Parliament’s Privacy Watchdog Says Bill C-22 Still Needs Guardrails

This is no longer just a Big Tech complaint. Canada’s own Privacy Commissioner says the lawful-access bill still needs tighter limits before Parliament moves it forward.

Bill C-22 is now sitting exactly where a surveillance bill should be tested: in committee, under public pressure, with the Privacy Commissioner putting specific amendments on the table.

Parliament’s LEGISinfo page lists Bill C-22, the Lawful Access Act, 2026, as a House government bill sponsored by the Minister of Public Safety. It passed second reading and was referred to the public safety committee on April 20, 2026. That means MPs are no longer debating a slogan. They are shaping the machinery that police and security agencies could use to seek Canadians’ digital information.

Privacy Commissioner Philippe Dufresne was fair in his May 26 committee statement. He said Bill C-22 improves on the earlier Bill C-2 in several respects, including a more narrowly tailored confirmation-of-service demand, consideration of privacy and cybersecurity impacts, and a new oversight role for the Intelligence Commissioner on ministerial orders. Good. Government should get credit when it narrows an overreach.

But Dufresne did not give the Liberals a blank cheque. He recommended narrowing “subscriber information” to a closed list of identifiers such as name, address, phone number, email address and IP address. He also urged MPs to limit who can be compelled to produce that information, and to make sure a judge can specify what must actually be produced.

That matters because “subscriber information” is not harmless paperwork. Depending on the service, it can point to sensitive relationships, locations, devices and online behaviour. A conservative accountability standard is simple: if the state wants data, the law should say exactly what data, from whom, for what purpose and under what independent limit.

Dufresne also warned that “publicly available” information should not become a loophole for privacy invasion. Information leaked in a breach or posted without consent may be technically accessible, but that does not mean Canadians surrendered their rights.

The Commissioner’s most important guardrail may be on encryption. He recommended that Bill C-22 clarify that regulations and orders must not require an electronic service provider to introduce a systemic vulnerability, and that “systemic vulnerability” include anything that would make authentication or encryption less effective. That is not anti-police. It is pro-security. A weakness built for government can become a weakness exploited by criminals or hostile states.

Google and Apple have also warned MPs that the bill could threaten encryption and user data. But the stronger point is that Canada’s own privacy watchdog is asking for guardrails too.

If the Liberals say Bill C-22 is about public safety, they should accept amendments that protect both safety and liberty: narrow definitions, necessity and proportionality tests, encryption protection, and breach-reporting access for regulators. Anything less asks Canadians to trust a black box with their private lives.