Bill C-22, the lawful access bill, has been reported back from committee and is headed toward passage. There are some amendments, but many concerns remain. The updated bill with changes is at
parl.ca/Content/Bills/4…
There are two changes to metadata retention. First, the maximum retention period the government can impose drops from 1 year to 6 months. Second, it can now mandate a category of metadata only if satisfied the category and all its elements are essential to investigations.
The committee rewrote the definition of systemic vulnerability. A "substantial risk" becomes a "credible risk, based on recognized international technical standards." But it also added a carve-out: a flaw exposing only a target's data is not "systemic."
The committee added a new section on decryption that says nothing in the Act can be read to compel a provider to decrypt user-encrypted data, unless the provider supplied the encryption and holds the key. The language is borrowed from US law, but it doesn't fit the same way.
Compliance with ministerial orders is now expressly subject to the systemic vulnerability exception. That addresses a contradiction in the original text, where the duty to comply appeared to be unconditional.
The original bill set no maximum duration on these ministerial orders. This now changes to a two-year cap without the open-ended review-and-extend mechanism.
The amendments will rightly leave many still concerned. Companies considering exiting Canada due to Bill C-22 are unlikely to conclude that it fully addresses their issues. Yet the government is likely to push it through the House today.