The new Liberal government’s first bill tabled in early June 2025, the Strong Borders Act (Bill C-2) grants new enforcement powers partly in response to pressure from the Trump administration. However, opposition parties and privacy advocates have been critical of its vast expansion of search powers unrelated to the border, with one member of Parliament describing them as “a massive poison pill.”
Collectively, these “lawful access” provisions reprise failed legislative efforts over the past two decades to make it easier for police to obtain private data. The impetus for including them in Bill C-2 may relate to a pending data-sharing agreement with the United States under its CLOUD Act, or from pressure to gain similar powers held by other Five Eyes partners.
Much of the debate over Bill C-2’s search powers has focused on the new production order for subscriber information on less onerous grounds and warrantless “information demands” about user accounts. Less attention has been paid to an entirely new statute within C-2, the “Supporting Authorized Access to Information Act,” which would grant police and intelligence agents direct access to personal data held by commercial third parties.
Comparing these powers with similar frameworks in Australia, Britain and the United States brings them into sharper relief and highlights key shortcomings in the bill.
The new Access Act contained in C-2 gives the minister of public safety the power to issue a variety of technical orders to “electronic service providers,” defined broadly to include any service in Canada that stores, creates or transmits data. The most obtrusive power allows for temporary “installation…of any device, equipment or other thing that may enable an authorized person to access information.” A subclass of “core providers” can be made to do this indefinitely.
Both the Australian and Canadian acts explicitly prohibit forcing companies to build a backdoor to encryption — or so it seems.
The Australian law after which these powers are modelled lends a sense of how they might be used. Under the Assistance and Access Act of 2018, the Australian director-general of security can issue a “technical assistance notice” to order a service like Gmail to provide a decrypted copy of an email using a stored password. Under a “technical capability notice,” the director-general can order a service like Signal to “build a functionality,” such as a version of the application that sends copies of messages to police as they are sent — and to keep this functionality concealed.
Drawing from Australia’s Example
Canada follows Australia in imposing notable limits on powers in the act. First, the minister must consider whether issuing an order would be reasonable, practicable and proportionate in terms of its impact on a user or provider. Additionally, “authorized persons” who gain access can only be those acting with lawful authority, such as with a warrant — and in Canada’s case, only those acting under the Criminal Code or the Canadian Security Intelligence Service Act.
More crucially, both the Australian and Canadian acts explicitly prohibit forcing companies to build a backdoor to encryption — or so it seems. Canada’s act states that an order need not be followed “if compliance…would require the provider to introduce a systemic vulnerability in electronic protections related to that service.” Yet the term “systematic vulnerability” is not defined in C-2. Australia’s act defines it as “a vulnerability that affects a whole class of technology” rather than only “a particular person.” Instead, Canada’s minister can make regulations “respecting the meaning of any term,” including “encryption” and “systemic vulnerability.” In that case, why not simply use Australia’s definition?
In broad terms, Canada follows Australia in taking a middle path between approaches in the United States and the United Kingdom. The Communications Assistance for Law Enforcement Act (1994) in the United States sets out rules that govern how internet service providers and other providers should design systems to ensure that law enforcement can access data where authorized, but does not provide for more specific orders. The United Kingdom’s Investigatory Powers Act 2016 served as the model for the Australian bill, but goes further by not explicitly ruling out a backdoor to encryption. Apple is currently challenging an order in the United Kingdom to this effect.
But despite Canada choosing a middle ground in Bill C-2, ministerial powers and police action here still lack crucial safeguards. The companies subject to orders under the Australian, British and Canadian bills can challenge them in court as unreasonable or impracticable. Despite that, most of what Canada’s minister can order a company to do under the act — and the rights to challenge it — are subject to sweeping confidentiality provisions, opening the door to abuse. Further misuse of these powers through data sharing with the United States under an imminent CLOUD Act agreement also seems inevitable.
Canada’s act should include two oversight mechanisms found in the Australian bill: first, an annual report from the minister on how powers in the act have been used; and, second, a review by an independent entity equivalent to Australia’s Commonwealth Ombudsman.
But even if these measures were added, the new act would erode our sense of privacy online and likely compromise the security of every Canadian’s data.
