The Lawful Access Act, 2026 cleared a critical procedural hurdle in the House on April 20. Committee review starts next. Five distinct opposition voices — academic, technology-industry, civil-society, U.S. legislative, and Charter-rights — have already weighed in against parts of the bill. Here is where the bill stands, what it would do, and what happens between here and Royal Assent.
On April 20, 2026, the House of Commons passed Bill C-22 — the Lawful Access Act, 2026 — at second reading. The bill is now at the Standing Committee on Public Safety and National Security, the last stage where substantial amendments are realistic before the Liberal majority votes it through. The bill mandates one year of metadata retention by "core providers," authorizes the Public Safety Minister to issue secret capability orders to electronic service providers, and lowers the police access threshold for subscriber information from "reasonable grounds to believe" to "reasonable grounds to suspect." Opposition comes from a wide coalition: academic privacy law, civil-society groups, the U.S. House Judiciary Committee, technology firms including Meta and Apple, and the Department of Justice's own Charter statement, which is silent on the metadata-retention question. The Privacy Commissioner of Canada has no statutory oversight role under the bill as drafted.
On April 20, 2026, the House of Commons passed Bill C-22 at second reading. The vote followed three sitting days of debate (April 13, 14, and 17), with the procedural vote held on April 20. Under House procedure, a successful second-reading vote means the House has approved the bill in principle and is sending it to a parliamentary committee for clause-by-clause study.
That committee is the Standing Committee on Public Safety and National Security (SECU). Committee study is where witnesses are heard, amendments are proposed, and the bill is reported back to the House for third reading. Three things matter about this stage:
- Amendments require government cooperation. With a Liberal majority on the committee, opposition-proposed amendments to strip or narrow the secret-order power, restore Privacy Commissioner oversight, or shorten the retention period cannot pass without Liberal support.
- Witness testimony is on-record. Privacy advocates, providers, law-enforcement representatives, and Charter scholars who appear at SECU enter the record. That record is what next year's litigants, the Office of the Privacy Commissioner, and any future bill-amendment process will cite.
- The committee schedule is public. Anyone tracking the bill can watch committee live, read the transcripts the next day, and contact MPs before key votes.
Bill C-22 has two parts.
Part 1 amends the Criminal Code and other statutes to create new investigative tools for police. The most notable changes:
- A "Confirmation of Service" demand allows police to require a telecom or internet provider to confirm whether they serve a particular individual. This is materially narrower than the warrantless subscriber-data access in the failed Bill C-2, but is broader than the status quo.
- For information beyond service confirmation, police would need a court-approved production order — but the legal threshold is "reasonable grounds to suspect," a lower bar than the "reasonable grounds to believe" standard required for a search warrant.
Part 2 is the Supporting Authorized Access to Information Act. It contains two big provisions:
- Mandatory metadata retention for "core providers": telecom and internet companies would be required to retain transmission data on every user for up to one year. That data includes the date, time, duration, and type of every communication; device identifiers; and location information sufficient to reconstruct a person's movements over time. The retention applies to all users, not just those under investigation.
- Secret capability orders. The Minister of Public Safety would gain authority to issue orders compelling electronic service providers to build and maintain surveillance capabilities. Providers receiving these orders would be legally barred from disclosing them publicly. The scope extends beyond traditional telecoms to major platforms.
The bill does explicitly exclude the content of communications, web browsing history, and social-media activity from the mandatory retention requirement.
Five distinct opposition voices are now public, and the diversity matters:
Academic privacy law. University of Ottawa professor Michael Geist published two detailed analyses in March 2026 calling out the metadata-retention model as a "fundamental shift" in the relationship between Canadians and providers, and the secret-order power as a "dangerous backdoor surveillance risk." Robert Diab at Thompson Rivers University reached similar conclusions.
Civil-society groups. The Electronic Frontier Foundation, in a May 2026 brief titled "Canada's Bill C-22 Is a Repackaged Version of Last Year's Surveillance Nightmare," argued the bill recycles core problems from prior lawful-access attempts.
Technology industry. Meta and Apple have publicly opposed Part 2, raising encryption-backdoor concerns. The Minister has disputed that characterization, stating that "encryption is not in any way interrupted as part of Bill C-22."
U.S. legislative. The U.S. House Judiciary Committee has reportedly raised concerns — a meaningful signal because cross-border data-sharing under the CLOUD Act and the Budapest Convention is one of the bill's quieter implications.
Charter rights. The Department of Justice's own Charter statement on C-22 is, per Geist, "oddly silent" on the metadata-retention question. That silence is the kind of thing future Charter litigants will point to.
The most concrete gap in the bill is the absence of the Office of the Privacy Commissioner from any statutory oversight role over the new powers. There is no requirement that the OPC approve or audit the secret capability orders, no requirement that retention practices be reported to the OPC, and no statutory mechanism for the OPC to investigate complaints about retained metadata.
This is a meaningful departure from how Canada has handled comparable privacy-affecting legislation in recent years. The OPC has had a defined audit and report-to-Parliament role in most lawful-access proposals since Bill C-30 in 2012.
The committee schedule is set by the SECU committee chair in consultation with the government. Realistically:
- May to June 2026: SECU witness hearings. Privacy advocates, providers, law enforcement, Charter scholars, the OPC.
- June to July 2026: Clause-by-clause review. Amendments proposed and voted on; the government can accept or reject.
- September to October 2026: Report stage and third reading in the House.
- Fall to Winter 2026: Senate review (committee, third reading).
- Late 2026 or early 2027: Royal Assent if all stages proceed.
The bill could move faster than this if the government chooses to use closure or time-allocation motions. It could move slower if amendments require negotiation.
Parliament Audit is running a daily piece on Bill C-22 from May 19 to May 25, each focusing on one specific dimension of the bill that bears civil-liberties or oversight scrutiny:
- Tuesday — What a year of metadata actually reveals.
- Wednesday — Why the absence of the Privacy Commissioner role matters.
- Thursday — How the secret capability-order process would work.
- Friday — What happened when Europe tried a nearly identical scheme (Digital Rights Ireland, 2014).
- Saturday — Documented Canadian surveillance overreach: from Tommy Douglas to Northern Gateway protesters.
- Sunday — How to track committee study and contact your MP before third reading.
About this article
Parliament Audit is non-partisan and does not endorse or oppose any legislation. This article is based on publicly available legislative documents and parliamentary records; all sources are linked above.
AI-assisted, human-edited. AI tools help us ingest parliamentary records and draft analysis; an editor reviews every article and verifies key facts against primary sources before publication. Quotation marks are reserved for verbatim text from a primary source. See our methodology and corrections log.
You're welcome to run this article in full on your newsroom, blog, newsletter, or paper. Keep the byline and the link back to parliamentaudit.ca. See the full terms.
<!-- Parliament Audit — republished under CC BY-ND 4.0 -->
<article>
<h1>Bill C-22 Just Passed Second Reading. With a Liberal Majority, the Path to Royal Assent Is Now Mostly Clear.</h1>
<p><em>By Parliament Audit · May 19, 2026 · 7 min read</em></p>
<hr />
<p><small>
Originally published by <a href="https://parliamentaudit.ca/news/bill-c-22-second-reading-update-april-20-2026">Parliament Audit</a>
under the <a href="https://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND 4.0</a> license.
</small></p>
</article>