Bill C-22 and Your Privacy: Risks Every Canadian Should Know

1. What Is Bill C‑22?

Canada's Bill C‑22 — formally the National Security Review of Procurement Iterations Act and associated lawful-access reform proposals — is part of an ongoing effort by the federal government to update the legal tools available to law enforcement and national security agencies for digital investigations.

In practical terms, lawful-access legislation generally does two things:

It requires telecommunications providers and internet service providers (ISPs) to retain certain data about their customers for a specified period.
It requires those same providers to build technical systems capable of extracting and handing over that data when law enforcement presents a legal demand.

Supporters argue these powers are necessary to modernize policing in the digital age. This page is not a neutral government summary. It focuses on the privacy and security risks these measures create for ordinary Canadians — risks that government communications often minimize or omit entirely.

Key question to keep in mind: When the government requires companies to collect and hold more of your data, who is responsible if that data is stolen, leaked, or misused?

2. How Bill C‑22 Affects Your Personal Data and Metadata

What is "metadata"?

Most people think of privacy in terms of content — the actual words in a text message or email. But metadata is the information about your communications. It is often far more revealing than the messages themselves.

Metadata includes things like:

Your IP address — a number that identifies your device and can pinpoint your approximate physical location.
Timestamps — exactly when you sent or received a message, made a call, or visited a website.
Who contacted whom — the phone numbers, email addresses, or device identifiers of everyone you communicate with.
Duration — how long a call lasted, how long you were on a website.
Device identifiers — unique codes that identify your specific phone, tablet, or computer.
Cell tower data — which cell towers your phone connected to, which can track your physical movements throughout the day.

🚫 Why metadata matters so much: Researchers have shown that metadata alone — with no message content at all — can reveal your religion, your health conditions, your political views, your relationships, your financial situation, and your daily routine. If someone knows who you call at 2 a.m., how long you talk, and where your phone was, they know a great deal about your life.

What does Bill C‑22 change?

Lawful-access proposals associated with Bill C‑22 and related legislative efforts can require:

Mandatory retention periods: ISPs and providers must keep logs of your metadata for a specified time — even if you have done nothing wrong and are never under investigation.
Technical interception capabilities: Providers may be required to build or maintain systems that allow law enforcement to efficiently extract organized datasets about users on demand.
Subscriber information disclosure: Your name, address, and associated identifiers may be disclosable to certain authorities without a traditional warrant in some circumstances.

The critical point is that every Canadian's data is affected — not just those suspected of wrongdoing. You do not need to be investigated to have your metadata retained and organized by your ISP under these rules.

3. Security Risks and the "Honeypot" Problem

What is a "honeypot"?

In cybersecurity, a honeypot is any system or data store that is particularly attractive to attackers because of what it contains. The larger and more complete a dataset, the more valuable it becomes — and therefore the more effort a criminal, foreign intelligence service, or malicious insider will spend trying to steal it.

How mandatory retention creates honeypot-like risks

When legislation requires ISPs and telecommunications companies to retain detailed metadata on millions of Canadians, the result is the creation of very large, centralized data stores. These stores:

Contain detailed behavioural profiles of millions of people.
Are held by private companies with varying security maturity and budgets.
Must, by law, be made accessible to law enforcement systems — which means interfaces and access pathways must exist.
Represent a single point of failure: one breach can expose millions of records.

⚠ This is a risk analysis, not a claim about any specific breach. No specific data breach under Bill C‑22 is being alleged here. The concern is structural: requiring large-scale data retention inherently increases the risk and value of a breach.

What could happen if retained metadata is stolen?

The potential consequences of a breach of lawful-access retained metadata are serious:

Detailed profiling: A complete picture of your daily habits, social network, and movement patterns could be assembled from metadata alone.
Tracking and targeting: Journalists, activists, abuse survivors, and political dissidents could be tracked and identified by hostile actors — foreign governments, organized crime, or stalkers.
Exposure of sensitive patterns: Visits to medical clinics, calls to legal aid, contact with support services for domestic violence — all of this can be inferred from metadata and could be weaponized.
Identity and financial fraud: Combined with other data sources, retained metadata can help criminals answer security questions and bypass identity verification systems.

The security paradox

There is a fundamental tension at the heart of lawful-access legislation: the more data that is required to be retained, and the more accessible that data must be made to law enforcement, the harder it becomes to secure it. Access pathways that exist for police also create potential pathways for attackers. This is not speculation — it is a well-documented principle in information security.

4. Accountability and Responsibility Gaps

Who holds the data?

Under lawful-access frameworks, the data is typically held by private companies — your ISP, your mobile carrier, or other telecommunications providers. These companies are legally responsible under Canadian privacy law (including PIPEDA and provincial equivalents) for the security of the data they hold.

A structural accountability problem

The concern here is structural. Consider the chain of responsibility:

The government passes a law requiring data to be retained and access systems to be built.
The private company is required to collect, store, and secure that data — at its own expense and with its own security team.
Ordinary Canadians have no choice in the matter; their data is collected whether they consent or not.
If the data is breached, ordinary Canadians bear the real-world consequences — identity theft, exposure of sensitive information, loss of anonymity.

The government mandates that the data exist. The government mandates that it be accessible. But the government does not directly secure it, and in many cases, the legal remedies available to victims of a data breach are slow, costly, and uncertain.

Weak remedies for individuals

Under current Canadian law, if your retained metadata is stolen in a breach, your options are limited:

You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC), but the OPC has historically had limited enforcement powers.
Class-action litigation is possible but expensive, slow, and often settled for amounts that do not meaningfully compensate individuals.
There is no automatic right to compensation or notification of what specifically was exposed about you.

This asymmetry — the state requires the data to exist; private actors secure it imperfectly; individuals suffer the consequences — is, from a privacy and security standpoint, a serious design flaw in the lawful-access model.

5. Who Benefits from Bill C‑22?

Any honest policy analysis must ask: who does this legislation primarily serve? This is a policy critique — not an accusation of bad faith by any specific person.

Benefits Law enforcement and security agencies

Law enforcement agencies gain significant operational advantages from lawful-access legislation:

More predictable, standardized access to data — reducing the time spent on data preservation orders and negotiations with providers.
Longer retention windows mean data is available further back in time, supporting retrospective investigations.
Standardized technical interfaces make it easier and faster to extract the data once a legal demand is issued.

Benefits Large telecommunications providers

Counterintuitively, large ISPs and carriers can benefit from these requirements as well:

Compliance requirements tend to favour larger companies that have the resources to build and maintain compliant systems.
Standardized compliance creates a potential market for compliance-as-a-service products sold to smaller providers.
Clear legal requirements give companies a defined legal defence when handing over data — reducing their own legal uncertainty.

Bears the risk Ordinary Canadians

The benefits for ordinary Canadians are indirect and diffuse — better-equipped law enforcement is, in theory, a public good. But the costs and risks are direct and specific:

More of your behavioural data is logged and retained, whether or not you have ever been suspected of anything.
That data exists as a target for breach, theft, or misuse for the full duration of its retention period.
You have limited legal recourse if things go wrong, and you had no meaningful ability to opt out.
Vulnerable populations — domestic abuse survivors, journalists, Indigenous communities, political activists — face heightened risk from expanded surveillance infrastructure.

The core concern: In this model, the risks are socialized broadly across the population, while the operational benefits are concentrated in specific institutions. Ordinary Canadians bear the exposure while having the least say in how the system is designed and secured.

6. Civic Action: How Canadians Can Respond

The most effective response to legislation you disagree with is lawful, respectful, and direct: contact your elected representative. Members of Parliament (MPs) in Canada represent individual ridings, and they are genuinely accountable to the people who contact them — especially in writing.

✓ Good news: You do not need to be an expert, a lawyer, or politically connected to write to your MP. A clear, respectful letter from a constituent carries real weight.

Step-by-step: How to find your MP

Go to the official Parliament of Canada website at www.ourcommons.ca (or search "Find your MP Parliament of Canada").
Look for the "Find a Member of Parliament" tool — usually accessible from the homepage under "Members of Parliament."
Enter your postal code in the search field and click Search or Find.
Note your MP's full name and the name of your electoral district (riding).
You can find your MP's office phone number, email address, and local constituency office address on the same page.

Mailing your MP for free

You can mail any Member of Parliament at their House of Commons address with no postage required for mail sent within Canada. Use this format:

[Your MP's Full Name], MP
House of Commons
Ottawa, Ontario  K1A 0A6

(No postage is required when mailing to the House of Commons from within Canada.)

What to ask your MP

When you contact your MP, consider asking them specifically:

What safeguards will prevent unauthorized access to retained metadata?
What is the government's plan if a provider holding retained data suffers a major breach?
What remedies will be available to Canadians whose retained data is stolen or misused?
Has an independent security and privacy impact assessment been conducted and publicly released?
Will there be independent oversight of how retained data is accessed and used?

7. Form Letter to Your MP

📋 The letter below is designed to be adapted for your own situation. Replace the items in [square brackets] with your own information. You may edit the language as you see fit. Personalizing a letter — even briefly — makes it more effective.

[Your Full Name]
[Your Street Address]
[City, Province  Postal Code]
[Your Email Address]
[Date]

The Honourable [MP's Full Name], MP
House of Commons
Ottawa, Ontario  K1A 0A6

Dear [MP's Last Name],

I am writing to you as a constituent of [your riding name] to express my serious
concerns about the privacy and security implications of Canada's Bill C-22 and
the lawful-access measures associated with it.

I understand that law enforcement agencies need tools to investigate serious
crimes in the digital age. However, I am concerned that the current approach
creates significant risks for ordinary Canadians that have not been adequately
addressed.

My specific concerns are:

1. MANDATORY METADATA RETENTION

   Requiring telecommunications providers and ISPs to retain detailed metadata
   on all Canadians — including IP addresses, timestamps, location data, and
   communications patterns — creates comprehensive records of our daily lives.
   This data is retained regardless of whether we are suspected of any wrongdoing.

   Metadata alone can reveal a person's religion, health situation, political
   views, relationships, and physical movements. This is not a minor technical
   detail; it is a detailed portrait of a person's life.

2. SECURITY AND "HONEYPOT" RISKS

   When legislation requires large volumes of sensitive data to be stored and
   made technically accessible to law enforcement, it creates large, attractive
   targets for cyberattacks. Security experts have long warned that mandated
   retention creates systemic risks: data that must exist and must be accessible
   is harder to secure than data that is simply never collected.

   If a major breach of retained metadata were to occur, millions of Canadians
   could face serious harms — identity theft, exposure of sensitive personal
   patterns, and risks to individuals such as survivors of domestic abuse,
   journalists, and political activists.

3. ACCOUNTABILITY GAPS

   Under the current model, the government requires data to be retained and
   access systems to be built, but private companies are left responsible for
   securing that data. If a breach occurs, ordinary Canadians have limited and
   difficult legal remedies. This is a structural design concern: the risks are
   borne by the public, while the operational benefits flow to specific agencies.

WHAT I AM ASKING

I respectfully urge you to:

   a) Oppose or seek amendment to any provisions of Bill C-22 that expand
      mandatory metadata retention or mandated technical access capabilities
      without strong, binding security standards and independent oversight.

   b) Support clear legal remedies — including meaningful compensation — for
      Canadians whose retained data is lost, stolen, or misused.

   c) Require that an independent privacy and security impact assessment be
      conducted and publicly released before any lawful-access provisions
      come into force.

   d) Advocate for a transparency framework that allows Canadians to know,
      in aggregate terms, how often retained data is accessed and by whom.

I am a concerned Canadian who values both public safety and the right to
privacy and digital security. I believe these goals can be achieved together,
but only with the right safeguards in place.

I would welcome a response indicating your position on these issues and the
steps you are taking to protect your constituents' privacy and digital security.

Yours sincerely,

[Your Full Name]
[Your Riding]
[Your Contact Information]

⚖ Legal Disclaimer

This page is for general information and civic engagement purposes only. It does not constitute legal advice of any kind.

The author of this page is not a lawyer and does not hold any legal or professional qualifications in law. Nothing on this page creates or implies a lawyer‑client relationship between the author and any reader.

The analysis presented here reflects a privacy-and-security-focused opinion based on publicly available information. It is not a definitive legal conclusion about the legality, constitutionality, or effect of any legislation. Reasonable, qualified people — including lawyers and policy experts — may disagree with the views expressed here.

Laws, bills, and regulations change. The Canadian Parliament amends and passes legislation regularly. The information on this page may be out of date by the time you read it. You should independently verify the current status of any legislation referenced here, including by consulting official Parliament of Canada sources at www.parl.ca and www.laws-lois.justice.gc.ca.

If you have questions about how any law affects your specific situation, you should consult a qualified lawyer licensed to practise in your province or territory. Free or low-cost legal advice is available in many provinces through legal aid clinics, law school clinics, and community legal organizations.

Nothing on this page should be read as encouraging any illegal activity. The civic actions described — contacting your MP, writing letters — are lawful forms of democratic participation recognized under Canadian law.