The Carney government tabled its newest lawful access legislation today. Public Safety Minister Gary Anandasangaree and Justice Minister Sean Fraser stood before cameras in Ottawa and called it a balanced, modernized bill that will help keep Canadians safe online. Bill C-22 — officially titled An Act to Keep Canadians Safe — is being presented as a targeted, narrower version of the government’s previous surveillance legislation.

Don’t let the branding fool you.

This is the third attempt at this same framework of powers. It was in C-2. Pieces of it were carved out into C-12. Now it’s back, restructured, repackaged, and backed by a Liberal majority that can push it through without opposition. The bones of this bill have been stripped from context and handed to a government with no meaningful check on its power to pass them.

Here is what Bill C-22 actually does — in plain language.

The Ministerial Order: No Judge Required

The most alarming provision in C-22 is the Ministerial Order system. Under Part 2 of the bill, the Minister of Public Safety — currently Gary Anandasangaree — can issue a secret order requiring an electronic service provider to build and maintain surveillance capabilities inside their own systems.

This includes the power to compel providers to install devices, equipment, or software that enables law enforcement and CSIS to intercept communications and access data. These orders can be issued with no judicial oversight. No warrant. No judge. The minister signs it; the company complies; users are never told.

The government’s own backgrounder confirms the framework: ESPs will be designated as “core providers” (telecoms, satellite providers, and others to be defined later through regulations), and through ministerial orders, other companies can be compelled to build and maintain the same capabilities. The National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency will receive unredacted copies — but that is review after the fact, not a check before the surveillance begins.

Warrantless Information Demands

Part 1 of C-22 creates and expands warrantless “confirmation of service demands.” Under this provision, any police officer or CSIS agent can demand that a service provider confirm:

  • Whether they have ever provided services to a specific person, account, or identifier
  • When those services were provided and from what geographic area
  • What other service providers that person also uses

The government has narrowed this slightly compared to the original C-2 version, which would have let officers demand information from hotels, medical providers, psychological counsellors, and rental car companies without a warrant. After significant public backlash, Anandasangaree acknowledged the original scope was unintended — but the fundamental architecture of warrantless demands to telecoms, internet providers, and digital platforms remains intact in C-22.

Privacy experts have consistently warned that even this “basic” subscriber data is not trivial. Knowing who someone’s telecom provider is, combined with their IP address and which other services they use, builds a digital map of a person’s life. This information can be demanded before a court order is ever obtained — it’s positioned as a step that enables investigators to then seek a warrant. But the demand itself happens without one.

Forced Technical Backdoors

Bill C-22’s Part 2, called the Supporting Authorized Access to Information Act (SAAIA), requires designated service providers to engineer their own systems to be interceptable. If a provider doesn’t currently have the technical capacity to hand over communications or data when ordered, the bill mandates they build it.

Critics including the Chamber of Progress have noted that C-22 still contains the core encryption problem: the bill’s language prevents orders that would introduce a “systemic vulnerability” — but as the non-profit Internet Society and multiple technical experts have pointed out, the wording is vague enough that back doors and forced re-engineering of secure systems remain very much on the table.

The government says this doesn’t create new interception authorities — it just ensures providers can comply with existing ones. But that distinction collapses the moment you realize that mandating the infrastructure for mass interception is itself a form of surveillance architecture, regardless of what triggers its use.

The U.S. Connection: Who Gets This Data?

Bill C-2 — C-22’s direct predecessor — contained provisions explicitly designed to lay the groundwork for sharing Canadian surveillance data with foreign law enforcement, including the United States. Researchers at the Citizen Lab identified language in C-2 referencing potential “agreements or arrangements” with foreign states, and Justice Canada officials confirmed in a technical briefing that some provisions were intended to enable Canada to ratify the Second Additional Protocol to the Budapest Convention, a cross-border data-sharing framework.

Canada and the U.S. are currently negotiating a deal under the U.S. CLOUD Act, which would allow American law enforcement to demand data from Canadian companies — with gag orders preventing those companies from even disclosing the requests.

The Electronic Frontier Foundation has called C-2 a “Trojan horse for U.S. law enforcement” that would build the infrastructure to ship Canadians’ private data to Washington. Whether C-22 strips or retains the specific language that enables this pipeline remains to be fully analyzed — but the surveillance architecture it creates would be the mechanism through which any such sharing would flow.

Three Bills, One Agenda

This is not a new idea from a new government responding to a new threat. The surveillance expansion now packaged in C-22 has been in the works for years:

Bill C-2 (June 2025): The Strong Borders Act, an omnibus bill quietly containing sweeping warrantless surveillance powers buried inside border and immigration measures. Civil liberties groups called it an “assault on basic human rights.” Dozens of Canadian legal academics signed a joint letter denouncing it. The government eventually split the bill in half after the surveillance provisions became politically toxic.

Bill C-12 (Fall 2025): The border and immigration measures peeled off from C-2, fast-tracked through Parliament. The surveillance provisions were set aside for further consultation.

Bill C-22 (March 12, 2026): The surveillance provisions return — restructured, somewhat narrowed, but fundamentally intact — backed now by a Liberal majority and presented as a fresh, balanced piece of legislation.

Anandasangaree described C-22 as legislation that “balances the needs of law enforcement with the privacy and civil rights that Canadians demand.” He said it is “not about surveillance of Canadians going on about their daily lives.”

But the Chamber of Progress said today that the revised bill “falls short of protecting Canadians from weakened encryption and unauthorized spying,” and called for “substantial reforms that close backdoor loopholes and ensure strong judicial oversight.” The Canadian Civil Liberties Association had previously described C-2 as an overreach that was “problematic” at its core.

What the Government Says vs. What the Bill Says

The government’s communications strategy around this legislation relies heavily on what it is not: not access to emails, not browsing history, not private messages. Officials said at a technical briefing Thursday that C-22 is “limited to information that identifies who and where they are.”

But that framing obscures several things:

Ministerial orders are secret. The public cannot verify what capability is being mandated into which system. Annual reporting requirements exist — but after the fact, and with potential redactions.

“Basic” information is a starting point, not a ceiling. The warrantless confirmation demands are explicitly framed as early-investigation tools that help authorities build a case before seeking a warrant. The concern is not whether each individual demand is small — it’s whether a system designed to aggregate identity, location, and service metadata without judicial gatekeeping is compatible with the Charter.

The capability regime is the surveillance. Requiring every major telecom, satellite provider, and digital platform to build and maintain interception-ready infrastructure — regardless of whether it is “turned on” for any given user — creates a permanent surveillance architecture embedded in Canada’s communications systems.

Why This Moment Is Different

Previous versions of this legislation were vulnerable to political pressure because the government was working with a minority Parliament. That constraint no longer applies. The Carney Liberals hold a majority. Bill C-22 can pass without a single opposition vote.

That does not mean it will pass without scrutiny. Parliamentary committees will still study it, witnesses will testify, and civil society groups will push hard on every provision. But the political mathematics have fundamentally changed. The government has more runway to push this through than it did with C-2.

For Canadians concerned about privacy and state power, that reality matters enormously.

What To Watch

The provisions in C-22 that most warrant close scrutiny as the bill proceeds:

  • The scope of Ministerial Orders: Which companies will be designated “core providers”? What specific capabilities can be mandated, and how will the encryption question be handled?
  • Warrantless demand breadth: Has the scope truly been narrowed from C-2, or have the same powers been reworded?
  • Foreign data-sharing architecture: Does C-22 retain provisions that would enable CLOUD Act implementation or Budapest Protocol ratification?
  • Oversight mechanisms: Are the NSICOP and NSIRA review functions genuinely independent, or are they post-hoc rubber stamps?
  • Charter challenge readiness: Multiple legal experts have argued that the warrantless demand provisions in C-2 were constitutionally vulnerable. That analysis will now apply to C-22.

The government has called this bill a necessity. Canada’s spy agencies have said their ability to investigate national security threats is “eroding” without it. Those arguments deserve to be heard and examined seriously.

But so does this one: a government that can secretly order surveillance infrastructure installed in private systems, demand your digital identity without a warrant, and pass legislation over the objections of civil liberties groups, privacy scholars, and the opposition — with no judicial check at the point of demand — is a government whose power over its citizens has meaningfully expanded.

That is not speculation. That is what the bill says.

Sources: CBC News, Globe and Mail, Electronic Frontier Foundation, Citizen Lab, Canadian Civil Liberties Association, Chamber of Progress, Privacy and Access Council of Canada, Government of Canada (Public Safety Canada), Fasken Privacy & Cybersecurity Bulletin, Global News.