How Canada Silently Changed The Rules Of Surveillance

Canada’s Bill C‑22 does not literally switch on mass warrantless reading of everyone’s messages, but it does something more structurally consequential: it hard‑codes a surveillance‑ready infrastructure into the country’s digital systems, chiefly through blanket metadata retention and secret technical mandates on service providers.

Key Points

Bill C‑22 tightens rules for accessing content and subscriber information by insisting on warrants and production orders, while simultaneously mandating broad, suspicion‑blind retention of metadata for up to a year.^[2]^[20]
The bill creates a “surveillance capability regime” in Part 2 (SAAIA), allowing the government to secretly order electronic service providers to build and maintain technical access capabilities approved only by the Intelligence Commissioner, not by open courts.^[1]^[12]
Government communications stress that C‑22 does not authorize mass surveillance or direct system access, yet independent analyses warn that its combination of retention, capabilities mandates, and foreign‑access channels effectively lays the groundwork for systemic surveillance.^[1]^[4]^[2]
Major civil‑liberties groups, academics, tech companies, and the Privacy Commissioner argue that key provisions are likely unconstitutional, dangerous for cybersecurity, and out of step with public opinion on digital privacy.^[4]^[2]^[7]^[9]

What Bill C‑22 Actually Does: The Architecture, Not the Slogans

To make sense of Bill C‑22, you have to separate three layers: how investigators get permission to access data, what data must exist and be kept in the first place, and what technical capabilities providers must maintain on an ongoing basis. The public debate often collapses these into a single question—“Can they spy on me?”—but the bill is really an attempt to re‑engineer all three layers at once.

On the access side, the government’s own summaries emphasize continuity with long‑standing “lawful access” principles: investigators need legal authorization—warrants, production orders, wiretap authorizations—to obtain personal information from providers.^[1]^[3]^[21] Bill C‑22 reiterates that ESPs remain in control of their systems and that neither police nor CSIS may directly tap into networks at will.^[1] It introduces two new tools—confirmation of service demand and a subscriber information production order—both framed as fitting within this warrant‑and‑orders architecture rather than replacing it.^[3]^[16]

Where the bill breaks new ground is not primarily in the warrant rules, but in the two other layers: mandatory retention of metadata and the creation of a standing technical‑capability regime covering a broad swath of the digital economy.^[2]^[1]

Metadata Retention: Blanket, Long‑Term, and Suspicion‑Blind

Metadata—the who, when, where, and how of communications rather than the actual content—has long been treated as less sensitive than message text or call audio, but modern experience shows it can reveal intimate patterns of life. Bill C‑22’s Part 2, the Supporting Authorized Access to Information Act (SAAIA), empowers the Governor in Council to create regulations requiring “core providers” to retain metadata, including transmission and location data, for “reasonable periods of time not exceeding one year.”^[2]^[12]

Two aspects make this provision structurally significant. First, the retention order itself does not require individualized judicial authorization; it is imposed by regulation, applying across the user base of designated providers regardless of any suspicion of wrongdoing.^[2]^[11] Michael Geist characterizes this as “blanket retention of metadata about the communications of every Canadian who uses a service provided by a core provider with no regard for wrongdoing.”^[11] Second, once retained, that data becomes available to law enforcement through the ordinary lawful‑access tools—warrants and production orders—which are easier to obtain when the data is guaranteed to exist.

This is where the government’s “no mass surveillance” formulation does less work than it appears. Ottawa is correct that the bill does not create a new, stand‑alone power to trawl everyone’s data in real time without legal process.^[1]^[3] But building a system in which vast stores of metadata about everyone must be kept on hand for up to a year, specifically to be ready for lawful access, is precisely what many experts mean by “surveillance infrastructure.” It shifts the default from “data may or may not exist, depending on business needs” to “data must exist, because the state might want it.”^[1]^[2]

The Surveillance Capability Regime: Secret Technical Mandates

The second structural innovation is the surveillance capability regime in SAAIA. Here, the bill moves beyond specifying what data can be sought and into governing how providers’ systems must be built. Canada’s backgrounder is candid: the goal is to ensure ESPs have the technical capability to provide information to law enforcement and CSIS when they are legally authorized to receive it.^[1]^[12]

To that end, Bill C‑22 allows the Minister of Public Safety to issue ministerial orders to “electronic service providers” compelling them to develop or maintain specific capabilities, subject to approval by the Intelligence Commissioner.^[12]^[3] These capabilities can include altering how services operate, embedding tools that allow information to be accessed in response to authorized requests, and cooperating with system testing and assessment.^[12]^[16] The government stresses that these are not direct “backdoors,” and Communications Security asserts that lawful access under C‑22 is designed to obtain limited, specific information without compromising cybersecurity.^[20]

Civil‑liberties and technical experts are unconvinced. Citizen Lab describes SAAIA as a “surveillance capability regime” that would let the government “impose any obligation” on any ESP for the purpose of facilitating surveillance authorizations, including embedding surveillance tools into services.^[1] A coalition led by the Canadian Civil Liberties Association warns that, in practice, this amounts to the power to force “any electronic mechanism” to build new surveillance tools into the core of their service, turning general‑purpose digital products into potential spyware.^[2]

Compounding that concern is secrecy: ministerial orders are not public, companies are often barred from disclosing them, and there is no open registry of which platforms have been compelled to do what.^[6]^[7] The only independent check is the Intelligence Commissioner, operating in a closed process, rather than transparent judicial proceedings where impacted users or civil‑society groups might intervene.^[12]^[17] Taken together, critics argue, this is a classic infrastructure‑first strategy: wire the system for surveillance quietly, then rely on later legal authorizations to shape day‑to‑day use.

Access Rules: Narrow Improvements and a Lowered Floor

Compared with its predecessor Bill C‑2, C‑22 does address some of the most controversial aspects of subscriber information access. Under the new framework, a telecom provider can only be compelled without a warrant to say whether it provides service to a particular number or IP address—a yes‑or‑no confirmation of service.^[3]^[16] Any further subscriber information (names, addresses, associated identifiers) requires a court‑issued production order, and medical and solicitor‑client records receive explicit protection.^[3]^[17]

The government explicitly presents these changes as aligning with Supreme Court jurisprudence in R. v. Spencer and R. v. Bykovets on the privacy of subscriber data and IP‑address information.^[3] The legal threshold for some orders is “reasonable grounds to suspect,” which is lower than “reasonable grounds to believe” but still a recognized standard in Canadian criminal law.^[6] Supporters frame this as a pragmatic compromise: narrowing warrantless powers while ensuring police are not left “blind” online.^[1]^[8]

Yet the Canadian Bar Association and other legal analysts argue that, while these refinements are real, they do not cure deeper structural problems.^[7]^[3] In their view, expanding the circumstances in which authorities can demand metadata and facilitating faster, more routine access to “basic” subscriber data risks normalizing surveillance, especially when combined with blanket retention and technical‑capability mandates. They also highlight that government has not provided robust evidence that existing tools are insufficient or that the benefits justify the rights impact—a key step in any proportionality analysis under the Charter.^[7]

Foreign Access and Cross‑Border Risk

Bill C‑22 also modernizes and expands channels for cross‑border data requests. Part of the rationale is to streamline cooperation with foreign platforms like Google and Meta, which currently operate under a patchwork of mutual legal assistance treaties and voluntary law‑enforcement request processes.^[17]^[4] The new framework gives Canadian authorities more formalized mechanisms to seek data from foreign‑based services and similarly provides pathways for foreign authorities to obtain data located in Canada, subject to certain conditions.^[4]

This is where concerns about “foreign overreach” enter. Citizen Lab and the CCLA‑led coalition warn that expanding foreign law‑enforcement access to Canadian‑held data, without correspondingly robust safeguards, could expose communities in Canada—particularly diaspora populations—to abusive practices by other states.^[4]^[2] In an era of transnational repression and politicized use of police cooperation tools, this is not a theoretical risk. Critics argue that the bill underplays these dangers and lacks strong, explicit limitations on when and how Canadian‑stored data can be shared abroad.

Does Bill C‑22 Authorize Mass Surveillance?

The government’s public‑facing materials are unequivocal: “Bill C‑22 would not authorize government mass surveillance and/or tracking.”^[1] That statement is textually correct if one defines mass surveillance as real‑time, content‑level monitoring of everyone’s communications without individualized legal process. Nothing in the bill gives investigators that direct ability to sit behind a console and read every Canadian’s messages on demand.

However, most serious critics are not claiming that C‑22 instantaneously turns Canada into a science‑fiction panopticon. Their argument is more structural and cumulative. Mandatory metadata retention for all users of core providers, combined with a regime for compelling technical access capabilities across the digital ecosystem, plus expanded foreign‑access channels, builds the infrastructure conditions under which surveillance at scale becomes feasible whenever the legal and political winds permit.^[1]^[2]^[7]

From that perspective, the sharpest line in the sand is not between “content” and “metadata,” or between “mass surveillance” and “targeted investigations,” but between an internet where data exists only as a by‑product of providing services, and one where the state can dictate that data be created and kept just in case it is needed. Bill C‑22 pushes Canada decisively toward the latter.

Constitutional and Democratic Stakes

Multiple independent assessments conclude that at least some aspects of Bill C‑22 are likely unconstitutional. Citizen Lab describes more than one provision as “almost certainly constitutionally fatal,” focusing especially on blanket metadata retention and the breadth of SAAIA’s capability‑mandate powers.^[4] The Canadian Civil Liberties Association calls the bill “the broadest expansion of government surveillance powers in recent Canadian history.”^[2] The Canadian Bar Association echoes these concerns, emphasizing the lack of demonstrated necessity and the difficulty of reconciling suspicion‑less retention with Charter protections for informational privacy.^[7]

Beyond courts, the bill faces a legitimacy problem. Public‑opinion research indicates Canadians are broadly opposed to granting law enforcement access to their private online conversations and strongly support end‑to‑end encryption without backdoors.^[9] Major technology companies—including Apple and Google—have publicly warned that C‑22 “goes well beyond lawful access regimes” elsewhere and risks undermining cybersecurity by pressuring providers to weaken or circumvent encryption.^[20]^[5] The federal Privacy Commissioner has likewise raised civil‑liberties concerns.^[7]^[20]

These are not fringe voices. They reflect a broader global reckoning with the realization that systems built to enable “lawful access” often become high‑value targets themselves, and that today’s emergency powers have a habit of becoming tomorrow’s routine tools. In that light, the central question for Bill C‑22 is not whether it uses the word “surveillance” in its preamble—it does not—but whether its technical and legal architecture is one that a free, constitutional democracy wants to normalize.

𝗛𝗼𝘄 𝗧𝗵𝗲 𝗟𝗶𝗯𝗲𝗿𝗮𝗹𝘀 𝗣𝗹𝗮𝗻 𝗧𝗼 𝗪𝗶𝗻 𝗶𝗻 𝟮𝟬𝟮𝟵
HINT: 🚫🇵🇸/🚫 🪯

YES – still on break, but had to re-share insights shared with me this morning:

Are you concerned with the following bills:

✖️ C-8
✖️ C-9
✖️ C-11
✖️ C-22

A longtime colleague who worked in the… pic.twitter.com/OXKtAPHSYj

— Johnny Seabass (@BananaKingCo) June 24, 2026

Where the Debate Honestly Stands

An honest reading of the record yields a nuanced but firm picture. The government is correct that Bill C‑22, on its face, insists on legal authorization to access personal data and does not grant police or CSIS a direct tap into provider systems.^[1]^[3] It improves on earlier drafts by narrowing some warrantless powers and adding oversight to ministerial orders.^[3]^[17] Those points matter; they are not mere spin.

At the same time, critics are on solid ground when they describe C‑22 as a structural expansion of surveillance capacity. Blanket, suspicion‑less metadata retention; a secret, highly flexible technical‑capability mandate; and broadened pathways for cross‑border data sharing together create enduring infrastructure whose risks are not fully mitigated by formal warrant requirements or by assurances that “we are not looking for sneaky ways to surveil Canadians.”^[1]^[4]^[2]

For Canadians trying to evaluate the bill, the real stakes lie here: you are being asked not only whether you trust today’s government and courts to use these tools wisely, but whether you are comfortable entrenching an architecture that will be inherited by every future government, in every future crisis, long after the present debate has faded.