Statement by the Privacy Commissioner of Canada to the House of Commons Standing Committee on Public Safety and National Security on Bill C-22

May 26, 2026
Ottawa, ON

Opening statement by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

---

Mr. Chair, members of the Committee. Thank you for inviting me to discuss my views on Bill C-22, the Lawful Access Act, 2026.

Last week, I shared a written brief with the Committee, which I look forward to discussing in more detail here today.

Bill C-22 reintroduces lawful access provisions that were originally proposed in Bill C-2, with several notable changes reflecting feedback that the government received. Some of those changes are consistent with written recommendations on Bill C-2 that I made to the Minister of Public Safety last November.

Bill C-22 improves on its predecessor Bill C-2 in several respects. In particular, I welcome the more narrowly tailored confirmation-of-service demand. I appreciate the addition of potential privacy and cybersecurity impacts as a factor that must be considered in the making of regulations and orders under the Supporting Access to Authorized Information Act (the SAAIA). I am also pleased to see the Act’s new oversight role for the Intelligence Commissioner with respect to ministerial orders.

That being said, in my written brief to this Committee, I have highlighted some aspects of Bill C-22 that would warrant, in my view, further amendments to strengthen and ensure privacy protections for Canadians.

Specifically, I recommend narrowing the definition of “subscriber information” to a closed list of discrete identifiers, such as a subscriber’s name, address, telephone number, and IP address. This would help to avoid capturing information that could attract a heightened expectation of privacy.

I also recommend restricting the range of persons or entities who could be compelled to produce subscriber information to telecommunications service providers, and ensuring that the justice or judge making the order can specify the subscriber information that must be produced.

Further, I recommend defining “publicly available information” in such a way as to exclude information in which a person has a reasonable expectation of privacy, consistent with the definition in the Communications Security Establishment Act.

The concept of publicly available information continues to evolve, and an individual does not automatically forfeit any reasonable expectation of privacy in information that may be accessible online. An example of this is when an individual’s information has been disclosed as a result of a data breach or has been published without their knowledge or consent.

Another recommended amendment would be to add an overarching requirement that obligations imposed under the SAAIA be limited to what is necessary and proportionate. This would help to ensure that any such obligations – including with respect to the retention of metadata – are tailored to minimize privacy impacts.

On the issue of accessing secure information, I would recommend amending the definition of “systemic vulnerability” to clarify that it includes any action that would render systemic methods of authentication or encryption less effective, as in Australia’s analogous law. In addition, I recommend specifying that regulations and orders must not have the effect of requiring an electronic service provider to introduce – or of preventing an electronic service provider from rectifying – a systemic vulnerability.

Finally, I recommend adding an exemption to the SAAIA’s confidentiality rules that would expressly allow electronic service providers to disclose information to appropriate regulatory bodies, such as my Office, for the purpose of allowing regulatory bodies to exercise their powers and duties as required.

Thank you. I would be pleased to answer your questions.