Bill C-22 amends the Criminal Code to add explicit powers for judges, justices and peace officers to examine computer data, to compel telecommunications providers to confirm whether they served particular accounts, and to obtain domestic and foreign production of transmission data and subscriber information. It also enacts the Supporting Authorized Access to Information Act, which creates a regulatory and orders-based regime compelling electronic service providers to develop technical capabilities, retain limited metadata, and assist authorized persons.
The package centralizes quicker access to communications-related data for police and national security agencies, layers civil and criminal penalties for non‑compliance, and establishes inspection, audit and reporting tools. For legal, compliance and technology teams it means new notice, process and security obligations, potential costs for technical changes, and new confidentiality rules that limit public visibility into many uses of these powers.
At a Glance
What It Does
The bill adds express Criminal Code language authorizing warrants to examine computer data and creates ex parte production orders and short-form “confirmation of service” demands to telecommunications providers. It also creates a separate statute empowering the Minister to require technical capabilities and assistance from electronic service providers, backed by orders, inspections and penalties.
Who It Affects
Telecommunications carriers, platforms and any electronic service providers that offer services to Canadians (particularly those designated as “core providers” by regulation), law enforcement agencies (RCMP and police), CSIS, and judges who will authorize new forms of warrant and production requests.
Why It Matters
It shifts many routine investigatory steps from voluntary cooperation or mutual‑legal‑assistance into statutory authorities, imposing new operational and compliance requirements on providers while narrowing the circumstances under which they can decline to assist.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
Part 1 rewrites Criminal Code search-and-production provisions to squarely address modern digital evidence. Judges may now authorize examination of computer data seized under a warrant or specified computer systems in police possession; the bill clarifies that computer-data examinations can occur at any time and place in Canada and that copying is permitted.
It standardizes notice and forms for warrants and production orders and creates a separate, shorter process — a "confirmation of service" demand — that requires a telecommunications provider to state whether it has or had a specified subscriber, account or identifier.
The bill builds procedural safeguards alongside the new powers. Judges may attach conditions to examinations to ensure reasonableness, and there is a statutorily defined route for providers to apply quickly to revoke or vary confirmation demands or production orders before they must comply.
Judges may also delay giving copies of computer-data warrants, and they may extend those delay periods (with an upper bound in the Code). Non-disclosure orders (gag orders) can be issued ex parte to prevent disclosure of the existence or contents of preservation demands, confirmation demands or production orders.The law also reaches across borders: investigators may, with judicial authorization, make production requests to foreign telecommunications entities and there is a new Mutual Legal Assistance pathway to seek court enforcement in Canada of foreign decisions compelling transmission data or subscriber information.
The Criminal Code amendment sets a criminal summary fine for failure to comply with preservation or confirmation demands.Part 2 enacts the Supporting Authorized Access to Information Act, a standalone administrative regime that identifies classes of “core providers” by regulation and authorizes both regulations and ministerial orders to require operational and technical capabilities. The Minister can order providers to develop, test and maintain capabilities, require limited metadata retention, and compel cooperation for assessments and testing.
Orders prevail over regulations and must be reviewed by the Intelligence Commissioner; the Act provides for ministerial discretion to offer compensation for costs and contains an exemption when compliance would introduce a systemic vulnerability. The Act sets out inspection and audit powers, internal-audit orders, compliance orders, administrative monetary penalties and criminal offences for contraventions, and creates reporting obligations with public and classified components.Finally, the bill includes administrative process features: timelines and forms for judicial authorizations, consultation requirements before certain regulations, judicial review parameters, confidentiality protections for provider-related information, and a mandatory parliamentary review in the third year after full commencement.
The Five Things You Need to Know
A judge may authorize the examination of computer data seized under a warrant or contained in a specified computer system, and the examination may occur at any time and place in Canada with copying allowed.
A peace officer or public officer may issue a "confirmation of service" demand to a telecommunications provider requiring confirmation (not content) of whether specified subscriber, account or identifier details exist; the demand must allow at least 24 hours for response and may include a non-disclosure condition of up to one year.
On ex parte application, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all subscriber information relating to specified data; the order cannot target a person who is under investigation for the offence in question.
The Supporting Authorized Access to Information Act lets the Minister issue orders to any electronic service provider (not only core providers) requiring technical capabilities and assistance; orders require Intelligence Commissioner approval and cannot force a provider to introduce a systemic vulnerability.
The Supporting Act creates administrative enforcement: AMP exposure up to $250,000 for organizations (and $50,000 for individuals), separate criminal penalties (up to $500,000 for corporations), internal-audit and compliance-order powers, and inspection/entry authority for designated persons.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
New computer-data warrant framework and production tools
This block modernizes search-warrant law to cover computer systems and computer data expressly: warrants can authorize active searching of a seized computer system, seizure of computer data, and judicial authorization to examine seized or specified computer data. It also introduces a formal confirmation-of-service demand for telecoms, clarifies preservation/production order procedures (including forms and timeframes), and creates ex parte routes to seek production from foreign entities. Practically, investigators gain standardized templates and statutory cover for digital‑evidence practices that were previously handled by ad hoc or legislative gaps.
Short-form demand to confirm subscriber/accounts and a five-day right to challenge
This section creates Form 5.0011 and authorizes peace or public officers to demand that a telecommunications service provider confirm whether it provided services to the named subscriber, account or identifier. The provider has at least 24 hours to respond, can seek judicial revocation or variation within five business days, and is not obliged to comply until judicial proceedings conclude. The provision also permits an investigator to impose temporary non‑disclosure conditions, while carving out medical and privileged information from demands.
Ex parte production orders for subscriber information and authorized foreign production requests
Judges may issue ex parte production orders compelling providers to prepare a document containing subscriber information tied to specified data. A separate authorization route allows investigators, with judicial sign‑off, to request transmission data or subscriber information from foreign telecommunications entities; authorizations must be used within 30 days. The statute includes forms and sets limits — for example, orders cannot target a person who is themselves under investigation for the offence at issue.
Regulatory and order-based regime imposing technical obligations on providers
This enacted Act lets the Governor in Council define "core providers" and make regulations about capabilities, device installation, testing, and retention of limited metadata (not content, browsing history or social media activity). The Minister may issue targeted orders to any electronic service provider, subject to review and approval by the Intelligence Commissioner; orders can include compensation, but providers can refuse to comply if compliance would introduce a systemic vulnerability. The Act also creates inspection, audit and compliance mechanisms and requires annual public reporting (with classified disclosures to oversight bodies).
Administrative and criminal sanctions, audits and compliance orders
The Supporting Act establishes an AMP regime (maximums: $50,000 individual, $250,000 non‑individual) for specified contraventions and separate criminal offences with higher fines. Designated persons can inspect facilities, order internal audits, and issue compliance orders; providers must comply with those orders and may request administrative review by the Minister. The Act also contains continuity provisions — e.g., orders override inconsistent regulations — and sets limitation periods and due‑diligence defences.
This bill is one of many.
Codify tracks hundreds of bills on this topic across all five countries.
Explore this topic in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal and provincial law enforcement (RCMP, municipal police): They gain clearer, faster statutory tools to obtain subscriber and transmission data and to examine computer data, reducing reliance on voluntary production or slow mutual‑legal‑assistance routes.
- Canadian Security Intelligence Service (CSIS) and intelligence investigators: CSIS receives parallel confirmation-demand authority and a statutory route to request provider cooperation under the Supporting Act, expanding its administrative toolkit for national‑security investigations.
- Judiciary and prosecutors: Standardized forms, explicit statutory bases and clearer procedural rules reduce ambiguity in applications and can streamline court review of digital‑evidence requests.
- Designated persons and oversight bodies: The Intelligence Commissioner, NSIRA and parliamentary committees receive structured reporting and review tasks, improving oversight channels compared with purely administrative requests.
- Victims and public‑safety stakeholders: Faster access to communications metadata and computer data can accelerate investigations in time‑sensitive criminal or security matters.
Who Bears the Cost
- Telecommunications service providers and electronic service providers: They face new statutory demands, potential ministerial orders to build technical capabilities, obligations to assist with assessments and testing, metadata retention duties, and exposure to AMPs and criminal sanctions.
- Cloud and platform operators with international infrastructure: Companies serving Canadians but headquartered elsewhere will encounter judicially authorized foreign‑request mechanisms and may need new compliance processes to handle production requests or ministerial orders.
- Privacy and security compliance teams: Firms must translate new legal forms and discretionary orders into operational playbooks, implement audit and record‑keeping regimes, and manage legal challenges while protecting privileged or medical information.
- Small or niche providers: The compliance burden and potential costs of technical capability development or audits may be disproportionate for smaller firms without economies of scale.
- Parliamentary and oversight bodies: The Intelligence Commissioner and review agencies will see increased workload reviewing ministerial orders and redacted reporting, requiring resources to maintain meaningful oversight.
Key Issues
The Core Tension
The central dilemma is straightforward: the state seeks rapid, reliable access to communications and device data to protect public safety and national security, but giving investigators that speed and breadth risks weakening cybersecurity, encroaching on privacy and imposing heavy operational costs on service providers — a trade-off between operational efficacy and the resilience/privacy of digital systems.
The bill balances expanded access with procedural checks, but several practical tensions and unanswered implementation questions remain. First, the statutory permission to examine seized computer data and to copy it at any time and place is broad; judges can add conditions, yet the ex parte architecture for production orders and confirmation demands means oversight often comes after the provider has been required to act.
Second, the Supporting Act permits ministerial orders that prevail over regulations and applies to providers outside the "core" regulatory class; though the Intelligence Commissioner must approve orders, the timing and depth of that review (and what counts as "reasonable" conclusions) will be decisive for whether orders become a planning or emergency tool.
Operationally, the regulations and orders regime raises cybersecurity trade‑offs. The statute forbids orders that require introducing a "systemic vulnerability," but it also requires technical capabilities and limited retention of metadata — design choices that can create attack surfaces if poorly specified.
The bill offers discretionary compensation but leaves the mechanics unspecified, which matters for willingness to comply and for smaller providers' capacity to implement costly technical changes. Finally, confidentiality and non‑disclosure rules protect investigations but also reduce public transparency: annual reports may be redacted and key uses of the powers can be shielded from parliamentary and public scrutiny unless oversight bodies demand otherwise.
There's more to this law than the bill.
Codify Laws traces every connection across the legislative lifecycle.