Skip to main content
News Analysis

Bill C-22 Passes Third Reading and Heads to the Senate: What Canadians Should Do This Summer Before Lawful Access Becomes Law

The House of Commons passed the Lawful Access Act on June 18, 2026, after the Liberals invoked time allocation to limit debate. The bill now waits for the Senate to return on September 21. Here is a practical summer playbook for everyone whose subscriber data, metadata, and digital footprint is in scope.

By Refdesk Team

Bill C-22 Passes Third Reading and Heads to the Senate: What Canadians Should Do This Summer Before Lawful Access Becomes Law

What This Means for You

Bill C-22, the Lawful Access Act, cleared its final hurdle in the House of Commons on June 18, 2026, and is now waiting on the Senate, which will not begin study until Parliament returns on September 21. That three-month window is not idle time: it is your opportunity to take concrete steps that protect your digital footprint, build a paper trail for your business, and — if you choose — make your voice heard in the upper chamber. Based on our reading of the third-reading text of the bill and the analyses published by the Office of the Privacy Commissioner of Canada, the Canadian Bar Association, the law firm Fasken, and University of Ottawa professor Michael Geist, here is what each affected group should do between now and September 21.

If You Use a Phone or the Internet in Canada (Almost All of Us):

Immediate action this week:

  • Understand what the bill actually compels. Under the version that passed third reading, electronic service providers (ESPs) — telcos, app makers, cloud providers, social media platforms — can be compelled to confirm whether a named individual is one of their subscribers, and to provide subscriber data (name, address, phone number, email, IP address) when police obtain a judicial production order. The standard a judge must apply is "reasonable grounds to suspect," not the higher "reasonable grounds to believe" standard that has traditionally protected the content of communications.
  • Audit your account hygiene. Within the next week, sign in to your three most-used digital services (email provider, mobile carrier, primary social media platform) and: (1) enable two-factor authentication if you have not, (2) review which devices and sessions are currently logged in, (3) close any old sessions you do not recognize.
  • Decide whether you want end-to-end encryption. Bill C-22 explicitly prohibits regulations that would compel ESPs to weaken or break encryption, and prohibits requirements to retain web-browsing history or message content, according to the Department of Justice's plain-language summary. End-to-end encryption — Signal, iMessage between Apple devices, WhatsApp — remains lawful, and the content of those messages cannot be compelled under C-22. The metadata (who you messaged, when, from where) can still be requested with judicial authorization.

What to prepare:

  • A password manager (1Password, Bitwarden, Apple iCloud Keychain) with unique passwords on every account. According to Statistics Canada's 2024 Canadian Survey of Cyber Security and Cybercrime, two-thirds of Canadian adults still reuse passwords across multiple sites. C-22 changes nothing about the underlying need for hygiene; what changes is the consequence if a single account is compromised, because that account becomes a foothold for lawful subscriber-data requests as well as criminal hacks.
  • A clear understanding of which messaging apps are end-to-end encrypted by default (Signal, iMessage between Apple devices, WhatsApp) and which are not (standard SMS, most workplace chat tools, Facebook Messenger unless explicitly enabled).
  • A current list of which email address, phone number, and IP address you have given to each service. Subscriber data requests are tied to identifiers; if your dating app uses a different email than your bank, a request to one does not automatically expose the other.

Resources:

  • Office of the Privacy Commissioner of Canada, "Tips on protecting your personal information": priv.gc.ca
  • Canadian Centre for Cyber Security guidance on encryption: cyber.gc.ca
  • Michael Geist's running analysis of C-22 at michaelgeist.ca is the most accessible day-by-day legal commentary in the country

Example scenario: A 28-year-old Ottawa freelance journalist uses Gmail for client work, Signal for source communications, and a separate ProtonMail account for sensitive correspondence with one whistleblower. Under C-22, police investigating an unrelated leak could obtain a production order asking Google whether her Gmail address is a Google subscriber and what subscriber data attaches to it. They cannot read her messages without a separate content warrant on a higher threshold. They cannot compel Signal to break encryption on her source chats. They can ask her telco for cell-tower location data on a "reasonable grounds to suspect" production order — which is why journalists working with sources increasingly use Signal on a secondary phone in an alternate name on a prepaid plan, even though that practice is not legally required.

If You Run a Small Business or Operate Customer Software:

Immediate action:

  • Map your data inventory. What customer data do you store, where, and for how long? C-22 obligations attach to "electronic service providers" — a term that, under the third-reading version, can include software-as-a-service businesses and platforms that connect users to one another, not just telcos. If you operate a customer-facing app, you may be inside the perimeter.
  • Engage privacy counsel for a 60-minute scoping call. Most full-service Canadian law firms (Fasken, McCarthy Tétrault, BLG, Borden Ladner Gervais, Osler) have published primers on C-22. A short scoping call now will save five times the legal spend if you are later compelled to respond to a production order without prepared procedures.
  • Document your incident-response plan. Who in your company receives a lawful production order? Who reviews it for scope and proportionality? What is your timeline for responding without over-disclosing?

What to prepare:

  • A written process for receiving, logging, and responding to law-enforcement requests, with a single named decision-maker.
  • A standard rejection template for requests that arrive without judicial authorization (the bill does not eliminate the warrant requirement for content).
  • A clear customer-communications policy for when (if ever) you tell a user that their data has been requested. Bill C-22 contains gag provisions in some categories; your counsel should walk you through which categories prohibit notice and which permit delayed notice.

Example scenario: A 12-person Halifax startup operates a wellness app with 240,000 Canadian users. They store names, email addresses, phone numbers, IP logs, and approximate location data tied to in-app workouts. Under C-22, a police service investigating a tip about a user could file a production order requiring the startup to confirm the user is a subscriber and disclose subscriber data. The startup's CTO needs a process where the order reaches a single accountable executive within 24 hours, gets reviewed against the scope of the order (does it match the named user?), and is responded to with the minimum data the order specifies — not the broader dataset that would be tempting to dump to close the file faster.

If You Are a Journalist, Lawyer, Doctor, or Counsellor:

Immediate action:

  • Reconfirm professional-privilege awareness with your team. Solicitor-client privilege, journalist source confidentiality, and clinical confidentiality are constitutional and common-law protections that C-22 does not eliminate. But the bill changes the procedural landscape, and the practical defence depends on knowing what to assert and when.
  • Move sensitive communications to platforms with strong end-to-end encryption. Signal and ProtonMail are the consensus tools among Canadian press freedom organizations.
  • Maintain separate work and personal device identities. When subscriber data is requested by phone number or email address, an investigator cannot pivot to a number you do not give them.

Example scenario: A Vancouver criminal defence lawyer represents a client in an ongoing investigation. The client's number is in her contacts. Under C-22, an investigator working a separate file can request subscriber data tied to the client's number. The lawyer's number could come up as a recent contact in any later production order tied to the client's phone records. A second lawyer-only line, registered to her firm rather than her personal name, contains the exposure to the file rather than to her broader practice.

For All Canadians (Civic Action):

If you have concerns or support for the bill, this is the window. The Senate's pre-study and committee process for Bill C-22 begins after Parliament returns on September 21. Senators read constituent mail and committee briefs the same way MPs do — often more carefully, because senators do not face elections and tend to spend more time on the technical details of legislation. Write to senators on the Senate Standing Committee on National Security, Defence and Veterans Affairs (the most likely committee referral) before mid-September.

The News: What Happened

According to CBC News, the House of Commons passed Bill C-22, the Lawful Access Act, at third reading on Thursday, June 18, 2026, ahead of the scheduled summer adjournment. The Globe and Mail reports that the Liberal government moved time allocation earlier in the week to limit debate and bring the bill to a final vote before the House rose for the summer recess.

According to BetaKit, the closure motion was opposed by the Conservatives, the NDP, and the Bloc Québécois. CBC News reports that Conservative public safety critic Frank Caputo said the government had "promised to listen on Bill C-22 and amendments, but [is] attempting to aggressively pass this bill into law while ignoring legitimate concerns." Bloc Québécois member Claude DeBellefeuille told committee that members "needed more time to study the many amendments," according to the same CBC report.

Global News reports that Liberal ministers dismissed some of the privacy concerns raised during committee study, with Public Safety Minister using the phrase "tinfoil hat" in response to specific cybersecurity criticisms — a comment the Office of the Privacy Commissioner of Canada and the Canadian Bar Association had previously characterized as serious in their formal submissions.

The bill's substantive content, as summarized by the Department of Justice and analyzed by Michael Geist, establishes a federal framework requiring electronic service providers to assist law enforcement and the Canadian Security Intelligence Service in obtaining subscriber data and certain metadata pursuant to judicial production orders. The third-reading version explicitly prohibits regulations that would require service providers to retain web-browsing history or message content, and prohibits regulations that would compel weakening of encryption.

CBC News reports the Senate will take up its study of the bill when Parliament returns on September 21, 2026.

Analysis: Why This Matters

Based on our analysis of the third-reading text and the published commentary from Canada's leading digital-rights and privacy scholars, three features of Bill C-22 will shape Canadian digital life for the next decade if the bill is enacted in its current form.

First, the lowering of the judicial threshold from "reasonable grounds to believe" to "reasonable grounds to suspect" for subscriber-data production orders is the most consequential procedural shift in Canadian electronic-surveillance law in a generation. The Supreme Court of Canada held in R. v. Spencer (2014) that subscriber information attracts a reasonable expectation of privacy under section 8 of the Charter, which is why production orders are required at all. Reducing the burden of justification will produce more orders, and more orders will produce more disclosures.

Second, the explicit statutory prohibition on retention of message content and browsing history is a genuine concession. Privacy advocates in Australia, the United Kingdom, and several U.S. states have spent the past decade fighting bulk-retention rules that C-22 forecloses by statute. Whether that concession survives in regulations or subsequent amendments is the variable to watch.

Third, the use of time allocation to push the bill through ahead of the summer recess sets a precedent that will likely shape how the Senate handles its review. Senators historically respond to House closure on contested legislation with longer, not shorter, committee study. Expect the National Security committee to hold extensive hearings in October and November 2026.

Historical Context:

This is the third major lawful-access push in 15 years. The Harper government's Bill C-30 in 2012 was withdrawn after sustained public backlash. The current iteration is more procedurally constrained — it preserves judicial authorization for substantive disclosures and rules out the most invasive retention regimes — but lowers the evidentiary threshold in a way that critics including Michael Geist describe as the bill's "hidden tradeoff."

What Happens Next:

  • September 21, 2026: Parliament returns; bill receives first reading in the Senate.
  • October–November 2026: Expect Senate committee hearings featuring the Privacy Commissioner, telecom industry representatives, civil-liberties associations (CCLA, BCCLA), the Canadian Bar Association, and academic witnesses.
  • December 2026–March 2027: Likely Senate amendments returning to the House. If amendments are accepted, royal assent could come in early 2027.
  • 6–24 months after royal assent: Regulations defining "essential metadata" categories will be drafted and consulted on. This is the second major opportunity for public input.

Your Action Plan

Immediate (This Week):

  • Enable two-factor authentication on email, banking, and primary social media accounts.
  • Audit which devices are currently signed into each account.
  • Install Signal (signal.org) if you have not, and confirm at least one important contact uses it as well.

Short-term (This Month):

  • Move sensitive personal communications to end-to-end encrypted platforms.
  • If you run a small business, schedule a 60-minute scoping call with privacy counsel.
  • Write to one senator with your views on the bill before September 21 (Senate contact list: sencanada.ca).

Long-term (This Year):

  • Follow the Senate committee hearings in October–November 2026.
  • If you are a regulated professional (lawyer, doctor, journalist), confirm your professional body has filed a brief.
  • Watch for the regulations consultation in 2027 — the technical specifications matter as much as the statute.

Other Perspectives

Government Position:

According to the Department of Justice plain-language summary, the bill is needed because "criminal investigations increasingly depend on digital evidence" and existing processes are "too slow or unclear for modern online crime." Public Safety Canada has framed the bill around investigations of child exploitation, human trafficking, fraud, organized crime, terrorism, and foreign interference.

Opposition Positions:

CBC News reports Conservative MP Frank Caputo characterized the bill's passage as the Liberals "ram[ming]" controversial legislation through. The NDP leader publicly opposed the bill. The Bloc Québécois sought additional committee time to study amendments.

Privacy Commissioner and Civil-Liberties Groups:

The Office of the Privacy Commissioner of Canada filed a public statement on May 26, 2026, raising specific concerns about the evidentiary threshold for subscriber-data orders and the breadth of "electronic service provider" definitions. The Canadian Bar Association's submission characterized parts of the bill as requiring "more work" to align with Charter standards.

Technology Industry:

According to coverage in CBC News and analysis by Fasken, major technology companies including Apple, Google, and Meta, alongside the Canadian Chamber of Commerce, raised concerns during committee study about cybersecurity, business operating costs, and constitutional risks.

Academic Analysis:

Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, has written extensively that the bill's main "hidden tradeoff" is the lowered evidentiary standard for subscriber information, which he argues is more significant than the more publicly debated encryption questions.

Note: Including multiple perspectives does not imply all views are equally valid, but ensures readers can make informed judgments.

Corrections Policy

We strive for accuracy. If you find an error in this analysis, please email us at [email protected]. We will promptly investigate and correct any factual inaccuracies.

Updates:

  • No corrections to date (as of 2026-06-20)

Sources

  • CBC News, "Liberals tout 21 bills passing House of Commons this year as MPs break for summer" — cbc.ca
  • BetaKit, "Bill C-22 passes third reading after Liberals adopt measures to limit debate" — betakit.com
  • The Globe and Mail, "Ottawa moves to curb debate to push through controversial lawful access bill" — theglobeandmail.com
  • CBC News, "Conservatives blast Liberals for trying to 'ram' controversial lawful access bill through House" — cbc.ca
  • Global News, "Liberals dismiss 'tinfoil hat' privacy fears as lawful access bill passes" — globalnews.ca
  • Office of the Privacy Commissioner of Canada, "Statement to the House of Commons Standing Committee on Public Safety and National Security on Bill C-22," May 26, 2026 — priv.gc.ca
  • Michael Geist, "The Hidden Lawful Access Tradeoff: How Bill C-22 Lowers the Evidentiary Standards for Police Access to Subscriber Information" — michaelgeist.ca
  • Department of Justice, "Proposed changes to laws on timely access to information (Bill C-22 - Part 1)" — justice.gc.ca
  • Canadian Bar Association, "Bill C-22 Lawful Access Act, 2026" — cba.org
  • Parliament of Canada, "Government Bill (House of Commons) C-22 (45-1) - Third Reading" — parl.ca