On June 18, 2026, Canada's House of Commons passed Bill C-22, the Lawful Access Act, after the Liberal government used a procedural programming motion to force clause-by-clause committee review through the night — preventing MPs from submitting new amendments and shutting down substantive floor debate. The bill had its third reading the following morning, moved immediately to the Senate, and will not return until the fall sitting. Conservative shadow minister Frank Caputo described the manoeuvre as "the most aggressive programming motion" he had witnessed, warning: "A court will consider the words that we pass on paper here someday… we are expected to pass those words without debate." Five tech companies have since threatened to exit the Canadian market rather than comply.
The Legitimate Case for Modernization
The government's argument for Bill C-22 deserves its full weight before being contested. Canada's existing lawful access framework was designed for telephone networks; it is functionally obsolete for investigating encrypted communications. Law enforcement agencies have documented cases where child exploitation investigations stalled at the encryption wall of a messaging platform. The government's position — that modernizing these tools is a matter of public safety, not surveillance expansion — is reasonable as a policy goal. The bill also includes a nominal safeguard: a prohibition on requirements that create "systemic vulnerabilities" in providers' systems.
The problem is not what the bill says it wants to do. The problem is the mechanism it uses to do it.
What Part 2 Actually Does
Part 2 of the bill — the Supporting Authorized Access to Information Act (SAAIA) — empowers the Minister of Public Safety to issue orders to any "electronic service provider" (a definition broad enough to cover messaging apps, VPN providers, and cloud services) requiring them to develop and maintain "technical capabilities" enabling law enforcement and CSIS to access information. These orders carry sweeping secrecy provisions: providers are barred from disclosing the existence of an order, its contents, or the representations they made in response to it. The duration is set by the Minister.
Oversight runs through the Intelligence Commissioner, not the Privacy Commissioner. Canada's Privacy Commissioner Philippe Dufresne appeared before Parliament in May 2026 and submitted five concrete amendments — including one that would explicitly allow providers to disclose information to his office for oversight purposes. The recommendation was necessary precisely because the bill, as written, excludes his office entirely.
The Citizen Lab at the University of Toronto examined the bill in detail and concluded that Part 2 is "almost certainly unconstitutional." Their central finding: Sections 12–13 unconditionally require compliance with ministerial orders, potentially overriding the bill's own systemic-vulnerability safeguard. A provision that promises not to break encryption while mandating the capability to do so is not a safeguard — it is a contradiction. Fourteen civil liberties organizations and fifteen of Canada's leading privacy academics reached the same conclusion, submitting a joint letter calling for the bill's full withdrawal.
Exit Threats Are Not Bluffs
Signal's VP of Strategy was precise: "End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it." The company stated it "would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users." Apple's statement to Parliament was equally unambiguous: "This Bill allows the Government of Canada to force companies to break encryption by inserting backdoors into their products."
These are not rhetorical postures. The precedent is immediate: Apple withdrew its Advanced Data Protection feature from the United Kingdom in early 2025 after the British government issued a technical capability notice under the Investigatory Powers Act. Canada has now enacted the same conditions.
At least four additional providers have made comparable signals: NordVPN warned it would "consider all viable options, including limiting or removing our presence from Canadian jurisdiction"; Windscribe, a Canadian VPN provider, said it would relocate its headquarters; DuckDuckGo indicated it would remove its VPN service; Tailscale's CEO suggested the company's profits would "flow elsewhere." The users who would bear the consequence are not criminals — they are journalists, lawyers, activists, domestic abuse survivors, and ordinary Canadians who depend on end-to-end encryption for genuine operational security.
The Cybersecurity Trap
Surveillance capability mandates have a documented history of creating the vulnerabilities they claim to address. The Citizen Lab analysis cited NSA testing of CALEA-compliant equipment — the U.S. lawful access standard from 1994 — in which every switch tested harboured a security flaw. The 2024 Salt Typhoon breach, in which Chinese state-sponsored actors penetrated U.S. telecom lawful intercept infrastructure, illustrated the same dynamic at national-security scale: surveillance backdoors are high-value targets that foreign intelligence services will exploit. The government's "systemic vulnerability" safeguard does not answer this risk when the bill's own drafting contradicts it.
Bill C-22's committee review ran for three weeks. Australia's comparable surveillance legislation underwent 173 amendments in committee. That disproportion matters when the legislation has constitutional implications, binding treaty connections to the U.S. CLOUD Act, and cybersecurity consequences that technical witnesses were not given adequate time to fully present.
What the Senate Must Do
Bill C-22 now sits in the Senate with no set second-reading date. The Privacy Commissioner's amendments are specific and actionable: narrow the definition of subscriber information, add a proportionality requirement, clarify that publicly available information does not automatically forfeit Charter protection, and bring Privacy Commissioner oversight to ministerial orders. Citizen Lab has proposed the more surgical alternative of withdrawing Part 2 entirely.
Canada's law enforcement agencies have a legitimate need for modernized lawful access tools — a need this publication does not dismiss. That need is better served by legislation that will survive constitutional challenge, maintain the confidence of the service providers Canadians rely on daily, and avoid replicating the cybersecurity architecture that made the Salt Typhoon breach possible. The Senate has the time, the mandate, and a ready set of amendments. The real question is whether it will use them.