Bill C-22, Canada's new Lawful Access Act, marks a significant shift from the previous attempt to embed warrantless surveillance in border legislation. The bill splits into two parts: one addressing timely access to data and the other establishing the Supporting Authorized Access to Information Act (SAAIA). Crucially, the data access component abandons the previous, overly broad approach that targeted any service provider, including doctors and lawyers.

Instead, it introduces a new 'confirmation of service' demand power, forcing telecom providers (not all service providers) to confirm if a specific person is a customer. This narrows the scope significantly compared to Bill C-2. Access to more personal information now requires judicial oversight via production orders.

However, the SAAIA section remains deeply concerning. It mandates electronic service providers (including major platforms like Google and Meta) to actively assist law enforcement in developing surveillance capabilities, testing them, and retaining metadata for up to one year. While some metadata categories like content and web browsing history are excluded, the new retention requirement expands obligations compared to the previous bill.

Oversight exists via ministerial approval by the Intelligence Commissioner, but concerns persist about network security vulnerabilities, secrecy, and alignment with international agreements like the CLOUD Act.