ARTICLE
7 July 2025

Bill C-2: Strong Borders Act Introduces Lawful Access And Data Disclosure Regime

Fasken

Contributor

Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm’s website at fasken.com.

On June 3, 2025, the Government tabled Bill C-2, the Strong Borders Act (Bill)[1]. Bill C-2 addresses a range of national security, border control, and information-sharing measures.

While earlier parts of the Bill focus on customs, controlled substances, and financial security, Parts 14 and 15 address "lawful access". Part 14 clarifies and expands the authority for data-production orders, exigent-circumstance disclosures, tracking-data requests, and cross-border data production. Part 15, for its part, introduces the Supporting Authorized Access to Information Act (SAAIA), which specifies the obligations of electronic service providers (ESPs) to assist law enforcement and intelligence services (i.e., CSIS) when they seek judicial orders or make other authorized information requests.

Part 14 - Expanded Lawful Access to Data and Information

The Bill sets out amendments to the Criminal Code and the Canadian Security Intelligence Service Act (CSIS Act) to provide for expanded lawful access to information in the possession of "any person who provides services to the public", including without a warrant.

For example, the amendments permit any peace or police officer or member of CSIS to issue an information demand to "a person who provides services to the public, or any subscriber to the services of such person" requiring the person to provide the following information:

  • whether the person provides or has provided services to any specified subscriber, client, account, or identifier;
  • if the person provides or has provided services to that subscriber, client, account or identifier,
    1. whether the person possesses or controls any information, including transmission data, in relation to that subscriber, client, account or identifier,
    2. information on the geographic area in which services are or were provided,
    3. the time period during which services were provided.
  • the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to above in relation to that other person and that subscriber, client, account or identifier; and
  • if the person is unable to provide any information referred to above, a statement to that effect.

In addition, the Bill establishes a new lawful access order mandating any person that provides services to the public to prepare and produce a document containing all subscriber information in its possession that relates to any information, including transmission data, that is specified in the order. In exigent circumstances, lawful access to this information does not require a warrant. Subscriber information is defined as "in relation to any client of a person who provides services to the public or any subscriber to the services of such a person,

  1. information that the subscriber or client provided to the person in order to receive the services, including their name, pseudonym, address, telephone number and email address;
  2. identifiers assigned to the subscriber or client by the person, including account numbers; and
  3. information relating to the services provided to the subscriber or client, including
    1. the types of services provided,
    2. the period during which the services were provided, and
    3. information that identifies the devices, equipment or things used by the subscriber or client in relation to the services."

There is also provision for orders to cover similar but unknown tracking devices and means of telecommunications and for expanded access to computer data.

These amendments substantially increase the scope of warrantless access to subscriber information, as well as the scope of lawful access orders for obtaining information in the possession of entities that provide services to the public.

Part 15 - Supporting Authorized Access to Information Act

This new Act is the first attempt since 2009 to establish a general legal framework requiring telecommunications and other service providers to facilitate the exercise of lawful access requests. Previous attempts to legislate in this area never made it into law.

Historically, the Criminal Code and the CSIS Act have empowered police and CSIS to compel communications or data from ESPs, but the frameworks have not always kept pace with technological and market changes (e.g., emergence of global digital platforms, end-to-end encryption). Technological evolutions, such as cloud computing, strong encryption, and cross-border data flows, have outpaced older Criminal Code provisions. Law enforcement has signalled challenges obtaining data from modern platforms, while some ESPs cite privacy or technical barriers to providing such data.

The proposed new law applies to "electronic services" and "electronic service providers", defined broadly as:

electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.

electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that: (a) provides the service to persons in Canada; or (b) carries on all or part of its business activities in Canada.

All electronic service providers are subject to a general obligation to provide "reasonable assistance ... to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information."

In addition, SAAIA would permit the Governor in Council to establish regulations setting out the obligations of "core" electronic service providers to: 1) develop, implement, test and maintain operational and technical capabilities to extract, organize and provide information and access to information pursuant to lawful access requests; and, 2) install, use, operate, test and maintain any device, equipment or other thing that may enable an authorized person to access information. "Core" ESPs are to be identified by class in a Schedule to the legislation.

The Minister of Public Safety and Emergency Preparedness (the Minister) is also granted authority to make an order in respect of any ESP. In making such an order, the Minister is directed to consider the benefits of the order to the administration of justice, the feasibility and costs of complying with the order, the potential impact of the order on customers of the ESP, and any other factor that the Minister considers to be relevant. An order may also include compensation to the ESP. The Minister must consult with the ESP and the Minister of Industry before issuing an order under SAAIA. Orders are confidential but are subject to judicial review.

ESPs are not required to comply with provisions in regulations or orders that would require the ESP to introduce a systemic vulnerability in electronic protections related to that service or prevent the provider from rectifying such a vulnerability. Electronic protections are defined to mean authentication, encryption and any other prescribed type of data protection. The Governor in Council, however, may make regulations on the meaning of "systemic vulnerability" (or indeed of any term in the SAAIA), and as such the scope of this limitation regarding electronic protections is to be determined.

Audit and Enforcement

The Minister may appoint inspectors who have broad powers to verify compliance with SAAIA obligations. Inspectors may inspect ESPs and require ESPs to conduct internal audits. Violations such as failing to assist inspectors or breaching confidentiality can lead to administrative monetary penalties (AMPs). The maximum penalty for a violation is set at $50,000 for an individual and $250,000 for any other entity, such as a corporation, and a violation that is committed or continued on more than one day constitutes a separate violation for each day.

Implications and Preparing for SAAIA

In the absence of any detail on what ESPs will qualify as "core" providers, the types of capabilities, equipment and assistance that may be required and the availability of compensation, it is not possible to assess the practical impact of this legislation. However, the legislation is broadly drafted, and provides the legal basis for imposing material and potentially costly obligations on telecommunications and other ESPs to implement lawful access capabilities. Previous attempts to legislate in this area have failed, in part because of cost concerns.

Parties doing business with ESPs or core providers — either upstream as suppliers or downstream as clients — should be equally attentive to the evolution of Bill C-2 given their own obligations related to privacy and confidentiality of information. ESPs and providers to ESPs should anticipate a variety of changes to their agreements and relationships. These adjustments could include modifications to Service-Level Agreements (SLAs) that establish new expectations for lawful access, impacting data retention, restoration guarantees, and response times. Furthermore, contracts will need to clarify the allocation of new liability associated with SAAIA, for example determining which party is responsible for costs associated with law enforcement requests for data. Businesses, particularly those in regulated sectors like finance and healthcare, will also need to review encryption and data-sovereignty clauses to ensure that an ESP's compliance with SAAIA does not conflict with their own regulatory obligations, which may necessitate stipulations for client-side encryption or the use of Canada-only data centers. ESPs should also be mindful of regulations or orders that would introduce systemic vulnerabilities. Finally, to ensure ESPs are prepared for SAAIA, highly regulated customers may seek enhanced audit rights or other compliance assurances, such as security attestations or the ability to review redacted logs of lawful access requests, especially in anticipation of "core provider" designations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
