Bill C-12 would make it easier for Internet service providers, email hosts and social media sites to voluntarily share personal information about customers with authorities, possibly including private security firms.
The legislation could also effectively impose a gag on the Internet companies, preventing them from telling customers their personal details have been shared.
"It broadens the conditions under which law enforcement can resort to this voluntary sharing regime," said Tamir Israel, staff lawyer at the University of Ottawa's Canadian Internet Policy and Public Interest Clinic.
"It definitely reduces even further any accountability for it."
Government House leader Peter Van Loan recently signalled the little-noticed bill could come up for second-reading debate as early as Wednesday.
Currently, under the federal privacy law covering businesses, Internet providers may voluntarily hand over information about subscribers without consent to assist police or intelligence officers with the enforcement of Canadian laws, as well as matters of national security, defence or international affairs.
Bill C-12 would expand the list of conditions under which such voluntary sharing is allowed to include cases where personal information is requested to perform "policing services."
Israel said that could allow an Internet service provider to hand over personal information about its customers to a curious private security firm.
A legislative summary of the bill prepared by the Library of Parliament says it is unclear what the provision means.
"This new exception for policing services appears to add an open-ended and undefined circumstance related to law enforcement to this list," says the legislative summary.
The term "policing services" is not defined in either the bill or the federal privacy law, the summary adds.
Israel said Bill C-12 also waters down an existing element of the law that limits the release of personal information to police to occasions when they have demonstrated "lawful authority" to request it.
The current provision obligates service providers to assess police demands for customer data with a bit of skepticism, he said. It means a request for vast amounts of data — such as all of a person's emails — would likely be refused.
Bill C-12 appears to broaden the concept of "lawful authority" to the point where simply flashing a police badge might be enough to meet the demands of the law, Israel said.
Other changes would prevent service providers from telling customers their information has been divulged to investigators in a wide range of scenarios, including if a government institution requests the information under the national security, law enforcement or policing services exemptions, says the legislative summary.
If a provider wished to inform a customer of information-sharing, it would have to seek permission from the police service or other organization that requested the data. In many cases the requester would have the power to say no, keeping the customer in the dark.
Internet service providers say that, even now, they comply with the vast majority of requests from police and intelligence services for subscriber information.
Israel cited statistics indicating providers hand over data in response to 94 per cent of RCMP requests.
However, he said he's troubled by the "voluntary sharing" regime — which C-12 would expand — because it skirts the sort of oversight and tracking generally associated with police surveillance, such as court-approved warrants or production orders.
"At the very least it needs a rethink, and definitely more oversight and accountability," Israel said.
Laws should not prevent authorities from obtaining information, but must force them to be targeted and specific in their requests, he added.
"It's easier sometimes to cast that wider net," Israel said. "And that's what happens without that legal framework."
Industry Minister Tony Clement introduced Bill C-12 more than a year ago — the government's long-awaited response to a parliamentary review of the privacy law governing businesses.
The likely re-emergence of the bill comes eight months after a storm of outrage over another, highly publicized Conservative attempt to boost Internet surveillance.
Bill C-30 alarmed civil libertarians because it would allow authorities access to Internet subscriber information — including name, address, telephone number and email address — without a warrant in cases where companies refused to provide it voluntarily.
The government indicated the bill would go directly to committee, skipping the customary second reading, to allow for amendments. Little has been heard since.
Also on HuffPost