Bill C-22: Surveillance and Punishment

Lisez cette chronique en français.

A few weeks ago, I came across an open letter in Le Devoir signed by privacy lawyer Simon Du Perron, who referred to Bill C-22 as “surveillance in all but name” (une surveillance qui ne dit pas son nom).

This letter was a good starting point for my research, but as soon as I opened the bill itself, I realized that what is truly at stake is much bigger than one might imagine.

Bill C-22, introduced on March 12 by Minister of Public Safety, Gary Anandasangaree, is titled “An Act respecting lawful access.” The objective is to adapt investigative tools to the digital reality.

One of the central elements of C-22 is the definition of what is called “subscriber information,” which includes name, address, phone number, email address, and account credentials, as well as the types of services used, duration of use, and the devices used to access them. In other words, it is the mapping of a person’s digital presence — the complete exposure of another person.

Support your local indie journalists

On April 30, the Quebec Bar Association filed a brief in which it argues that by far the main problem with the bill is the definition of “subscriber information.” This definition is too broad to serve as the basis for all the new powers, and, with excessive and imprecise scope, it poses a serious risk to privacy protection. For this reason, data that seems trivial is highly revealing once cross-referenced, in a digital context. The Supreme Court has already recognized that an IP address constitutes reasonable grounds for an expectation of privacy, as it provides access to a large portion of a person’s online activity, acting as a “digital breadcrumb trail.”

Bill C-22 is divided into three main parts.

The first part amends several laws, particularly the Criminal Code, to facilitate access to data for investigations. In practical terms, this makes it easier for police and intelligence agencies to obtain basic information about a person — the so-called “subscriber information” — which also includes mechanisms to reduce response times from companies, limit opportunities for challenge, and specify that certain information may be obtained even without a warrant if it is provided voluntarily or is already publicly available.

In addition to expanding the power to intervene in emergency situations, this will allow authorities to retrieve data — such as location or communications related to devices that were not known at the time a warrant was obtained — thereby strengthening their ability to examine digital data. It also opens the door to requests directed at companies located abroad and to the enforcement in Canada of decisions made by other countries to obtain data on an individual. In practical terms, this means that information can flow across jurisdictions and that investigations no longer stop at borders.

The bill introduces new mechanisms for obtaining this “subscriber information.” One of the main ones is the disclosure order. A law enforcement officer can ask a judge to order a company to produce all subscriber information. This request can be made without the person’s knowledge, in a non-adversarial proceeding. And above all, it is based on a relatively low legal threshold: “reasonable grounds to suspect.” Technically, any jealous police officer or minister curious about the past of a person they are seeking to imprison, or whose rights they are seeking to restrict, could employ this.

Under the current wording of the section, the judge would not have the discretion to limit the request solely to information deemed relevant to the investigation. If the “reasonable grounds for suspicion” criteria are met, then all information relating to the subscriber should be disclosed.

The Bar Association emphasizes this point: this legal threshold is lower than the one used elsewhere in the Criminal Code, which requires “reasonable grounds to believe.” It may seem technical, but the difference is significant. We’re moving from a requirement of probability to a mere possibility. And according to the Bar Association, this choice could raise constitutional issues, because it reduces the safeguards surrounding access to sensitive information.

Another important point: to whom these orders can be directed. The bill refers to “any person providing services to the public.” The Bar Association points out that this phrase is far too broad. It could include not only internet service providers, but also hospitals, financial institutions, credit agencies — organizations that hold extremely sensitive information about a person’s privacy.

Part Two creates a new law requiring electronic service providers to adapt their systems to facilitate authorities’ access to data. When we talk about electronic service providers, we’re talking about companies like Bell or Videotron as well as Google, Instagram, your bank, or Netflix. Basically, all the companies that organize our digital lives and keep track of what we do. In other words, law enforcement is no longer content with companies simply allowing them access to your data; they are actively advocating for collaboration by compelling companies to commit more fully to it.

This second part also contains one of the most concerning aspects of the bill. The government could adopt regulations requiring these companies to retain certain metadata for up to a year, without having to provide a specific justification. However, this type of data is typically erased quickly. This means we are no longer talking about accessing information that already exists, but about forcing its prolonged storage in anticipation of potential future use by the authorities.

Part Three is simpler. It provides for a parliamentary review of the new measures, meaning a revision of the law three years after it becomes law. In other words, Parliament commits to revisiting the legislation after it takes effect to assess its impact and, if necessary, make adjustments.

This isn’t the first time the government has tried to push through this type of reform; C-22 incorporates several provisions that were already present in Bill C-2 (the Strong Borders Act), which had been challenged by more than 300 organizations, coalitions, and human rights advocates.

We are therefore facing a relaunch that they are trying to make more palatable.

I find this to be relentless, but you might say I lack nuance. I’m comfortable with that.

The Bar Association highlights this in its brief: by lowering the threshold for accessing personal information, there is a risk of broader infringements on fundamental rights.

There is also a point that stands out strongly in the Bar Association’s brief and is central to understanding the logic of the bill: the voluntary disclosure of data. The text provides that no warrant is necessary if a company chooses to transmit information to the authorities. And it is protected if it does so, thanks to civil and criminal immunity.

However, businesses remain, in theory, subject to privacy laws—such as Bill 25 in Quebec—which generally require individuals’ consent before their information is disclosed to a third party, except in certain cases stipulated by law, particularly when a request is accompanied by a court order.

In other words, some access to data can occur without judicial oversight. The Bar Association recommends removing these mechanisms because they circumvent fundamental safeguards and create a loophole incompatible with existing law.

This is not the only criticism raised by the Bar Association, however, and it makes several specific recommendations: narrowing the definition of the information in question, better regulating the entities that may be targeted, raising the legal threshold to “reasonable grounds to believe,” and eliminating mechanisms for voluntary disclosure without judicial authorization. In short, it does not reject the idea of adapting the law, but it argues that in its current form, the bill risks infringing on rights protected by the Charter.

As for the Ligue des droits et libertés, the tone is rather firm. The organization calls it one of the greatest threats to privacy in the last two decades and outright calls for the bill’s complete withdrawal, asserting that C-22 could turn a large portion of digital services into tools for state surveillance by forcing companies to adapt their systems to facilitate data access and by increasing data retention requirements. It also warns against the risks of hacking and misuse, noting that the more access points to data are created, the more vulnerable that data becomes.

The enormously intrusive scope of Bill C-22 and the unprecedented, unlimited powers it establishes represent the latest in a series of expansions of state powers in recent legislation—bills that, individually and collectively, pose a formidable threat to human rights in Canada.

– Ligue des droits et libertés, April 21, 2026.

In general, what I take away from my reading is that there is a disconnect, because on the one hand, the courts, including the Supreme Court, recognize that digital data deserves strong protection, as it provides access to intimate aspects of life. On the other hand, Bill C-22 facilitates access to this same data by lowering privacy protection thresholds, expanding the categories of entities covered, and introducing loopholes that circumvent judicial oversight.

Whether we agree or not, everyone has a right to privacy.

Digital privacy refers to the protection of personal information and the management of privacy on online platforms. It involves controlling one’s digital footprint, securing one’s data, and limiting the exposure of one’s private life — photos, location, feelings — to avoid harassment or exploitation. And even though we know that the companies providing us with internet access will always have access to our browsing data, there is a sort of implicit “I pay you,” so, “you keep this between us” contract intrinsic to the transaction.

In my view, we live in an ultra — or even supra — digital world where we tend to project an image of ourselves to feel alive (I’m convinced that even criminal gang leaders have a private TikTok, or an Insta, or a Facebook if they’re boomers). In this era, where we could say that many of us indulge in extimacy, that is, in externalization, exhibitionism, the desire to make visible certain aspects of ourselves and our activities that we consider private, that doesn’t mean we’re giving up everything. Choosing to show certain things does not grant access to everything else. There is a difference between what we decide to make visible and what we wish to keep protected. Extimacy is a voluntary act. Surveillance is something else.

If we are collectively concerned about child sexual abuse, why doesn’t this law directly target the people who commit these serious offences, rather than expanding surveillance mechanisms to the entire population? These tools are not limited to a single type of crime. Once they exist, they can be used in other contexts, for other offences, and with less clear justifications.

Digital surveillance is one of the most obsessive pursuits, and above all, one of the main conditions for the functioning of late capitalism and our states on the path to fascism. What we look at, what we search for online, where we go, who we talk to on the phone, who we text, what we say and who we follow on social media, as well as our movements — everything is exploitable data that will be used to generate behavioural profiles, model our conduct, and steer our choices and paths.

Thus, it is by no means exceptional that we have reached the point of excessive surveillance of people. This practice is integrated into the very infrastructure of daily life; a daily life that, needless to say, is already plagued by the exploitation of our labour and the logic of productivity.

In practical terms, C-22 makes it much easier to link a person to an account or an online activity. In activist contexts, such as Montréal Antifasciste or Robins des ruelles, this means that these collectives, which also organize online, could be linked more quickly to real identities using data held by platforms like Meta. It’s a tool to lift anonymity, attaching a name and address to accounts and networks. And once that link is made, the investigation can expand. Remember that it takes only “reasonable grounds for suspicion” for an investigator to have the right to request access to your personal information.

The consequences this could have for people who speak out against inequality, environmental activists, journalists, and the general public are very serious. Restrictions on fundamental freedoms — particularly the freedom to oppose state violence — always serve a repressive agenda.

I believe this bill is one of the most severe restrictions imposed by the state, and that we must urgently oppose it.

Did you like this article? Share it with a friend!