Bill C-22: Canada’s ‘lawful access’ bill and the very convenient habit of making your data everyone’s problem
Bill C-22 is being sold as a clean, lawful tool for police and intelligence agencies. Critics say it also builds a sturdier pipeline for mass metadata retention, surveillance backdoors, and foreign access to Canadian-held data.
Ottawa has a familiar talent: taking a privacy controversy, giving it a reassuring name, and insisting the plumbing is perfectly safe while everyone else stares at the flood. Bill C-22, the Lawful Access Act, is the latest example, and critics say it could expand domestic surveillance while also opening a wider door for foreign data access, including from the United States.
The government says the bill is about helping law enforcement and CSIS get information they are already legally entitled to obtain, while requiring certain electronic service providers to have the technical capability to comply with lawful orders. Critics say that is the official translation of a much more invasive idea: build the surveillance machinery first, then act surprised when everyone notices what it can do.
What Bill C-22 would change
At the center of the bill is a regime that would let the government require electronic service providers to develop and maintain technical capabilities to support lawful access requests. According to critics, that could include orders to build surveillance backdoors and to retain categories of metadata for up to one year.
The government disputes the most alarming framing and says the bill would not create new powers to intercept communications or obtain information, and would not require retention of content, web-browsing history, or social media activity. But the bill’s opponents say that distinction is doing a lot of emotional labor for a policy that still expands the state’s reach into communications infrastructure.
Why privacy advocates are worried
Privacy groups and researchers argue the bill goes beyond a narrow lawful-access fix and instead lays the groundwork for broad metadata collection, including transmission data that can reveal who communicated, when, for how long, and from where. The Citizen Lab and CCLA say the bill could require service providers to keep sensitive metadata on people in Canada and abroad for up to a year.
That matters because metadata is often the “not content” category politicians wave around as if it were harmless. It is not. It can still map social networks, movement patterns, and behavioral habits with impressive precision—proof that you do not need to read the letter to know who mailed it, where they live, and whom they annoy on a regular basis.
The foreign-access problem nobody pretends to misunderstand
The more controversial claim is that Bill C-22 could also make it easier for foreign governments to access data held in Canada. Public Safety’s backgrounder says the bill does not hand foreign governments a new free-for-all, but critics point to amendments that would make it easier for foreign law enforcement to seek data and to broader treaty-linked arrangements under discussion.
Research cited by the Citizen Lab and CCLA says the bill may help prepare Canada for international data-sharing arrangements, including the Second Additional Protocol to the Budapest Convention and a possible Canada-U.S. data-sharing framework. Policy Options notes that one concern is a potential U.S. CLOUD Act arrangement that could let U.S. law enforcement request data directly from Canadian technology companies, bypassing Canadian courts.
That is the sort of cross-border setup that makes sovereignty sound like a decorative word rather than a governing principle. Canada stores the data, the company may be Canadian, the user may be Canadian, and somehow the fast lane is being built for foreign access anyway.
Why U.S. lawmakers are also paying attention
The bill has drawn attention south of the border as well. House Republicans warned that Bill C-22 could create significant privacy risks for Americans and could compel companies to build backdoors into encrypted systems, creating vulnerabilities that hackers and hostile actors could exploit.
That concern is not hard to understand. If a law requires companies to create access mechanisms for governments, the same mechanism can become a target for criminals, regardless of which flag is painted on the request form.
The government’s defense
Ottawa says the bill is designed to make sure electronic service providers can comply with existing legal orders, not to create new interception powers. It also says any metadata retention would be limited, prescribed by regulation, and capped at one year.
That may sound measured, but the critics’ argument is that the bill creates a flexible legal architecture for future surveillance expansion, plus a framework that can be used to support broader data-sharing agreements later. In other words: the law may not say “mass surveillance” in so many words, but it does an excellent impersonation of a bill preparing for a larger role.
What happens next
Bill C-22 has become a flashpoint because it sits at the intersection of law enforcement, cybersecurity, encryption, privacy rights, and foreign data access. The debate is no longer just about whether the government should be able to get information. It is about how much infrastructure should be forced into existence to make that easier, and who else gets to benefit once it exists.
If Parliament wants public trust, it will need to do better than the usual ritual: announce a sweeping digital power, insist it is modest, and hope Canadians are too distracted to notice the metadata-shaped hole being cut into their rights.