Loading...
Canada deserves to know.
Loading...
Every recent Canadian lawful-access proposal — from Bill C-30 in 2012 to Bill C-2 last year — included some statutory role for the Office of the Privacy Commissioner. Bill C-22 does not. The OPC cannot audit how the retained metadata is stored, cannot review the secret capability orders, and has no investigation power over complaints arising from the new regime. Here is what changed.
The Office of the Privacy Commissioner of Canada is the federal body designed specifically to audit how privacy-affecting government and private-sector practices are conducted. Every recent lawful-access bill in Canada — Bill C-30 (Toews, 2012), Bill C-2 (Strong Borders Act, 2025) — included some statutory role for the OPC in the regime being created. Bill C-22 (Lawful Access Act, 2026) does not. The OPC has no audit role over the bill's one-year metadata-retention requirement, no review role over the Public Safety Minister's secret capability orders, and no complaint jurisdiction over the new regime. The bill instead points to the Intelligence Commissioner as the review body for ministerial orders — a different review body with a different scope. This article walks through what changed between the predecessors and the current bill, and what an OPC role could look like as an amendment.
The Office of the Privacy Commissioner of Canada (OPC) is an Officer of Parliament. The OPC has existed since 1983 under the Privacy Act and operates under two statutes: the Privacy Act (governing federal departments' handling of personal information) and PIPEDA (governing private-sector handling of personal information in commercial activity).
The OPC's core powers include: auditing federal departments' privacy practices, investigating complaints from individuals, reporting publicly to Parliament on systemic issues, conducting research and public education, and reviewing Privacy Impact Assessments before new federal programs launch.
In the lawful-access context specifically, the OPC has been the principal independent voice on every prior lawful-access proposal in Canada: the 2002 Lawful Access consultation, the 2009 Conservative bills, Bill C-30 in 2012, and the Trudeau-era Bill C-51 (the 2015 anti-terror omnibus). Each of those proposals contained explicit OPC oversight roles in the regime they created.
**Bill C-30 (the 2012 Toews bill).** The "Protecting Children From Internet Predators Act" was the most controversial lawful-access bill of the Harper era. It was withdrawn after public outcry. The bill contained provisions requiring the Public Safety Minister to "consult with the Privacy Commissioner" on regulations and required telecommunications service providers (TSPs) to give the OPC certain reporting obligations. Those provisions were embedded in the bill text, not relegated to policy guidance.
**Bill C-2 (the 2025 Strong Borders Act).** The most-recent predecessor to C-22. Tabled by the previous government, abandoned before second reading. The bill contained a section requiring the Public Safety Minister to "consult with the Privacy Commissioner of Canada" before issuing regulations governing the retention of telecommunications data. While narrower than C-30's provisions, it was a statutory OPC touchpoint within the regime.
**Bill C-22 (2026).** No equivalent provision. The Privacy Commissioner is referenced in the federal backgrounder accompanying the bill, but the bill text itself does not contain a "Privacy Commissioner" role within the regime it creates.
Bill C-22 does the following on oversight:
- **Intelligence Commissioner approval** of ministerial orders under Part 2 (SAAIA). The IC reviews specific orders for reasonableness on a case-by-case basis. - **Production-order requirement** for police access to retained metadata, with a "reasonable grounds to suspect" threshold. - **Warrant requirement** for content access (already required by the Criminal Code).
It does NOT do the following:
- No statutory authority for the OPC to audit how providers store retained metadata. - No requirement that the Minister notify the OPC of secret capability orders (even in confidence). - No mechanism for the OPC to report aggregate statistics on the regime to Parliament. - No OPC complaint jurisdiction over the C-22 regime specifically (the OPC retains its general PIPEDA jurisdiction over private-sector providers, but with no special standing on C-22-specific practices).
The OPC therefore enters the C-22 regime only through general PIPEDA — the same statute under which it polices a credit-card company's data-breach handling. The bill creates new federal surveillance powers and does not grant the federal privacy watchdog a corresponding new oversight role.
The Intelligence Commissioner is a separate institution under the National Security Act, 2017. The IC reviews ministerial decisions in the national-security space — including authorizations for CSE foreign-intelligence operations and CSIS threat-reduction measures — for reasonableness.
The IC's role differs from the OPC's in three ways:
1. **Scope.** The IC reviews specific ministerial decisions one at a time, asking whether the Minister's reasoning is reasonable. The OPC audits patterns of practice across institutions. 2. **Reporting.** The IC reports annually to Parliament but is not structured to publish aggregate statistics on the use of specific powers in real time. The OPC publishes detailed annual reports on systemic privacy issues, often naming and tracking specific institutional failures. 3. **Complaints.** The IC does not investigate complaints from individuals affected by ministerial decisions. The OPC's complaint jurisdiction is one of its core functions and the principal mechanism for individual Canadians to challenge how their data is handled.
Michael Geist's analytical coverage of Bill C-22 has flagged this substitution explicitly: pointing to the IC as the review body for a metadata-retention regime is "not a substitute for OPC oversight" because the two bodies serve different functions in the federal privacy architecture.
None of the OPC roles that could be added to Bill C-22 are hypothetical. Each has a precedent in the OPC's existing federal mandate or in the predecessor lawful-access bills:
- **Audit authority over retention practices.** An amendment could authorize the OPC to audit how a "core provider" stores, accesses, and secures the retained metadata. This is functionally identical to the OPC's audit authority over federal departments' Privacy Act compliance. - **In-confidence notification of secret capability orders.** An amendment could require the Minister to notify the OPC (under classification) of each Part-2 order issued. The OPC could then publish aggregate counts annually — number of orders, broad subject-matter categories — without disclosing operational details. - **Charter-statement consultation requirement.** An amendment could require the Department of Justice to consult the OPC before issuing the Charter statement on any future amendment touching the metadata-retention regime. - **Complaint jurisdiction over the C-22 regime.** An amendment could give the OPC explicit complaint-handling authority for individual Canadians whose data has been accessed through the C-22 regime, with reporting back to Parliament on patterns.
These are standard OPC functions, not novel powers. They appear in some form in every prior lawful-access regime in Canada.
For an OPC oversight role to be added to Bill C-22, a Liberal MP on the Standing Committee on Public Safety and National Security would have to propose or accept the amendment. SECU has eleven members. Seven are Liberal. Four are opposition (two Conservative Vice-Chairs, plus Bloc and NDP members).
Under normal House rules, the committee can amend the bill at clause-by-clause review. But under a majority-government structure, government-side amendments are the only ones with a clear path. Opposition amendments need at least one government MP to break ranks — which is uncommon but not unprecedented on civil-liberties questions.
Day 7 of this series catalogues the seven Liberal members of SECU. The Chair is the Honourable Jean-Yves Duclos. The six other Liberal members are Sima Acan, Marianne Dandurand, Anthony Housefather, Marcus Powlowski, Jacques Ramsay, and Amandeep Sodhi.
Civil-liberties analysts treat institutional architecture — who has audit authority, who reviews what, who reports to whom — as the load-bearing structure of a regime, more telling than the specific operational provisions. The provisions can be amended at committee. The oversight architecture is harder to redesign once the bill is on the statute book.
The OPC's absence from the bill is the most institutionally distinctive feature of Bill C-22 relative to its predecessors. The predecessors had OPC roles. C-22 does not. That is not a drafting accident — Justice Canada's Bill C-22 working group included departmental privacy specialists, and the OPC's mandate is well known to them. The choice not to include a statutory OPC role under the new regime is exactly that: a choice.
What that choice means for the bill's eventual Charter test is the question Day 5 examines, in the context of the European Court of Justice's 2014 ruling on a structurally similar regime.
The bill explicitly excludes the content of communications from mandatory retention. What it would require — who you talked to, when, where you were, what device you used — is the data that intelligence professionals call "the more important half" of surveillance. Here is what a year of that data reveals about an ordinary Canadian.
The Lawful Access Act, 2026 cleared a critical procedural hurdle in the House on April 20. Committee review starts next. Five distinct opposition voices — academic, technology-industry, civil-society, U.S. legislative, and Charter-rights — have already weighed in against parts of the bill. Here is where the bill stands, what it would do, and what happens between here and Royal Assent.
The Lawful Access Act is back in Parliament with new powers for police and secret orders for telecom providers. Here is what it means for your privacy.
About this article
Parliament Audit is non-partisan and does not endorse or oppose any legislation. This article is based on publicly available legislative documents and parliamentary records; all sources are linked above.
AI-assisted, human-edited. AI tools help us ingest parliamentary records and draft analysis; an editor reviews every article and verifies key facts against primary sources before publication. Quotation marks are reserved for verbatim text from a primary source. See our methodology and corrections log.
Your MP votes on this. Their constituency inbox is the most-read channel for feedback on bills in committee.
You're welcome to run this article in full on your newsroom, blog, newsletter, or paper. Keep the byline and the link back to parliamentaudit.ca. See the full terms.
<!-- Parliament Audit — republished under CC BY-ND 4.0 -->
<article>
<h1>Bill C-22 Creates New Surveillance Powers. The Privacy Commissioner Has No Role in Overseeing Any of Them.</h1>
<p><em>By Parliament Audit · May 22, 2026 · 6 min read</em></p>
<p><strong>The Office of the Privacy Commissioner of Canada is the federal body designed specifically to audit how privacy-affecting government and private-sector practices are conducted. Every recent lawful-access bill in Canada — Bill C-30 (Toews, 2012), Bill C-2 (Strong Borders Act, 2025) — included some statutory role for the OPC in the regime being created. Bill C-22 (Lawful Access Act, 2026) does not. The OPC has no audit role over the bill's one-year metadata-retention requirement, no review role over the Public Safety Minister's secret capability orders, and no complaint jurisdiction over the new regime. The bill instead points to the Intelligence Commissioner as the review body for ministerial orders — a different review body with a different scope. This article walks through what changed between the predecessors and the current bill, and what an OPC role could look like as an amendment.</strong></p>
<h2>What the Privacy Commissioner does</h2>
<p>The Office of the Privacy Commissioner of Canada (OPC) is an Officer of Parliament. The OPC has existed since 1983 under the Privacy Act and operates under two statutes: the Privacy Act (governing federal departments' handling of personal information) and PIPEDA (governing private-sector handling of personal information in commercial activity).</p>
<p>The OPC's core powers include: auditing federal departments' privacy practices, investigating complaints from individuals, reporting publicly to Parliament on systemic issues, conducting research and public education, and reviewing Privacy Impact Assessments before new federal programs launch.</p>
<p>In the lawful-access context specifically, the OPC has been the principal independent voice on every prior lawful-access proposal in Canada: the 2002 Lawful Access consultation, the 2009 Conservative bills, Bill C-30 in 2012, and the Trudeau-era Bill C-51 (the 2015 anti-terror omnibus). Each of those proposals contained explicit OPC oversight roles in the regime they created.</p>
<h2>What predecessor lawful-access bills included</h2>
<p>**Bill C-30 (the 2012 Toews bill).** The "Protecting Children From Internet Predators Act" was the most controversial lawful-access bill of the Harper era. It was withdrawn after public outcry. The bill contained provisions requiring the Public Safety Minister to "consult with the Privacy Commissioner" on regulations and required telecommunications service providers (TSPs) to give the OPC certain reporting obligations. Those provisions were embedded in the bill text, not relegated to policy guidance.</p>
<p>**Bill C-2 (the 2025 Strong Borders Act).** The most-recent predecessor to C-22. Tabled by the previous government, abandoned before second reading. The bill contained a section requiring the Public Safety Minister to "consult with the Privacy Commissioner of Canada" before issuing regulations governing the retention of telecommunications data. While narrower than C-30's provisions, it was a statutory OPC touchpoint within the regime.</p>
<p>**Bill C-22 (2026).** No equivalent provision. The Privacy Commissioner is referenced in the federal backgrounder accompanying the bill, but the bill text itself does not contain a "Privacy Commissioner" role within the regime it creates.</p>
<h2>What Bill C-22 contains — and doesn't</h2>
<p>Bill C-22 does the following on oversight:</p>
<p>- **Intelligence Commissioner approval** of ministerial orders under Part 2 (SAAIA). The IC reviews specific orders for reasonableness on a case-by-case basis.
- **Production-order requirement** for police access to retained metadata, with a "reasonable grounds to suspect" threshold.
- **Warrant requirement** for content access (already required by the Criminal Code).</p>
<p>It does NOT do the following:</p>
<p>- No statutory authority for the OPC to audit how providers store retained metadata.
- No requirement that the Minister notify the OPC of secret capability orders (even in confidence).
- No mechanism for the OPC to report aggregate statistics on the regime to Parliament.
- No OPC complaint jurisdiction over the C-22 regime specifically (the OPC retains its general PIPEDA jurisdiction over private-sector providers, but with no special standing on C-22-specific practices).</p>
<p>The OPC therefore enters the C-22 regime only through general PIPEDA — the same statute under which it polices a credit-card company's data-breach handling. The bill creates new federal surveillance powers and does not grant the federal privacy watchdog a corresponding new oversight role.</p>
<h2>What the Intelligence Commissioner does — and doesn't</h2>
<p>The Intelligence Commissioner is a separate institution under the National Security Act, 2017. The IC reviews ministerial decisions in the national-security space — including authorizations for CSE foreign-intelligence operations and CSIS threat-reduction measures — for reasonableness.</p>
<p>The IC's role differs from the OPC's in three ways:</p>
<p>1. **Scope.** The IC reviews specific ministerial decisions one at a time, asking whether the Minister's reasoning is reasonable. The OPC audits patterns of practice across institutions.
2. **Reporting.** The IC reports annually to Parliament but is not structured to publish aggregate statistics on the use of specific powers in real time. The OPC publishes detailed annual reports on systemic privacy issues, often naming and tracking specific institutional failures.
3. **Complaints.** The IC does not investigate complaints from individuals affected by ministerial decisions. The OPC's complaint jurisdiction is one of its core functions and the principal mechanism for individual Canadians to challenge how their data is handled.</p>
<p>Michael Geist's analytical coverage of Bill C-22 has flagged this substitution explicitly: pointing to the IC as the review body for a metadata-retention regime is "not a substitute for OPC oversight" because the two bodies serve different functions in the federal privacy architecture.</p>
<h2>What an OPC role could look like</h2>
<p>None of the OPC roles that could be added to Bill C-22 are hypothetical. Each has a precedent in the OPC's existing federal mandate or in the predecessor lawful-access bills:</p>
<p>- **Audit authority over retention practices.** An amendment could authorize the OPC to audit how a "core provider" stores, accesses, and secures the retained metadata. This is functionally identical to the OPC's audit authority over federal departments' Privacy Act compliance.
- **In-confidence notification of secret capability orders.** An amendment could require the Minister to notify the OPC (under classification) of each Part-2 order issued. The OPC could then publish aggregate counts annually — number of orders, broad subject-matter categories — without disclosing operational details.
- **Charter-statement consultation requirement.** An amendment could require the Department of Justice to consult the OPC before issuing the Charter statement on any future amendment touching the metadata-retention regime.
- **Complaint jurisdiction over the C-22 regime.** An amendment could give the OPC explicit complaint-handling authority for individual Canadians whose data has been accessed through the C-22 regime, with reporting back to Parliament on patterns.</p>
<p>These are standard OPC functions, not novel powers. They appear in some form in every prior lawful-access regime in Canada.</p>
<h2>The political math at committee</h2>
<p>For an OPC oversight role to be added to Bill C-22, a Liberal MP on the Standing Committee on Public Safety and National Security would have to propose or accept the amendment. SECU has eleven members. Seven are Liberal. Four are opposition (two Conservative Vice-Chairs, plus Bloc and NDP members).</p>
<p>Under normal House rules, the committee can amend the bill at clause-by-clause review. But under a majority-government structure, government-side amendments are the only ones with a clear path. Opposition amendments need at least one government MP to break ranks — which is uncommon but not unprecedented on civil-liberties questions.</p>
<p>Day 7 of this series catalogues the seven Liberal members of SECU. The Chair is the Honourable Jean-Yves Duclos. The six other Liberal members are Sima Acan, Marianne Dandurand, Anthony Housefather, Marcus Powlowski, Jacques Ramsay, and Amandeep Sodhi.</p>
<h2>Why the absence is itself a story</h2>
<p>Civil-liberties analysts treat institutional architecture — who has audit authority, who reviews what, who reports to whom — as the load-bearing structure of a regime, more telling than the specific operational provisions. The provisions can be amended at committee. The oversight architecture is harder to redesign once the bill is on the statute book.</p>
<p>The OPC's absence from the bill is the most institutionally distinctive feature of Bill C-22 relative to its predecessors. The predecessors had OPC roles. C-22 does not. That is not a drafting accident — Justice Canada's Bill C-22 working group included departmental privacy specialists, and the OPC's mandate is well known to them. The choice not to include a statutory OPC role under the new regime is exactly that: a choice.</p>
<p>What that choice means for the bill's eventual Charter test is the question Day 5 examines, in the context of the European Court of Justice's 2014 ruling on a structurally similar regime.</p>
<hr />
<p><small>
Originally published by <a href="https://parliamentaudit.ca/news/bill-c-22-privacy-commissioner-no-oversight-role">Parliament Audit</a>
under the <a href="https://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND 4.0</a> license.
<img src="https://parliamentaudit.ca/api/republish-beacon?slug=bill-c-22-privacy-commissioner-no-oversight-role" alt="" width="1" height="1" />
</small></p>
</article>