Antoine Guilmain
Partner
Co-Head, National Cybersecurity and Data Protection Group
Article
On June 3, 2025, the Government of Canada tabled Bill C-2, a comprehensive border protection bill entitled the Strong Borders Act. Included in Part 15 of the Bill is a new piece of proposed legislation, called the Supporting Authorized Access to Information Act (SAAIA). The SAAIA establishes a legal framework that empowers the Government of Canada to compel electronic service providers to support law enforcement and intelligence agencies in accessing information.
The scope of the SAAIA is broad, and its most impactful requirements will largely be defined by future regulation. The Act grants significant discretion to the Minister of Public Safety and designated officials in enforcing new requirements, potentially creating significant disruptions in the operations of service providers and introducing vulnerabilities in their systems. The lack of clear definitions and transparency in the legislation as drafted raises concerns about privacy, cybersecurity, and the integrity of information-sharing practices that underpin internet safety.
To help you understand the SAAIA, we have prepared this guide that outlines the scope, requirements, enforcement mechanisms and penalties proposed in the SAAIA.
We have identified the following areas of greatest concern in the draft legislation, and a number of proposals to improve the SAAIA.
Part 15 (SAAIA) should be removed from Bill C-2 and introduced as a separate bill. This would allow for proper scrutiny of its broad and complex implications.
The bill grants overly broad regulatory powers, particularly by leaving key definitions like “core providers” and “systemic vulnerability” undefined. This heavy reliance on regulation creates uncertainty for stakeholders.
The Minister has broad discretion to make regulations and issue orders without oversight. Many obligations lack guaranteed recourse to courts or review bodies, and warrantless entry is permitted for non-dwellings.
The bill could apply to nearly all service providers due to vague definitions. “Core service provider” is undefined and could include service providers across industries, including telecoms, messaging apps, search engines, and more.
Compensation for compliance costs incurred by regulated entities is left to Ministerial discretion, with no clear criteria. This prevents regulated entities from planning for potential regulatory and financial burdens.
Penalties are high, and include administrative monetary penalties that can increase each day of non-compliance, rapidly escalating costs and risks. Corporate officers may face personal liability, creating a harsh and unpredictable enforcement environment.
The concept of “systemic vulnerability” is undefined, making protections against creating backdoor vulnerabilities vague and unreliable. Poorly defined regulations could undermine cybersecurity and increase industry risk.
The ban on disclosure of information about system vulnerabilities prevents entities from collaborating on cybersecurity. It hinders industry-wide information sharing needed to identify and address shared threats.
Disclosure bans may stop organizations from informing users or foreign regulators about vulnerabilities. This undermines user trust and complicates cross-border compliance.
Define “systemic vulnerability”
Clearly define “systemic vulnerability” to provide a consistent understanding of obligations and prevent arbitrary interpretation of the term when regulations are drafted.
Providing a precise definition prevents the creation of backdoors or weak points through compliance measures.
Define “core providers”
Define “core provider” directly in the legislation, even through an amendable schedule.
Defining this critical term provides clarity for regulated entities about how the law applies to them, reducing ambiguity and risk.
Including the definition in the statute limits the ability of future governments to expand the scope through regulation without oversight or consultation, ensuring accountability.
Statutory timeline for compliance with orders
Establish a statutory timeline for compliance following the issuance of an order, allowing regulated parties to plan resources and actions effectively, ensuring timely responses to regulatory orders.
A defined timeline ensures that enforcement actions are reasonable and transparent, preventing arbitrary compliance deadlines that could unfairly burden regulated entities.
Factors when issuing orders – systemic vulnerability
Introduce a requirement for the Minister to consider whether an electronic service provider can comply with an order without creating a systemic vulnerability.
Requiring the Minister to assess potential systemic vulnerabilities before issuing an order helps prevent actions that could unintentionally weaken critical infrastructure or introduce security risks.
Mandating this consideration promotes balanced, risk-aware decisions that account for the broader impact on digital ecosystems and public safety.
Mandatory compensation
Require compensation for costs incurred by regulated entities to comply with an order.
Mandatory compensation protects regulated entities from bearing the full financial burden of compliance orders, particularly when compliance involves significant operational changes or resource allocation.
Guaranteeing cost recovery fosters a collaborative regulatory environment, making it more likely that entities will respond promptly and effectively to orders without fear of undue financial hardship.
Disclosure prohibition
Remove subsection 15(g) to allow electronic service providers to disclose information about security vulnerabilities.
Allowing electronic service providers to share information about security vulnerabilities enables industry-wide collaboration to identify, address, and prevent threats across interconnected systems.
Disclosure empowers users, partners, and regulators to make informed decisions and reinforces public confidence in how providers manage and respond to cybersecurity risks.
Judicial Review – improving access to recourse
Remove the requirement in section 16 to provide 15-day notice to the Minister when seeking judicial review.
Requiring a 15-day notice period before seeking judicial review could delay legal challenges, undermining prompt and effective judicial oversight of ministerial decisions.
In fast-moving or high-risk situations, delays caused by mandatory notice could expose service providers to operational, legal, or security risks.
Authority to enter – no warrantless search
Require a judicial warrant to search any premises, rather than permitting warrantless searches of premises other than dwellings.
Requiring a warrant to enter non-dwelling premises ensures that regulatory enforcement respects the legal rights of businesses and individuals, preventing arbitrary or intrusive actions.
A warrant requirement introduces an essential check on government power by ensuring that entry is justified and reviewed by an independent authority before being carried out.
Compliance – no confidential business information
Permit electronic service providers to withhold confidential business information from reports that may be required following the implementation of compliance measures.
Allowing electronic service providers to withhold confidential business information prevents the disclosure of trade secrets or proprietary data that could harm their market position.
Sensitive business information, if disclosed, could be improperly accessed or used, posing security, legal, and reputational risks to the electronic service provider and its clients.
For more information on Bill C-2 (including the SAAIA) and its potential implications for your organization, please reach out to the authors or a member of our Cybersecurity & Data Protection Group.