Canada Introduces Bill C-22 to Modernize Police Digital Access Laws

On March 12, 2026, Public Safety Minister Gary Anandasangaree and Justice Minister Sean Fraser tabled Bill C-22 — the Lawful Access Act — in the House of Commons, marking the federal government's third attempt in less than a year to expand how Canadian police and intelligence services access digital information [1][2]. The legislation arrives freighted with the political baggage of its predecessors and the fundamental tension at the heart of modern democracy: how to equip law enforcement for a digital age without building a surveillance state.

"It's about ensuring that when police have the legal grounds and the judicial authorizations to obtain information, the system works in a way that reflects the speed and complexity of modern crime," Justice Minister Fraser said in introducing the bill [3].

But for digital rights organizations, legal scholars, and opposition parliamentarians, the question is not whether police need updated tools — it's whether this bill goes too far.

A Troubled Legislative Lineage

Canada's struggle to modernize its lawful access regime stretches back more than two decades. The Criminal Code provisions governing the interception of communications were first adopted in 1974, and while amendments in the 1980s and 1990s added references to computer systems, the framework has never undergone a comprehensive overhaul to address the realities of encrypted messaging, cloud computing, and social media [4].

The most significant recent judicial landmark came in June 2014, when the Supreme Court of Canada ruled in R. v. Spencer that law enforcement officers need a search warrant before accessing subscriber information from Internet service providers — a decision that invalidated longstanding police practices and underscored the constitutional stakes of any legislative reform [5].

The current bill represents the government's third run at the issue in the 45th Parliament alone. In June 2025, the Liberals buried sweeping lawful access provisions within Bill C-2, the omnibus Strong Borders Act. Privacy advocates were incensed. University of Ottawa law professor Michael Geist accused the government of trying to slip surveillance powers through under the guise of border security [6]. Over 300 civil society organizations — including OpenMedia, the Canadian Civil Liberties Association (CCLA), and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) — demanded the provisions be withdrawn [7].

Conservatives vowed to block the bill unless the lawful access sections were removed. By October 2025, the government capitulated, shelving Bill C-2 and introducing a replacement border bill, C-12, that omitted the contested surveillance powers entirely [8]. But within weeks, officials signaled the lawful access agenda was far from dead [9].

What Bill C-22 Actually Does

The legislation is divided into two distinct parts, each with dramatically different implications.

Part 1: Timely Access to Digital Information

Part 1 amends the Criminal Code and the CSIS Act to create new tools for law enforcement and intelligence agencies to identify and track suspects in the digital environment. Its key provisions include:

Confirmation of Service Demands. Police and CSIS would be able to compel telecommunications service providers to confirm whether they provide service to a specific individual or account number — without a warrant. This is framed as a preliminary investigative step: officers must have reasonable grounds to suspect a crime has been or will be committed, and the information is limited to confirming whether a service relationship exists [1][2].

Updated Production Orders. The bill revises existing search warrant powers for computer searches and creates new production orders allowing police to seek transmission data and subscriber information. The timeline for challenging these orders in court would be extended from five to ten business days [2].

Foreign Service Provider Access. In what officials describe as a critical modernization, the bill would allow Canadian police to seek court authority to request data from foreign electronic service providers including Google, Meta, and OpenAI — companies that increasingly hold the communications and metadata of Canadian users but are not currently subject to Canadian production orders [1][3].

Subscriber Record Access. Police could obtain subscriber records based on a "reasonable grounds to suspect" standard — a lower threshold than the "reasonable grounds to believe" standard required for many existing warrants [10].

Critically, the government emphasizes that Bill C-22 does not authorize the search or seizure of content information such as browsing history, social media activity, or message content [2].

Part 2: The Supporting Authorized Access to Information Act

It is Part 2 that has become the lightning rod for opposition. This section — which privacy advocates say is substantively unchanged from its Bill C-2 predecessor — would create a legal framework requiring electronic service providers (ESPs) to build and maintain the technical capability to allow law enforcement and CSIS to access communications they are already legally authorized to intercept [11].

Under Part 2, the Minister of Public Safety could issue orders to any ESP operating in Canada — not just traditional telecom companies, but messaging apps, cloud services, email providers, and social media platforms — requiring them to develop surveillance capabilities within their infrastructure [7][11].

The government has introduced some guardrails compared to the original Bill C-2 version. Ministerial orders would now require approval from the Intelligence Commissioner, a retired judge (currently former Federal Court justice Simon Noël). Companies could request extended implementation timelines. Metadata retention would be capped at one year. And the minister would be required to publish annual reports within 60 days [11].

But the fundamental architecture remains: secret orders, issued to private companies, requiring them to engineer access points into their systems — with criminal penalties for non-compliance and prohibitions on companies disclosing the existence of the orders to their users [7].

Source: GDELT Project

Data as of Mar 13, 2026CSV

The Privacy Fault Line

The debate over Bill C-22 has split Canadian politics and civil society along familiar lines, but with unusual intensity.

The Law Enforcement Case

Police leaders have advocated for lawful access modernization for years. The Canadian Association of Chiefs of Police (CACP) frames the issue as one of basic investigative capability: in a world where criminal communications have migrated from wiretappable telephone lines to end-to-end encrypted messaging platforms, officers armed with valid court orders increasingly find that service providers cannot — or will not — produce the data those orders authorize [12].

"Effective enforcement begins with the ability to obtain digital evidence," the CACP has stated. "A charge must be laid, which in many cases, relies on lawful access to electronic evidence that can only be acquired by updating antiquated lawful access legislation" [12].

Both CSIS and the RCMP have documented the growing "going dark" problem: traditional interception techniques have become less useful as encryption has become more widespread, enabling threat actors to evade discovery, investigation, and prosecution [4]. The government cites the use of digital tools in child sexual exploitation, human trafficking, money laundering, and the planning of terrorist attacks as justification for the expanded powers [1].

The Civil Liberties Counterargument

Privacy advocates acknowledge the "going dark" challenge but argue that Bill C-22's Part 2 creates dangers that far outweigh its benefits.

OpenMedia executive director Matt Hatfield has been among the most vocal critics. "Our government has not done the work to make Bill C-22 safe for Canadians," Hatfield said upon the bill's introduction [7]. While crediting "real" improvements in Part 1 — "The changes to Part 1 are real — we'll take them," he acknowledged — Hatfield called for Part 2 to be stripped from the legislation entirely [7].

The core technical argument is straightforward: once a surveillance capability is engineered into a platform's infrastructure, it doesn't exist only for Canadian law enforcement. It becomes a permanent architectural vulnerability that foreign intelligence services and criminal hackers can seek to exploit [7]. OpenMedia drew a direct parallel to Apple's 2025 dispute with the United Kingdom, where the company resisted similar government demands to weaken encryption, arguing that compliance would compromise the security of all users globally [7].

The Electronic Frontier Foundation (EFF) raised international alarm about the earlier Bill C-2, warning that Canadian lawful access provisions could "open the floodgates to U.S. surveillance" given the extensive intelligence-sharing arrangements within the Five Eyes alliance [13]. Those concerns carry over directly to Bill C-22.

Michael Geist, who has tracked lawful access legislation for over a decade, offered a more measured but still cautionary assessment. He credited the government with "significantly limiting the scope" of warrantless powers in Part 1, but warned that the requirement for telecom companies to build surveillance infrastructure remains "largely unchanged from the original proposal." Geist cautioned that "once established, the network surveillance capabilities will be there to stay, so they will require careful study and potential amendments" [14].

Political Opposition

The NDP has opposed the bill's expansion of warrantless surveillance, arguing it threatens privacy and Charter rights. The Conservatives, whose opposition helped sink Bill C-2, have signaled they will scrutinize the legislation closely, though their response to the revised version has been less categorical than their blanket rejection of the predecessor bill [3].

The Five Eyes Context

Bill C-22 does not exist in a vacuum. Canada's four allies in the Five Eyes intelligence-sharing alliance — the United States, United Kingdom, Australia, and New Zealand — have all grappled with similar tensions between law enforcement access and digital privacy, and their varying approaches provide important context [15].

The United Kingdom's Investigatory Powers Act empowers the government with tools that some analysts consider unmatched in the democratic world, including "technical capability notices" that require private companies to provide new product designs to the government in advance [15]. Australia, uniquely among the Five Eyes, legally compels internet service providers to log data on their users [15].

Canada has historically positioned itself as more privacy-protective than its anglophone allies. The question now is whether Bill C-22 brings it into alignment — or capitulation.

The intelligence-sharing dimension adds another layer of concern. Under the Five Eyes framework, there is no domestic legislation governing intelligence-sharing between member nations, meaning that surveillance capabilities built into Canadian infrastructure could, in theory, be leveraged by partner intelligence services with minimal oversight [15].

The Technical Stakes: Encryption and Backdoors

At the heart of the Part 2 debate lies a question that has divided technologists and policymakers worldwide: can you build a backdoor that only the "good guys" can use?

Cryptographers have consistently argued that you cannot. Any access mechanism engineered into an encrypted system creates a vulnerability — a skeleton key that, if discovered, compromised, or misused, could expose the communications of millions. The Chamber of Progress, a U.S.-based technology advocacy group monitoring Canadian developments, warned that "small tweaks won't fix" the fundamental security risk of mandating surveillance capabilities in commercial systems [16].

The government has pushed back on this characterization. Senior officials have insisted that Bill C-22 does not mandate weakening encryption and that compliance requirements can be met through targeted solutions that preserve overall system integrity [11]. But critics note that the legislation's text is technology-neutral in a way that could encompass encryption-undermining measures, and that the secrecy provisions surrounding ministerial orders would prevent public scrutiny of exactly what companies are required to build [7].

What Happens Next

Bill C-22 is currently at second reading in the House of Commons [17]. If it passes second reading, it will proceed to committee, where witnesses from law enforcement, privacy organizations, the technology sector, and legal academia will testify.

The bill includes a mandatory parliamentary review three years after enactment and annual reporting requirements [11]. But for privacy advocates, these post-hoc accountability measures are insufficient safeguards against powers they consider inherently dangerous.

The political arithmetic remains uncertain. The Conservatives' willingness to support a revised version — or to demand further changes — will likely determine the bill's fate. The NDP's opposition could complicate passage, particularly if the government faces a minority Parliament scenario.

What is clear is that the fundamental debate underlying Bill C-22 — how democracies balance security and privacy in the digital age — will not be resolved by a single piece of legislation. Canada's three attempts in under a year testify to the difficulty of the undertaking and the depth of the disagreement.

As Michael Geist observed: "The interests of Canadians and their privacy are essential and cannot be overlooked" [14]. Whether Bill C-22 overlooks them is the question that Parliament must now answer.