- within Insurance, Criminal Law and Law Department Performance topic(s)
- with Senior Company Executives, HR and Inhouse Counsel
- with readers working within the Insurance, Healthcare and Oil & Gas industries
On March 12, 2026, the Government tabled Bill C-22, the Lawful Access Act 1. Bill C-22 is a standalone bill that revisits the lawful access provisions contained in Parts 14 and 15 of Bill C-2, the Strong Borders Act 2, which was tabled in June 2025 (see our bulletin on the lawful access portions of Bill C-2, here).
Bill C-2's lawful access provisions faced significant opposition from civil-liberties groups, privacy advocates, and others, who raised concerns about the breadth of the provisions and their potential conflict with Charter rights and Supreme Court of Canada jurisprudence on subscriber information. In response, Public Safety Minister Gary Anandasangaree introduced Bill C-12, the Strengthening Canada's Immigration System and Borders Act, which retained the border-security, customs, and immigration measures from Bill C-2 to advance them through Parliament, but did not include Parts 14 and 15 pertaining to lawful access. The Government subsequently undertook targeted consultations with opposition parties, experts, and industry on potential amendments to reintroduce refined lawful access measures. Bill C-22 is the product of those consultations, with Part 1 being a revised version of the law enforcement and Canadian Security and Intelligence Service (CSIS) access regime that was set out in Part 14 of Bill C-2, and Part 2 being the new regulatory regime for electronic service providers to facilitate law enforcement and CSIS access to information introduced in Part 15 of Bill C-2 with some revisions.
Bill C-22 retains the overall architecture and intent of the lawful access regime from Bill C-2, but it narrows the proposed new law enforcement and CSIS demand power, both in who can be targeted (telecommunications service providers only) and in what can be demanded (only confirmation of service, not subscriber information or other data). It also introduces additional accountability mechanisms and procedural detail in relation to the new regulatory regime for facilitating lawful access, including mandatory parliamentary review, while adding a new power to enact metadata retention regulations applicable to core providers.
This bulletin highlights the key changes Bill C-22 introduces relative to its predecessor provisions in Bill C-2 and identifies implications for electronic service providers (ESPs), telecommunications providers, and the businesses that rely on them.
Part 1 — Timely Access to Data and Information
Part 1 of Bill C-22 amends the Criminal Code and the Canadian Security Intelligence Service Act (CSIS Act) to provide for additional lawful access authorities. While the core mechanisms (production orders, exigent-circumstance disclosures, tracking-data requests, computer data examination warrants, and cross-border production) carry forward from Part 14 of Bill C-2, Bill C-22 makes notable changes in scope.
Narrower Scope for Demands Without Judicial Oversight
Under Part 14 of Bill C-2, information demands could be issued to "any person who provides services to the public", a category broad enough to capture cloud providers, SaaS platforms, and virtually any business with public-facing operations. This formulation was a focal point of criticism. The new "confirmation of service demand" is limited specifically to telecommunications service providers, while retaining the "reasonable grounds to suspect" standard.
The substance of the demand is also significantly narrowed. Under Bill C-2's information demand power, law enforcement and CSIS would have been able to compel a much broader category of information, including whether services are provided, whether the provider possesses relevant information, the location and dates of services provision, the identities of other providers involved, and a statement if the provider is unable to provide any of the mandated information. Bill C-22's confirmation of service demand compels only a confirmation as to whether the provider provides or has provided telecommunications services to a specified subscriber, client, account, or identifier. The broader categories of information previously available without judicial authorization must now be obtained through a production order.
Subscriber information production orders, by contrast, continue to apply to any "person who provides services to the public", preserving the broad scope for judicially authorized orders initially established in Bill C-2.
Part 1 comes into force on the 180th day after Royal Assent, providing a transition period that was not specified in Bill C-2. Bill C-22 also includes coordinating amendments with Bill C-16, the Protecting Victims Act.
Part 2 — Supporting Authorized Access to Information Act
Part 2 enacts a revised version of the Supporting Authorized Access to Information Act (SAAIA), first introduced in Part 15 of Bill C-2. The definitions of electronic service and electronic service provider (ESP) remain broadly drafted, and the core framework established in Bill C-2 is preserved. However, Bill C-22 addresses some of the gaps in Bill C-2 and introduces an additional oversight mechanism for ministerial orders under the SAAIA. Our overview of the SAAIA as presented in Bill C-2 can be found here.
Intelligence Commissioner Oversight on Ministerial Orders; Additional Factor to Consider
Under Bill C-2, the Minister of Public Safety could issue orders to any ESP after consulting with the ESP and the Minister of Industry. Bill C-22 replaces ministerial consultation by instead making such orders subject to approval by the Intelligence Commissioner before they take effect. This introduces a quasi-judicial oversight mechanism that was absent from the original framework. Further, Bill C-22 adds the privacy protection and cybersecurity impacts of the order to the factors that the Minister must consider in making an order applicable to an ESP (s. 7(3)(e)).
Factors in Setting Core Provider Regulations; Metadata Retention Regulations
In addition to the obligations that may be imposed on core providers by regulation that were already introduced in Bill C-2 (namely, obligations respecting operational and technical capabilities, equipment, and notices to be given to the Minister), Bill C-22 also authorizes the Governor in Council to establish regulations requiring core providers to retain metadata "for reasonable periods of time" of up to one year (s. 5(2)(d)).
Bill C-22 now also requires the Governor in Council to consider enumerated factors when making regulations for core providers, including privacy and cybersecurity impacts, feasibility, costs to providers, and impacts on customers, and any other factor the Governor in Council considers relevant (s. 5(3)), thus replicating the factors for consideration in making ministerial orders. Bill C-22 also imposes explicit limits on such regulations to exclude obligations to retain the content of information transmitted through an electronic service, web browsing history, and social media activities (s. 5(4)).
Definition of "Systemic Vulnerability"
Both the C-2 and C-22 versions of the SAAIA prohibit requiring ESPs to introduce a "systemic vulnerability" in electronic protections. Under Bill C-2, the meaning of "systemic vulnerability" was left entirely to regulation, creating significant uncertainty about the scope of the prohibition. Bill C-22 introduces a definition of the term in the statute itself (s. 2(1)), with a systemic vulnerability being "a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so." While the Governor in Council retains the power to make regulations respecting any term in the SAAIA (s. 47(1)(c)), the statutory definition provides a baseline that did not exist in Bill C-2.
Further, Bill C-22 eliminates the express prohibition on ESPs from disclosing "information related to a systemic vulnerability or potential systemic vulnerability in electronic protections employed by that electronic service provider".
Reporting and Accountability
Bill C-22 introduces an annual reporting requirement (s. 49), which the Minister of Public Safety must prepare within 90 days of the end of the calendar year and must be published within 60 days of its preparation subject to redactions "that the Minister considers necessary".
Obligations to Assist
Bill C-22 adds important limitations on the obligations of ESPs to assist with the assessment of devices or equipment that may enable authorized access to information. In Bill C-22, such a request may only be made by the Minister rather than the much broader classes of persons under Bill C-2, which included any employee of CSIS, the RCMP, another police force, and any peace officer (s. 14(1)). Further, the revised provision in Bill C-22 clarifies that such testing may not have the effect of granting access to personal information.
Part 3 — Parliamentary Review
Bill C-22 introduces a requirement for parliamentary review of Parts 1 and 2 that has no counterpart in Bill C-2. The review must be undertaken during the third year after all provisions of the Act are in force, by the standing committee of each House of Parliament that normally considers matters relating to national security.
Implications and Next Steps
Bill C-22 adds a measure of clarity to the SAAIA and significantly limits law enforcement and CSIS access to information without judicial oversight relative to Bill C-2. Nonetheless, the bill would still represent a significant expansion of law enforcement and CSIS access to information outside the confines of traditional warrants, through new warrantless demands, broadened exigent circumstances powers, and production orders that, while subject to judicial authorization, are not subject to obtaining a warrant.
In addition, Part 2 would impose substantial new obligations on ESPs. In particular, the SAAIA allows the Governor in Council to establish regulations applicable to ESPs that are core providers, which may require core providers to: 1) develop, maintain, and deploy technical capabilities (including access-enabling equipment) to facilitate authorized access to information; 2) develop, test, and maintain interception and data extraction capabilities; and, 3) retain categories of metadata for up to one year. The SAAIA also allows the Minister of Public Safety to order an ESP, even if they are not a core provider, to do any of the foregoing. All ESPs are also subject to inspection powers, internal audit orders, compliance orders, and AMPs for non-compliance.
It remains the case that significant parts of the lawful access regime are yet to be determined. The Governor in Council's regulation-making powers are broad, and the identification of core ESPs by class in a Schedule to the SAAIA will be the critical determinant of who bears enhanced obligations under that Act. In practice, the specific obligations under the SAAIA and the classes of core provider ESPs who will be subject to them remains to be determined. Further, any ESP may be subject to similar requirements through a ministerial order, which may contain any requirements that could otherwise be imposed on core providers by regulation. TSPs and other ESPs, and parties doing business with ESPs or core providers, whether upstream as suppliers or downstream as clients, should be attentive to the progression of Bill C-22 in Parliament, as Minister Anandasangaree has called on Parliamentarians to collaborate across the aisle to support the rapid passage of the Bill. For further guidance on Bill C-22, please contact the authors of this bulletin or members of our Communications, Privacy and Cybersecurity, National Security, or Technology groups.
Footnotes
1. Bill C-22, An Act respecting lawful access (Lawful Access Act), 1st Sess., 45th Parl., 2026. First reading March 12, 2026.
2. Bill C-2, An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures (Strong Borders Act), 1st Sess., 45th Parl., 2026. First reading June 3, 2025.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
