PoliTraQ Blog

Bill C-22 and the Lawful Access Debate: What GR Teams Need to Watch

PoliTraQ

Bill C-22 and the Lawful Access Debate: What GR Teams Need to Watch

The Bill That Won't Stay Quiet

After two failed attempts and significant public backlash, the federal government has reintroduced its lawful access legislation as Bill C-22 — the Lawful Access Act, 2026. It's now at the committee stage, where amendments are actively being proposed, and the pressure on both sides is significant.

For GR teams at telecom companies, internet service providers, cloud platforms, and digital service companies, this bill is not abstract. It would compel core electronic service providers to build and maintain technical systems capable of handing over subscriber data and metadata to law enforcement and CSIS when a warrant is obtained. It would mandate retention of certain metadata for up to one year. It would give the Minister of Public Safety powers to issue orders on providers — subject to intelligence commissioner review.

That's an operational, legal, and reputational issue for companies in scope.

What the Bill Actually Does

Part 1 of C-22 amends the Criminal Code to modernize procedural tools for obtaining digital evidence. Part 2 — the contested part — is the Supporting Access to Authorized Information Act (SAAIA), which creates the new regulatory framework for electronic service providers.

The core obligations for core providers under the bill:

  • Build and maintain the capability to respond to lawful access requests
  • Retain certain metadata for up to one year
  • Provide information to law enforcement or CSIS upon receiving valid legal authorization
  • Comply with ministerial orders, subject to intelligence commissioner approval

The government argues this is long overdue — Canada's lawful access framework hasn't been updated since the mid-1990s and only covers wireless voice telephony. Police and CSIS say they are outpaced by technology and need these tools to protect public safety.

Where the Criticism Is Coming From

The pushback has been significant and broad:

Tech companies: Apple, Google, and Meta have all submitted concerns. Signal has stated publicly it would rather exit Canada than compromise its encryption. The Canadian Chamber of Commerce has raised concerns about compliance costs and security risks.

Privacy Commissioner: Philippe Dufresne submitted eight recommendations, including narrowing the definition of subscriber information, limiting the entities in scope, and adding a necessity and proportionality requirement to all technical obligations.

Cybersecurity experts: The core concern is that mandatory data retention creates a集中攻击目标 — a honeypot of sensitive metadata that, if breached, could expose Canadians to harm. There's also concern that "technical capability" requirements could be interpreted to require encryption workarounds.

U.S. congressional committees: Two committees have written to the Canadian government expressing concern that the bill could weaken cybersecurity and harm cross-border data flows.

Privacy and civil liberties advocates broadly have argued the bill's scope is too broad and its safeguards insufficient.

Where the Government Is Moving

Public Safety Minister Gary Anandasangaree has acknowledged the criticism and committed to amendments. The government has said it will:

  • Add explicit protection for end-to-end encryption
  • Clarify the definition of metadata to be more closely aligned with U.S. law
  • Provide compensation mechanisms for telecom companies for required system changes

The amendments are expected to be tabled as the committee continues its study.

Why This Is a GR Issue, Not Just a Legal Issue

For organizations in scope, C-22 is not just a compliance matter. The legislative process is still open — amendments are being proposed, and the final form of the bill will be shaped by the quality of the stakeholder engagement.

For GR teams at affected organizations, this means:

  • Monitoring the committee stage and understanding which amendments are adopted
  • Understanding where your industry association stands and whether you're represented in consultations
  • Identifying whether the final scope will capture your organization and what compliance obligations it will create
  • Tracking ministerial orders once the bill passes — those will be concrete, operational, and challengeable

The bill's progression through committee is a window. Once it becomes law, the regulatory framework will be developed through regulations — and the organizations that engage during the legislative phase will be better positioned to shape the regulations that follow.

The Timeline

C-22 was introduced in March 2026. It moved through second reading and is now at committee. The government has said amendments will be tabled during committee study. After committee report, it goes back to the House for third reading and then the Senate.

This is an active file. The window for meaningful influence is not closed.

What Good Monitoring Looks Like Here

For GR teams tracking C-22 as it moves, the relevant signals include:

  • Committee meeting schedules and witness lists (who is being called to testify matters)
  • Government and opposition amendments proposed (what is the direction of travel)
  • Statements from Public Safety Minister's office on amendment timeline
  • Regulatory consultation signals once the bill passes (the real implementation work will happen in regulations)
  • Provincial equivalents — lawful access frameworks at the provincial level vary and some may update in response to federal action

PoliTraQ monitors legislative developments across Canadian jurisdictions, including bills at committee stage, regulatory consultations, and the government orders that follow. Request a demo to see how GR intelligence works in practice. Request a demo

References