Tucked into Part 2, a clause authorizes the government to require providers to retain broad categories of metadata — including transmission data — for up to one year. On everyone, regardless of suspicion. Even data providers don't currently collect for their own business purposes.
New in C-22. This retention provision was added in C-22 — it wasn't in the predecessor Bill C-2. So C-22 isn't just a carve-out of C-2's lawful access content; on metadata, it's an expansion. (Geist, March 2026.)
Michael Geist calls blanket metadata retention "one of the most privacy-invasive tools a government can deploy" — the patterns it captures (who you called, when, from where, with what device) are often more revealing than what was said. The EU struck down equivalent rules in 2014 as disproportionate.
SAAIA s. 5(2)(d) — authority for the Governor in Council to make retention regulations covering "categories of metadata — including transmission data, as defined in section 487.011 of the Criminal Code — for reasonable periods of time not exceeding one year."
- PoliticalDemand SAAIA s. 5(2)(d)'s one-year retention authority be struck or sharply scoped at committee. Cite the 2014 EU Data Retention Directive ruling as precedent.
- PersonalUse messengers that minimize metadata (Signal logs almost nothing). Turn on disappearing messages.
- CulturalMake the metadata-vs-content distinction visible — "we don't read your messages" doesn't mean "we don't know who you talk to."