Canada’s Liberal government has introduced Bill C-22, the Lawful Access Act, 2026, a surveillance bill that compels electronic service providers to store Canadians’ metadata for a year and hands police and intelligence agencies new tools to access it.
We obtained a copy of the bill for you here.
The bill follows a failed first attempt, Bill C-2, which collapsed under the weight of near-universal criticism from opposition parties, rights groups, and the tech industry.
This is a mandatory data retention regime that forces companies to hold location data, device information, and other sensitive metadata on every Canadian, not just those suspected of crimes, ready for law enforcement retrieval via warrant. The logic is familiar: build the haystack first, search it later.
Reclaim Your Digital Freedom.
Get unfiltered coverage of surveillance, censorship, and the technology threatening your civil liberties.
Public Safety Minister Gary Anandasangaree framed the bill as a necessary modernization. “Canada is woefully behind our most important allies. Technology has moved forward; our laws are stuck in the previous century,” he said Thursday, flanked by police chiefs and Justice Minister Sean Fraser.
RCMP senior deputy commissioner Bryan Larkin added, “There’s an actual series of tools here that will eventually lead to greater success, greater efficiencies in police investigations, greater solvency in crime and, quite frankly, improving the safety of Canadians and, more importantly, addressing the concerns of victims.”
The government claims this isn’t surveillance of ordinary Canadians. Anandasangaree was explicit: “I want to be clear what C-22 is not. It is not about surveillance of Canadians going on about their daily lives. It is about keeping Canadians safe in the online space.”
The bill does exclude web browsing history and social media activity from its mandatory retention requirements. But the bill doesn’t need to include everything to be seriously invasive.
Location data alone tells a story. Where you sleep, where you worship, which doctor you visit, which protests you attend. All stored for a year, accessible to police and CSIS with a warrant, and built into every electronic service provider’s systems by law.
Tamir Israel, director of the Canadian Civil Liberties Association’s privacy, surveillance, and technology program, named the distinction that matters most. “Being able to categorically order companies to keep everybody’s information, not just people who are suspected of crimes… is different from getting a company to build a backdoor that then police could walk through to grab information,” he said.
“You’re both putting people’s privacy at risk, and you’re creating cybersecurity threats.”
That’s the architecture of C-22 in a sentence. Mass data retention treats everyone’s location and device data as pre-collected evidence, stored in advance on the off-chance it becomes useful later.
The bill’s most technically alarming section authorizes the Minister of Public Safety to issue secret orders compelling “core” electronic service providers, a category the government hasn’t fully defined yet, to build and maintain surveillance capabilities for law enforcement access. Providers who receive these orders are gagged. They cannot discuss them.
The government included limits: these technical capabilities cannot require providers to retain message content, browsing history, or social media activity. They also cannot introduce “systemic vulnerabilities” that weaken encryption or authentication, or create “a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.”
Compared to Bill C-2, C-22 does pull back in one meaningful area. Under the original proposal, police could have approached any service provider, including those bound by professional privilege like doctors and lawyers, to ask whether an individual was a client, for how long, from where, and whether the company knew of other providers who had dealt with that person, all without a warrant. C-22 limits warrantless inquiries to telecommunications companies only, and restricts the question to a simple yes-or-no: is this person a client? Any further information requires a warrant.
The bill also creates a new warrant mechanism for Canadian police seeking data held by foreign, almost certainly American, tech companies.
A Canadian judge can issue a production warrant that wouldn’t bind the foreign company legally but would give it legal cover to hand over data voluntarily. It’s a workaround, not a solution, and it depends entirely on the company’s willingness to cooperate.
Some of the bill’s warrant requirements include a carve-out for “exigent circumstances,” when police argue that getting a warrant would be impractical due to urgency. That exception tends to expand over time.
C-22 borrows several provisions from the Strong Borders Act, Bill C-2, which drew fierce opposition before stalling entirely with no movement since September 2025. Anandasangaree acknowledged the retreat explicitly. “One thing I’ve learned is that at times when more work needs to be done on a particular bill, you retreat and you come back. You come back with better consensus, better consultation, and better supports from across the board,” he said.
The rework narrows some of C-2’s most aggressive powers. What it doesn’t change is the central premise: that electronic service providers should be required to organize and warehouse Canadians’ sensitive data on behalf of the state, held in readiness for law enforcement use.
