The federal government has a renewed focus on border security and is proposing sweeping changes to several federal statutes, including the Criminal Code, the Customs Act, the Controlled Drugs and Substances Act, and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, to name a few.

On June 3, 2025, the federal government introduced Bill C-2, An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures. While the title suggests a focus on border security, the Bill’s implications extend far beyond and will affect a range of businesses. This article summarizes the notable access and privacy ramifications that would result from the proposed amendments.

Facilitating access to “subscriber information”

  1. Expanding the definition of “subscriber information”

      If passed, Bill C-2 would define the term “subscriber information” under the Criminal Code. As currently drafted, the term is broadly defined as consisting of the following information related to client of a person who provides services to the public (“service provider”), or any subscriber to the services of such a person:  

      • Information that the subscriber provided to receive services (e.g. name, pseudonym, address, telephone number, email address),
      • Identifiers assigned to the customer (e.g. account numbers), and
      • Information relating to the services provided (e.g. type of service(s) provided, period of time during which the service was provided, and information identifying devices, equipment or things used by the subscriber in relation to the services).

      This definition is broader than that established through Supreme Court of Canada jurisprudence, which has traditionally been limited to the name, address, and phone number of a customer associated with a particular IP address.[1] This is notable as it expands the scope of information that may be accessed pursuant to subscriber information warrants, also called “Spencer warrants” today.

      2. (Warrantless) information demands

        Proposed amendments to the Criminal Code would allow law enforcement to issue information demands for basic customer information held by service providers. Given how the term “service provider” is defined, these demands – which do not require a warrant or other form of judicial authorization – could be made to a variety of enterprises, including Internet Service Providers, streaming platforms, telecom companies, and other service providers that have customers or subscribers with IP addresses.

        The following types of customer information can be subject to these warrantless demands:

        • Whether the service provider supplied services to a particular subscriber, client, account or identifier and, if so,
          • whether the service provider has any information related to the subscriber, client, account or identifier,
          • the province and municipality in which the services were provided in Canada, or the country and municipality in which the services were provided outside of Canada,
          • the date on which the services began or, if services are no longer being provided, the period during which services were provided, and
        • The name or identifier of any other service provider who provides or has provided services to that subscriber, client, account or identifier.

        The threshold for being able to issue these demands is low: So long as there are reasonable grounds to suspect[2] that a federal offence has been or will be committed and the information will assist in the investigation of the offence. Given this low bar, we anticipate that these would become an often used investigative tool for law enforcement agencies.

        Additionally, service providers are to be given a minimum of 24 hours to respond, meaning that in some cases, service providers may only be given 24 hours to do so. If a service provider is unable to provide the above information, it would need to provide a statement to that effect.  As such, service providers would need to implement procedures to receive and respond to information demands in an expedient manner.

        Similar amendments are proposed to the Canadian Security Intelligence Service Act, which would grant CSIS similar powers to issue information demands.

        Notably, these warrantless demands cannot be made for all types of customer information, which accords with the Supreme Court of Canada’s rulings that individuals have a “reasonable expectation of privacy” in their subscriber information.[3] However, the information that can be obtained without prior judicial authorization would permit law enforcement to obtain certain information that can subsequently be used to seek a judicially authorized production order, as discussed below. Considering precedent from the Supreme Court of Canada regarding individuals’ reasonable expectations of privacy online, and the low threshold of suspicion, rather than belief, required to make these information demands, we anticipate that these proposed amendments will be challenged if the Bill passes into law.

        3. Production orders for detailed subscriber information

        Further amendments to the Criminal Code would allow authorities to seek court-issued production orders for detailed subscriber information held or controlled by service providers. These orders require service providers to prepare and produce a document containing “all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order” (emphasis added). In other words, these orders could be used to require production of information ranging from IP addresses to metadata – which, as noted above, is broader than what is typically obtained through Spencer warrants seeking production of subscriber information today.

        As with the warrantless information demands discussed above, the onus for obtaining a production order is low; they can be sought where there are reasonable grounds to suspect that an offence has been or will be committed, and the information will assist in the investigation. As such, these too are likely to be an commonly used investigative tool.

        For both production orders and information demands, service providers are only afforded the ability to apply for a review within 5 days of receipt. It does not appear that any such reviews can be brought after that timeframe. This underscores the importance of service providers ensuring that they have processes in place to receive and assess information demands and production orders in a timely fashion.

        4. Facilitating extra-territorial requests for subscriber information

        Bill C-2’s proposed amendments would also facilitate cross-border data sharing through a few new mechanisms. First, amendments to the Criminal Code would allow law enforcement in Canada to seek a judicial authorization to request that a foreign telecommunications service provider produce transmission data or subscriber information that is in the foreign entity’s possession or control. Again, there is a low threshold for seeking such productions requests – there need only be reasonable grounds to suspect that an offence has been or will be committed, and the requested information will assist in the investigation. As this would extend the reach of Canadian law enforcement beyond national borders, some pushback on the basis of jurisdictional overreach from foreign telecommunications service providers can be expected.

        Additionally, if Bill C-2 is passed, the Mutual Legal Assistance in Criminal Matters Act would be amended to facilitate adherence to and enforcement of foreign requests for transmission data or subscriber information within Canada.

        5. New statutory obligations to implement and maintain systems to facilitate compliance with access requests

        The proposed Supporting Authorized Access to Information Act would provide a framework for compelling, or otherwise ordering, electronic service providers to install and/or maintain technical capabilities and devices that enable law enforcement to access or extract information that they are authorized to access (for example, through the other proposed amendments in Bill C-2), so long as to do so would not introduce a systemic vulnerability in the service providers’ electronic protections. While the details are left to be set out in yet undrafted regulation, electronic services providers can expect this new law, if passed, to require some upfront investment to ensure their systems and processes are compliant.

        Implications for businesses

        If Bill C-2 is passed with these proposed amendments, law enforcement is expected to use their expanded access powers as common investigative techniques. This will likely significantly increase the volume and scope of requests that service providers receive and need to respond to. In addition to meeting that increased burden, service providers may also need to implement new (and potentially costly) technical solutions to comply with access obligations.

        Other amendments related to privacy matters

        1. Expanded ability to collect and use of personal information without consent for the purpose of detecting and deterring money laundering and related criminal activities

          Bill C-2 proposes amendments related to the collection and use of personal information under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”), with related amendments under the Personal Information Protection and Electronic Documents Act. These amendments provide for new purposes for which entities covered by the PCMLTFA may collect and use personal information without an individual’s knowledge and consent, and are aimed at enhance information sharing across institutions involved in identifying and preventing money laundering and related criminal activities. In particular, they allow for covered entities to collect and use personal information disclosed to them by the RCMP or another prescribed government department, agency, institution, or law enforcement body, for purposes related to detecting or deterring money laundering, terrorist activity financing, or sanctions evasion, where doing so with the individual’s knowledge or consent would compromise the detection or deterrent activity.

          2. Canada Post’s expanded ability to inspect letters

          Bill C-2 would expand Canada post’s authority to open any mail where it has reasonable grounds to suspect that certain prescribed conditions are met. In contrast, Canada Post’s current authority to inspect mail expressly excludes the application of this inspection authority to letters.

          What’s Next?

          At the time of publication, Bill C-2 was in its second reading before the House of Commons. We will continue to watch the Bill closely as we anticipate that it will encounter rigorous parliamentary debate and committee review throughout the legislative process.

          [1] R v Bykovets, 2024 SCC 6 at para 2 citing R v Spencer, 2014 SCC 43 at para 11.

          [2] This is a lower threshold than provisions that require there to be “reasonable grounds to believe” than an offence has been or will be committed.

          [3] R v Bykovets, 2024 SCC 6, and R v Spencer, 2014 SCC 43.

          For more information on this topic, please contact Jaime Cardy or other members of the Dentons Privacy and Cybersecurity group.

          Subscribe and stay updated
          Receive our latest blog posts by email.
          Stay in Touch
          ,
          Jaime Cardy

          About Jaime Cardy

          Jaime Cardy is a senior associate in the Privacy and Cybersecurity group in Dentons’ Toronto office. She has particular expertise in providing risk management and compliance advice under various legislative privacy regimes, including in both the public and healthcare sectors.

          Full bio

          RELATED POSTS