However, the bill has instantly ignited fierce constitutional, legislative, and technical debates across the country. Legal organizations, privacy advocates, and security analysts warn that the proposed changes could profoundly impact Canadians’ Charter rights, network cybersecurity, and individual privacy.
1. The Legislative Architecture: Part 1 vs. Part 2
Bill C-22 is structurally split into two core divisions, each originating from different administrative nodes of the federal government. This dual-track framework attempts to balance the legal standards required to seize digital information with a structural requirement for technology firms to comply.
Part 1: Gathering and Producing Data
Notably, Part 1 completely removes the highly controversial, warrantless “Information Demand” power originally proposed in its legislative predecessor, Bill C-2. Instead, it shifts to a staged judicial oversight approach.
Part 2: Enacting the Supporting Authorized Access to Information Act (SAAIA)
Authored by the Department of Public Safety, Part 2 establishes a brand-new regulatory regime. The SAAIA mandates that electronic service providers (ESPs), ranging from massive telecommunications giants like Rogers, Bell, and Telus to smaller independent internet firms, must actively build and maintain the technical infrastructure needed to respond to lawful state interception commands.
2. New Power Frameworks and Lowered Evidentiary Standards
While the federal government cites the preservation of judicial oversight as evidence of the bill’s balance, legal experts and privacy scholars have raised red flags about the specific mechanisms for accessing data.
```
+--------------------------------------------------------------------------------+
|                        THE TWO-STEP INVESTIGATIVE ROUTE                        |
+--------------------------------------------------------------------------------+
|                                                                                |
| [Step 1: Confirmation of Service Demand]                                       |
| Allows police to demand that a telecom provider verify within 24 hours whether |
| a specific account or target is an active subscriber on their network.         |
|                                                                                |
|                                       v                                        |
|                                                                                |
| [Step 2: Subscriber Information Production Order]                              |
| Forces the provider to hand over deep subscriber metadata. It relies on a low  |
| “reasonable grounds to suspect” evidentiary threshold.                         |
|                                                                                |
+--------------------------------------------------------------------------------+
```
Bill C-22: The Low Threshold Challenge
Legal expert Michael Geist notes that while Bill C-22 technically keeps the courts involved, it anchors the new subscriber information production order to the standard of “reasonable grounds to suspect.” This is the lowest evidentiary threshold in Canadian criminal law. It requires significantly less hard proof of wrongdoing than the traditional criminal standard of “reasonable grounds to believe,” making it much easier for authorities to sweep up identifying metadata.
Furthermore, the bill introduces a “greater certainty” clause regarding publicly available information and voluntary disclosure. It clarifies that law enforcement does not require a warrant to access data that is already public or handed over voluntarily.
Organizations like The Citizen Lab argue that this approach ignores decades of Canadian Charter jurisprudence. Canadian courts have consistently held that individuals can still have a reasonable expectation of privacy in public spaces or in compiled digital profiles, meaning public data shouldn’t be automatically stripped of protection under Section 8 of the Charter.
3. Systemic Cybersecurity and the Risk of “Secret Spying”
The technical obligations laid out in Part 2 of Bill C-22 have sparked intense pushback from the cybersecurity sector. By forcing electronic service providers to remain “intercept ready,” the government is requiring private companies to engineer internal surveillance plumbing.
The Problem with Built-In Access
Civil liberties groups and tech sector advocates warn that creating these mandatory, uniform access pathways fundamentally undermines network security. Building a specialized gateway for law enforcement inadvertently leaves a target for malicious actors, sophisticated hacking syndicates, or hostile nation-states to exploit.
The “Vulnerability” Definition Loophole
While Bill C-22 explicitly states that companies cannot be ordered to introduce “systemic vulnerabilities” that compromise user security, there is an alarming catch: the federal government retains the power to redefine exactly what qualifies as a systemic vulnerability through future regulations.
Secret Ministerial Orders
Another flashpoint involves the expansion of administrative powers. Bill C-22 grants the Minister of Public Safety the authority to issue ministerial orders directly to providers, forcing them to retrieve data, track devices, or modify their systems. To address the initial backlash, the Liberals amended the bill so that these orders must be approved by the Intelligence Commissioner, a quasi-judicial oversight body.
Even with that addition, organizations like the Canadian Constitution Foundation (CCF) warn that because these orders can be issued entirely in secret, they risk creating a cloaked surveillance apparatus completely hidden from public debate.
4. The Canadian Bar Association Weighs In
The 24-Hour Compliance Crunch: Section 487.0121(5) gives service providers just 24 hours to comply with a confirmation of service demand. The CBA warns that this is deeply unrealistic for smaller independent providers and has urged an expansion to 48 or 72 hours.
Excessive Gag Orders: The bill allows law enforcement to place non-disclosure gag orders on telecommunications companies, blocking them from telling anyone about an information request for up to a year. The CBA recommends capping these gag orders at 90 days.
Lack of “Purpose Limitation”: The CBA is pushing for explicit statutory language mandating that any digital data seized under this act can only be used for the exact, specific investigation it was pulled for, explicitly blocking secondary data-mining down the line.
5. Current Parliamentary Status and the Road Ahead
As a newly introduced government bill in 2026, Bill C-22 is at the starting line of a grueling legislative journey through the House of Commons and the Senate. The government views the legislation as an indispensable update for an era dominated by globalized, sophisticated, and digital crime networks. For law enforcement agencies, the bill fixes a long-standing operational blind spot where tech companies lacked the technical capability to fulfill valid warrants.
However, opposition parties are preparing for a massive battle. The New Democrats have raised sharp concerns regarding systemic cybersecurity risks and the potential exposure of ordinary Canadians’ private data. Meanwhile, civil liberties advocates are actively mobilizing to demand deep structural amendments.
As Bill C-22 progresses toward committee hearings, parliamentarians face a monumental task: deciding whether the bill successfully protects public safety in the digital age, or whether its lower evidentiary standards and hidden ministerial powers steer Canada too close to a surveillance state.