Bill C-22, the Lawful Access Act, 2026, was tabled in the House of Commons on 12 March 2026 by the Minister of Public Safety. This paper argues that C-22 is best understood not as a crime bill but as an infrastructure bill: it lowers the judicial threshold for compelled production of identifying information about Canadian internet users from "reasonable grounds to believe" to "reasonable grounds to suspect"; it authorizes mandatory metadata retention of up to one year applied to broad classes of providers without individualized suspicion; and it creates a ministerial and regulatory capability-mandate regime — backed by significant penalties and wrapped in non-disclosure — under which electronic service providers can be required to build, install, and maintain standing access capabilities in their own systems. The bill reaches non-core providers through the s. 7 order power, exempts extension-only orders from Intelligence Commissioner approval through s. 10(2), and contains no role for the Office of the Privacy Commissioner and no Indigenous-consultation provision. The paper reads the bill against its text, the Supreme Court of Canada's section 8 jurisprudence (Spencer; Marakah; Mills; Bykovets), the comparative European data-retention record (Digital Rights Ireland; Tele2 Sverige; La Quadrature du Net) as persuasive ballast rather than binding authority, the substantive submissions of the Office of the Privacy Commissioner of Canada and the National Security and Intelligence Review Agency, and approximately 150 years of documented Canadian surveillance practice — including the Indian Act registry, residential schools, the Sixties Scoop, RCMP political surveillance and the LGBT Purge, Japanese, Ukrainian, and Italian Canadian internment, the Maher Arar case, Bill C-51, and Project SITKA. The argument proceeds from the foreseeable institutional risk that the bill's architecture creates, not from a claim that abuse is certain. The paper develops a five-layer framework — access authority, capability architecture, data availability, oversight, remedy — to answer the Government's central defence that Part 2 of the bill creates no new access authorities. It addresses Indigenous data sovereignty under section 35 of the Constitution Act, 1982, the United Nations Declaration on the Rights of Indigenous Peoples Act, and the OCAP and CARE frameworks, including the implications of C-22 for any Indigenous-governed compute infrastructure. It sets out ten specific statutory amendments — several tracking recommendations of the Privacy Commissioner and NSIRA — that would convert the bill from an open-ended architecture into a constrained one, including a hard systemic-vulnerability prohibition, renewed Intelligence Commissioner approval for any extension of a section 7 order, timely NSIRA access, a defined limit on "publicly available information," replacement of blanket metadata retention with preservation-on-demand ("quick freeze"), and an explicit Indigenous consultation and data-governance clause grounded in section 5 of the UNDRIP Act. References to Bill C-22 in this paper are to the bill as tabled at first reading on 12 March 2026; readers should re-verify clause numbers against the current version of the bill. This paper is part of a series of Quantum Strategies policy papers on Canadian sovereignty in the cognification era; companion papers are linked in the Related Works section of this record. A forensic source appendix maps every material claim in the paper to its statutory clause, judicial authority, official submission, or historical record.
Adeel Salman (Thu,) studied this question.