What the Bill Actually Does
Bill C-22, the Lawful Access Act, has three distinct parts. Part 1 narrows the scope of warrantless subscriber data demands — a genuine improvement over the predecessor Bill C-2, which Ottawa withdrew in early 2026 after a privacy backlash. Part 2, formally called the Supporting Authorized Access to Information Act (SAAIA), is where the controversy concentrates. It mandates that all electronic service providers — telecoms, messaging apps, cloud platforms — retain six months of metadata and build "technical capability" to intercept communications when served a government order. Part 3 requires a parliamentary review three years after enactment.
The metadata mandate covers records of who communicated with whom, when, from where, and using which application. As Citizen Lab researchers Cynthia Khoo, Kate Robertson, and Tamir Israel noted in their June 2026 analysis, this data "creates sensitive inferences about political views and religious beliefs" without ever reading the content of a single message. The three-year retention period police chiefs originally requested was amended down to six months in committee — but the principle that mass data collection on an entire population is acceptable remains intact.
The Backdoor Provision
The technical capability mandate is the provision most likely to reshape Canada's digital infrastructure. The Public Safety minister can order any electronic service provider to build intercept infrastructure, and both the order and the company's compliance are subject to mandatory secrecy. Firms cannot publicly disclose that an order was served. Signal, which stores only phone numbers, registration dates, and last login timestamps, announced through VP of Strategy Udbhav Tiwari in May 2026 that it would "rather pull out of the country" than compromise its privacy architecture. Windscribe, a Toronto-based VPN, threatened to relocate its headquarters. Apple has signaled it might remove Advanced Data Protection from Canadian users — the same step it took in the United Kingdom in early 2025 after similar government pressure.
The government's case deserves a fair hearing before it is dismantled. Child exploitation investigations, terrorism cases, and organized crime operations often turn on metadata trails. Law enforcement agencies across the Five Eyes have consistently testified that "going dark" — the growing inaccessibility of communications content to lawfully authorized investigators — creates genuine investigative gaps. Metadata retention regimes exist across France, Germany, and Australia. The public safety argument is not frivolous.
Why the Security Math Runs the Other Way
The problem is that the history of mandated wiretap infrastructure reveals a consistent failure pattern: the backdoor cannot be made available only to the right parties. The 2024 Salt Typhoon intrusion — described in the Citizen Lab's analysis as "one of US history's most severe national security compromises" — exploited the lawful intercept infrastructure US carriers built under CALEA, the 1994 Communications Assistance for Law Enforcement Act. NSA testing cited in the same analysis found that every single CALEA-compliant switch examined contained a security vulnerability. The adversaries who benefit from weakened encrypted communications are not only police detectives.
The US Congress noticed. On May 8, 2026, the chairs of the House Judiciary Committee and the Foreign Affairs Committee sent a joint letter warning that Bill C-22 could "weaken both countries' collective defences against hackers" and create "significant cross-border risks" to American security and privacy. That two senior American legislators took the unusual step of writing to a foreign parliament about a domestic bill reflects how far the security implications travel beyond the Canadian border.
A Process Problem Compounds the Substance Problem
Canada's Privacy Commissioner Philippe Dufresne, testifying on May 26, 2026, was measured in his criticism. He acknowledged improvements over Bill C-2 but recommended that the definition of "systemic vulnerability" be narrowed to explicitly cover "any action that would render systemic methods of authentication or encryption less effective" — mirroring language Australia had used to hedge its own Assistance and Access Act. He also called for a proportionality standard for all SAAIA obligations.
The comparison to Australia is instructive. When Australia passed its equivalent law in 2018, the bill underwent 173 amendments through an extensive parliamentary process. Bill C-22's SAAIA provisions received approximately three weeks of committee study across five meetings before the government invoked time allocation on June 18 to end House debate. That is not proportionate scrutiny for legislation that affects every digital communication in the country.
The Senate Window
The Senate takes up Bill C-22 on September 21, 2026. Canadian Senate committees have historically produced substantive amendments on complex legislation — the Senate's work on Bill C-11 is a recent precedent. The Senate should focus on three specific changes: first, require that ministerial orders cannot mandate the introduction of vulnerabilities into existing security architecture; second, establish independent judicial oversight for SAAIA capability demands rather than unchecked ministerial discretion; third, place a sunset clause on the metadata retention regime pending a mandatory security impact review.
The goal of lawful access is legitimate. The question is whether the mechanism Parliament has chosen achieves it at acceptable cost. A six-month metadata database on 40 million Canadians, governed by secret ministerial orders, is not the narrowest available instrument. The Senate has one reading window before this becomes law.