A new federal bill introduced in Parliament on March 12, 2026 significantly expands the power of police and intelligence agencies to access your personal digital information. And often without the safeguards Canadians have long relied on.
Bill C-22, the Lawful Access Act, 2026, is presented as a modernization of existing law. But a closer look reveals provisions that should concern anyone who values privacy in the digital age.
The bill has three main parts.
Part 1 amends existing laws, including the Criminal Code and the Canadian Security Intelligence Service Act, to make it faster and easier for police and intelligence agencies to collect digital data during investigations.
Part 2 creates a new law called the Supporting Authorized Access to Information Act, which compels telecommunications and electronic service companies to build and maintain technical capabilities that allow government agencies to access information.
Part 3 calls for a parliamentary review of the new regime after three years. Which is great. Only three years of breaching privacy in terrible ways is just fine, right? Right?
The government frames this as closing gaps in the law created by the rise of digital communications.
This only closes gaps if you look at it from the narrow lens of policing and criminal investigatory powers. In reality, the mechanisms chosen to close those gaps come with real costs to civil liberties.
One of the most significant legal changes in this bill is a shift in the standard of proof required before police can obtain certain types of information about you.
Under traditional Canadian law, a peace officer seeking a production order, which is a court order compelling someone to hand over documents or data, must satisfy a judge that there are “reasonable grounds to believe” an offence has been committed. They must also demonstrate reasonable grounds that the information sought will provide evidence of that crime. This is a meaningful legal threshold. It requires something more than a hunch.
Bill C-22 introduces a new category of production order, specifically for subscriber information from your internet provider.
Specifically, your name, address, phone number, email address, account numbers, and the types of services you use. Under new law, if it passes, police could obtain this information based only on “reasonable grounds to suspect.”
Suspicion is a lower standard than belief. In practice, it means police can seek your identifying information earlier in an investigation, on a weaker factual foundation. It is the same factual foundation required to do a sobriety test roadside.
There is also another tool that police can use on the basis of this lower threshold. This tool lets officers demand that a telecom company confirm whether it provides services to a specific person, account, or device identifier.
Police Can Demand Your Subscriber Data Without a Judge… and then Gag the Telecom That Tells Them from letting you know.
The confirmation of service demand is particularly striking. A police officer, not a judge, can directly order a telecommunications company to confirm whether it provides services to a named individual. No court is involved at the outset. No judicial oversight of police use of authority.
The telecom company has only five business days to apply to have the demand reviewed, and it can only do so if it notifies the officer first. Yeah, what telecommunications company is going to spend its hard-earned money fighting police when it can just hand over your information with no consequences to them?
While this review mechanism provides some check on the power, the default is compliance, and the telecom bears the burden of challenging the demand. Which we all know they won’t. Since when have we felt our internet companies were on our side. I don’t know about your bills, but mine certainly don’t give off that vibe.
Making matters worse, the officer making the demand can prohibit the telecom from telling anyone about it… including you for up to one year. If you are the subject of such a demand, you may never find out. There is no mechanism in the bill to notify individuals after the fact that their information was sought.
What about exigent circumstances?
Canadian law has long allowed police to act without a warrant in urgent situations. Bill C-22 expands this principle by explicitly allowing officers to seize subscriber information in exigent circumstances. That is, when the conditions for a court order exist but getting one is not practical in the moment.
It’s so hard to be police. Getting a court order is like, you know, actual work.
The concern here is that “subscriber information” is defined broadly in the bill. It includes not just your name and address, but device and equipment identifiers. This means the unique identifiers tied to your phone, tablet, or computer. Capturing that data without a warrant, based only on an officer’s judgment that the situation is urgent, raises serious questions about oversight and accountability.
Urgent isn’t even defined in the bill. Which leaves it open to judicial interpretation only after your privacy rights have been violated.
To make matters worse, telecommunications companies are required to build a whole structure that permits the police to enter a backdoor into their systems and directly spy on you. And they can’t tell you when they use it.
Part 2 of the bill goes further still. The new law gives the Minister of Public Safety the power to issue secret orders to electronic service providers like phone companies, internet providers, app developers, and potentially others, requiring them to build and maintain technical capabilities to facilitate government access to information.
These ministerial orders are subject to review by the Intelligence Commissioner, which provides a degree of independent oversight. However, the orders are secret. Companies subject to them are prohibited from disclosing their existence. The bill creates broad confidentiality obligations that apply to the order itself, the information the Minister relied on, the fact that a company is subject to an order, and any representations made during the process.
The bill does include one important protection
A company cannot be required to build a “systemic vulnerability.” The would essentially be a backdoor that could be exploited by unauthorized parties. This protection matters, and its inclusion is important. But it does not eliminate the fundamental concern that the government can secretly require companies to reconfigure their services to facilitate surveillance.
It doesn’t protect your privacy. It protects the billion-dollar telecommunications companies that are already exploiting you in the billing cycle every month. Yay. Capitalism at work.
You may be thinking: I have nothing to hide. I am not doing anything wrong on the internet so why do I care?
But privacy rights are not only for people who have done something wrong.
They protect the innocent person caught up in an investigation because their phone pinged near a crime scene. They protect the journalist whose sources could be exposed by a subscriber information demand. They protect the political activist whose associations might draw scrutiny.
Criticize the government? Get subjected to an order that you don’t know exists so you can’t challenge their secret surveillance of you. It’s dystopian for sure.
Privacy rights protect everyone, because investigations can be wrong. The broader the surveillance net, the more innocent people get caught in it.
Bill C-22 has not yet passed. There is still parliamentary debate, committee review, and potential amendment to come.
That process matters.
Canadians should be paying attention, and if you have concerns, now is the time to make them known to your MP. I know I will be.
