Canada’s federal government has reintroduced its lawful access regime in a narrower form, using Bill C-22 to preserve new investigative powers for police while cutting back some of the broad warrantless reach that triggered the backlash against the earlier version, Bill C-2.
Public Safety Minister Gary Anandasangaree said the new bill followed consultations with police and privacy groups and was designed to “balance the needs of law enforcement with the privacy and civil rights that Canadians demand.”
He added that C-22 “is not about surveillance of Canadians going on about their daily lives” and instead targets online criminal activity.
Warrantless access and subscriber data request
The biggest structural change is the contraction of warrantless access. Under C-22, warrantless powers would be limited to a new “confirmation of service demand,” which would allow police to ask a telecommunications service provider only whether it has provided service to a specific person.
The earlier proposal had drawn criticism because privacy advocates said it could let a much broader set of service providers voluntarily hand over identifying information without a warrant.
For information beyond service confirmation, the bill raises the threshold. Production orders would now be confined to basic identifying data such as names and addresses and would require judicial authorization based on a “reasonable suspicion” standard.
C-22 also extends the period to challenge production orders in court to 10 business days from five days, giving affected parties twice the response window in business-day terms.
The bill still preserves a broad operational scope in one area by applying those production orders to a wider category of online service providers, not only internet and phone companies. At the same time, Justice Minister Sean Fraser said the revised definition of service provider is now restricted to “electronic service providers,” which he described as “effectively cell phone companies, internet service providers,” and explicitly contrasted with access to sensitive records such as medical information from a family physician.
C-22 also opens a route for Canadian police to seek court authority to request subscriber or transmission data from foreign firms such as Google, Meta and OpenAI. Government officials said during a technical briefing that nothing in the legislation would compel those companies to comply.
Operationally, ministers and police framed the bill as a response to lagging investigative tools. Officials said Canada is the only Five Eyes country without such powers and that the rules governing whether Canadian telecom companies must maintain lawful-intercept capabilities have not been meaningfully updated since the 1990s. C-22 would require “core” electronic service providers to build and update technical capabilities aligned with international partners, including cases where authorities need location-tracking functionality for suspected terrorist activity.
Any ministerial order imposing such a requirement would need approval from the federal intelligence commissioner.
The earlier Bill C-2 had bundled lawful access with border security, asylum and immigration measures, and Conservatives said they would block it unless the lawful access provisions were removed and reworked. Privacy advocates had also warned the original language could let a wide spectrum of businesses, from dating sites to hotels, provide identifying information without a warrant.
The government ultimately split out the border and immigration measures into Bill C-12, which has passed the House of Commons and is nearing final Senate approval.
Oversight
The government paired those powers with new oversight mechanisms. C-22 would require annual public reporting on all ministerial orders issued to core providers, while unredacted versions would go to the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency.
The bill would also face a mandatory parliamentary review three years after passage, which Fraser said is meant to keep the framework current as technology evolves.
Police used case timelines to argue the need for faster access. Ottawa Police Chief Eric Stubbs said investigators in one current case waited between 12 days and 11 weeks for data returns tied to six separate social media accounts allegedly used to spread non-consensual sexualized AI deepfake images.
Officials also offered a sextortion scenario in which police, under C-22, could ask Meta for the suspect’s IP address, require a Canadian provider to confirm service, and then seek a production order for the suspect’s name and address.
The new bill does not address separate calls, including from BC Premier David Eby, to force AI companies to report troubling online behaviour to police after the Tumbler Ridge mass shooting. Anandasangaree said that issue is distinct from lawful access, while ministers indicated separate legislation on AI reporting obligations could still emerge later.
Information for this story was found via Global News and the sources and companies mentioned. The author has no securities or affiliations related to the organizations discussed. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.
