Lawful Access Act, 2026

Full Title:
An Act respecting lawful access

Summary

  • Bill C-22, the Lawful Access Act, 2026, updates Canada’s criminal and national security laws for the digital age. It aims to help police and intelligence agencies get basic digital information faster while setting rules for how tech companies must assist.

  • It also creates a new law that can require electronic service providers (like telecoms, social media, cloud, and messaging services) to build and maintain tools that support lawful access, with independent oversight.

  • Key changes:

    • Police and CSIS can require telecoms to confirm if a named person or account is a customer, and judges can order companies to hand over “subscriber information” (name, address, account identifiers, and service details).
    • In urgent emergencies, police can get some data (including subscriber info) without a warrant; officers can also act on public information and on information given to them voluntarily.
    • Warrants for tracking data (location) and transmission data (non-content routing and technical data) can cover “similar” devices or accounts not known when the warrant is issued.
    • Judges can authorize the examination of seized computer data and delay notice to the owner or subject, in some cases for up to three years.
    • A new law lets the Minister order service providers to maintain access capabilities and retain certain metadata for up to one year (not content, browsing history, or social media activity). Orders need approval by the Intelligence Commissioner.

What it means for you

  • Internet and phone users

    • Police can ask your provider to confirm if you have an account. This does not need a judge, but must relate to a suspected offence and give at least 24 hours to respond. Your provider can be barred from telling you for up to one year.
    • Police or a judge can order companies to give subscriber information about you (name, address, account numbers, device identifiers, and service dates). Content of messages is not included here.
    • In emergencies (exigent circumstances), some data can be obtained without a court order.
    • Your provider may need to keep certain metadata (such as transmission data) for up to one year if regulations require it. They cannot be required to keep content, your web browsing history, or your social media activity.
    • You may not be told right away if your computer data is examined; notice can be delayed in some cases.
  • Privacy and security

    • The bill bars the government from forcing companies to create “systemic vulnerabilities” (no mandated backdoors that weaken encryption).
    • Officers can receive and use information that is publicly available or voluntarily shared by a company, with immunity for the company if sharing is lawful.
  • Tech companies and telecoms (including platforms and cloud services)

    • “Core providers” (classes set by regulation) may have to build and maintain technical capabilities to locate, extract, and deliver authorized information, and to install or operate equipment that enables access.
    • You may be required to retain specific categories of metadata for up to one year (not content, browsing history, or social media activity).
    • The Minister can issue company‑specific orders (subject to Intelligence Commissioner approval), after giving you a chance to respond. Orders can include timelines and, at the Minister’s discretion, compensation for costs.
    • You must assist with testing of access tools (without exposing personal information), keep matters confidential, and accept inspections, internal audit orders, and compliance orders.
    • Penalties for violations can reach $50,000 for individuals and $250,000 for companies (administrative), and higher fines for offences.
  • Law enforcement and security agencies

    • Faster tools to identify which provider holds an account and to obtain subscriber and transmission data, including from foreign providers with a judge’s authorization.
    • Broader tracking and transmission data warrants that cover similar devices or accounts not known at the start.
  • People in Canada whose data is sought by foreign authorities

    • A Canadian judge can enforce a foreign decision that compels production of subscriber or transmission data held in Canada if Canadian legal conditions are met, with set deadlines (about 20 days for subscriber info and 45 days for transmission data). Non‑disclosure orders can apply.

Expenses

Estimated annual cost: No publicly available information.

  • Providers are likely to face new compliance costs to build and maintain technical capabilities, retain certain metadata, and meet security and confidentiality rules.
  • The government may incur costs for oversight, inspections, court processes, and the Intelligence Commissioner’s reviews.
  • The Minister may set regulated fees for provider assistance and can include discretionary compensation in ministerial orders.

Proponents' View

  • Helps solve crimes faster by quickly linking suspects to accounts and devices, especially in time‑sensitive cases.
  • Keeps core protections: many steps still require a judge, and orders to companies need approval by the Intelligence Commissioner.
  • Protects cybersecurity by banning requirements that would weaken encryption or create backdoors.
  • Limits data retention to metadata only and expressly forbids keeping content, web browsing history, or social media activity.
  • Improves clarity: officers can rely on public information and lawful voluntary sharing, reducing delays.
  • Adds transparency and accountability through annual public reports and a formal parliamentary review after three years.

Opponents' View

  • Expands access without a warrant in key areas (account confirmation demands and emergency powers), which could erode privacy.
  • Uses a lower threshold (“reasonable suspicion”) for several production tools, which critics say may be too easy to meet.
  • Allows long secrecy periods (gag orders up to one year; delayed notice for computer data up to three years), limiting people’s ability to know and challenge searches.
  • Lets the Minister order companies to build surveillance‑enabling capabilities, with penalties for non‑compliance, raising concerns about mission creep and burden on smaller firms.
  • Permits retention of metadata for up to a year, increasing the amount of personal data at risk from breaches or misuse.
  • Encourages voluntary sharing with legal immunity, which critics say can sidestep court oversight and create uneven privacy protections across providers.