Spy, baby, spy: How the Canadian government under Mark Carney is trying to circumvent the Supreme Court of Canada’s Bykovets (2024) through the back door, via Bill C-2 (2025)

Claudiu Popa

“Drill, baby, drill”, said Donald Trump. Mark Carney replied: “Spy, baby, spy”.

A pretext to spy on people

Under the pretext of responding to demands from the U.S. President to “strengthen” border security and “the integrity of our immigration system”, Prime Minister Mark Carney's Canadian federal Liberal government introduced Bill C-2 on June 3rd, 2025: “An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures”.

This 2025 bill seeks, among other things, to enable state investigative bodies to obtain a person's IP address without a warrant, as well as other Internet subscriber-related information (i.e., “information that identifies the devices, equipment or things used by the subscriber or client in relation to the services”). This legislation circumvents the Supreme Court of Canada's 2024 decision in R. v. Bykovets, 2024 SCC 6, which stated, among other things, that the state could not obtain an individual's IP address without a warrant.

Bykovets, one of the 2024 “landmark” decisions of which the Supreme Court of Canada was proudest, was even the subject of the 52nd edition of the Gale Cup, Canada's inter-university moot court competition.

However, this decision will have been significant for only a few months if the legislative provisions of Bill C-2 are adopted.

Michael Geist, professor of law at the University of Ottawa, made a few comments on Bill C-2:

Privacy At Risk: Government Buries Lawful Access Provisions in New Border Bill

“The government yesterday introduced the Strong Border Act (Bill C-2), legislation that was promoted as establishing new border measure provisions presumably designed to address U.S. concerns regarding the border. Yet buried toward the end of the bill are lawful access provisions [to people’s confidential information] that have nothing to do with the border. Those provisions, which raise the prospect of warrantless access to information about Internet subscribers, establish new global production orders of subscriber information, and envision new levels of access to data held by electronic service providers, mark the latest attempt in a longstanding campaign by Canadian law enforcement for lawful access legislation. Stymied by the Supreme Court of Canada (which has ruled that there is a reasonable expectation of privacy in subscriber data) and by repeated failures to present a compelling evidentiary case for warrantless access, law enforcement has instead tried to frame lawful access as essential to address everything from organized crime to cyber-bullying to (now) border safety. Much like the government’s overreach last year on online harms [Bill C-63 of 2024], Bill C-2 overreaches by including measures on Internet subscriber data that have nothing to do with border safety or security but raise privacy and civil liberties concerns that are bound to spark opposition. This post provides the background on lawful access and an overview of some of Bill C-2’s provisions with more details on key elements to come.

Lawful Access Background

The pressure from Canadian law enforcement for access to Internet subscriber data dates back to 1999, when government officials began crafting proposals that included legal powers to access surveillance and subscriber information. What followed were a series of lawful access bills that sparked opposition – both in the public and effectively in the courts. For example, a 2010 lawful access bill mandated the disclosure of Internet provider customer information, including customer name, address, phone number, email address, Internet protocol address, and a series of device identification numbers without court oversight.

That bill stalled, but in February 2012, then-Public Safety Minister Vic Toews introduced Internet surveillance legislation that once again sparked widespread criticism from across the political spectrum. […]

In 2013, then-Justice Minister Rob Nicholson announced that the bill was dead, confirming “we will not be proceeding with Bill C-30 and any attempts that we will continue to have to modernize the Criminal Code will not contain the measures contained in C-30.”

Nicholson’s commitment lasted less than a year.

By 2014, Peter MacKay, then the new federal justice minister, unveiled Bill C-13, which was marketed as an effort to crack down on cyber-bullying. Yet the vast majority of the bill brought back many (though not all) lawful access provisions found in the earlier proposal.

The lawful access campaign was effectively derailed for a decade by the Supreme Court of Canada.

In the 2014 Spencer decision, the Court ruled that there was a reasonable expectation of privacy in Internet subscriber information:

in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.

There were some efforts to revive lawful access, but in 2017 the House of Commons Standing Committee on Public Safety and National Security recommended against introducing reforms:

That at this time, and following the Supreme Court of Canada’s decision in R. v. Spencer, no changes to the lawful access regime for subscriber information and encrypted information be made, but that the House of Commons Standing Committee on Public Safety and National Security continue to study such rapidly evolving technological issues related to cyber security.

Last year, the Supreme Court expanded the privacy safeguards in the Bykovets decision, ruling that “if section 8 of the Charter is to meaningfully protect the online privacy of Canadians in today’s overwhelmingly digital world, it must protect their IP addresses. An IP address is the crucial link between an Internet user and their online activity.” The case is discussed in this Law Bytes podcast episode with Vibert Jack.

This is admittedly a lot of history, but the background is essential to understanding why a 140 page border bill that is the new government’s first substantive piece of legislation includes rules pertaining to Internet subscriber data and access to communications on provider systems. The failed legislation and Supreme Court decisions should have been the end of the lawful access story.

But leveraging Prime Minister Mark Carney’s “once-in-a-lifetime” crisis opportunity, it is back yet again, now buried within the border bill.

A more detailed look at the provisions themselves will be the subject of future posts, but the core of the new lawful access approach includes several components, including a new “information demand” power for law enforcement, global production orders, and new rules on access to communications on electronic provider systems.

“Information Demands”

First, the bill creates a new “information demand” for law enforcement that does not require court oversight. This is the government’s response to the Supreme Court decisions as it seeks to carve out warrantless access to information about an Internet subscriber. It states:

487.0121 (1) A peace officer or public officer may make a demand in Form 5.0011 to a person who provides services to the public requiring the person to provide, in the form, manner and time specified in the demand, the following information:
(a) whether the person provides or has provided services to any subscriber or client, or to any account or identifier, specified in the form;

(b) if the person provides or has provided services to that subscriber, client, account or identifier,
(i) whether the person possesses or controls any information, including transmission data, in relation to that subscriber, client, account or identifier,

(ii) in the case of services provided in Canada, the province and municipality in which they are or were provided, and

(iii) in the case of services provided outside Canada, the country and municipality in which they are or were provided;

(c) if the person provides services to that subscriber, client, account or identifier, the date on which the person began providing the services;

(d) if the person provided services to that subscriber, client, account or identifier but no longer does so, the period during which the person provided the services;

(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and

(f) if the person is unable to provide any information referred to in paragraphs (a) to (e), a statement to that effect.


This does not involve disclosure of the data but rather information on whether the provider has relevant data. The standard for making such a request is only “reasonable grounds to suspect” that 

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the information that is demanded will assist in the investigation of the offence.

In other words, this covers reasonable grounds to suspect that an offence under any law has been or will be committed. Not only does this go beyond the border, there are no limits to the kinds of offences that are covered given that any Act of Parliament is included.

From a privacy perspective, the Supreme Court has already ruled that there is a reasonable expectation of privacy in subscriber information and IP addresses, therefore requiring a warrant for disclosure. The government is now trying to target information about a subscriber: are they a subscriber with a particular Internet service and does the provider have data about their use of the service including where and when it was used. It is akin to law enforcement approaching a bank to demand knowing if a particular person is a client and whether there is information about their account transactions but stopping short of asking for the actual account information. There are obvious privacy implications here that are certain to result in a legal challenge should the bill pass in its current form.

Global Production Orders

While the information demand speaks to information about the subscriber, obtaining further subscriber information requires a warrant, except in exigent circumstances. Subscriber information is broadly defined to include:

(a) information that the subscriber or client provided to the person in order to receive the services, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including
(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.

The warrant process involves a production order on the following conditions:

487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.004 that there are reasonable grounds to suspect that
(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

Once again, reasonable grounds to suspect is the standard and this order may be applied to an offence under any Act of Parliament […]. In fact, the warrant process may be by-passed altogether and the subscriber data seized in exigent circumstances that make it impractical to obtain a warrant:

(b) seize any subscriber information that may be the subject of an order made under subsection 487.0142(1) or any data that may be the subject of an order made under subsection 487.016(1) or 487.017(1) if the conditions for obtaining an order exist but by reason of exigent circumstances it would be impracticable to obtain an order.

To top it off, the bill also includes a global production order for this information that can be applied to non-Canadian entities. The bill contains a similar production order for foreign entities:

487.0181 (1) On ex parte application made by a peace officer or public officer, a justice or judge may authorize a peace officer or public officer to make a request to a foreign entity that provides telecommunications services to the public to prepare and produce a document containing transmission data or subscriber information that is in the foreign entity’s possession or control when it receives the request.

(2) The justice or judge may authorize a peace officer or public officer to make the production request only if the justice or judge is satisfied by information on oath in Form 5.00801 that there are reasonable grounds to suspect that
(a) an offence has been or will be committed under this or any other Act of Parliament; and

(b) the transmission data or the subscriber information is in the foreign entity’s possession or control and will assist in the investigation of the offence.

There is much more to assess with each of these provisions. Indeed, the bill contains some provisions that allow for challenging orders and envisions a system to better obtain cooperation from foreign entities. Obtaining information from non-Canadian services that operate in Canada has been a significant law enforcement challenge. The question will be whether there are appropriate standards and safeguards in the new proposed rules.

Authorized Access to Information

Beyond subscriber information, there is another section focused on access to computer systems, particularly on networks run by “core providers”. These rules also have huge implications for network providers as they envision providing law enforcement with direct access to provider networks to test capabilities for data access and interception. The bill introduces a new term – “electronic service provider” – that is presumably designed to extend beyond telecom and Internet providers by scoping in Internet platforms (Google, Meta, etc.). Those international services are now key players in electronic communications (think Gmail or WhatsApp) […].

The definition of an ESP is:

a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that
(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada.

An electronic service includes:

“a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.”

All electronic service providers are subject to obligations to “provide all reasonable assistance, in any prescribed time and manner, to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.” Moreover, all are required to keep such requests secret.

But beyond the basic obligations, the government will identify “core providers” who will be subject to additional regulations. These may include:

(a) the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;

(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information; and

(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b).


There are a host of proposed rules for core providers, which effectively grant law enforcement direct access to service provider systems for the purposes of communications access and interception. This is a revival of old proposals in which law enforcement sought access to the systems of Canada’s major telecom and Internet providers. […]

[T]he key takeaway is that Bill C-2 is far from just a border bill. The government and law enforcement are running back the warrantless access playbook by inserting extensive lawful access provisions in an unrelated bill. This approach should be roundly rejected. If there is a case for lawful access, it should be debated on its own merits, in its own bill, and with its own study.”

Adding insult to injury

To add insult to injury, not only is the Carney government attempting to diminish citizens’ privacy protections from state investigations and intrusions (Bill C-2), but it is simultaneously attempting to retroactively allow political parties to violate citizens' privacy, back to 2000, by introducing Bill C-4, the “Making Life More Affordable for Canadians Act”. Professor Geist also commented on this aspect:

What Is With This Government and Privacy?: Political Party Privacy Safeguards Removed in “Affordability Measures” Bill

“Fresh off Bill C-2 and lawful access provisions buried in a border safety bill, the government has now quietly inserted provisions that exempt political parties from the application of privacy protections in Bill C-4, an “affordability measures” bill. The provisions, which come toward the end of the bill, are deemed to be in force as of May 31, 2000, meaning that they retroactively exempt the parties from any privacy violations that may date back decades. The ostensible reason for the provisions is a B.C. case that applied provincial privacy law to federal political parties. […] The government is now seeking to render that case moot and provide all political parties with an effective exemption from any privacy laws other than measures found in the Elections Act. An appeal of the B.C. case is scheduled to be heard later this month.

This is not the first time the government has tried to exempt political parties from standard privacy laws. Bill C-65, which failed in the last Parliament, contained similar provisions. However, the provisions were in a bill on the Elections Act, not buried among tax measures. Moreover, the previous approach was stronger. It included measures to address data breaches and the requirement to notify affected individuals as well as certain restrictions, including the sale of personal information. This iteration removes the data breach notification requirements, drops the sale restrictions, and renders the entire exemption retroactive to the year 2000.

The Bill C-4 removal of privacy rules starts by stating that political parties may carry out any activities in relation to personal information:

In order to participate in public affairs by endorsing one or more of its members as candidates and supporting their election, any registered party or eligible party, as well as any person or entity acting on the party’s behalf, including the party’s candidates, electoral district associations, officers, agents, employees, volunteers and representatives, may, subject to this Act and any other applicable federal Act, carry out any activities in relation to personal information, including the collection, use, disclosure, retention and disposal of personal information in accordance with the party’s policy for the protection of personal information.

Having granted full rights to collect, use and disclose personal information – and knowing that PIPEDA does not generally apply to these activities – Bill C-4 then exempts the parties from any provincial privacy laws:

When participating in public affairs by endorsing one or more of its members as candidates and supporting their election, a registered party or eligible party, as well as any person or entity acting on the party’s behalf, including the party’s candidates, electoral district associations, officers, agents, employees, volunteers and representatives, cannot be required to comply with an Act of a province or territory that regulates activities in relation to personal information, including the collection, use, disclosure, retention and disposal of personal information, unless the party’s policy for the protection of personal information provides otherwise.

In case there was any doubt, the bill for greater certainty states that parties cannot be required to disclose or correct personal information under their control.

For greater certainty, the registered party, eligible party or person or entity acting on the party’s behalf cannot be required to provide access to personal information or provide information relating to personal information under its control or to correct — or receive, adjudicate or annotate requests to correct — personal information or omissions in personal information under its control.

So what privacy safeguards are there with respect to political parties and personal information? The bill requires the parties to have and abide by a privacy policy. That policy must be in both official languages, written in plain language, and only include the following:

(a) designate a privacy officer who is responsible for overseeing the party’s compliance with the policy;

(b) include the name and contact information of the privacy officer;

(c) state the types of personal information in relation to which the party carries out its activities;

(d) explain, using illustrative examples, how the party carries out its activities in relation to personal information, such as by indicating whether it does so online or through the use of cookies; and

(e) describe the training related to the protection of personal information that is offered to the party’s employees and volunteers who may have access to the personal information that is under its control.


There are no other requirements and no limitations on the collection, use and disclosure of information. Privacy commissioners do not have the power to address violations that might arise and – as noted above – the government wants to backdate these rules by 25 years.

The combination of Bill C-2 and C-4, both introduced this week, represents a stunning assault on the privacy of Canadians. Bill C-4 significantly undermines the privacy of Canadians with respect to political parties, who have become addicted to acquiring as much data as possible. These provisions should be removed from the bill and the B.C. case permitted to proceed. The privacy rights of millions of Canadians are at stake.”
