Bill C-22, An Act respecting lawful access, is one of the most significant public-safety and technology bills currently before Parliament.
The bill, also titled the Lawful Access Act, 2026, is the latest development in bill tracking in Canada, would update Canada’s lawful-access framework by creating new tools for police and national security agencies to obtain digital information, while also introducing new obligations for certain electronic service providers.
The government says the bill is needed because criminal investigations increasingly depend on digital evidence and because existing processes can be too slow or unclear for modern online crime. Supporters point to child exploitation, human trafficking, fraud, extortion, organized crime, terrorism, foreign interference and other offences where digital identifiers, subscriber information or metadata may help investigators identify suspects and protect victims.
Critics argue that parts of the bill are too broad and may create privacy, cybersecurity, business and constitutional risks. The most debated issues include encryption, metadata retention, ministerial orders, the scope of affected service providers and the strength of independent oversight.
The bill is now before the House of Commons Standing Committee on Public Safety and National Security, where MPs have heard from ministers, federal officials, police services, legal experts, privacy scholars, child-protection organizations, business representatives, technology companies and national-security oversight bodies.
The debate is not about whether police can ever obtain digital evidence. They already can, with the appropriate legal authority. The central question is how far Parliament should go in requiring private-sector service providers to retain, produce or technically enable access to information in support of lawful investigations.
What Bill C-22 Would Do
Bill C-22 has three main components.
Part 1 would amend several existing statutes, including the Criminal Code, the Canadian Security Intelligence Service Act, the Mutual Legal Assistance in Criminal Matters Act, the Controlled Drugs and Substances Act and the Cannabis Act. These amendments are intended to modernize tools for gathering and producing information during investigations.
Part 2 would enact the Supporting Authorized Access to Information Act. This is the most controversial portion of the bill. It would create a framework requiring certain electronic service providers to facilitate authorized access to information.
Part 3 would require a parliamentary review of Parts 1 and 2 during the third year after the provisions come into force.
At a practical level, the bill would introduce or modify several lawful-access mechanisms.
Confirmation of Service Demands
One proposed tool is the confirmation of service demand.
This would allow police or CSIS to ask a telecommunications service provider whether a particular identifier is associated with that provider’s service. The identifier could be a phone number, account, device, username, email address or other digital marker.
The purpose is to help investigators determine which provider they should approach before seeking more detailed information.
For example, investigators may have an online identifier connected to suspected criminal activity but not know which company controls the relevant account. A confirmation of service demand would allow them to ask a narrow question: does this identifier relate to your service?
If the answer is yes, investigators would still need to obtain the appropriate legal authority before seeking subscriber information or other data.
Government and police witnesses have argued that this tool could reduce delays at the earliest stage of investigations. Critics have focused less on this tool than on other parts of the bill, though some have recommended clear limits to ensure it remains narrow and targeted.
Subscriber Information Production Orders
Bill C-22 would also create or amend powers related to subscriber information production orders.
Subscriber information can include identifying information associated with an account or service, such as a name, pseudonym, address, telephone number, email address, account number, service type, service period or device identifier.
The government’s position is that subscriber information can help investigators identify the person or entity behind an account, device or online activity, while still requiring judicial authorization.
Some legal experts have warned that subscriber information should not be treated as automatically low-sensitivity. Depending on the context, it can connect a person to devices, services, accounts, locations, communications patterns or networks of association.
Professor Leah West, a national-security law expert who appeared before the committee, said the bill is an improvement over some past lawful-access proposals but is “not there yet.” One of her concerns was that subscriber-information orders could lead to overcollection if judges are not required to authorize only the specific categories of information that are necessary for the investigation.
A likely amendment issue is whether the bill should be narrowed so that police request, and judges authorize, only the specific types of subscriber information that meet the applicable legal threshold.
Exigent Circumstances
The bill would also address urgent situations where officers believe the legal conditions for obtaining a warrant or order exist, but where exigent circumstances make it impracticable to obtain one in time.
This is relevant to investigations where delay could result in serious harm, loss of evidence or risk to a victim.
Supporters argue that urgent tools are necessary in cases involving missing children, trafficking, online exploitation or imminent threats. Critics generally accept that emergencies require flexibility, but argue that such powers should be carefully defined, documented and reviewable.
Technical and Operational Capability Obligations
Part 2 of Bill C-22 would allow obligations to be imposed on certain electronic service providers to maintain technical or operational capabilities needed to facilitate authorized access to information.
This is one of the bill’s most debated features.
The government says these provisions do not create new interception powers. In its view, the bill is about making sure that when police or CSIS already have lawful authority to obtain information, service providers are technically and operationally able to comply.
The government has also said the bill is “encryption neutral.” Public Safety Minister Gary Anandasangaree and federal officials have stated that Bill C-22 is not intended to require companies to break encryption or create systemic vulnerabilities.
Critics argue that the bill should state this more clearly. Their concern is that technical capability obligations could be interpreted broadly enough to pressure companies to redesign systems, weaken security or create access points that could be abused by unauthorized actors.
The bill does include language stating that a provider is not required to comply with a regulation or ministerial order if doing so would require the provider to introduce a systemic vulnerability or prevent it from fixing one. However, several witnesses have argued that the definition of “systemic vulnerability” should be strengthened and should explicitly protect end-to-end encryption.
Metadata Retention
Bill C-22 would allow regulations requiring certain categories of metadata to be retained for reasonable periods of time, not exceeding one year.
The bill states that regulations cannot require providers to retain the content of communications, web-browsing history or social media activities.
However, metadata remains a major point of dispute.
Metadata can include information about a communication or digital interaction without revealing the content itself. Depending on the type of metadata retained, it may show who communicated with whom, when, from where, using what device or through which service.
Government officials have emphasized that the one-year period is a maximum and that the specific categories of metadata would be defined later through regulation.
Privacy and constitutional experts have raised two concerns. First, they argue that metadata can be highly revealing even without content. Second, they argue that leaving important details to future regulation makes it difficult for Parliament and the public to assess the full privacy impact of the bill during the legislative process.
Professor Michael Geist described mandatory metadata retention as a potential “surveillance architecture.” Professor Robert Diab raised concerns that compelled retention for law-enforcement purposes could engage section 8 of the Canadian Charter of Rights and Freedoms, which protects against unreasonable search or seizure.
Some witnesses have recommended removing mandatory metadata retention entirely. Others have proposed a targeted “quick-freeze” model, where authorities can preserve specific data connected to a specific investigation rather than requiring broader retention in advance.
Law-enforcement witnesses, by contrast, have argued that retention is important because relevant data may be deleted before investigators know it is needed. Some have suggested that even a one-year period may not be enough for complex or long-running investigations.
Why the Government Says Bill C-22 Is Needed
The government’s case is based on the changing nature of crime and evidence.
At the May 5 meeting of the Standing Committee on Public Safety and National Security, officials from the Canadian Security Intelligence Service, the Department of Justice, Public Safety Canada and the RCMP appeared before the committee. Public Safety Minister Gary Anandasangaree and Justice Minister Sean Fraser also appeared.
Their central argument was that Canadian authorities are increasingly dealing with investigations where digital evidence is essential, but the legal and procedural framework has not kept pace.
Justice Minister Fraser summarized the government’s position by saying Canada cannot solve modern digital problems with outdated tools.
The government maintains that Bill C-22 does not remove the need for warrants, production orders or judicial authorization where those are currently required. Instead, it says the bill is designed to help authorities identify the correct service provider, preserve evidence and ensure that lawful orders can be carried out effectively.
Police witnesses made a similar argument at the committee’s May 7 meeting.
Toronto Police Chief Myron Demkiw told MPs that his service completed roughly 1,900 production orders over a 20-month period in detective operations alone. He said that identifying the correct provider and obtaining information through existing processes can be time-consuming.
Thunder Bay Police Chief Darcy Fleury gave a local example. He said that, in 2025, the Thunder Bay Police Service investigated 184 cyber-related cases, involving more than 140 production orders, 80 search warrants and over 1,370 devices seized for examination. Those investigations led to 20 victims being identified and more than 240 charges laid.
Fleury also described investigations involving missing or exploited youth, where timely access to digital leads may affect whether police can locate a child before further harm occurs.
For law enforcement, the issue is not only whether information can eventually be obtained. It is whether it can be obtained quickly enough to be useful.
Child Protection and Online Exploitation
Child-protection witnesses have added significant weight to the public-safety rationale for Bill C-22.
The Canadian Centre for Child Protection told the committee that Cybertip.ca, Canada’s tip line for online child sexual exploitation, received 28,000 reports in 2025. The organization also said its Project Arachnid platform has issued 141 million notices requesting removal of child sexual abuse material.
The centre pointed to a sharp rise in online exploitation. It said online luring reports to Cybertip.ca rose 344% between 2020 and 2025, and that sextortion reports have exceeded 14,000 since 2020.
At the same time, the organization said 2024 data showed charges were recommended in only 24% of online sexual offences against children and 6% of child sexual abuse material incidents.
Peel Children’s Aid Society also linked digital evidence to child trafficking investigations. Its CEO, Mary Beth Moellenkamp, said the average age of recruitment into sex trafficking is estimated at 13, and that her agency has supported children as young as nine. She said Peel CAS identified more than 200 cases last year where a child or youth was suspected of involvement in trafficking for sexual exploitation.
These witnesses generally supported tools that could help authorities move faster in identifying suspects, locating victims and connecting digital evidence to real-world harm.
Their testimony is important because it shows why many public-safety organizations support lawful-access modernization. It also underscores the central policy challenge: Parliament is being asked to design tools that are fast enough to help in serious investigations, but narrow enough to protect privacy, cybersecurity and civil liberties.
Why Technology Companies and Privacy Advocates Are Concerned
The strongest criticism of Bill C-22 has focused on Part 2.
Technology companies, civil-liberties advocates, privacy lawyers and some legal scholars have warned that the bill could impose broad obligations on service providers and create risks for encryption, cybersecurity and user trust.
The government has repeatedly said that the bill does not require companies to break encryption. But critics argue that the wording should be clearer and that the bill should include explicit protections for end-to-end encrypted services.
Several companies have publicly raised concerns.
Signal has said it would leave Canada if the bill required it to compromise user privacy. NordVPN has said it is reviewing the bill and would consider limiting or removing its presence from Canadian jurisdiction if the legislation required it to compromise privacy protections. Apple has warned that the bill could allow the government to require companies to insert backdoors into products, something Apple says it will not do. Meta has warned that the bill could require providers to install government surveillance tools on their systems or otherwise undermine encryption and cybersecurity.
Meta representatives Rachel Curran and Robyn Greene appeared before the committee on May 7. They argued that technical access obligations can create security risks if companies are required to build or maintain systems that allow third-party access. Their position was that there is no safe way to create an access mechanism that only law enforcement can use and that cannot be exploited by others.
This is the core of the encryption debate. Law-enforcement agencies argue that access to digital evidence is essential in serious investigations. Technology companies and security experts argue that weakening encryption for one purpose can weaken security for everyone.
Business and Compliance Concerns
The business community has also raised concerns about the scope and cost of Bill C-22.
The Canadian Chamber of Commerce, represented at committee by David Pierce, said businesses support appropriate tools for lawful investigations but are concerned about unclear obligations, compliance costs, cybersecurity exposure and potential conflicts with laws in other jurisdictions.
One concern is the bill’s definition of “electronic service provider.” David Fraser, a privacy and technology lawyer at McInnes Cooper, warned that the definition may be broad enough to capture organizations beyond telecommunications companies and major technology platforms.
Depending on interpretation, obligations could potentially affect a wider range of businesses and institutions that provide electronic services to people in Canada or carry on business activities in Canada.
This matters because the impact of the bill may depend heavily on later regulations and ministerial orders. A narrowly applied framework would affect a smaller group of core providers. A broader interpretation could create compliance uncertainty for many more organizations.
For businesses, the key questions are:
- Which entities could be designated or ordered to comply?
- What technical capabilities would they need to maintain?
- What categories of metadata could they be required to retain?
- What costs would compliance impose?
- What safeguards would protect retained data?
- How would Canadian obligations interact with foreign privacy, cybersecurity or data-protection laws?
Ministerial Orders and Oversight
Bill C-22 would allow certain obligations to be imposed through ministerial orders. These orders would require approval by the Intelligence Commissioner.
The government points to this approval mechanism as an important safeguard. However, oversight bodies have recommended improvements.
The National Security and Intelligence Review Agency appeared before the committee on May 7 through chair Marie Deschamps, vice-chair Craig Forcese and acting executive director Lawrence Mangano.
Deschamps said NSIRA should receive relevant information earlier, rather than waiting for annual reporting, so that it can conduct effective review. She recommended that NSIRA be proactively provided with classified ministerial orders issued to service providers, as well as information provided to the Intelligence Commissioner in support of those orders.
The Office of the Intelligence Commissioner also appeared. Intelligence Commissioner Simon Noël, joined by executive director and general counsel Justin Dubois, suggested that the bill should include clearer standards for reasonableness and proportionality. He also recommended placing limits on the validity period of ministerial orders and requiring new approval for renewals.
These oversight bodies did not reject the bill. Their testimony focused on making the accountability framework clearer, timelier and more practical.
Charter and Privacy Issues
Several witnesses raised potential Charter and privacy risks.
The main Charter issue is section 8, which protects against unreasonable search or seizure.
Critics argue that some forms of compelled data retention or broad production powers could interfere with reasonable expectations of privacy. They also argue that subscriber information, metadata and technical capability obligations may become more intrusive when combined.
Professor Robert Diab warned that a one-year metadata-retention regime could itself be considered a seizure if companies are required to retain data for law-enforcement purposes.
Professor Leah West recommended amendments to reduce overcollection, clarify subscriber-information orders and address risks connected to foreign data requests. She also argued that the bill should make clear that police and CSIS should not directly access or intercept information from service-provider systems. In her view, providers should remain responsible for the technical act of compliance when a lawful order is issued.
A key issue for Parliament will be whether the bill’s safeguards are specific enough to withstand constitutional scrutiny.
International and Cross-Border Concerns
Bill C-22 has also drawn attention outside Canada.
U.S. congressional leaders have sent a letter to Public Safety Minister Gary Anandasangaree warning that the bill could create cross-border risks for the security and privacy of Americans. Their concern is that American companies operating in Canada could face pressure to compromise the security of their broader user base or risk exclusion from the Canadian market.
The Canadian government has rejected the claim that Bill C-22 would require companies to create backdoors or weaken encryption. Minister Anandasangaree has said critics are misinterpreting the bill’s safeguards and that the government has more work to do in explaining the legislation.
The U.S. reaction matters because many of the companies potentially affected by the bill operate across borders. Technical changes made to comply with one jurisdiction may have implications for users, infrastructure and legal obligations in others.
This is also why Apple’s experience in the United Kingdom has been cited in the Canadian debate. Apple withdrew its Advanced Data Protection feature for UK users after a government demand under that country’s surveillance framework. Critics of Bill C-22 argue that Canada should avoid creating similar conditions.
Stakeholder Positions
| Stakeholder | General Position | Main Issues Raised |
| Federal Government | Supports Bill C-22 as a modernization of lawful access for digital investigations. | Says the bill does not create new interception powers and is “encryption neutral.” |
| Law Enforcement | Supports new tools to identify providers, obtain information faster and preserve evidence. | Concerned that current processes are too slow for online exploitation, trafficking, fraud, extortion and organized crime. |
| Child-Protection Organizations | Support tools that help identify offenders and locate children more quickly. | Emphasize rising reports of luring, sextortion, trafficking and child sexual abuse material. |
| Privacy and Constitutional Experts | Some accept the need for modernization but argue the bill requires substantial narrowing. | Raise concerns about metadata retention, subscriber information, Charter compliance and overbreadth. |
| Technology Companies | Concerned about encryption, cybersecurity and compelled technical capabilities. | Want explicit protections against backdoors, systemic vulnerabilities and government surveillance tools. |
| Business Groups | Support lawful investigations but want clearer limits and manageable obligations. | Concerned about compliance costs, broad definitions, cybersecurity risks and international legal conflicts. |
| Oversight Bodies | Do not reject the bill but recommend stronger review mechanisms. | Seek earlier access to information, clearer standards, duration limits and renewal requirements for ministerial orders. |
| International Observers | Some U.S. lawmakers have raised concerns about cross-border effects. | Focus on encryption, American users’ privacy, national security and economic impacts. |
Key Amendment Issues to Watch
As Bill C-22 moves through committee, the most important amendment questions are likely to include the following.
1. Encryption Protections
Will the bill explicitly state that providers cannot be required to break end-to-end encryption, create backdoors or introduce systemic vulnerabilities?
This is likely to be one of the most important issues for technology companies and privacy advocates.
2. Metadata Retention
Will the one-year metadata-retention framework remain, be narrowed or be replaced with a more targeted preservation model?
This is one of the central privacy and Charter issues in the bill.
3. Definition of Electronic Service Provider
Will Parliament clarify which entities can be subject to obligations under the bill?
A narrower definition could reduce business uncertainty. A broader definition could give the government more flexibility but increase compliance concerns.
4. Subscriber Information Safeguards
Will production orders be narrowed so judges authorize only specific categories of information needed for a particular investigation?
This issue affects the balance between investigative efficiency and privacy protection.
5. Ministerial Order Limits
Will the bill include clearer standards for reasonableness, proportionality, duration, renewal and challenge rights?
This is particularly important because some obligations may be imposed through ministerial orders rather than directly in the statute.
6. Oversight and Review
Will NSIRA and the Intelligence Commissioner receive stronger or timelier roles in reviewing the use of new powers?
Oversight bodies have suggested that the current framework can be improved.
7. Foreign Data and Mistreatment Risks
Will judges be required to consider whether certain requests could expose individuals to mistreatment in other jurisdictions?
This issue was raised by legal experts concerned about cross-border data-sharing and human-rights risks.
Why Bill C-22 Matters
Bill C-22 matters because it sits at the intersection of public safety, privacy, cybersecurity, business compliance and constitutional law.
For police and child-protection organizations, the bill addresses a real operational problem: digital evidence is often central to investigations, and delays can reduce the chances of identifying suspects or protecting victims.
For privacy advocates and legal experts, the concern is that lawful-access tools can become too broad if they are not tightly defined. Metadata, subscriber information and technical capability obligations may seem limited in isolation, but can become highly revealing when combined or applied at scale.
For technology companies, the central issue is whether Canada will require systems that could affect encryption or create new security risks. Even if the government does not intend to mandate backdoors, companies are seeking clearer statutory protection.
For businesses, the concern is uncertainty. If the bill applies broadly, organizations outside the traditional telecommunications and platform sectors may face new compliance, retention and cybersecurity obligations.
For Parliament, the challenge is to design a lawful-access framework that is operationally useful, constitutionally sound, technologically realistic and trusted by the public.
Current State of the Debate
The committee record so far suggests there is broad agreement on one point: Canada’s lawful-access rules need to reflect the realities of digital investigations.
There is much less agreement on how Bill C-22 should do that.
The government and law-enforcement witnesses argue that the bill preserves existing legal safeguards while helping authorities move faster and more effectively. Critics argue that the bill’s language is not yet precise enough to prevent overreach, cybersecurity risk or future misuse.
The May 5 and May 7 committee testimony and amendment tracking clarified the main lines of debate. Ministers and officials defended the bill as a modernization measure. Police and child-protection witnesses emphasized operational urgency. Legal experts, privacy advocates, technology companies, business groups and oversight bodies identified areas where they believe the bill requires amendment.
The result is a bill that is likely to change before it leaves committee.
The most important question is not whether Bill C-22 will give investigators new digital tools. It almost certainly would. The question is whether Parliament can define those tools clearly enough to preserve privacy, cybersecurity, judicial oversight and public trust.
Why Real-Time Legislative Monitoring Matters
Bill C-22 also illustrates how quickly the legislative record can evolve.
Committee testimony has already identified possible amendments on encryption, metadata retention, provider definitions, subscriber information, ministerial orders, oversight and Charter safeguards. For organizations affected by the bill, the practical implications may depend on wording changes made during clause-by-clause review.
A single amendment could affect whether a company is covered by the legislation, what data it must retain, how quickly it must respond, what technical capabilities it must maintain and what review or appeal mechanisms are available.
For government-relations teams, legal counsel, regulated businesses, technology companies and public-sector stakeholders, real-time legislative alerts can help your team stay ahead. Bill C-22 is a case study in why committee proceedings, witness testimony and amendment filings need to be monitored as they happen.
Stay Ahead of Legislative Change
Gnowit’s AI-powered legislative monitoring platform helps organizations monitor parliamentary debates, committee transcripts, legislative amendments, regulatory notices and policy developments in real time.
For files like Bill C-22, that means tracking the evidence, amendments and procedural developments that can reshape obligations before they become law.
Request a free demo at www.gnowit.com to see how real-time legislative intelligence can help your team stay ahead.