Loading...
Canada deserves to know.
Loading...
Part 2 of the Lawful Access Act, 2026 — the Supporting Authorized Access to Information Act (SAAIA) — creates a new power for the Public Safety Minister to issue capability orders to electronic service providers. The provider must comply. The provider is legally barred from disclosing that the order exists. The Intelligence Commissioner reviews the order for reasonableness. The public does not.
Bill C-22 contains a provision that civil-liberties advocates from Meta, Apple, the Electronic Frontier Foundation, and academic privacy law have uniformly flagged as the bill's most aggressive feature: the Public Safety Minister's power to issue "capability orders" to electronic service providers. Under Part 2 of the bill (the Supporting Authorized Access to Information Act, SAAIA), the Minister can require a provider to build a specific surveillance capability into their service, maintain it, and not disclose its existence. The provider must comply. The provider is legally prohibited from disclosing that the order exists. The Intelligence Commissioner reviews the Minister's reasonableness on a case-by-case basis. There is no statutory requirement of public reporting — even aggregate. This article walks through how the order is issued, what the provider is and is not allowed to say, how the Intelligence Commissioner's review works in practice, and what amendments could restore public accountability.
Under Part 2 of Bill C-22 — the Supporting Authorized Access to Information Act (SAAIA) — the Public Safety Minister is granted authority to issue "capability orders" to electronic service providers operating in Canada. The bill's terminology is technical, but the substance is direct: the Minister can require a provider to:
- **Build a specific surveillance capability.** Not merely permit access to data the provider already has. The order can require the provider to design, develop, and deploy a new technical capability that the provider would not otherwise have built. - **Maintain the capability.** The order can require the provider to keep the capability operational, with ongoing engineering investment, for the duration the Minister specifies. - **Cooperate operationally.** The provider can be required to facilitate use of the capability by authorized federal investigators.
The order is signed by the Minister. The Minister's decision is informed by departmental advice from Public Safety Canada and operational input from the agencies that would use the capability — primarily the RCMP and CSIS.
The most distinctive feature of the SAAIA regime — and the feature that draws the sharpest opposition — is the non-disclosure requirement.
Under the bill, a provider receiving a capability order is legally barred from disclosing that the order exists. Specifically, the provider cannot:
- Tell its customers that a capability has been built into the service. - Inform the press of the order's existence. - Disclose the order to shareholders or in public regulatory filings. - Acknowledge the order in response to specific questions from journalists, customers, or oversight bodies.
The non-disclosure obligation runs with the order. The provider's senior leadership knows. The provider's engineering team knows (to the extent they need to know to build the capability). The Minister, the Intelligence Commissioner, and the operational agencies know. The public does not.
This differs from the existing CSE / CSIS warrant regime in scope. Existing intelligence warrants have classification rules attached to their content — but the existence of the warrant authority itself is public, the number of warrants issued is published in aggregate annual reports, and providers have generally been able to issue "transparency reports" disclosing aggregate numbers of warrants received. SAAIA, as drafted, does not provide for that aggregate-disclosure path.
The bill points to the Intelligence Commissioner (IC) as the review body for the Minister's SAAIA orders. The IC reviews each order for "reasonableness" — a standard borrowed from the existing IC mandate under the National Security Act, 2017.
What is IN the review: - The legal threshold for issuing the order (whether the Minister's grounds meet the statutory requirements). - Whether the Minister's reasoning is reasonable in the circumstances. - Whether the technical requirements imposed on the provider are proportionate to the stated purpose.
What is NOT in the review: - Public reporting of the existence or aggregate count of orders. - Investigation of complaints from providers or users. - Audit of how the capability is used after the order is approved. - Public reporting on whether the IC's review reasoning was followed by the agencies that use the capability.
The IC publishes an annual report. Existing IC annual reports cover the IC's broader caseload — CSE authorizations, CSIS measures, ministerial directives — and do not separately catalogue the use of specific authorities. Without specific disclosure obligations under the SAAIA regime, the public reporting would, by default, fold any SAAIA reviews into the same aggregated case statistics that exist today.
Meta and Apple have both publicly opposed the SAAIA capability-order regime. Their stated concerns center on two distinct points.
**The security argument.** A surveillance capability built into a service is also a vulnerability that bad actors can exploit. Apple has argued this point in multiple jurisdictions, most prominently in the 2016 FBI / San Bernardino litigation: building a backdoor for authorized use creates infrastructure that, once it exists, becomes a target for unauthorized exploitation. The same architecture that lets authorized investigators access communications can, in principle, be exploited by foreign intelligence services or organized crime that compromises the provider's systems.
**The disclosure argument.** Technology firms operate transparency programs in part because users demand them. A provider whose products advertise end-to-end security cannot truthfully maintain that claim while operating under a secret order that compromises the security property. The non-disclosure rule, as Apple has argued in U.S. proceedings, forces companies into a position of either misrepresenting their products' security to customers or refusing the order.
The Electronic Frontier Foundation's May 2026 brief on C-22 frames this as a "systemic insecurity" problem: even users who would consent to surveillance in narrowly-defined contexts cannot make informed decisions about which services to trust when capability-order existence is undisclosed.
Michael Geist has been on record from the bill's first reading that the SAAIA capability-order power is the bill's most aggressive provision. In his analytical coverage, Geist has framed the concern as a structural asymmetry: the government knows what surveillance capabilities exist in Canadian services; the public does not.
The Electronic Frontier Foundation's May 2026 brief on Bill C-22 echoes the same framing in stronger terms, drawing on EFF's longer institutional record opposing equivalent capability-order regimes in the United States (CALEA), the United Kingdom (the Investigatory Powers Act), and Australia (TOLA). The EFF brief notes that in every jurisdiction where capability-order regimes have been enacted, the regimes have expanded beyond their initial statutory scope through interpretive practice.
The BC Civil Liberties Association and the International Civil Liberties Monitoring Group have both filed submissions opposing the SAAIA provisions specifically, framing the non-disclosure rule as incompatible with the existing Canadian transparency-reporting practice that telecommunications providers have voluntarily developed over the last decade.
The U.S. House Judiciary Committee, in a letter to the Government of Canada dated April 2026, flagged Bill C-22 as a cross-border concern. The letter raises the interaction between Canadian capability orders and the U.S. Cloud Act framework, which governs cross-border law-enforcement access to data held by U.S.-based providers.
The Cloud Act allows a U.S. provider to challenge a foreign order that conflicts with U.S. law. The non-disclosure rule under SAAIA complicates that process: a U.S. provider receiving a Canadian capability order may not be able to mount an effective Cloud Act challenge if the order's existence is itself undisclosable.
The House Judiciary letter also raises Budapest Convention concerns. The 2001 Council of Europe Convention on Cybercrime sets transparency expectations for signatory states (including Canada) on cross-border data-access regimes. The Committee letter argues that secret capability orders, by design, are in tension with those expectations.
None of the amendments that committee MPs could propose on the SAAIA provisions are radical. Each has a precedent in lawful-access regimes in other peer democracies:
- **Aggregate public reporting.** Require the Minister to publish, annually, the total number of capability orders issued in the previous year, broken down by broad subject-matter category, without disclosing operational details. This is standard practice for FISA-court orders in the United States. - **OPC notification.** Require the Minister to notify the Office of the Privacy Commissioner (in confidence) of each order issued. The OPC would publish aggregate counts as part of its annual report to Parliament. - **Narrowed scope.** Restrict the SAAIA capability-order power to traditional telecommunications service providers, rather than the broader "electronic service provider" category, which can sweep in messaging platforms, cloud providers, and online services. - **Ex post Parliamentary review.** Require an automatic review of the SAAIA regime by a Parliamentary committee three years after enactment, with mandatory testimony from the Minister, the Intelligence Commissioner, and the OPC.
Any of these amendments would require government-side support to pass under the current majority structure. Day 7 of this series catalogues the seven Liberal MPs on the Standing Committee on Public Safety and National Security whose decisions over the coming weeks will determine which amendments, if any, are accepted.
Every recent Canadian lawful-access proposal — from Bill C-30 in 2012 to Bill C-2 last year — included some statutory role for the Office of the Privacy Commissioner. Bill C-22 does not. The OPC cannot audit how the retained metadata is stored, cannot review the secret capability orders, and has no investigation power over complaints arising from the new regime. Here is what changed.
The bill explicitly excludes the content of communications from mandatory retention. What it would require — who you talked to, when, where you were, what device you used — is the data that intelligence professionals call "the more important half" of surveillance. Here is what a year of that data reveals about an ordinary Canadian.
The Lawful Access Act, 2026 cleared a critical procedural hurdle in the House on April 20. Committee review starts next. Five distinct opposition voices — academic, technology-industry, civil-society, U.S. legislative, and Charter-rights — have already weighed in against parts of the bill. Here is where the bill stands, what it would do, and what happens between here and Royal Assent.
About this article
Parliament Audit is non-partisan and does not endorse or oppose any legislation. This article is based on publicly available legislative documents and parliamentary records; all sources are linked above.
AI-assisted, human-edited. AI tools help us ingest parliamentary records and draft analysis; an editor reviews every article and verifies key facts against primary sources before publication. Quotation marks are reserved for verbatim text from a primary source. See our methodology and corrections log.
Your MP votes on this. Their constituency inbox is the most-read channel for feedback on bills in committee.
You're welcome to run this article in full on your newsroom, blog, newsletter, or paper. Keep the byline and the link back to parliamentaudit.ca. See the full terms.
<!-- Parliament Audit — republished under CC BY-ND 4.0 -->
<article>
<h1>Bill C-22 Lets the Public Safety Minister Order a Telecom to Build Surveillance Tools. The Telecom Cannot Tell You. Here Is How That Works.</h1>
<p><em>By Parliament Audit · May 22, 2026 · 7 min read</em></p>
<p><strong>Bill C-22 contains a provision that civil-liberties advocates from Meta, Apple, the Electronic Frontier Foundation, and academic privacy law have uniformly flagged as the bill's most aggressive feature: the Public Safety Minister's power to issue "capability orders" to electronic service providers. Under Part 2 of the bill (the Supporting Authorized Access to Information Act, SAAIA), the Minister can require a provider to build a specific surveillance capability into their service, maintain it, and not disclose its existence. The provider must comply. The provider is legally prohibited from disclosing that the order exists. The Intelligence Commissioner reviews the Minister's reasonableness on a case-by-case basis. There is no statutory requirement of public reporting — even aggregate. This article walks through how the order is issued, what the provider is and is not allowed to say, how the Intelligence Commissioner's review works in practice, and what amendments could restore public accountability.</strong></p>
<h2>What a "secret capability order" actually is</h2>
<p>Under Part 2 of Bill C-22 — the Supporting Authorized Access to Information Act (SAAIA) — the Public Safety Minister is granted authority to issue "capability orders" to electronic service providers operating in Canada. The bill's terminology is technical, but the substance is direct: the Minister can require a provider to:</p>
<p>- **Build a specific surveillance capability.** Not merely permit access to data the provider already has. The order can require the provider to design, develop, and deploy a new technical capability that the provider would not otherwise have built.
- **Maintain the capability.** The order can require the provider to keep the capability operational, with ongoing engineering investment, for the duration the Minister specifies.
- **Cooperate operationally.** The provider can be required to facilitate use of the capability by authorized federal investigators.</p>
<p>The order is signed by the Minister. The Minister's decision is informed by departmental advice from Public Safety Canada and operational input from the agencies that would use the capability — primarily the RCMP and CSIS.</p>
<h2>The non-disclosure piece</h2>
<p>The most distinctive feature of the SAAIA regime — and the feature that draws the sharpest opposition — is the non-disclosure requirement.</p>
<p>Under the bill, a provider receiving a capability order is legally barred from disclosing that the order exists. Specifically, the provider cannot:</p>
<p>- Tell its customers that a capability has been built into the service.
- Inform the press of the order's existence.
- Disclose the order to shareholders or in public regulatory filings.
- Acknowledge the order in response to specific questions from journalists, customers, or oversight bodies.</p>
<p>The non-disclosure obligation runs with the order. The provider's senior leadership knows. The provider's engineering team knows (to the extent they need to know to build the capability). The Minister, the Intelligence Commissioner, and the operational agencies know. The public does not.</p>
<p>This differs from the existing CSE / CSIS warrant regime in scope. Existing intelligence warrants have classification rules attached to their content — but the existence of the warrant authority itself is public, the number of warrants issued is published in aggregate annual reports, and providers have generally been able to issue "transparency reports" disclosing aggregate numbers of warrants received. SAAIA, as drafted, does not provide for that aggregate-disclosure path.</p>
<h2>How the Intelligence Commissioner review works</h2>
<p>The bill points to the Intelligence Commissioner (IC) as the review body for the Minister's SAAIA orders. The IC reviews each order for "reasonableness" — a standard borrowed from the existing IC mandate under the National Security Act, 2017.</p>
<p>What is IN the review:
- The legal threshold for issuing the order (whether the Minister's grounds meet the statutory requirements).
- Whether the Minister's reasoning is reasonable in the circumstances.
- Whether the technical requirements imposed on the provider are proportionate to the stated purpose.</p>
<p>What is NOT in the review:
- Public reporting of the existence or aggregate count of orders.
- Investigation of complaints from providers or users.
- Audit of how the capability is used after the order is approved.
- Public reporting on whether the IC's review reasoning was followed by the agencies that use the capability.</p>
<p>The IC publishes an annual report. Existing IC annual reports cover the IC's broader caseload — CSE authorizations, CSIS measures, ministerial directives — and do not separately catalogue the use of specific authorities. Without specific disclosure obligations under the SAAIA regime, the public reporting would, by default, fold any SAAIA reviews into the same aggregated case statistics that exist today.</p>
<h2>Why technology firms specifically oppose it</h2>
<p>Meta and Apple have both publicly opposed the SAAIA capability-order regime. Their stated concerns center on two distinct points.</p>
<p>**The security argument.** A surveillance capability built into a service is also a vulnerability that bad actors can exploit. Apple has argued this point in multiple jurisdictions, most prominently in the 2016 FBI / San Bernardino litigation: building a backdoor for authorized use creates infrastructure that, once it exists, becomes a target for unauthorized exploitation. The same architecture that lets authorized investigators access communications can, in principle, be exploited by foreign intelligence services or organized crime that compromises the provider's systems.</p>
<p>**The disclosure argument.** Technology firms operate transparency programs in part because users demand them. A provider whose products advertise end-to-end security cannot truthfully maintain that claim while operating under a secret order that compromises the security property. The non-disclosure rule, as Apple has argued in U.S. proceedings, forces companies into a position of either misrepresenting their products' security to customers or refusing the order.</p>
<p>The Electronic Frontier Foundation's May 2026 brief on C-22 frames this as a "systemic insecurity" problem: even users who would consent to surveillance in narrowly-defined contexts cannot make informed decisions about which services to trust when capability-order existence is undisclosed.</p>
<h2>Why civil society opposes it</h2>
<p>Michael Geist has been on record from the bill's first reading that the SAAIA capability-order power is the bill's most aggressive provision. In his analytical coverage, Geist has framed the concern as a structural asymmetry: the government knows what surveillance capabilities exist in Canadian services; the public does not.</p>
<p>The Electronic Frontier Foundation's May 2026 brief on Bill C-22 echoes the same framing in stronger terms, drawing on EFF's longer institutional record opposing equivalent capability-order regimes in the United States (CALEA), the United Kingdom (the Investigatory Powers Act), and Australia (TOLA). The EFF brief notes that in every jurisdiction where capability-order regimes have been enacted, the regimes have expanded beyond their initial statutory scope through interpretive practice.</p>
<p>The BC Civil Liberties Association and the International Civil Liberties Monitoring Group have both filed submissions opposing the SAAIA provisions specifically, framing the non-disclosure rule as incompatible with the existing Canadian transparency-reporting practice that telecommunications providers have voluntarily developed over the last decade.</p>
<h2>The U.S. cross-border angle</h2>
<p>The U.S. House Judiciary Committee, in a letter to the Government of Canada dated April 2026, flagged Bill C-22 as a cross-border concern. The letter raises the interaction between Canadian capability orders and the U.S. Cloud Act framework, which governs cross-border law-enforcement access to data held by U.S.-based providers.</p>
<p>The Cloud Act allows a U.S. provider to challenge a foreign order that conflicts with U.S. law. The non-disclosure rule under SAAIA complicates that process: a U.S. provider receiving a Canadian capability order may not be able to mount an effective Cloud Act challenge if the order's existence is itself undisclosable.</p>
<p>The House Judiciary letter also raises Budapest Convention concerns. The 2001 Council of Europe Convention on Cybercrime sets transparency expectations for signatory states (including Canada) on cross-border data-access regimes. The Committee letter argues that secret capability orders, by design, are in tension with those expectations.</p>
<h2>What amendments could restore accountability</h2>
<p>None of the amendments that committee MPs could propose on the SAAIA provisions are radical. Each has a precedent in lawful-access regimes in other peer democracies:</p>
<p>- **Aggregate public reporting.** Require the Minister to publish, annually, the total number of capability orders issued in the previous year, broken down by broad subject-matter category, without disclosing operational details. This is standard practice for FISA-court orders in the United States.
- **OPC notification.** Require the Minister to notify the Office of the Privacy Commissioner (in confidence) of each order issued. The OPC would publish aggregate counts as part of its annual report to Parliament.
- **Narrowed scope.** Restrict the SAAIA capability-order power to traditional telecommunications service providers, rather than the broader "electronic service provider" category, which can sweep in messaging platforms, cloud providers, and online services.
- **Ex post Parliamentary review.** Require an automatic review of the SAAIA regime by a Parliamentary committee three years after enactment, with mandatory testimony from the Minister, the Intelligence Commissioner, and the OPC.</p>
<p>Any of these amendments would require government-side support to pass under the current majority structure. Day 7 of this series catalogues the seven Liberal MPs on the Standing Committee on Public Safety and National Security whose decisions over the coming weeks will determine which amendments, if any, are accepted.</p>
<hr />
<p><small>
Originally published by <a href="https://parliamentaudit.ca/news/bill-c-22-secret-capability-orders-public-safety-minister">Parliament Audit</a>
under the <a href="https://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND 4.0</a> license.
<img src="https://parliamentaudit.ca/api/republish-beacon?slug=bill-c-22-secret-capability-orders-public-safety-minister" alt="" width="1" height="1" />
</small></p>
</article>