Lawful access

Lawful access refers to the ability of law enforcement agencies or the Canadian Security Intelligence Service (CSIS) to legally obtain certain information or intercept communications.

What lawful access includes

Lawful access is used to investigate crimes and threats, such as:

Lawful access includes two things:

  1. The legal authorities to obtain information and data, such as warrants and production orders. These authorities are set out in federal statutes, including the Criminal Code and the CSIS Act.
  2. The ability of Electronic Service Providers (ESPs) to provide the legally authorized information and data. This requires ESPs to have the technical capabilities to provide law enforcement and CSIS with the information they are legally authorized to obtain. There is currently no regulatory framework in Canada to facilitate or standardize these technical capabilities. This is discussed below under the heading "Lawful access in Canada".

There are strict rules for requesting information about an individual in the course of an investigation, out of respect for privacy and Charter rights.

Understanding lawful access

Law enforcement and CSIS use many investigative tools, including lawful access, which is the legal authority to intercept communications, seize information, or obtain data from ESPs, such as telecommunications companies.

In Canada, lawful access is notably used, among others, by:

Communications and information may be legally obtained from:

Lawful access can only be used when authorized by the law, usually through a warrant, a production order, or a wiretap authorization issued by a judge, which is granted under specific circumstances. A warrant authorizes law enforcement to do something, while a production order orders someone, like a Canadian telecommunications company, to provide information or data in their possession. A wiretap authorization is a very specific type of warrant that allows law enforcement and CSIS to intercept private communications exchanged in real time.

A warrant, an authorization to intercept private communications, or a production order will only be granted if a judge is satisfied that specific legal requirements are met.

To obtain a warrant or production order to access communications stored on a device, such as an email or text messages, law enforcement and CSIS must demonstrate to the court that there are reasonable grounds to believe that an offence has been or will be committed and that the information will provide evidence of that offence. To obtain a warrant or production order for limited information like an IP address associated with a transaction or a call log, law enforcement and CSIS must demonstrate reasonable grounds to suspect that an offence has been or will be committed and that the information will assist in the investigation of the offence.

Key components of a warrant or production order include:

For example, intelligence indicates that members of an organized crime group are directing an individual to commit criminal acts, such as extortion and drug trafficking, through messages on cellphones. In this scenario, law enforcement could apply for a production order requiring a Canadian telecommunications service provider to provide the messages exchanged on one of the individuals' cellphones, where there are reasonable grounds to believe that these communications are being used to plan or carry out the crimes.

Part 2 - Supporting Access to Authorized Information Act

Part 2 of Bill C-22, the Supporting Access to Authorized Information Act (SAAIA), modernizes a 30-year-old government policy and provides law enforcement and the Canadian Security Intelligence Service (CSIS) with the tools they need to combat crime and protect national security in the digital age.

It addresses gaps in Canada's lawful access framework by ensuring that Electronic Service Providers (ESPs) have the technical capability to provide information to law enforcement and CSIS when they are legally authorized to receive it, to keep Canadians safe, while upholding the Charter and protecting privacy.

What the legislation would do

Set a standardized regulatory framework for select ESPs

Law enforcement and CSIS currently depend on ad-hoc arrangements with specific ESPs. Bill C-22 would establish a regulatory framework that standardizes requirements, strengthens overall capabilities, and ensures that investigators can receive the legally authorized information that they are entitled to in a timely manner.

Regulations will identify classes of core providers and establish their respective baseline technical capability obligations required to support lawful access.
The Act also provides for a robust compliance and enforcement regime, including administrative monetary penalties (AMPs) to deter non-compliance.

Align our capabilities with like-minded partners

All G7, Five Eyes partners and most other European countries have had lawful access frameworks for many years that include technical capability obligations for ESPs.

Bill C-22 would align Canada with its allies, supporting better cooperation on transnational investigations and making our country safer and more secure.

Safeguards against systemic vulnerabilities

Bill C-22 includes clear safeguards that would allow ESPs to refuse to implement a technical capability obligation if it creates a systemic vulnerability in electronic protections, such as encryption, or prevents them from correcting one.

The definition of systemic vulnerability was amended to lower the threshold from "substantial" to "credible" risk, based on recognized international technical standards. The definition was also amended to scope out those who are subject to a legal authorization to access their information.

Further clarification was added that ESPs are not required to comply with a provision of a Ministerial or compliance order if it would introduce a systemic vulnerability in their services or prevent them from rectifying one.

An amendment also clarified that the definition of terms included in Bill C-22, such as systemic vulnerability, cannot be redefined in regulations.

Transparency and Oversight

SAAIA includes strong, multi-layered oversight and transparency measures. Ministerial Orders must be reviewed and approved by the Intelligence Commissioner, who assesses the reasonableness of the Minister's decision. Service providers may also seek judicial review, adding an additional safeguard.

Independent review bodies, including NSIRA and NSICOP, can examine the implementation of SAAIA at their discretion and pursuant to their mandates.

The Minister of Public Safety must publish an annual report outlining key activities undertaken under SAAIA, including Ministerial Orders, compliance and enforcement actions, and assistance requests. A redacted version must be made public, while an unredacted version is provided to NSIRA and NSICOP. The Intelligence Commissioner also reports on Ministerial Orders annually.

Finally, SAAIA will undergo a parliamentary review after three years. Together, these measures ensure transparent implementation and robust oversight of the Act.

Amendments to C-22 promote ongoing reporting and transparency. For the purposes of facilitating NSIRA's mandate, the IC's decision on Ministerial Orders along with all material submitted by the Minister must be provided to NSIRA within 30 days of receipt of the IC's decision. In addition, NSIRA must be notified of requests to review compliance orders, along with the results of the review; both within 30 days of the deadline of making such a request or when the review has been completed, respectively.

Additionally, amendments were made to add disclosure provisions to Ministerial orders and to allow ESPs to request written authorization from the Minister to disclose information pertaining to an order. Where it is relevant to a regulator's duties and functions, the Minister must grant the request.

What the legislation wouldn't do

Bill C-22 would not create "backdoors" and weaken cybersecurity

The Canadian Centre for Cyber Security defines a "backdoor" as a hidden mechanism that bypasses security controls. Bill C-22 does not require ESPs to create "backdoors" to their systems and does not abrogate the existing responsibility of ESPs to protect their networks from hacking or other unauthorized access. The Government of Canada will be required to consult impacted ESPs, both in the making of regulations and the issuance of Ministerial Orders, and take into account their potential impact on cybersecurity and privacy.

An amendment was added to the interpretation section of the Act to indicate that no obligations are to be construed as compelling an ESP to decrypt or have the capability to decrypt information unless the ESP provided the encryption and has the information necessary to do so. This protects end-to-end encryption using similar language to the U.S. in their lawful access technical capabilities legislation.

Bill C-22 would not allow direct access

Bill C-22 would not permit law enforcement and CSIS to directly access personal information from an ESP's system. ESPs would remain in control of their own systems, and they would only provide information to investigators in a secure manner, upon receiving legal authorization.

An amendment to Bill C-22 reinforces that legal authorization, such as a warrant or production order, is required to access personal information and that regulations or Ministerial Orders are not an alternative means of obtaining such information.

Bill C-22 would not authorize government mass surveillance and/or tracking

Nothing in Bill C-22 would authorize surveillance of any kind.

For example, ESPs, like telecommunication service providers, already have information flowing through their networks that can identify cellphones that connect to their network.

Bill C-22 would ensure that ESPs, upon receiving a legally authorized request, can provide the information quickly, in a format that is usable to law enforcement and CSIS.

Bill C-22 would not keep all types of metadata like history of personal web and social media activity or the content of an exchange

Bill C-22 explicitly prohibits regulations requiring ESPs to retain a person's web-browsing history, data that would reveal the content of their electronic communications, telephone conversations and social media activities.

Metadata is information that does not include the content of an exchange. It includes information such as the type, date, time, duration, origin or termination of an exchange. For example, it provides police information about when and where a call took place, and who was on the call, which can help them identify individuals involved in organized crime groups.

ESPs generate metadata in their systems, but the retention periods vary greatly for the type of data and across providers. The absence of a legislated data retention regime creates an uneven playing field across ESPs and has significant implications, particularly in the case of complex investigations which may start months after the data was initially created. SAAIA would define in regulations the types of metadata that can be retained and their retention period.

Many Five Eyes and European countries have established robust data retention regimes, mandating the retention of metadata under specific circumstances for designated providers. For example:

The Government of Canada will develop an approach to metadata retention that reflects our threat environment and that respects the Canadian Charter of Rights and Freedoms.

Bill C-22 was amended to reduce the maximum data retention period from one year to six months. Furthermore, data retention obligations can only be imposed on metadata that is essential to facilitating effective and timely investigations under the Criminal Code and the performance of duties under the CSIS Act.

How Bill C-22 would help investigations

Scenario 1 – At-risk youth goes missing

An at-risk 16-year-old girl was reported missing. She had already been missing for 10 days when she made an emergency call.

The ESP was able to confirm the call and the closest cell tower used to make the call, but could not provide the last known location of the phone before it was disconnected since they are not required to have that capability.

This caused delays in finding the teen.

How Bill C-22 would help:

Bill C-22 would require ESPs to maintain accurate and consistent localization capabilities across the country that are standard in Europe and among all of our Five Eyes allies and share that information with law enforcement when they are legally authorized to do so. This would allow law enforcement to find the missing teen faster.

Scenario 2 – Foreign partner investigation

CSIS has received information from a foreign partner carrying out an investigation outside of Canada into several terrorism suspects with Canadian phone numbers.

The foreign partner has highlighted that, based on some of their intelligence, the threat activity may be moving to Canada.

CSIS has been able to confirm that these phone numbers were obtained through a reseller that does not maintain records of its sales or track any of its clients' activity.

CSIS is unable to help the foreign partner and risks not having sight on a threat to Canada.

How Bill C-22 would help:

Under Bill C-22, regulations could set obligations for resellers to address this barrier so that CSIS could investigate.

Scenario 3 – Drug and human trafficking investigation

A drug and human trafficking investigation in Saskatchewan revealed that a suspect was using an iPhone that was subscribed to an ESP's cellular data network.

Investigators obtained a warrant to intercept the suspect's transmission data from this phone.

Despite having the lawful authority to intercept this information, the ESP did not have the technical capability within their network to action the warrant.

Due to delay in implementing a solution, investigators were forced to abandon the investigation.

How Bill C-22 would help:

Bill C-22 will compel select ESPs to develop and maintain lawful access capabilities. In the scenario above, when the warrant was obtained for the suspect's data, the ESP would have been able to provide it quickly and the drug and human trafficking investigation would have been able to continue.

Scenario 4 – Online extortion threats investigation

An individual is receiving online threats unless they pay money to a criminal organization. These threats are made using a fake (spoofed) phone number via a ‘VoIP’ Internet phone to contact the victim.

The criminals then escalate their threats and begin firing shots at the victim’s home, at a time when no witnesses are present. However, the criminals likely have devices with them or in their vehicles which would have location-based information that police could use to tie them to the scene of the crime.

Police investigators would serve a Production Order to the victim’s electronic service provider (ESP). This process is challenging as the call made by the criminals may have passed through multiple ESPs.

As a result, the evidence, in the form of metadata, may no longer be accessible by the time police have identified the next provider in the evidence chain.

The location-based information captured by the ESP may also have a short retention period and might not be available by the time police can issue the request. Collecting that data may also be labour intensive for the ESP, or they may not have the capability to capture the data at all as they have not historically been required to do so.

How would C-22 help?

At present, before police can officially ask for information from an ESP, they have to know what type of data may exist in their records, and which company has those records. The types of data could include subscriber information, like the name, address, phone number of a client, or call records (but not the content of messages), or location-based data on a specific client’s device.

It is not enough to say that a message came from a particular IP address. Police have to connect that IP address to a device, that device to a person, and then prove that the same person was the one who used the device to send the message.

Bill C-22 would put a standardized framework in place to require an ESP to help police, who have obtained judicial authorizations, get information about the call or the devices in proximity of the crime scenes. Much of the data that police seek from ESPs is already captured for their own business purposes, but not all ESPs have the ability to share it with police because standardized capabilities are not currently mandated.

Bill C-22 would require ESPs to store certain metadata that is generally already collected and used for analytics, billing, or other business activities to effectively protect the public. Metadata refers to information that does not include the content of an exchange, such as the type, date, time, duration, origin, destination, or termination of an exchange. For example, in the case of a phone call, it would include information such as the phone numbers of the people talking to each other and how long they talked for, not what they said. This is information that can only then be obtained via authorizations that have been approved by the judiciary and would be provided to police by the electronic service provider, not retrieved directly from their networks by police.

Your privacy

Current provisions for lawful access in Canada respect privacy laws and the Canadian Charter of Rights and Freedoms.

Without legal authority, law enforcement and CSIS cannot intercept communications or request information and data. Lawful access does not allow law enforcement and intelligence investigators to monitor just anyone's Internet use, e-mail content or social media activity. It also does not require companies to store all of their customers' communications.

The Government of Canada will continue to respect the rights and freedoms of people living in Canada with any update to lawful access tools, including legislation.

Lawful access in Canada

We live in a complex digital environment with many ways to communicate. New technology and other digital tools make communication faster and more accessible, but they are also often misused for illicit purposes. A wide variety of criminals, extremists and other bad actors take advantage of this digital environment. They use online platforms for criminal activities like online fraud, selling illicit products and money laundering. It's also a place where threats to Canada can be planned, coordinated and financed, such as terrorist attacks or foreign interference activities.

Law enforcement and CSIS have had to work for decades with outdated laws that do not require ESPs to have the technical capability to respond to lawful access requests made by authorities. This means, even when investigators have a warrant or production order to obtain communications, the ESP may not have the ability to provide the communication or information.

This results in lost time, missing information, or investigations being abandoned.

Canada is the only country amongst its Five Eyes partners, the G7, and across the European Union without legislation requiring ESPs to develop and maintain lawful access capabilities. Our coverage is limited and there are growing blind spots in interception and location tracking, with inconsistent capabilities among ESPs. This negatively impacts the ability of all Canadian law enforcement and CSIS to investigate domestically and collaborate on international investigations, such as transnational organized crime activities or terrorist plots.

In many investigations, law enforcement or CSIS are not able to take action that people in Canada would expect them to, such as tracking a phone or intercepting a call. As Canada struggles to obtain basic capabilities and other countries are advancing their investigative tools for emerging technology, Canada risks becoming an 'intercept haven' for threat actors.

In March 2026, the Government of Canada introduced an act that will keep Canadians safe (Bill C-22). This Bill proposes to modernize lawful access to give law enforcement and CSIS the modern tools people in Canada expect them to have to keep communities safe.

Page details

2026-06-23