Privacy Threats in Bill C-13

The introduction of Bill C-13—the “cyberbullying bill,” with extensive lawful access provisions, has generated considerable discussion on its privacy implications. 

Many have noted that Justice Minister Peter MacKay took less than a year to retreat from the government’s commitment of “any attempts that we will continue to have to modernize the Criminal Code will not contain the measures contained in C-30.” 

Now the question will soon focus on whether the new bill contains any privacy threats in need of reform.

[Editor’s note: C-30 was a bill introduced by previous Justice Minister Vic Toews that was abandoned after public outcry over measures it contained that would reduce privacy rights and increase Internet surveillance.] 

It is certainly true that the government has removed two of the most controversial C-30 provisions by excluding warrantless mandatory disclosure of basic subscriber information and the requirement for telecommunications service providers to build intercept capability within their systems. However, several provisions still featured in the bill are cause for concern. This article focuses on the new safe harbour protections for voluntary disclosure of personal information without a warrant. 

Bill C-13 establishes a new system for voluntary disclosure of personal information that is likely to lead both to increased requests without court oversight and to increased disclosures. In other words, the government may have removed the mandatory warrantless disclosure requirements, but it has inserted a provision that may expand the number of requests to preserve or disclose personal information without a warrant and created legal incentives for Internet providers and telecom companies to comply “voluntarily.”

The Criminal Code currently states the following on the ability for law enforcement to request voluntary assistance without court oversight: “For greater certainty, no production order is necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.”

Note that the provision is limited to enforcing or administering the Criminal Code or any other federal law. Now consider Bill C-13:

“For greater certainty, no preservation demand, preservation order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving or to voluntarily provide a document to the officer that the person is not prohibited by law from disclosing.”

There is no limitation on the request being about the enforcement or administration of the Criminal Code or any other Act of Parliament. It simply opens the door to requests for voluntary assistance for any reason whatsoever.

The second part of the provision creates the incentive for the intermediary to disclose. It states: 
“A person who preserves data or provides a document in those circumstances does not incur any criminal or civil liability for doing so.”

For Internet providers and telecom companies, this amounts to powerful immunity. Those that preserve personal information or disclose it without a warrant, are immune from any criminal or civil liability (including class action lawsuits). This represents significant legal protection for intermediaries that is likely to lead to increased disclosures without court oversight. Yet even when there is court oversight for access to metadata or tracking information, the threshold is lower than for other conventional warrants as will be examined in an upcoming post.

Dr. Michael Geist is a law professor at the University of Ottawa, where he holds the Canada Research Chair in Internet and E-commerce Law.