Publication

Bill C-2 “Strong Borders Act” Part 15: Digital Back Doors

Published:

July 30, 2025

Author(s):

• David Fraser

Share

Print

On June 3, the Canadian government tabled Bill C-2 in Parliament, called “An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures” but with a short title of “Strong Borders Act”. As the name implies Bill C-2 is mostly about border measures, customs matters, fentanyl and immigration. But not completely. Included in the Bill are Part 14 and Part 15 – both of which raise concerns for businesses that hold customer information.

Part 15 of Bill C-2 creates a whole new, standalone law called the Supporting Authorized Access to Information Act. The Government says this is simply to make sure electronic service providers have the capacity and capability to “share information” with “authorized persons” – but Bill C-2 goes beyond this. It’s similar to Bill C-26 from the last Parliament because it allows the government to dictate what technologies electronic service providers use. This time it is to create the capability for law enforcement to plug into service providers’ systems.

The Supporting Authorized Access to Information Act creates a framework in which the Government of Canada can require electronic service providers to facilitate law enforcement and intelligence services’ access to data and information. Much of its scope is left to regulations. In a nutshell, Part 15 of Bill C-2 has enormous impacts on electronic service providers – globally – and provides enormous power and discretion to the Minister of Public Safety and “designated persons”. It has the potential to introduce significant vulnerabilities into the systems we use every day for our most private communications and could also completely upend the practice of information-sharing that is the foundation for keeping the internet safe and secure.

Canada isn’t the first country to impose something along these lines. The United States, Australia, New Zealand and the United Kingdom have laws that impose requirements on service providers to facilitate access to data. Recently, it’s come to light that government-mandated intercept capabilities can be exploited by threat actors.  The “Salt Typhoon” hacking incident, attributed to a Chinese state-sponsored advanced persistent threat (APT) actor, came to light in late 2024 with revelations that the group had extensively compromised the computer systems of multiple major U.S. telecommunications companies. The stolen information included call and text message metadata and, in some high-profile instances, even audio recordings of phone calls belonging to government officials and political figures. A critical factor facilitating the Salt Typhoon incident was the very infrastructure put in place to comply with the U.S. Communications Assistance for Law Enforcement Act (CALEA). Enacted in 1994, CALEA mandates that telecommunications providers build “lawful intercept” capabilities into their networks to allow law enforcement and intelligence agencies to conduct court-authorized wiretaps. While intended for legitimate surveillance, these mandated “backdoors” created inherent vulnerabilities within the telecom networks. Salt Typhoon exploited these CALEA-mandated systems, effectively turning the tools designed for lawful access into pathways for unauthorized espionage. This is what’s potentially coming to Canada.

Broad Scope 

The Bill’s regulation of “electronic service providers” means the sweep of entities that can be within the Bill’s scope is very broad:

electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that

(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada.

electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.

This is extremely broad and would likely capture almost all communications companies that provide any service to Canadians. It likely covers VPN – or virtual private network – providers as they provide a service that involves the transmission of information. This would also scope in text messages, emails, phone calls, voice over IP calls and video calls.  Because it also includes “storage” of electronic information, it potentially scopes in file-sharing and productivity services.

The Act will specifically target “core providers”: “electronic service provider[s] belonging to a class of electronic service providers set out in the schedule.” In the version of Bill C-2 tabled at first reading, the schedule is blank. However, we expect it will be all the major telcos and internet service providers in Canada, including significant messaging providers (like Apple, WhatsApp, Microsoft Teams and Zoom) and email providers (like Microsoft, Apple, Google). 

Ministerial Regulations For “Core Providers”

Section 5(2) of the Act empowers the government to create regulations placing obligations on core providers that relate to intercept and access capabilities and includes the installation of devices, etc. on behalf of “authorized persons”.

Importantly, a core provider isn’t required to comply with a regulation “if compliance with that provision would require the provider to introduce a systemic vulnerability in electronic protections (defined as ‘authentication, encryption and any other prescribed type of data protection’) related to that service or prevent the provider from rectifying such a vulnerability.” This would permit a regulated core provider to refuse to install a backdoor or compromise encryption, but only if that would create a “systemic” vulnerability.

Core providers can apply for an exemption for a specified period of time to have time to come into compliance. 

Orders Directed to Specific Electronic Service Providers

Under section 7 of the Act, the Minister can issue orders to any electronic service provider, regardless of whether they are a core provider, along the lines of regulations authorized under section 5(2) for a specified period of time.

The Minister, in their discretion, may provide compensation to offset some of the costs to be  incurred by the electronic service provider to ensure compliance with the order. Similar to compliance with regulations, an electronic service provider is not required to comply with a portion of an order that would “require the provider to introduce a systemic vulnerability in electronic protections related to that service or prevent the provider from rectifying such a vulnerability.”

The Minister is required to permit affected electronic service providers to make representations prior to issuing an order under section 7.

Recall that the definition of “electronic service provider” is very broad, and the government has specifically used online gaming platforms as an example of an entity that may be ordered to create intercept capabilities. 

Obligation to Assist

The Act contains a very broad and problematic obligation on all electronic service providers to provide all reasonable assistance to a range of persons to “permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.” The list of persons authorized to make this demand include the Minister, CSIS employees, police officers and civilian employees of a police force. There is no threshold and no limitation on this power. For example, there is no requirement for approval from the Minister or any other senior person. It does not have to be reasonably necessary for any purpose related to the Act. You could have a lineup of people from every municipal police department out the door of an electronic service provider and the provider must give this unlimited and unbounded assistance. 

Prohibitions On Disclosure

Section 15 of the Act contains very broad prohibitions on disclosure by electronic service providers, including:

• Whether one is subject to an order.
• The contents of an order
• Information relied upon by the Minister in making an order.
• Representations made by the electronic service provider or the Minister
• The fact that representations were made.

The parameters of these prohibitions on disclosure can be subject to regulations made pursuant to section 17 of the Act.

It might make sense to give the Minister the power to issue gag orders from time to time, where they are of the view that disclosure of the information would compromise law enforcement or national security, or a specific investigation. But in Canada, secrecy should be the exception – and should have to be justified – not the default, particularly with respect to services we use every day and our civil liberties. This is so prone to overreach and possible abuse, and all of it takes place in the shadows.

System Vulnerability. In particular, it is very problematic that all electronic service providers are prohibited from disclosing “information related to a systemic vulnerability or potential systemic vulnerability in electronic protections employed by that electronic service provider”.

Prohibition on disclosure

15 An electronic service provider and any person acting on its behalf must not disclose any of the following information except as permitted under this Act or the Canada Evidence Act: … 

(g) information related to a systemic vulnerability or potential systemic vulnerability in electronic protections employed by that electronic service provider; …

This would mean that if any electronic service provider were to discover a vulnerability in their system, it would be prohibited by Canadian law from disclosing it to anyone. This may include a prohibition on disclosure to customers who may have been affected by a past or current vulnerability, or even that company’s own contractors who carry out security audits on its systems. For example, if a telco discovers a vulnerability in a router, they will tell the manufacturer of the router and various organizations that work diligently to make sure that the entire cybersecurity community can identify and fix vulnerabilities. If a telco finds a vulnerability in a system used by all Canadian telcos (because the government will get to dictate what systems telcos use), they can’t alert the other telcos about that vulnerability. Paragraph (g) is actively harmful to Canadians, and will be a huge boon for the bad guys who look for and exploit these vulnerabilities.

Judicial Review Notice. Under s. 16, if an electronic service provider is to seek an application for judicial review of any order or decision under the Act, it is prohibited from doing so unless it gives 15 days’ advance written notice to the Minister, along with a copy of the notice of application.

Regulations. Under section 17 of the Act, the Government can make regulations respecting confidentiality and security requirements for electronic service providers and persons acting on their behalf must comply. Specifically, it authorizes regulations:

(a)  respecting the disclosure of information referred to in section 15;

(b)  establishing rules of procedure for the protection of information referred to in section 15 in administrative or judicial proceedings;

(c)  respecting requirements related to employees of electronic service providers and other persons whose services may be engaged by electronic service providers, including with respect to their security clearance and location; and

(d)  respecting security requirements with respect to the facilities and premises of electronic service providers.

The possible sweep of secrecy regulation is extremely broad and isn’t limited to confidentiality and security measures that are reasonably required in light of the purposes of the Act. Remember, “electronic service provider” is broad enough to include service providers completely and entirely outside of Canada. It potentially includes requirements for all of an electronic service provider’s facilities regardless of location – paragraph (c) even permits regulations regarding where facilities can be located and security clearances for employees.

Enforcement & Administration

The Act gives the Minister authority to designate persons (or classes of persons) to administer and enforce the Act.

Designated Person Powers. These “designated persons” are given vast powers under section 19 of the Act to enter any place (other than a dwelling) to verify compliance or to prevent non-compliance with the Act. Within such a place, they are authorized to access any records, make copies, remove records and use equipment at the place. The Act places an obligation on every owner of a place, a person in charge of the place and everyone in the place to give all assistance “reasonably required” by the designated person, including providing any document or electronic data “they may reasonably require”. In addition, in section 19(6), a designated person can bring anyone with them to assist.

Foreign Reach. This isn’t specifically limited to places in Canada but likely can’t be enforced outside of Canada.

No Limits. Again, this power is completely without limits. As drafted, the Bill would authorize a designated person to demand a company’s entire customer database and the electronic service provider must, ostensibly, comply. Even more, it would be illegal for an employee there to not assist with this demand. 

Audit Orders

Under section 21, a designated person can order an electronic service provider to conduct an internal audit “of its practices, documents and electronic data to determine whether it is in compliance with any provision of this Act or the regulations.” The electronic service provider must provide a copy of the audit to the designated person. If the audit uncovers any non-compliance, it must specify the non-compliance and measures taken or to be taken to comply with the relevant provision or order. 

Orders By Designated Persons 

Section 23 of the Act gives the designated persons order-making powers. If they believe “on reasonable grounds that there is or is likely to be a contravention of the Act or regulations”, they can issue a written, mandatory order requiring an electronic service provider to:

(a)  stop doing something that is or is likely to be in contravention of that provision or cause it to be stopped; or

(b)  take any measure that is necessary to comply with the requirements of that provision or mitigate the effects of non-compliance.

These orders are subject to review by the Minister on the electronic service provider’s request. Unless the Minister otherwise orders, the electronic service provider must comply with the designated person’s order. 

Administrative Monetary Penalties & Offences

The Act, at section 27 and following, provides for a full administrative monetary penalty (AMP) regime intended to “promote compliance with this Act and not to punish”, along with penal offences at section 40 and following.

AMP. If a contravention results in an AMP, the penalty can be up to CAD $250,000. If a violation continues more than one day, each day constitutes an additional violation. The due diligence defence is available, as are common law defences.

Personal Liability. The Act provides for personal liability of corporate “directors, officers or agents or mandataries who directed, authorized, assented to, acquiesced in or participated in the commission of the violation”. A notice of violation will set out the amount of the AMP, which can be simply paid; payment is an admission of the violation. Alternatively, the alleged violator can enter into a compliance agreement with the Minister or request a review by the Minister of the acts or omissions that constitute the alleged violation, or the amount of the penalty. In a review by the Minister for a violation, the evidentiary standard is balance of probabilities and there is no prescribed appeal from the Minister’s decision. Judicial review would likely be available in the Federal Court of Canada.

Offence. Violations can also be penal offences, which are summary conviction offences with a maximum fine of $500,000. If a violation continues more than one day, each day constitutes an additional violation. As with AMPs, due diligence is a defence and officers/directors can also be convicted if they “directed, authorized, assented to, acquiesced in or participated in the commission of the offence”. It is also an offence to obstruct or make a false or misleading statement to either a person authorized to assess or test any device, equipment or other thing, or  a designated enforcement person.

Please contact your McInnes Cooper lawyer or any member of our Privacy, Data Protection & Cyber Security Team @ McInnes Cooper to discuss how the Strong Borders Act will impact you.

Share

Print