information, but it must be on the basis of exigent circumstances or in accord with a “reasonable law”. The government clearly thinks this is a “reasonable law” that gets them there.

Next up are Applications for requests of transmission data or subscriber information from a foreign entity.

The new s. 487.0181 is a bit unusual, as it creates a power to authorize a “request” (not an order) directed at a “foreign entity that provides telecommunications service to the public.” The request is approved by a judge on an application by a peace officer or a public officer.

487.‍0181 (1) On ex parte application made by a peace officer or public officer, a justice or judge may authorize a peace officer or public officer to make a request to a foreign entity that provides telecommunications services to the public to prepare and produce a document containing transmission data or subscriber information that is in the foreign entity’s possession or control when it receives the request.

The request is limited to transmission data or subscriber information.

The threshold for issuing such a request is again “reasonable grounds to suspect that (a) an offence has been or will be committed under this or any other Act of Parliament; and (b) the transmission data or the subscriber information is in the foreign entity’s possession or control and will assist in the investigation of the offence.”

It is really weird. So the police go to a judge to get an authorization to make a non-compulsory request to a foreign entity. Essentially all this does is make sure that the cop swears in front of a judge that they have reasonable grounds to suspect, and the judge concurs with this. But it’s not compulsory.

I expect that this is in response to the controversy surrounding the Breknell case from British Columbia that questioned whether production orders can be issued naming entities physically outside of Canada.

This may also be intended to take account of arrangements like a CLOUD Act agreement, contemplating the inclusion of information that may be necessary under the laws of a foreign state:

Form

(4) The production request is to be in Form 5.00803 and may include any information that is required by the foreign entity, by the foreign state in which the foreign entity is located or under an international agreement or arrangement to which Canada and the foreign state are parties.

Again, these are not court orders, but are issued like a court order. What the cop sends to the foreign service provider is the request, and a copy of the authorization.

I think this will cause a lot of confusion. A large number of non-Canadian service providers will respond to general production orders, particularly where the investigation relates to a person they identify as being in Canada. For some such entities, their privacy policies say they’ll only disclose information where “required by law”, and if they are following PIPEDA with respect to Canadian customer data – as they should – “required by law” is one of the exceptions that allows a disclosure to police. These requests don’t trigger the “required by law” exception in our privacy law. Also, some US service providers require that the thresholds largely align with the American “probable cause” standard. Reasonable grounds to suspect does not meet that threshold.

So cops may think they just have to send a request and the foreign service provider may say that’s not sufficient, we want a production order. So back to the judge.

I note these can be combined with an order of non-disclosure, which is binding at least under Canadian law. Whether it can really bind a foreign company is not clear.

What’s also puzzling is that officials from the government, during the technical briefing on the Bill, said none of our “five eyes partners” (meaning the US, UK, Australia and New Zealand) require an order for police to get subscriber information. That’s not my experience.

Now onto “exigent circumstances”...

Clause 167 of the Bill codifies what I understand to be the common law related to “exigent circumstances.” Just so we’re on the same page: “Exigent circumstances” exist where (a) there is imminent threat to the public or public safety; or (b) a risk of loss or destruction of evidence.”

The Code has generally permitted peace officers to search and seize in “exigent circumstances” if the conditions for obtaining a warrant exist, but exigent circumstances mean it would be impracticable to obtain a warrant. The provision, s. 487.11 of the Code, is being replaced to scope in powers that are available under certain production orders. The underlined portions are what have been added to the existing s. 487.11.

Essentially, this means that a peace officer or public officer may make a demand that has the force of law without a court order where exigent circumstances make seeking the order impracticable.

It is unclear to me whether a demand under (b) would have the same force and effect as a production order for the same data, and whether non-compliance could result in the same penalties.

Bill C-2 amends section 487.0193 to dramatically and problematically truncate the window of time to commence a review to revoke or vary a production order issued under sections 487.014 to 487.018 of the Criminal Code. The new timeframe is FIVE DAYS after the date of the Order. It was previously prior to the deadline referred to in the order, which is generally 30 days.

This is unworkable in my view. I regularly see production orders that were delivered to the service provider days after they were issued. I sometimes interact with cops who already have an order and want to know where to send it. After this amendment, the clock is ticking rather loudly. If a cop gets an order on a Thursday before a long weekend, delivers it on a Friday, it may not come to anyone’s attention until Tuesday. And making a decision to challenge a production order isn’t usually made by the person in corporate security who first review it. It’ll have to go up a chain of command. By the time a decision-maker gets their eyes on it, the window will have closed. And they can’t even make an application unless they get ahold of the cop to tell them that it will be challenged.

In my experience, this will be completely unworkable for most service providers.

For some time, s. 487.0195 of the Code has contained provisions that say a police officer can always ask for information that would otherwise be subject to a production order, and to obtain that information where the person is not prohibited by law from disclosing. Clause 164 Bill C-2 amends this section to add subsections that clarify that this includes data that could be the subject of an information demand under the new section 487.0121.

The section appears intended to provide immunity to a service provider who voluntarily provides information that would otherwise be subject to a production order. So a cop asks a bank or a telco to “voluntarily” provide customer data, and the bank or telco says “sorry, we can’t because privacy laws prohibit it and we’ve agreed with our customers that we’ll only provide data where required by law.” The cop can point to this section and say “so what? They can’t successfully sue you and you have no civil or criminal liability for providing the data”. I’d respond saying that our privacy laws are not about criminal or civil liability, come back with a warrant.

And paragraph (4) says that cops can always use information that is “available to the public.” I’ve heard some raise concerns that this would include data that is publicly leaked via hacking or other nefarious means. So they can go trolling through the Ashley Madison leaks, I guess.

I’ll have to save the deeply Supporting Authorized Access to Information Act for another episode, so stay tuned for that.

Overall, I really hope that the government gets a lot of shaming for putting this trojan horse in the border bill. These expanded law enforcement powers are consequential and deserve to be appropriately discussed and debated. I think that’s why the government decided to go this route, to avoid the huge outcry we’ve seen in the past related to prior lawful access attempts.

Discussion with Michael Geist about the part of Bill C-2 that is not getting enough attention

2025-06-30T16:59:00.002-03:00

Past Canadian "lawful access" attempts, both by Liberal and Conservative governments

2025-06-26T16:58:00.004-03:00

2005 (Lib - Paul Martin - Minister Anne Maclellan) - C-74 (38-1) - LEGISinfo - Parliament of Canada - Short title: Modernization of Investigative Techniques Act (Did not pass)

Library of Parliament Legislative Summary for Bill C-74

2009 (Con - Stephen Harper - Minister Peter Van Loan) - C-47 (40-2) - LEGISinfo - Parliament of Canada - Short title: Technical Assistance for Law Enforcement in the 21st Century Act (Did not pass)

Library of Parliament Legislative Summary for Bill C-47

2011 (Con - Stephen Harper / Minister Vic Toews) - C-52 (40-3) - LEGISinfo - Parliament of Canada - Short title: Investigating and Preventing Criminal Electronic Communications Act (Did not pass)

Library of Parliament Legislative Summary for Bill C-52

2012 (Con - Stephen Harper / Minister Vic Toews) - C-30 (41-1) - LEGISinfo - Parliament of Canada - Short title: Protecting Children from Internet Predators Act (Did not pass)

Library of Parliament Legislative Summary for Bill C-30

2013 (Con - Stephen Harper / Minister Peter MacKay) C-13 (41-2) - LEGISinfo - Parliament of Canada - Short title: Protecting Canadians from Online Crime Act (Passed)

Library of Parliament Legislative Summary for Bill C-13

Materially misleading statements in the Charter Statement for Bill C-2's Lawful Access provisions

2025-06-23T15:35:00.007-03:00

The government of Canada – specifically the Minister of Justice – just released its “Charter Statement” regarding Bill C-2, the Strong Borders Act. I’m particularly focused on the “lawful access” provisions in the Bill, and I read it with interest to see how the government thinks the expanded government access to data is compatible with Section 8 of the Charter. Section 8 prohibits unreasonable searches and seizures.

In the Charter Statement, the Minister significantly mischaracterizes his own bill in a manner that makes it appear more Charter-compliant. It could be a handful of honest mistakes, but I’m getting more cynical as my hair gets more grey. (The two may be connected, now that I think about it.)

Anyways, it’s not a huge “GOTCHA!”, but they should acknowledge the mistakes and fix them.

Some background on what Charter Statements are about can be found in the Charter Statement itself:

Section 4.2 of the Department of Justice Act requires the Minister of Justice to prepare a Charter Statement for every government bill to help inform public and Parliamentary debate on government bills. One of the Minister of Justice’s most important responsibilities is to examine legislation for inconsistency with the Canadian Charter of Rights and Freedoms. By tabling a Charter Statement, the Minister is sharing some of the key considerations that informed the review of a bill for inconsistency with the Charter. A Statement identifies Charter rights and freedoms that may potentially be engaged by a bill and provides a brief explanation of the nature of any engagement, in light of the measures being proposed.

So in this particular Charter Statement, there are a couple of troubling and significant mis-statements about the Lawful Access provisions which – surprise! surprise! – make it appear more Charter-compliant.

When discussing the new production order for Subscriber Information, it says:

The judge would have to be satisfied that an offence has or will be committed and that there are reasonable grounds to suspect that the information will assist in the investigation of an offence.

This is not true. Not even close. The conditions for issuing an order are set out in the new, proposed subsection 487.0142(2), which says:

(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.‍004 that there are reasonable grounds to suspect that
(a) an offence has been or will be committed under this Act or any other Act of Parliament; and (b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

The judge only has to be satisfied based on a cop’s sworn say-so that there are reasonable grounds to suspect an offence has been or will be committed, and they have reasonable grounds to suspect the subscriber information will assist in the investigation. This is far from the judge having to be “satisfied” that an offence has been committed. The cop swearing the application doesn’t even have to be satisfied that an offence has been or will be committed. It’s enough that the judge believes that there are reasonable grounds to justify the cop’s tingling “Spidey sense”.

In the next paragraph about the production order for subscriber information, the Charter Statement says that this power will be used to “generate leads”, which sounds like a fishing expedition to me. I don’t think that’s a mistake.

We’ve been told that this power is to be used if the police have an IP address associated with someone they suspect is victimizing children, so they can identify THAT person, do an investigation and then get a search warrant. That’s not “generating leads”, as far as I understand that terminology.

The next material misstatement is in the last sentence of that paragraph, which says “if [the judge] chooses to issue an order, the judge would have discretion as to what information is specified in it.” I’m pretty sure that’s incorrect.

The new order power says it is for

ALL the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

ALL the subscriber information that relates to the identifier that is specified in the order. The form of the order, which is prescribed in the Act, does exactly that. The order is for ALL subscriber information, which is horribly broadly defined. I’m not seeing any discretion here.

I have some issues with the way certain things are characterized, like saying that information that can be subject to a warrantless demand by a cop is not sensitive information.

The way this provision is drafted, it can include going to a family doctor and saying “Do you provide services to David Fraser? What specialists (like psychiatrists) also provide him with services?” I would say I have a high expectation of privacy in that information. They can go to your bank and the definition of subscriber information can compel them to provide a list of all companies you do business with. That merely identifies the client and the services the client receives. But that’s sensitive information and goes well beyond going to a telco and asking “Do you provide service to this number, and what city does the customer live in?”

This is either sloppy or intended to be deceptive. If the government thinks this is defensible, they should defend it on its own actual, honest merits. In just about every lawful access provision in the Bill, they are lowering the bar to make it easier to get information, while widening the net to capture more information than they say they need.

I’ve said it before and I’ll say it again: Parts 14 and 15 need to be taken out of the Bill, put in their own Bill so we can discuss them. I want to have an honest debate with someone who is interested in an HONEST debate. Think about this …. Bill C-2 is the FIRST substantial bill that Mark Carney’s new government introduced in the House of Commons after getting elected. Correct me if I’m wrong – but I’m pretty sure I’m not – no liberal candidate or the present Prime Minister campaigned on any of the new police and national security powers mentioned in Parts 14 and 15 of Bill C-2.

Alberta's privacy law unconstitutionally violates freedom of expression -- again -- in a decision that has implications for All Canadian privacy laws

2025-05-17T19:00:00.006-03:00

You may have seen some headlines that said that Alberta’s privacy law has been declared unconstitutional. Yup, it’s true that at least part of it was and here’s why …..

This case involves Clearview AI Inc. ("Clearview"), a U.S.-based facial recognition company, challenging an order issued by Alberta’s Information and Privacy Commissioner. The order, based on findings from a joint investigation by Canadian federal and provincial privacy regulators, required Clearview to cease offering services in Alberta, stop collecting, using, and disclosing images and biometric data of Albertans, and delete the relevant data already in its possession.

Clearview sought judicial review of the order on a number of grounds, including that it is not subject to the jurisdiction of Alberta and that the Personal Information Protection Act (aka “PIPA”) does not apply to it, the Commissioner adopted an unreasonable interpretation of the words “publicly available” in PIPA and the Personal Information Protection Act Regulation (the “PIPA Regulation”), and the Commissioner’s finding that Clearview did not have a reasonable purpose for collecting, using, and disclosing personal information is unreasonable. Clearview further asserted that the Commissioner’s interpretation of PIPA and the PIPA Regulation is unconstitutional contrary to Charter s 2(b) which guarantees freedom of expression. That last argument is the one we’re going to focus on.

One thing that is really interesting about the case is that the Court did not really have to address the Charter issues. The Commissioner found that Clearview’s purposes were not reasonable, which is necessary for a company to even collect, use or disclose personal information. The Court agreed, and could have just said “not reasonable!” – don’t have to decide the Charter question – just go follow the Commissioner’s order. But the Court delved into the Charter question as well.

It’s also notable that this is the second time that the Alberta statute has been declared to violate the Charter based on “publicly available information” in the Act and the Regulations as being too narrow. That was done by the Supreme Court of Canada in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, when the Act was being applied to video recording by a union at a picket line.

The company at issue in this case, Clearview AI, has been the subject of many privacy investigations around the world. They collect facial images from publicly accessible websites, including social media, and use them to create a biometric facial recognition database, marketed primarily to law enforcement. In 2020, privacy commissioners from Alberta, B.C., Quebec, and Canada investigated Clearview’s operations and concluded in a joint report that its practices violated privacy laws.

In December 2021, Alberta’s Commissioner issued an order directing Clearview to cease operations in Alberta, based on violations of PIPA. The Commissioner essentially said that Clearview must do for Alberta what they agreed to do in setting a lawsuit in Illinois (which is notorious for its biometric laws).

Clearview AI then brought an application for judicial review in the Court of King’s bench, contesting:

Jurisdiction of Alberta’s Commissioner,
The reasonableness of the Commissioner's interpretation of "publicly available" under PIPA,
The constitutionality of PIPA's consent-based restrictions on the collection, use, and disclosure of personal information.

It should be noted that the British Columbia Commissioner issued a similar order, which was upheld by the Supreme Court of British Columbia last year.

In Alberta, as far as the jurisdiction argument went, the Court upheld the Commissioner’s jurisdiction, finding a "real and substantial connection" between Clearview’s activities and Alberta. Clearview had marketed its services in Alberta and its database included images of Albertans. The bar for jurisdiction in Canada is pretty low.

On the statutory interpretation issue, the Court accepted as reasonable the Commissioner’s interpretation that images scraped from the internet, including social media, are not "publicly available" within the meaning of the PIPA Regulation. The Commissioner employed a purposive approach, interpreting the relevant provisions narrowly in light of the quasi-constitutional status of privacy rights.

PIPA, like other privacy regulatory regimes in Canada, provides that consent must be obtained to collect and use “personal information” unless certain exceptions apply. One of the exceptions provided for in PIPA is that the information is “publicly available.” PIPA uses the term “publicly available,” but the definition for those words is found in PIPA Regulation section 7(e). PIPA Regulation s 7(e) provides:

7 ... personal information does not come within the meaning of ... “the information is publicly available” except in the following circumstances: ... (e) the personal information is contained in a publication, including, but not limited to, a magazine, book or newspaper, whether in printed or electronic form, but only if (i) the publication is available to the public, and (ii) it is reasonable to assume that the individual that the information is about provided that information.

The private sector privacy laws of Alberta, British Columbia and Federally have similar, but not identical definitions of what is “publicly available” information that does not require consent for its collection and use. There are other categories, but this decision turned on information in a publication. Here are the three different definitions:

In Alberta, it says

the personal information is contained in a publication, including … but not limited to … a magazine, book or newspaper, whether in printed or electronic form, but only if (i) the publication is available to the public, and (ii) it is reasonable to assume that the individual that the information is about provided that information;

In British Columbia, it does not use “including but not limited to”:

personal information that appears in a printed or electronic publication that is available to the public, including a magazine, book or newspaper in printed or electronic form.

Under PIPEDA’s regulation, the analogous provision reads:

personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

Canadian privacy regulators have interpreted “publication” to exclude social media sites like Facebook and LinkedIn, where Clearview harvests much of its information.

Clearview argued that this narrow interpretation under the Alberta statute and regulation violated its freedom of expression rights under section 2(b) of the Charter of Rights and Freedoms, and could not be saved as a reasonable limitation under section 1 of the Charter.

The Court agreed that:

Clearview’s activities (compiling and using data to deliver a service) were expressive. The consent requirement effectively operated as a prohibition on expression where obtaining consent was impractical.

This amounted to a prima facie infringement of s. 2(b) of the Charter.

I should note that the Alberta Commissioner – ridiculously in my view – argued that the Charter wasn’t even engaged. Here’s what the Court said.

[107] The Commissioner submits that if Clearview’s activity is expressive, it should be excluded from constitutional protection because “the method – mass surveillance – conflicts with the underlying s 2(b) values.” Clearview’s activity, according to the Commissioner, conflicts with the purposes of Charter s 2(b) including the pursuit of truth, participation in the community, self-fulfillment, and human flourishing. The Commissioner offered no authority to support the position that expressive activity could be excluded from protection based on a conflict with underlying constitutional values. Short of violence, all expressive activity is protected by Charter s 2(b).

It’s just a dumb argument to make, in my view.

So once a prima facie infringement is made out, the burden shifts to the government to justify it as a reasonable limitation, prescribed by law that can be justified in a free and democratic society. This follows something called the Oakes test:

The test involves a two-stage analysis: first, the objective of the law must be pressing and substantial; second, the means used to achieve that objective must be proportionate, which requires

a rational connection between the law and its objective,
minimal impairment of the right or freedom, and
a proportionality between the law’s benefits and its negative effects on rights.

In this case, the Court found that there was a Pressing and Substantial Objective: Protecting personal privacy is valid and important. The Court also found that the requirement of consent is logically connected to privacy protection, and thus rationally connected.

The law failed on the “minimal impairment” part of the analysis. The dual requirement of consent and a reasonable purpose, without an exception for publicly available internet data, was overly broad.

In a nutshell, the court has to consider what expressive activities are captured – how broadly the net is cast – and whether everything that is caught in that net is necessary or rationally connected to the pressing and substantial objective.

The Court summarized Clearview’s argument at paragraph 129:

“Clearview asserts that people who put their personal information on the internet without protection do not have a reasonable expectation of privacy. Where there is no reasonable expectation of privacy, the protection of privacy is not a pressing and substantial state objective.”

The Court noted that the way the net is being cast by the Act and the regulations not only captures Clearview’s web-scraping, but it also captures legitimate indexing by beneficial search engines. The Commissioner’s interpretation would exclude search engines, meaning that they would have to get consent for all collection, use and disclosure of personal information obtained from websites.

Here’s what the Court said at paragraph 132 of the decision:

[132] A difficulty with the PIPA consent requirement for personal information publicly available on the internet is that it applies equally to Clearview’s search technology used to create a facial recognition database and regular search engines that individuals use to access information on the internet. … For the most part, people consider Google’s indexing of images and information to be beneficial. And certainly, Albertans use Google and similar search engines for expressive purposes. But according to my interpretation of PIPA and the PIPA Regulation and the Commissioner’s interpretation of those same instruments, Google and similar search engines cannot scrape the internet in Alberta for the purpose of building and maintaining an index of images of people without consent from every individual whose personal information is collected.

The Court then went on to say at paragraphs 136 and 137:

[136] PIPA and the PIPA Regulation are overbroad because they limit valuable expressive activity like the operation of regular search engines. There is no justification for limiting use of publicly available personal information by regular search engines just as there was no justification to limit use of publicly available personal information for reasonable purposes by the union in UFCW Local 401.

[137] Alberta has a pressing and substantial interest in protecting personal information where individuals post images and information to websites and social media platforms subject to terms of service that preserve a reasonable expectation of limited use. This pressing and substantial interest, however, does not extend to the operation of regular search engines. A reasonable person posting images and information to a website or social media platform subject to terms of service but without using privacy settings expects that such images and information will be indexed and retrieved by internet search engines; indeed, that is sometimes the point of posting images and information to the internet without using privacy settings.

Then, at paragraph 138, the court concluded that the “publicly available” exception was too narrow because it specifically would capture general search engines, which do not engage the “pressing and substantial limitation”

[138] The public availability exception to the consent requirement in PIPA and the PIPA Regulation is source-based, not purpose-based. Because it is source-based, it applies to regular internet search engines that scrape images and information from the internet like Clearview even if they use images and information for a different purpose. I find that PIPA and the PIPA Regulation are overbroad because the definition of “publication” in PIPA Regulation s 7(e) is confined to magazines, books, newspapers, and like media. Without a reasonable exception to the consent requirement for personal information made publicly available on the internet without use of privacy settings, internet search service providers are subject to a mandatory consent requirement when they collect, use, and disclose such personal information by indexing and delivering search results. There is no pressing and substantial justification for imposing a consent requirement on regular search engines from collecting, using, and disclosing unprotected personal information on the internet as part of their normal function of providing the valuable service of indexing the internet and providing search results.

The court essentially concluded that it was OK to limit what Clearview is doing, but it is NOT OK to limit what search engines are doing. The law, as written, does not distinguish between the “bad” and the “good”, and as a result, the law did not “minimally impair” this important Charter right.

On the final balancing, the Court concluded that the harm to freedom of expression was not outweighed by the benefit to privacy.

The Court declared that PIPA ss. 12, 17, and 20 and PIPA Regulation s. 7 unjustifiably infringed s. 2(b) of the Charter and could not be saved under s. 1 of the Charter, to the extent that they prohibited the use of publicly available internet data for reasonable purposes.

The Court upheld the Commissioner’s jurisdiction and found her statutory interpretation reasonable. However, the impugned provisions of PIPA and the Regulation were declared unconstitutional insofar as they infringed freedom of expression by unduly restricting the use of publicly available information online.

I fully expect that this decision will be appealed, and I don’t know if the British Columbia decision has been appealed.

In the big picture, though this decision is not binding on the Federal Commissioner, it pretty strongly stands for the proposition that PIPEDA’s publicly available information exception is also unconstitutional. This has implications for “the right to be forgotten” and for collecting data for training AI models, both of which are currently before the federal commissioner.

Drones and trespass law in Canada: You don't own your airspace over your property

2024-12-01T11:34:00.003-04:00

A legal question that sometimes comes up for drone pilots is whether you can legally fly over private property and whether a property owner has any recourse against a drone pilot. It comes up on a daily basis for folks like DJAudits in the UK on his YouTube channel, where he educates property owners and security guards on this issue, whether they want to know or not.

I’m a recreational drone operator. I’ve advised other operators and have experience with investigations by Transport Canada related to RPV/UAV activities. I’ve been an invited speaker on this topic at various drone expos and to media lawyers. I would not call myself a drone lawyer, but I think I know more about this than most lawyers. I have another YouTube channel where I post my drone videos, mostly of Beautiful Nova Scotia. I’ll put a link below.

And I should note what I’m about to talk about is applicable to Canada only. The law may be similar in other places, but I only practice Canadian law.

Any legal claims like this would be governed by the common law, which is the body of law applied and interpreted by judges. There are no statutes passed by parliament or provincial legislatures that we can look to for the answer. And we really don’t have any reported cases in Canada that deal with trespass claims involving drones.

The one case that comes the closest is Reynolds v Deep Water Recovery Ltd from the Supreme Court of British Columbia. In that case a drone operator and environmental activist was sued by a ship breaking company for trespass and nuisance, among other claims. It started when she sued the company alleging that they stole her drone and returned it damaged. She also alleged assault and harassment. The company filed a counterclaim alleging trespass, nuisance, invasion of privacy and the illegal operation of a drone.

She then applied to have the company’s claims thrown out as a “strategic lawsuit against public participation.” The Court didn’t address whether flying the drone over her property was actually trespassing. Assuming this goes to trial, we’ll have to wait and see for this first of a kind decision.

But that doesn’t mean that the courts haven’t considered whether a property owner “owns” the airspace over the property. There’s a case called Didow v. Alberta Power Limited, which was between a property owner and a power company. The power company constructed a power line on the municipal road allowance along the side of the plaintiff’s land. The poles themselves were two feet outside the property line, but the cross-arms conductors and attaching wires at the top of each pole protruded six feet into the airspace above the plaintiff’s land. It went to the Alberta Court of Appeal, where the only question was whether that intrusion above the plaintiff’s property was a trespass.

If you’re interested in geeking out about this question, the court of appeal decision is FOR YOU! Justice Haddad had to go through all the old authorities and started with this really old “legal maxim”. I won’t try to pronounce the latin, but it means “whoever's is the soil, it is theirs all the way to Heaven and all the way to Hell”. Essentially, if you own the land, you own the skies above it and the dirt below it.

It has been traced back to the 13th century, long before there was any kind of aircraft. Since then, there has been much litigation that has ultimately scaled back the principle from the latin maxim.

The Alberta court of appeal favourably quoted from a 1977 English case called Bernstein v Skyviews. Though it’s from decades ago, it did deal with a case where the defendant flew over the plaintiff’s country house for the explicit purpose of taking photos of the property. In this case, the English Court of Queen's Bench said:

“… The problem is to balance the rights of an owner to enjoy the use of his land against the rights of the general public to take advantage of all that science now offers in the use of air space. This balance is in my judgment best struck in our present society by restricting the rights of an owner in the air space above his land to such height as is necessary for the ordinary use and enjoyment of his land and the structures on it, and declaring that above that height he has no greater rights in the air space than any other member of the public.”

So your exclusive rights to the airspace over your property only extend as high as is necessary for your usual enjoyment of your land and whatever’s built on it.

If you currently have bare land and then build a five storey structure and put up a windmill, then the airspace that you exclusively control goes up.

The Alberta Court of Appeal also quoted from a 1946 decision of the Supreme Court of the United States called United States v Causby. In this case, a farmer's farm was located close to an airport and the planes flying over the farm were hurting – even killing – his chickens. Here’s what the Supreme Court of the United States said:

“The landowner owns at least as much of the space above the ground as he can occupy or use in connection with the land. … The fact that he does not occupy it in any physical sense-by the erection of buildings and the like - is not material. … While the owner does not in physical manner occupy that stratum of airspace or make use of it in the conventional sense, he does use it in somewhat the same sense that space left between buildings for the purpose of light and air is used. The superadjacent airspace at this low altitude is so close to the land that continuous invasions of it affect the use of the surface of the land itself. We think that the landowner, as an incident to his ownership, has a claim to it and that invasions of it are in the same category as invasions of the surface.”

The court concluded that if you permanently erect something above someone’s property at a height they might use the space, then that IS trespassing. “In any event, they serve to make clear that intrusion by an artificial or permanent structure into the airspace of another is forbidden as a trespass.”

The part that matters for drone operators is transient use of airspace at a height unlikely to affect the landowner is NOT a trespass. The door is still open for consideration of intrusions at lower altitudes. I think the cases would lead to the conclusion flying a drone above someone’s property at a low level – like below the roofline – would be a trespass.

But it can be something called a “nuisance”. A nuisance is interfering with someone’s enjoyment of their property. The interference has to be substantial, and I think it would have to be pretty outrageous or regularly repeated.

I can imagine a scenario in which someone has a backyard pool with a privacy fence around it. If someone hovered a drone over the pool while people are sunning themselves, the presence of the drone could interfere with the usual enjoyment of the pool.

And the nuisance can be more than just the mere presence there; a court could take into account the noise made by the drone. I’m pretty sure if I installed a dozen of these drone hangars in my back yard and ran drone sorties from them 24/7, my neighbour would have a case that I’ve created a nuisance.

It should also be noted that serious interference with someone’s lawful enjoyment of their property can also be a criminal code offence of mischief. I think it would have to be pretty serious and I can’t find any cases that have considered drones as causing the mischief.