Any substantive changes in this Legislative Summary that have been made since the preceding issue are indicated in bold print.
On 1 November 2010, Bill C-52, An Act regulating telecommunications facilities to support investigations (short title: Investigating and Preventing Criminal Electronic Communications Act), was introduced in the House of Commons by the Minister of Public Safety (the Minister), the Honourable Vic Toews. It died on the Order Paper when the 40th Parliament was dissolved on 26 March 2011.
The bill deals with very specific aspects of the rules governing lawful access. Lawful access is an investigative technique used by law enforcement agencies and national security agencies that involves intercepting private communications1 and seizing information where authorized by law. Rules and conditions relating to lawful access are set out in a number of federal statutes, in particular the Criminal Code, the Canadian Security Intelligence Service Act and the National Defence Act.2
Bill C-52 revives many of the essential provisions of two previous bills that died on the Order Paper. Bill C-74, the Modernization of Investigative Techniques Act, was introduced during the 1st session of the 38th Parliament in November 2005, and died on the Order Paper on 29 November 2005, when the 38th Parliament was dissolved. Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act, was introduced during the 2nd session of the 40th Parliament in June 2009 and reproduced many of the fundamental provisions of the former Bill C-74. Bill C-47 later died on the Order Paper when Parliament was prorogued in December 2009.3
Bill C-52 addresses a concern expressed by law enforcement agencies that new technologies, particularly Internet communications, often present obstacles to lawful communications interception. The bill permits the following:
Bill C-52 is part of a series of bills introduced during the 3rd Session of the 40th Parliament that aims to create a lawful access regime in Canada. This series includes:
A third, related piece of legislation is Bill C-29, the Safeguarding Canadians' Personal Information Act. Bill C-29 amends the Personal Information and Electronic Documents Act to broaden the range of purposes for which law enforcement authorities may request the provision of personal information from private entities without the consent of the individual concerned. The amendments also would expand the range of uses and permissible disclosure, without consent, by law enforcement of private information obtained under lawful authority, such as that provided under Bill C-52.5
In addition, amendments introduced in Bill C-29 and in Bill C-52 would restrict the circumstances under which individuals may be informed that the government has requested or received their personal information.6
Since 1995, law enforcement agencies have called for legislation that requires all telecommunications service providers to have technical means in place to enable police services to carry out lawful interceptions on their networks.
Currently, the procedures governing access to subscriber information held by Internet service providers (ISPs) are perceived by some to slow investigators' access to vital information in today's fast-paced, near-borderless digital world. It has been argued that the technical inability to isolate or intercept communications in real time may impede investigators and prosecutors. What is more, strong encryption techniques can prevent law enforcement and national security officials from accessing information unless they also have the power to access the decryption key.7
The Canadian national security community has argued that legislative amendments enabling reliable, fast and secure access to data held by telecommunications service providers, including subscriber information, are required in order for Canada to identify networked machines responsible for sophisticated cyber-attacks on strategic targets, and to actively defend valuable information and networks in Canada.8
Following the development of a strategic framework in 2000, officials from Justice Canada, Industry Canada and the Solicitor General of Canada9 held public consultations in 2002.10 A summary of the results of the consultations was made public in 2003 and Bill C-54, the Modernization of Investigative Techniques Act, was introduced in November 2005.11 Further consultations were held by Public Safety Canada in 2007, including consultations with those from the telecommunications industry, civil liberty groups and victims' rights groups. The Minister of Public Safety subsequently introduced Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act.
Both Bill C-54 and Bill C-47 died on the Order Paper.
During and since the consultations, debate has centred on whether there is a need for lawful access legislation, the appropriate level of protection for individual privacy rights, and the propriety and costs of imposing technical interception standards on private businesses.12
Bill C-52 represents a step towards harmonizing the tools available to counter cybercrime at the international level, particularly regarding the interception capabilities of telecommunications service providers.13 Canada signed the Council of Europe's Convention on Cybercrime in November 2001, as well as its Additional Protocol on hate crime in July 2005.14 The Convention requires states that are party to the treaty to create offences under their domestic law criminalizing certain uses of computer systems, and requires the adoption of legal tools adapted to deal with new technologies, such as orders to produce "subscriber information."
The Convention does not specify the exact mechanisms that must be used to meet these obligations, leaving these choices up to the states that are party to the treaty. Such choices include determining whether a judicial warrant or other authorization is needed prior to accessing information. In addition, the domestic criminal procedures that states are required to adopt under the Convention relate only to law enforcement activities - the Convention does not require states to create procedural mechanisms permitting the interception of private communications and/or the disclosure of private information for broader national security purposes. Finally, the Convention requires states to respect all relevant national and international human rights obligations when implementing their obligations under the treaty.15
At present, no Canadian legislation compels all telecommunications service providers to use apparatus capable of intercepting communications. Only licensees that use radio frequencies for wireless voice telephony services have been required, since 1996, to have equipment permitting such interceptions.16 There is no similar requirement for other telecommunications service providers.
Telecommunications service providers may legally intercept private communications in four cases:
In order to intercept the content of private communications, law enforcement and national security agencies require prior legal authorization, usually in the form of a judicial warrant.18 Bill C-52 will not alter these requirements.
On the other hand, Bill C-52 requires all telecommunications service providers (including, for example, ISPs) to possess the technical capacity to allow law enforcement and national security agencies to intercept communications sent via the service provider, once the relevant legal authorization has been obtained.
Within six months of the date on which the bill comes into force, telecommunications service providers will have to submit a report to the Minister stating their capability to respond to the interception requirements set out in the bill (clauses 30 and 70).
Under Bill C-52, telecommunications service providers must use apparatus that enable law enforcement and national security agencies to intercept, for example, subscribers' email and Internet protocol (IP) addresses, the date and time of communications and the types of files transmitted (telecommunications data),19 and the substance of messages (content-related data).
Once a law enforcement or national security agency has obtained the necessary legal authorization, the telecommunications service provider must provide all communications that have been lawfully intercepted (clause 6(1)). If possible, the telecommunications service provider must provide the intercepted communication in the form specified by the requesting agency, which includes decrypted communications if the telecommunications service provider has the technical capacity to provide this. However, telecommunications service providers are not required to develop specific decryption techniques themselves (clauses 6(4) and 6(5)).
Bill C-52 requires that telecommunications service providers keep interception processes and requests confidential (clauses 6(2) and 23).
A key feature of Bill C-52 is the requirement that all telecommunications service providers have specific technical capacities to allow them to intercept communications transmitted through their networks. Specific capabilities required under the bill include:
Telecommunications service providers also must have the capability to allow multiple law enforcement and national security agencies to intercept communications transmitted at the same time by more than one user.20
The bill requires telecommunications service providers to meet the new technical standards for interception when updating their systems. Thus, any transmission apparatus acquired or software installed after clauses 10 and 11 come into force must comply with the new standards. In other words, there is no requirement under the bill for a service provider to update systems simply to comply with the new standards. However, at the request of the Commissioner of the Royal Canadian Mounted Police (RCMP) or the Director of the Canadian Security Intelligence Service (CSIS), the Minister has the power to order a telecommunications service provider, before upgrading, to acquire communications interception capability that meets the new technical standards (clauses 14(1)(d) and (e)).
At present, in most circumstances, private organizations must disclose personal information about clients to law enforcement and national security agencies, without the consent of the individual concerned, only if the relevant agency has judicial or other legal authorization to compel the production of the information. In other circumstances, the disclosure of personal information is not mandatory. In practice, telecommunications service providers in Canada tend to disclose clients' personal information voluntarily only in circumstances permitted under their subscriber agreements, and generally only in order to minimize an imminent danger to life or property.21
Recent legislation has, however, imposed a requirement that ISPs report pro-actively to police if they have reasonable grounds to believe that the services they provide are being used to transmit child pornography.22
The legality of police requests for voluntary disclosure of subscriber information by telecommunications service providers (disclosure in the absence of a warrant) has been an issue before the courts, challenged as a violation of the right to be free from unreasonable search or seizure under section 8 of the Canadian Charter of Rights and Freedoms, which protects individual privacy from intrusion by the state. The Supreme Court of Canada has held that individuals have a reasonable expectation of privacy in information that tends to reveal intimate details about their lifestyle and personal choices.23 Judicial decisions as to whether a warrant is needed to access subscriber information, therefore, generally turn on whether the individual concerned had a reasonable expectation of privacy in such information.
Whether individuals currently have a reasonable expectation of privacy in subscriber information remains somewhat unclear and the case law is highly fact-specific. A number of lower court decisions have held that subscribers do not have a reasonable expectation of privacy in relation to such information.24 However, a reasonable expectation of privacy has been found in certain other cases.25 Recent case law suggests that the more that subscriber information tends to reveal patterns of use of telecommunications equipment that could expose intimate details about lifestyle or personality, the greater the likelihood that individuals would have a reasonable expectation of privacy in that information.26
Bill C-52 aims to provide clarity with respect to the types of information that may be disclosed to law enforcement or national security agencies without a warrant.
Bill C-52 establishes a process that enables designated people within law enforcement and national security organizations to request and obtain certain subscriber information from a telecommunications service provider, without a warrant or other legal authorization (clause 16(1)).27 The bill also establishes certain safeguards.
Only specific types of information associated with the subscriber's services and equipment can be obtained without a warrant:
The bill does not require telecommunications service providers to gather information other than that already collected in the normal course of business. Nor are they required to verify the accuracy of this information (for example, the accuracy of a subscriber's name or postal address).
Requests for subscriber information may be made, in writing, only by individuals who perform duties related to the protection of national security or law enforcement, and who are designated by the Commissioner of the RCMP, the Director of CSIS, the Commissioner of Competition or their chief of police (“designated persons”) (clause 16(3)).
Each organization may designate a limited number of employees: a maximum of 5% of the agency's employees or, where an organization has 100 or fewer employees, five persons (clause 16(4)).
Designated members of police services may request, in writing, information that relates to any police function, including the enforcement of any federal or provincial laws, or the laws of a foreign state. Designated members of CSIS and the Commissioner of Competition may only request information relating to their functions under their relevant enabling legislation (clause 16(2)).
Information obtained through these requests can be used only for the purposes above, or for a use consistent with these purposes, unless the individual in question has given consent to broader use (clause 19).29 Service agreements between telecommunications service providers and customers, which normally are contracts of adhesion,30 could incorporate a consent clause allowing for broader uses of information obtained pursuant to the bill.31
All police officers, whether or not they are designated persons under the bill, would have the power to require the disclosure of subscriber information by telecommunications service providers in urgent situations if:
Subsequently, a designated person at the same agency must provide a written record of the request to the telecommunications service provider (clauses 17(3) and (4)).
Requests for information must be made in writing, and the reasons for the request and the information obtained must be recorded (clause 18).
The Commissioner of the RCMP, the Director of CSIS, the Commissioner of Competition or a chief of police will be required to take measures to verify, on a regular basis, that the requests made by their respective organization comply with the provisions in Bill C-52 and its regulations (clause 20(1)).
If the relevant agency head or police chief is of the opinion that anything arising out of his or her audit should be brought to the attention of the responsible minister, he or she must report the information and any corrective action proposed or taken without delay (clause 20(2)). Therefore, the bill establishes a subjective standard for reporting.
Depending on the agency in question, the audit report also must be provided to an independent review body: the Privacy Commissioner of Canada (in the case of the RCMP or the Commissioner of Competition), the Security Intelligence Review Committee (in the case of CSIS) or the provincial public officer responsible for privacy protection (in the case of a provincial or municipal police service). There is no requirement that reports be furnished to other provincial accountability bodies that have review and/or oversight functions in relation to municipal or provincial police forces (clause 20(3)).
The Privacy Commissioner of Canada and the Security Intelligence Review Committee have the power to conduct external reviews of requests for subscriber information provided for in the bill (clauses 20(4) to 20(5)). The Privacy Commissioner also must report annually on the powers of provincial privacy officers to conduct external audits in relation to provincial and municipal police forces (clause 20(6)). Currently, not all provincial privacy officers have the power to conduct the type of external audits envisioned in the bill.33
There is no specific power in the bill authorizing the RCMP Public Complaints Commission, which has the power to initiate investigations into the conduct of any member of the RCMP or other person employed under the Royal Canadian Mounted Police Act, to access all information related to internal or external audits. The RCMP Complaints Commission currently does not have the power to compel the production of information or documents, unless a public hearing is held in relation to a specific complaint.34
The Minister may designate any person to verify compliance with the provisions of the bill. Such individuals may enter any place owned by a telecommunications service provider to examine documents, information and telecommunications facilities; use computer systems to search and examine information; or use any other telecommunications device in that location. However, if the place in question is a dwelling house - a structure that is occupied as a permanent or temporary residence - then a designated person must obtain a judicial warrant in order to first gain access.35 Without obtaining a judicial warrant, designated persons may create and remove copies of any information found, and are authorized to enter and pass through private property, other than a dwelling house, in order to exercise these powers (examples of such privately owned property could include office buildings, stores, yards, etc.) (clauses 34, 35 and 36).
Telecommunications service providers must provide all necessary assistance during such compliance visits (clauses 34(3), 38).
The bill provides for two types of contraventions: violations and offences. The scheme of the bill suggests that violations are considered to be less serious infractions than offences. The bill sets out fines for both types of contraventions. No provision is made for imprisonment.
The Governor in Council will determine, by regulation, which contraventions of the bill constitute a violation (clause 39). The regulations will also establish the maximum fine that may be imposed for each violation. Fines range up to $50,000 in the case of an individual and up to $250,000 in the case of a corporation or any other entity (clause 64(1)(p)(ii)).
An administrative procedure allows persons served with notices of violation to dispute their liability by making representations to a person designated by the Minister (clause 43). Decisions made under this procedure may be appealed to the Minister (clause 44(1)) and the Minister’s decision on appeal is subject to judicial review.36
The summary conviction procedure set out in the Criminal Code applies to offences, with fines ranging between $15,000 and $250,000 for an individual and between $15,000 and $500,000 for a corporation. The bill provides for four categories of offences (clauses 55, 56(1), 56(2), 57):
The consent of the Attorney General of Canada is needed before a prosecution may be initiated in respect of the first two categories of offences (clause 58).
The bill will apply to all telecommunications service providers operating a transmission facility in Canada, subject to specified complete and partial exemptions contained in Schedules 1 and 2. The Governor in Council may amend these schedules by regulation to add or delete a class of telecommunications service providers (clause 5(4)). The bill also sets out temporary exemptions for maximum periods of two or three years, depending on the case.
The bill does not apply to private networks; that is, to persons who provide telecommunications services primarily to themselves, their household or their employees, and not to the public. Nor will the bill apply to telecommunications service providers that provide telecommunications services intended principally for the sale or purchase of goods or services other than telecommunications services to the public. Finally, the provisions of the bill will not apply to the core functions of financial institutions, registered charities, educational institutions (except post-secondary institutions), hospitals, places of worship, retirement homes, telecommunications research companies, and broadcasters.
Post-secondary educational institutions, libraries, community centres, restaurants, hotels, condominiums and apartment buildings will be required to provide information about their telecommunications facilities to law enforcement agencies, but will not be subject to the other obligations under the bill.
Telecommunications service providers that transmit communications on behalf of other telecommunications service providers without modifying communications or authenticating the users (known as intermediaries) will not be subject to the obligations regarding interception capability, unless they are made subject to these requirements by order of the Minister (clauses 14(1), 14(2)).
The bill provides the Minister with the power to exempt telecommunications service providers from any obligation relating to interception capability, on application by the provider. The bill also allows the Governor in Council to create regulations that exempt certain categories of telecommunications providers from significant obligations, including those relating to interception capability and subscriber information. Both types of exemptions may be subject to conditions and may be valid for up to three years (clauses 13, 32).
The bill also grants a three-year exemption for service providers with fewer than 100,000 subscribers. However, they must provide a physical connection point permitting law enforcement agencies to intercept communications (clause 69).
The bill provides for three situations in which a law enforcement or national security agency must compensate a telecommunications service provider:
The definition of what constitutes "specialized telecommunications support," as well as the amount of and criteria for compensation, will be set out in the regulations.38
The bill contains a number of coordinating amendments that would have come into force had bills C-29 and C-50 also been passed by Parliament (clauses 71, 72).
The bill provides for parliamentary review of the enforcement of its provisions five years after the day on which it comes into force (clause 67).
* Notice: For clarity of exposition, the legislative proposals set out in the bill described in this Legislative Summary are stated as if they had already been adopted or were in force. It is important to note, however, that bills may be amended during their consideration by the House of Commons and Senate, and have no force or effect unless and until they are passed by both houses of Parliament, receive Royal Assent, and come into force. [ Return to text ]
© Library of Parliament