The Bill in Brief
On June 18, 2026, Canada's House of Commons passed Bill C-22—the Lawful Access Act, 2026—at third reading and referred it to the Senate for consideration in the fall. The bill has a troubled genesis: its predecessor, Bill C-2, introduced in 2025, collapsed before reaching committee after sustained industry backlash. C-22 is a repackaged version, carrying many of the same provisions, pushed through on a compressed parliamentary timeline that prevented independent debate on its most contested elements.
What the Bill Actually Does
Proponents of lawful access legislation have a genuine case. Child exploitation investigations, terrorism financing probes, and organised crime prosecutions increasingly run through encrypted platforms that leave law enforcement with valid court orders and nothing to execute them against. Canada's security agencies, along with Five Eyes partners, have raised the "going dark" problem for years. Bill C-22's Part 1—which even Meta has said it supports—creates an updated framework for production orders and subscriber data disclosure under judicial oversight. That part of the bill is relatively uncontroversial.
Part 2 is not.
Part 2 authorises Canada's Minister of Public Safety to compel any electronic service provider to build "operational and technical capabilities" for extracting and organising communications on behalf of law enforcement. The bill stipulates that providers cannot be required to introduce a "systemic vulnerability"—but Apple, Google, Signal, and Meta all argue the language is circular: any mechanism for exceptional government access is, by definition, a systemic vulnerability. There is no independent appeals process for companies that object. And the bill prohibits disclosure, meaning Canadians will not know which services have been ordered to alter their security architecture.
Part 2 also originally mandated that digital service providers retain metadata—call records, message timestamps, IP addresses, location data—for a full year. After pressure, Parliament amended this to six months before the final vote. The concession is meaningful but limited: six months of comprehensive metadata is still a surveillance database, and the bill mandates its creation by essentially any provider operating in Canada.
Rushed, With No Real Debate
The legislative process deserves as much scrutiny as the substance. The Liberal government employed what Conservative shadow minister for public safety Frank Caputo described as "the most aggressive programming motion" he had witnessed in his parliamentary tenure. The national security committee was forced to complete clause-by-clause review in a session that stretched from Wednesday evening into early Thursday morning. Opposition amendments were blocked. Part 2's encryption provisions—the most technically contested elements—were prevented from being independently debated on the House floor. Caputo was direct: "A court will consider the words that we pass on paper here someday... and we are expected to pass those words without debate."
The Electronic Frontier Foundation observed that Canada moved forward "with no serious debate, including on proposed amendments." This is not an abstract procedural objection: vague statutory language about technical capabilities gets interpreted by regulators and courts, often in ways that exceed legislative intent. The vaguer the encryption provisions, the broader the authority effectively handed to the Minister.
The Companies Are Not Bluffing
Signal's vice president for strategy and global affairs, Udbhav Tiwari, told the House of Commons public safety committee: "In its current form, Bill C-22 would convert the everyday tools Canadians rely on into a sprawling, insecure surveillance apparatus." He added Signal's position plainly: "If we are ever forced to choose between betraying the people who rely on us and leaving a market, we will leave."
At least five other services have issued comparable warnings. NordVPN has warned it may limit or remove its Canadian presence. Windscribe, a Canadian-based VPN company, has said it will relocate its headquarters. DuckDuckGo confirmed it would remove its VPN service from Canada. Tailscale, a Toronto-founded networking company, is restructuring to exclude Canadian infrastructure. Apple and Google have raised formal concerns about the bill's encryption implications.
Meta, in a published position paper, was precise: "It is not possible to build backdoors to encrypted systems for law enforcement without creating vulnerabilities that will be exploited by malicious actors." The company supports Part 1 and opposes Part 2 on specifically this basis.
University of Ottawa law professor Michael Geist has noted that Canada ran this same playbook with the Online News Act. Officials dismissed Meta and Google's warnings that they would pull Canadian news content as bluffing. Meta blocked Canadian news in August 2023 and has not reversed course. The same pattern—government officials insisting companies "misunderstand" legislation, companies warning of market exits, officials refusing to engage with technical objections—is now repeating.
A Bilateral Security Problem
What distinguishes Bill C-22 from ordinary tech regulation is a cross-border dimension. On May 8, 2026, two committees of the U.S. House of Representatives—the Judiciary Committee and the Foreign Affairs Committee—sent a joint letter to the Canadian government warning that the bill could "weaken both countries' collective defences against hackers" and create "significant cross-border risks" to American security and privacy. The letter specifically flagged the risk that compelling U.S. companies to build backdoors would create exploitable vulnerabilities for state adversaries.
Allied governments raising national security objections about a partner's domestic surveillance bill is a meaningful escalation. It signals that the risks here extend beyond Canadian privacy into the collective security of the Five Eyes alliance.
What the Senate Should Do
Bill C-22 will sit in the Senate until Parliament reconvenes in September 2026. That gap is an opportunity the House was denied: genuine clause-by-clause scrutiny, expert testimony from affected companies and security researchers, and targeted amendments to Part 2 before Royal Assent.
Canada's legitimate need for updated lawful access tools is real—Part 1 broadly meets it. Part 2, as currently drafted, achieves the opposite of its stated security goal: it drives privacy-preserving services out of the Canadian market, concentrates communication on platforms with weaker security commitments, and creates a government-mandated attack surface that hostile states will target. Proportionate regulation means recognising that there is no such thing as a backdoor only the right people can walk through.