On May 11, 2026, the Electronic Frontier Foundation published an analysis of Canada's Bill C-22, the Lawful Access Act, 2026, and reached a blunt conclusion: it is a repackaged version of legislation Parliament could not stomach a year ago. The verdict matters, because the government is presenting C-22 as a careful, narrowed response to civil-liberties concerns. On the provision that worries technologists most — a power to compel companies to engineer law-enforcement access into their systems — the rewrite changed very little.
A rejected bill, lightly repainted
The lineage is not in dispute. In June 2025 the government tabled Bill C-2, the Strong Borders Act, whose lawful-access parts drew such sustained opposition from privacy advocates and opposition MPs that the bill never cleared committee. Rather than abandon the idea, the government split it: border and immigration measures became Bill C-12, while the surveillance powers were lifted out and reintroduced as Bill C-22. According to Parliament's LEGISinfo record, C-22 received first reading on March 12, 2026, is sponsored by Minister of Public Safety Gary Anandasangaree, and was referred to the House Standing Committee on Public Safety and National Security, which heard testimony in early May.
What the bill actually requires
C-22 has two operative parts. Part 1 modernizes existing data-production and tracking powers under the Criminal Code. Part 2 is the substantive shift: it enacts the Supporting Authorized Access to Information Act, which obliges "electronic service providers" — telecoms, internet companies, and messaging apps alike — to build and maintain the technical capability to assist authorized access requests.
Three elements of Part 2 are doing the heavy lifting. First, regulations may require providers to retain certain metadata for up to a year; per the Canadian Chamber of Commerce's reading, that covers data such as which numbers contacted each other and location information, though not message content, browsing history, or social-media activity. Second, the Minister may direct a company to provide access so long as the order does not introduce a "systemic vulnerability" — a term the bill does not clearly define. Third, the EFF notes the bill bars companies from disclosing that such orders exist and expands information-sharing with foreign governments, including the United States.
The strongest case for it
The case for lawful access is not frivolous, and it deserves to be stated plainly. Police and intelligence agencies argue that evidence in serious investigations — child sexual abuse material, terrorism financing, organized crime — increasingly sits behind encryption or vanishes before a warrant can reach it, and that providers' inconsistent retention practices leave real gaps. That argument has institutional weight in Ottawa: as Michael Geist reported, a police chief told the committee that three years of metadata retention would be "ideal," well beyond what C-22 itself proposes. A warrant-backed framework that lets authorities obtain records they are lawfully entitled to is a legitimate aim, not a pretext.
Where proportionality breaks
The problem is the means, not the goal. The "systemic vulnerability" carve-out is meant to be the safeguard that keeps encryption intact — but it rests on a premise the engineering community rejects. In testimony filed May 7, 2026, Meta restated the consensus: "it is not possible to build backdoors to encrypted systems for law enforcement without creating vulnerabilities that will be exploited by malicious actors." If access for the state is itself a systemic vulnerability, a clause that prohibits systemic vulnerabilities cannot coherently also authorize that access. The safeguard collapses into the harm it claims to prevent.
The companies most exposed have said as much. Signal's vice-president Udbhav Tiwari said the app would "rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users." Apple warned the bill could force firms to break encryption by inserting backdoors — "something Apple will never do." The objection is not merely commercial. On May 8, 2026, the chairs of the U.S. House Judiciary and Foreign Affairs Committees wrote that end-to-end encryption providers "will inevitably face directives to create backdoors," warning the bill could weaken both countries' collective defences against hackers — an unusual cross-border intervention on a domestic bill.
Economic self-interest points the same way as the security analysis. The Canadian Chamber of Commerce, which represents some 200,000 businesses including Rogers, Telus, Microsoft, Apple, and Google, warned that "no comparable jurisdiction in the Western world has adopted lawful access provisions of this breadth," noting that even the U.S. CALEA wiretap regime deliberately excluded information systems. A regime that drives privacy-focused providers out and signals to investors that Canadian-held data is uniquely exposed is a poor trade for marginal investigative gains.
The accountability gap
Two features compound the risk. The non-disclosure rule means a capability mandate or access order can be litigated, if at all, only in the dark — the public cannot know what was demanded. And expanded sharing with foreign governments routes Canadians' metadata into oversight regimes Parliament does not control. Anandasangaree has called the bill "encryption-neutral" and accused critics of misreading it. That is precisely the posture the government took before the Online News Act, when it insisted platforms were bluffing — and then Meta blocked news links across Canada.
A proportionate bill is achievable. Targeted, warrant-based production orders with judicial authorization, hard retention limits, and mandatory transparency reporting would serve every legitimate investigative aim C-22 invokes — without conscripting providers into mass metadata retention or asking them to weaken encryption that protects every Canadian, including the police. The committee should narrow Part 2 to that, or strike it.