Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New This Week

Bill C-22 was introduced on March 12, 2026. Michael Geist’s initial analysis confirms that the metadata retention mandate – up to one year – is new in this bill and was not present in the previous version (Bill C-2). That detail sharpens the infrastructure concern considerably: the government quietly expanded the data collection scope while publicising the narrowed access rules.


Changelog

Date        | Summary
16 Mar 2026 | Initial publication.

Canada’s government introduced Bill C-22, the Lawful Access Act, on March 12, 2026. It is the third attempt in under a year to pass sweeping surveillance powers into law. The first version – buried inside a border security omnibus bill (Bill C-2) in June 2025 – drew opposition from more than 300 civil society organisations and was ultimately shelved. The government reset, extracted the lawful access provisions, and reintroduced them as a standalone bill. This time, it might actually pass.

The government’s framing – that C-22 is “narrower and more balanced than before” – is technically accurate for one of the bill’s two parts. As a description of the whole bill, it is actively misleading.

What C-22 Actually Requires

The bill splits into two halves with very different characters.

Part 1 covers law enforcement access to subscriber information. Compared to the Bill C-2 version, this is genuinely improved. Warrantless demands are now limited to a single question: does this person have an account with this telecom? That confirmation-only demand is a major narrowing from C-2, which would have allowed warrantless demands for personal information from virtually any service provider in Canada – including doctors and lawyers. For anything beyond that yes-or-no confirmation, police must now obtain a production order reviewed by a judge. The threshold is “reasonable grounds to suspect”, which is lower than the “reasonable grounds to believe” standard that ordinary warrants and most production orders require and that civil libertarians would prefer, but there is judicial oversight where there was none before. That is a real improvement.

Part 2 is the problem. It establishes the Supporting Authorized Access to Information Act (SAAIA), which compels ISPs and “electronic service providers” (ESPs) to build and maintain network surveillance capabilities. The definition of an ESP is broad enough to include cloud platforms, messaging services, and social media companies operating in Canada – not just telecoms. “Core providers” designated by regulation face the deepest obligations: developing interception and data extraction capabilities, installing and maintaining the equipment to support that access, and retaining categories of metadata for up to one year.

This metadata retention requirement is new in C-22. It was not in Bill C-2. While the government was publicising the narrowed access rules in Part 1, it quietly expanded the collection mandate in Part 2. Law professor Michael Geist, who has covered lawful access legislation in Canada for two decades, flagged this directly: the bill creates a “tale of two bills” structure where the access rules improved and the surveillance infrastructure mandate got worse.

“Just Metadata” Is Not a Reassuring Phrase

The government’s public framing is consistent: C-22 captures only metadata – who, when, where – not content. Not browsing history. Not messages. Not emails. Public Safety Minister Gary Anandasangaree said at the bill’s introduction that “it is not about surveillance of Canadians going on about their daily lives.”

This framing is technically illiterate.

Twelve months of location metadata maps a person’s home address, workplace, commuting patterns, medical appointments, places of worship, political events attended, and who they spend time with – all without capturing a single word they said or wrote. Communication metadata – who you called, how often, for how long, at what hours – reveals social networks, professional relationships, and behavioural patterns with more reliability than most content data, because content can be vague and metadata is precise.

The “just metadata” distinction was demolished in academic literature years ago. Stewart Baker, former NSA General Counsel, put it plainly: “metadata absolutely tells you everything about somebody’s life.” The NSA’s own bulk metadata collection programmes were built on exactly this premise. Canada’s government is using a privacy framing that its own security services would never apply internally.

What one-year mandatory metadata retention actually creates is a comprehensive behavioural dataset for every Canadian on a covered network. It reveals who associates with whom, patterns that suggest health conditions or political affiliation, and changes in behaviour over time that can retrospectively become relevant to investigations initiated months later. This is not identifying information. It is profiling infrastructure.
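As an added illustration of the two paragraphs above (example code written for this page, not part of the original article and not derived from any real retention store), the functions below take a handful of constructed location and call records – hypothetical subscriber names and tower ids, a few days of data rather than a year – and recover the kind of profile the text describes: a probable home and workplace from where a handset sits overnight and during weekday working hours, a weekly recurring visit to a fixed site, who is repeatedly co-located with whom, and a weighted contact graph built from call detail records. Nothing in the input is message content.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample location records, NOT real data: (subscriber, ISO timestamp, tower id).
# Subscriber names and tower ids are hypothetical labels. A real retention store would hold
# tower ids with coordinates, one row per registration event, for twelve months.
LOCATION_RECORDS = [
    # alice: nights at tower T1, weekdays 09-17 at T2, Tuesday evenings at T3
    ("alice", "2026-03-02T01:00:00", "T1"), ("alice", "2026-03-02T09:30:00", "T2"),
    ("alice", "2026-03-02T13:00:00", "T2"), ("alice", "2026-03-02T23:30:00", "T1"),
    ("alice", "2026-03-03T09:10:00", "T2"), ("alice", "2026-03-03T19:00:00", "T3"),
    ("alice", "2026-03-03T23:50:00", "T1"), ("alice", "2026-03-04T10:00:00", "T2"),
    ("alice", "2026-03-10T19:05:00", "T3"), ("alice", "2026-03-17T19:10:00", "T3"),
    # bob: nights at T4, Tuesday evenings at T3 (same site, same hour as alice)
    ("bob", "2026-03-03T00:30:00", "T4"), ("bob", "2026-03-03T19:02:00", "T3"),
    ("bob", "2026-03-10T19:00:00", "T3"), ("bob", "2026-03-17T19:15:00", "T3"),
    ("bob", "2026-03-17T23:40:00", "T4"),
]

# Constructed call detail records, NOT real data: (caller, callee, ISO timestamp, seconds).
CALL_RECORDS = [
    ("alice", "bob", "2026-03-03T18:30:00", 120),
    ("alice", "bob", "2026-03-10T18:25:00", 95),
    ("alice", "carol", "2026-03-05T12:00:00", 600),
    ("bob", "alice", "2026-03-17T18:40:00", 40),
    ("bob", "dave", "2026-03-06T22:00:00", 30),
]


def _ts(s):
    return datetime.fromisoformat(s)


def anchor_sites(records, subscriber):
    """Most frequent tower overnight (23:00-06:00) -> probable home; most frequent tower
    on weekdays 09:00-17:00 -> probable workplace. Returns None for a slot with no data."""
    night, work = Counter(), Counter()
    for who, ts, cell in records:
        if who != subscriber:
            continue
        t = _ts(ts)
        if t.hour >= 23 or t.hour < 6:
            night[cell] += 1
        elif t.weekday() < 5 and 9 <= t.hour < 17:
            work[cell] += 1
    return {"home": night.most_common(1)[0][0] if night else None,
            "work": work.most_common(1)[0][0] if work else None}


def recurring_visits(records, subscriber, cell):
    """(weekday, hour) slots at which the subscriber is seen at `cell` at least twice.
    A fixed weekly slot at one site is the signature of a clinic, a meeting or a place of worship."""
    slots = Counter()
    for who, ts, c in records:
        if who == subscriber and c == cell:
            t = _ts(ts)
            slots[(t.weekday(), t.hour)] += 1
    return {slot: n for slot, n in slots.items() if n >= 2}


def co_presence(records, a, b, window_minutes=30):
    """Count of occasions on which a and b registered at the same tower within the window."""
    by_cell = defaultdict(list)
    for who, ts, cell in records:
        if who in (a, b):
            by_cell[cell].append((who, _ts(ts)))
    hits = 0
    for seen in by_cell.values():
        times_a = [t for who, t in seen if who == a]
        times_b = [t for who, t in seen if who == b]
        hits += sum(1 for ta in times_a for tb in times_b
                    if abs((ta - tb).total_seconds()) <= window_minutes * 60)
    return hits


def contact_graph(calls):
    """Undirected social graph: {(x, y): (call count, total seconds)} from call detail records."""
    edges = defaultdict(lambda: [0, 0])
    for caller, callee, _ts_unused, secs in calls:
        key = tuple(sorted((caller, callee)))
        edges[key][0] += 1
        edges[key][1] += secs
    return {k: tuple(v) for k, v in edges.items()}


if __name__ == "__main__":
    print("alice anchors:", anchor_sites(LOCATION_RECORDS, "alice"))
    print("alice weekly slot at T3:", recurring_visits(LOCATION_RECORDS, "alice", "T3"))
    print("alice/bob co-presence:", co_presence(LOCATION_RECORDS, "alice", "bob"))
    print("contact graph:", contact_graph(CALL_RECORDS))
```

Run as a script, it prints alice’s probable home (T1) and workplace (T2), a recurring Tuesday 19:00 slot at T3, three co-located evenings with bob, and a contact graph in which alice and bob have exchanged three calls. With a year of real tower data the same four queries become far sharper, and the recurring-slot query is the one that turns a clinic, a meeting hall or a place of worship into an inferred attribute attached to a subscriber.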

The Infrastructure Mandate Problem

There is a structural difference between requiring data retention and requiring surveillance capability. The distinction matters more than it might appear.

Data retention rules specify what gets kept and for how long. They can be scoped, audited, and in principle repealed: the data exists, but the boundaries of what is collected are fixed in the legislation itself.

Surveillance capability mandates are different. Requiring ISPs and ESPs to build, install, and maintain the technical infrastructure to intercept and extract data on demand means building that capability into the network itself. Once it exists, it does not require new legislation to expand. It requires a ministerial order – which under C-22 can be issued secretly, with no public registry, no parliamentary vote, and no right for users or companies to disclose that such an order was received.

The scope of those orders can be changed by regulation, not by Parliament. OpenMedia notes that the systemic vulnerability exception – which nominally prevents the government from mandating capabilities that would break encryption or introduce security holes – contains an intentional gap: the government can redefine what counts as a “systemic vulnerability” by regulation alone. No debate. No public process. The bar can be moved after the infrastructure is already in place.

The UK government’s 2025 secret order to Apple demanding global access to encrypted iCloud data is the reference case here. Apple chose to withdraw its strongest encryption feature from the UK rather than comply, and security researchers were unambiguous: any access capability built for one government cannot be architecturally contained to that government. The C-22 infrastructure mandate creates the same structural risk at the network layer, across a much broader set of providers.

This is the Geist critique: you cannot evaluate Part 1’s access rule improvements without accounting for Part 2’s capability mandate. The access rules govern what government can do with the infrastructure today. The infrastructure governs what any government can do with it indefinitely.

One Year of Metadata as a Breach Target

Mandatory retention of metadata for 32 million Canadians – across telecoms, ISPs, and potentially cloud platforms – creates a very large centralised dataset. It will be stored by private companies, accessed by police and CSIS, potentially shared with foreign governments under agreements including the Second Additional Protocol to the Budapest Convention and the CLOUD Act.

Each of those is a breach surface. The companies holding the data face the same threat landscape as any enterprise: ransomware, state-sponsored intrusion, insider access, and contractor compromise. The government-adjacent sensitive data stores are not better secured than commercial ones – the Conduent breach earlier this year demonstrated that again, with 25 million Americans’ records exposed through a government contractor. Requiring the creation of centralised metadata archives is also requiring the creation of a high-value target. The obligation to retain it does not come with any obligation for the holding company to secure it to a standard commensurate with its sensitivity.

Five Eyes implications compound this. Canada’s surveillance infrastructure interoperates with the US NSA, UK GCHQ, Australia’s ASD, and New Zealand’s GCSB under longstanding signals intelligence sharing arrangements. Canadian metadata collected under C-22 can – under certain conditions – flow to partner agencies. The access rules in Part 1 are scoped to Canadian law enforcement. The metadata sitting in a telecom’s retention store is not.

What It Means for Companies Operating in Canada

If you run systems that touch Canadian users, Bill C-22 changes your landscape in a few concrete ways.

If you are a telecom or ISP operating in Canada, compliance scope is expanding significantly. Core provider designation – which will be set by regulation, not defined in the bill – brings obligations to develop and maintain interception capabilities, install supporting equipment, and retain metadata for up to a year. The costs fall on providers. The orders can be secret.

If you operate any electronic service with Canadian users and carry on part of your business in Canada, you are potentially in scope as an ESP. The ministerial order power extends to services well beyond telecoms – the bill specifically contemplates global platforms. Companies that receive orders cannot tell users, cannot publicly confirm the orders, and face administrative penalties for non-compliance.

If you use Canadian telecoms or data processors as part of your infrastructure stack, their surveillance capability obligations become part of your architecture’s threat model. The surveillance infrastructure embedded in networks is not isolated from the applications running on top of them.

If your users are Canadian, the Five Eyes data-sharing dimension means metadata collected under Canadian authority can reach US, UK, and Australian intelligence agencies. This is a material consideration for any privacy risk assessment or data processing agreement involving Canadian subscribers. Identity and metadata are attack surfaces independent of whether any specific breach has occurred.

The Long Game

The access rules in C-22 are better than previous versions. The government made real concessions: judicial oversight for subscriber information, a narrowed scope for warrantless demands, a genuine improvement over the constitutional wreckage that was Bill C-2’s original provisions.

The infrastructure mandate is not better. It is worse – a metadata retention requirement that wasn’t in C-2 was added while the public discussion focused on the access rule improvements. The SAAIA provisions are largely unchanged from the version that 300-plus civil society organisations condemned. The ministerial order powers are secret, broad, and expandable by regulation without parliamentary scrutiny.

The access rules matter less than the infrastructure you are required to build. OpenMedia’s framing is correct: the architecture of surveillance is being laid now. The rules governing who accesses it are always subject to change.

This is Canada’s third attempt in under a year. The political will is there. The bill is better constructed than its predecessors. It will probably pass. The question for engineers and companies operating in Canada is not whether C-22 will become law – it is what compliance looks like, and what the surveillance-capable infrastructure that the bill mandates will look like in five years under a different government.