ChannelLife Canada - Industry insider news for technology resellers

On the table: Bill C-22 revives Canada's lawful access debate

Wed, 15th Apr 2026

The Carney government tabled Bill C-22, the Lawful Access Act, 2026, in the House of Commons on March 12, 2026, formally separating years of contested digital surveillance policy from omnibus legislation and presenting it as a standalone bill for the first time.

The legislation is divided into two structurally distinct parts with very different implications for Canadian telecommunications operators, internet service providers (ISPs), and enterprise software companies.

Part 1: Subscriber access and the end of warrantless demands

When the government first attempted to introduce lawful access provisions in Bill C-2, a border security bill tabled in June 2025, the Information Demand power would have allowed police to obtain a broad range of subscriber information from any service provider in Canada without judicial approval. More than 300 civil society organisations, including OpenMedia, the Canadian Civil Liberties Association, and the Canadian Internet Policy and Public Interest Clinic (CIPPIC), demanded its withdrawal, and the government shelved those provisions in October 2025.

"Bill C-2 is anti-privacy, anti-rights, and anti-Canadian. It solves border problems that don't exist; and breaks rights that do," said Matt Hatfield, Executive Director of OpenMedia, in a release from June 18 last year.

Public Safety Minister Gary Anandasangaree argued at a press conference on March 12 that Bill C-22 "is not about surveillance of Canadians going on about their daily lives. It is about keeping Canadians safe in the online space." Nor is it the same as Bill C-2, he added.

Bill C-22 replaces that mechanism with two narrower tools. The first is a confirmation of service demand: police may ask a telecom, for example, whether a named individual is a customer, and the telecom is obligated to confirm or deny without a warrant. The second is a new subscriber information production order under section 487.0142 of the Criminal Code, requiring judicial sign-off before more detailed records, such as name, address, device identifiers, and account history, can be compelled.

Michael Geist, Canada Research Chair in Internet and E-Commerce Law and Professor in the Faculty of Law at the University of Ottawa, says the bill is a departure from prior Supreme Court decisions that established an expectation of internet privacy.

R. v. Spencer in 2014, for example, examined the legality of voluntary warrantless disclosure of basic subscriber information to law enforcement. In a unanimous decision, the Supreme Court granted the right to anonymity and clarified regulations governing law enforcement's ability to obtain a warrant for subscriber information from ISPs.

"The current standard right now is reasonable grounds to believe which is a higher standard. The bill would establish this lower standard of reasonable grounds to suspect. So two changes: One, warrantless access, just to confirm the person's a subscriber. Second, court oversight - but lowering the threshold from reasonable grounds to believe to reasonable grounds to suspect at the access to the subscriber [information] side."

Additionally, Part One introduces mandatory metadata retention obligations for core providers: companies designated under the bill would be required to retain location and transmission data for one year. Secrecy requirements can last up to one year for subscriber information demands, and up to three years for computer data search warrants, during which affected parties have no right to notify customers that their records were accessed.

In a second reading of Bill C-22 on April 13, Bloc Québécois MP for Rivière-du-Nord, Rhéal Éloi Fortin, emphasised that regulating access to information in a fast-changing digital landscape is difficult.

"I understand that we need to get up to speed with what is being done elsewhere in the world. That is an argument that has come up a few times. However, when we take a closer look, it is not necessarily clear that Canada is in such a bad position compared to what is being done in the United States, Australia, the United Kingdom or elsewhere in the world. We therefore need to examine this closely. Would Bill C-22 not put us in a position that is abusive - or at the very least excessive - compared to what is being done elsewhere? That may or may not be the case," he said.

Conservative MP for Kamloops - Thompson - Nicola, Frank Caputo, raised R. v. Spencer and R. v. Bykovets, a Supreme Court case addressing whether an internet protocol (IP) address attracts a reasonable expectation of privacy.

"As I understand it, the bill's intent is to require that metadata be kept. That can include location services, but it is not meant to include the content. That is my reading of the bill. I think this needs to be closely scrutinized," he said.

Part 2: The SAAIA and the surveillance infrastructure mandate

The second part of the bill enacts an entirely new statute: the Supporting Authorized Access to Information Act (SAAIA). The government frames SAAIA as a technical modernisation, noting that Canada's current legal framework for lawful interception relies on a 1995 licence condition that covers only voice telephony and that, outside of legacy phone calls, compliance with lawful access orders by digital service providers is entirely voluntary.

In 2016, the Court of Justice of the European Union ruled that data retention infringed on a citizen's privacy. "With respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained," the release stated. "The Members States may not impose a general obligation to retain data on providers of electronic communications services."

SAAIA establishes a class of designated "core providers" who will be required to build and maintain permanent technical capabilities to facilitate government interception and data retrieval under existing authorities under the Criminal Code and the CSIS Act. It also allows the Minister of Public Safety to issue company-specific Ministerial Orders requiring individual electronic service providers to develop interception capabilities, subject to the Intelligence Commissioner's approval before issuance.

The bill explicitly states that SAAIA does not require providers to introduce "systemic vulnerabilities" into their systems. 

"It's [data] going back in time for up to a year. Now, that might well be useful in context of a criminal investigation. The problem is, they are saying that they want this information retained for every Canadian, or at least 10s of millions of Canadians, the vast majority of whom, there's no reason to believe any suspicion of any criminal activity. So, for the benefit of having some of this data in the odd circumstance where it's needed, every Canadian is now going to be subject," said Geist.