Bill C-22 is Concerning for Cybersecurity and Part 2 Needs to Go Back to the Drawing Board

The federal government has introduced Bill C-22, the so-called Lawful Access Act, and if you care about your privacy, your security, or Canada's digital sovereignty, you should be paying attention. This isn't a new idea — it's a repackaged version of last year's Bill C-2, which died before it even reached committee because the backlash from the privacy community was so swift and so loud. The government has made some tweaks, but the core problems remain. And Part 2 of this bill, in particular, is not ready to become law.
See the resources used to create this blog post here:
https://www.globalencryption.org/2026/04/open-letter-on-bill-c-22-an-act-respecting-lawful-access/
https://www.eff.org/deeplinks/2026/05/canadas-bill-c-22-repackaged-version-last-years-surveillance-nightmare
We've Seen This Before — It Didn't Work Then Either
The Electronic Frontier Foundation has been tracking this closely. Last year's Bill C-2 was so bad it didn't even make it to committee because of the backlash from the privacy community. Now C-22 is back with cosmetic changes but the same dangerous architecture underneath.
The bill forces digital services (which could include telecoms, messaging apps, and more) to record and retain metadata for a full year, and expands information sharing with foreign governments, including the United States. That metadata isn't innocuous. It can reveal a lot about who you communicate with, where you go, and when you do so. Mandatory metadata retention means companies have to store more of your information than they already do, which creates bigger targets for hackers and bad actors.
The Backdoor Problem Is Not Solvable
The most alarming provision in Part 2 is the encryption backdoor mechanism. Bill C-22 provides a mechanism for the Minister of Public Safety to demand companies create a backdoor to their services to provide law enforcement access to data, as long as these mandates don't introduce a "systemic vulnerability." These widespread surveillance backdoors would likely facilitate even more data breaches than we see already. The bill also bans companies from even revealing the existence of these orders publicly.
The government's position is that it's possible to build law enforcement access into encrypted systems without introducing systemic risk. That is simply not true. Surveillance of encrypted communications is fundamentally a systemic vulnerability. There is no version of a backdoor that only the right people can walk through. Once it exists, it can be found and exploited — by foreign governments, by criminal organizations, by anyone with the technical capability and the motivation.
We have proof of this. In 2024, the Salt Typhoon hack took advantage of a system built by Internet Service Providers to give law enforcement access to user data. When you build these systems, hackers will come.
The Definitions Are Too Broad — Deliberately So
The definitions of both "systemic vulnerabilities" and "encryption" are not clear enough in C-22, leaving wiggle room for the government to demand that companies circumvent encryption. The overbroad definitions in the bill can include apps as well as operating systems.
This vagueness is not an accident — it's a feature. Broad definitions give the government maximum flexibility to apply these powers however it sees fit, with minimal legal friction. For Canadian businesses operating digital services, this is a liability with no clear boundary. For everyday Canadians, it means the tools you rely on for private communication could be silently compromised without your knowledge.
The Right Stakeholders Were Not Consulted
Major companies are already raising alarms. Both Meta and Apple are concerned that C-22 would give the Canadian government powers similar to those the UK demanded of Apple last year, and both companies have come out against the bill. The U.S. House Judiciary and Foreign Affairs committees also sent a joint letter to Canada's Minister of Public Safety highlighting the concern around backdoors into encrypted systems.
But where is Signal in this conversation? Where is NordVPN, ProtonMail, or any of the privacy-first companies whose entire business model depends on not being able to hand over user data? These are the organizations that understand encryption at a technical level — not as a policy abstraction, but as an engineering reality. Their absence from meaningful consultation is a serious gap in how this legislation was drafted.
What Needs to Happen
Part 2 of Bill C-22 should not pass in its current form. It needs to go back to the drafting table with genuine consultation from technical experts and privacy-focused stakeholders — the ones who actually understand what they're being asked to break. Encryption protects banking, healthcare, legal communication, journalism, and the daily private lives of millions of Canadians. Legislation that treats it as a policy obstacle rather than a fundamental security tool is dangerous.
If you want to do something about it, write to your MP. Tell them you've read the bill. Tell them Part 2 is not ready. Tell them to demand better consultation before this moves forward.
The Canadian Civil Liberties Association has also published a coalition letter to MPs calling for these provisions to be scrapped, and OpenMedia has a plain-language breakdown worth reading. The EFF's full analysis is also worth your time.

