Back to Bills

Lawful Access Act, 2026

Full Title:
An Act respecting lawful access

Summary#

Bill C-22 (“Lawful Access Act, 2026”) updates how police and security agencies obtain digital data during investigations and sets new duties for electronic service providers. It aims to speed up access to basic subscriber and transmission data (metadata) and clarify how computer data can be searched, copied, and examined. It also creates a new law that can require major service providers to maintain technical capabilities to help lawful access.

Key changes:

  • Creates a “confirmation of service” demand so police or CSIS can require telecom companies to confirm if a phone number, email, or account is theirs, on reasonable suspicion, with limited gag (non-disclosure) periods.
  • Adds a production order for “subscriber information” (identifiers like name, address, account numbers, device identifiers, and service dates) on reasonable suspicion, and streamlines timelines to review and respond to orders.
  • Clarifies that officers may receive and act on data that is publicly available or voluntarily provided by a person or company that is not barred by law from sharing it.
  • Expands urgent (“exigent circumstances”) powers to get certain data without a warrant or order when it is impracticable to obtain one.
  • Lets warrants cover tracking or transmission data from “similar” devices or telecom means that are unknown at the time of the warrant (for example, if a target switches phones).
  • Allows judges to authorize police to request subscriber or transmission data directly from foreign service providers; lets Canadian courts enforce certain foreign decisions to compel subscriber or transmission data in Canada.
  • Clarifies how computer data can be searched and examined using on‑site equipment, and allows copying and examination at any time and place in Canada, with notice rules and exceptions.
  • Enacts the Supporting Authorized Access to Information Act, allowing regulations and ministerial orders (with Intelligence Commissioner approval) that can require core electronic service providers to keep capabilities to assist lawful access, retain certain metadata for up to one year, and keep related information confidential. It bars requirements that create “systemic vulnerabilities” (such as backdoors) and forbids mandated retention of content, web‑browsing history, or social media activity.
  • Requires an annual public report on orders and enforcement under the new Act and a parliamentary review three years after everything is in force.

Timing:

  • Most Part 1 changes start 180 days after Royal Assent.
  • The new provider‑obligations law (Part 2) starts on a date set by the government by order.

What it means for you#

  • Electronic service providers (telecoms, ISPs, cloud, email, messaging, platforms), including foreign firms that serve people in Canada

    • You may be required by regulation or ministerial order to build and maintain technical capabilities to extract, organize, and provide data to authorized officials, and to test devices or tools that enable access.
    • You could be required to retain defined categories of metadata (including Criminal Code “transmission data”) for periods up to one year. You cannot be required to retain content, web‑browsing history, or social media activities.
    • You may receive “confirmation of service” demands from police or CSIS to confirm whether an account or identifier is yours; telecoms must respond to CSIS demands unless varied or revoked by a judge.
    • You can apply to a court to vary or revoke demands or production orders within short timelines; you generally do not need to comply until a final decision is made.
    • You must keep orders, applications, and related communications confidential, subject to rules and any court orders.
    • Inspectors designated by the Minister can enter business premises (not homes without a warrant) to verify compliance, order internal audits, and issue compliance orders. Non‑compliance can lead to administrative penalties or offences.
    • Ministerial orders need approval by the Intelligence Commissioner and can include discretionary compensation for your costs. You do not have to comply if doing so would introduce a “systemic vulnerability.”
    • Regulations may set fees payable to you for assistance you provide.

  • Law enforcement and CSIS

    • You can demand quick confirmation from telecoms about whether an account is with them and seek production of subscriber information on reasonable suspicion.
    • You can act on information that is public or that a person or company lawfully provides without an order; providers are shielded from liability for voluntary provision where the law allows it.
    • In urgent cases, you may obtain some data without a warrant or order when it is impracticable to get one and the underlying conditions exist.
    • Warrants for tracking or transmission data can cover “similar” unknown devices or means a target is likely to use later.
    • With judicial authorization, you can request subscriber or transmission data directly from foreign service providers.
    • For CSIS, timelines and processes to compel confirmation are clarified, with judicial review pathways.

  • People in Canada who use digital services

    • Police and CSIS could get subscriber information and transmission metadata faster. This does not include message content under these tools, but it can include identifiers, service periods, device IDs, and non‑content transmission data.
    • Some providers may be required to retain limited categories of metadata for up to a year. The Act does not allow mandated retention of content, web‑browsing history, or social media activities.
    • Gag orders may prevent providers from telling you about certain demands or orders for a period of time.
    • In urgent situations, some data may be obtained without a prior warrant or order.

  • People under investigation

    • Warrants and orders can be broader for tracking and transmission data, including future “similar” devices.
    • Courts can authorize requests to foreign providers for subscriber or transmission data. Foreign decisions to compel such data in Canada can be enforced by Canadian courts if statutory conditions are met.

  • Courts and oversight bodies

    • Judges will see new applications (e.g., to authorize foreign production requests, to enforce foreign decisions, and for expanded computer‑data examination).
    • The Intelligence Commissioner must review and approve ministerial orders to providers under the new Act.
    • Parliament and national security review bodies will receive annual reporting and a full review after three years.

  • What is unclear

    • Which provider types will be designated as “core providers,” which capabilities will be required, and which metadata categories must be retained will be set later by regulation.
    • The amount and availability of compensation to providers, and any fees payable for assistance, will be set later.
    • The exact start date for the new provider‑obligations law depends on a future order.

Expenses#

No publicly available information.

Possible public costs and revenues:

  • New administration for the Minister of Public Safety (inspections, audits, compliance orders) and for the Intelligence Commissioner to review ministerial orders.
  • Court time for new applications and reviews.
  • Potential government compensation to providers for costs imposed by ministerial orders (discretionary).
  • Possible fee payments to providers for assistance, if set by regulation.
  • Reporting and parliamentary review duties.

Possible private/sector costs:

  • Providers may face costs to build, test, and maintain lawful access capabilities; retain specified metadata; respond to audits and inspections; and maintain confidentiality systems.
  • Risk of administrative monetary penalties (up to $50,000 for individuals and $250,000 for others per violation) or offence fines (up to $100,000 for individuals and $500,000 for others) for non‑compliance.
  • Compliance may be eased by exemptions, judicial review routes, and potential compensation or regulated fees.

Proponents' View#

  • The bill appears intended to speed up access to basic data needed early in investigations (for example, confirming who provides service to an account), which could help identify suspects and preserve evidence.
  • It clarifies how computer data may be searched, copied, and examined, which could reduce disputes and delays.
  • Allowing judges to authorize direct requests to foreign service providers could shorten cross‑border delays for basic subscriber or transmission data.
  • The new provider‑support law could ensure that key service providers maintain practical capabilities to assist lawful access, with oversight by the Intelligence Commissioner and annual public reporting.
  • Privacy and security guardrails are included: no mandated retention of content, web‑browsing history, or social media activity; a ban on requirements that create systemic vulnerabilities; judicial review rights; and time‑limited non‑disclosure orders based on investigative need.
  • A parliamentary review after three years could assess real‑world impacts and recommend adjustments.

Opponents' View#

  • One concern is privacy: expanded use of demands and production orders on a “reasonable suspicion” standard, broader tracking/transmission warrants that cover unknown future devices, and longer non‑disclosure periods may increase data access without users’ knowledge.
  • The bill permits officers to receive and act on voluntarily provided information without a court order if the provider is not barred by law, which may raise questions about safeguards and consistency.
  • Exigent‑circumstance powers to obtain some data without prior judicial authorization may be seen as too broad if not tightly controlled in practice.
  • The new obligations on providers (capabilities, testing support, metadata retention up to one year) could impose significant compliance costs, particularly for smaller or foreign companies serving Canadians. The extent of compensation or fee recovery is not yet defined.
  • Confidentiality rules and inspection/audit powers may be viewed as intrusive and could limit transparency reporting by providers.
  • Enforcing certain foreign decisions to compel data in Canada and enabling direct requests to foreign providers may raise concerns about due process and differences in foreign legal protections.
  • Key details will be set by future regulations (who is a “core provider,” which capabilities are required, which metadata must be retained), making it hard to fully assess impacts now.

Amendment analysis

Compare the current law against the bill text and review the change-by-change explanation for each affected provision.

Amendments
54
Sources
937
Updated
May 4, 2026

Create an account to unlock PRO analysis

Sign up to read the amendment-by-amendment breakdown for this bill.

  • See each amended section in one place.
  • Compare the current wording against the proposed text.
  • Review the source material behind each change.
Sign upAlready have an account? Sign in