On June 8, 2026, the House of Commons Public Safety committee resumed clause-by-clause review of Bill C-22, the Lawful Access Act, 2026. Fresh submissions from Apple and the Canadian American Business Council warned that the bill weakens encryption, mandates up to a year of metadata retention, and lets the Public Safety Minister order messaging apps, cloud services, and social platforms to build access capabilities. Signal says it would leave Canada rather than comply; Toronto-based Windscribe says it would move its headquarters and "take our taxes elsewhere."
What the bill actually says
It is worth reading the text rather than the press releases. Part 2 of Bill C-22 enacts the Supporting Authorized Access to Information Act, which empowers the Governor in Council to require "core providers" to develop "operational and technical capabilities" and to retain metadata for "reasonable periods of time not exceeding one year" (Parliament of Canada, first reading). The Act explicitly bars regulations forcing retention of message content, web-browsing history, or social-media activity. It also contains an exemption: providers need not comply where doing so would "introduce a systemic vulnerability" or prevent fixing one.
That exemption is the government's whole defence. Public Safety Minister Gary Anandasangaree calls the bill "encryption-neutral" and has "categorically rejected" Apple's backdoor claims, accusing companies of misinterpreting the text (Michael Geist).
The case for the bill is real
The steelman deserves a fair hearing. Police and CSIS investigating child exploitation, terrorism financing, or transnational fraud routinely hit a wall: a lawful warrant that a provider is technically unable to execute because the relevant data was never retained or was encrypted end-to-end. "Going dark" is not a fiction invented to justify surveillance; it is a genuine operational gap, and a year of metadata can be the difference between mapping a criminal network and losing the thread. Canada also has Mutual Legal Assistance obligations, and a warrant that cannot be served is a hollow authority. A democracy is entitled to insist that lawful court orders can actually be carried out.
Where proportionality breaks down
The problem is not the goal but the architecture. A capability mandate is not encryption-neutral simply because the statute avoids the word "backdoor." If the state can compel a provider to make plaintext available on order, the provider must design its system so that someone other than the user can decrypt — which is the definition of a backdoor, whatever the drafting says. There is no cryptographic construction that opens only for Canadian law enforcement and stays shut for everyone else. The "systemic vulnerability" carve-out is doing enormous work, yet the bill leaves the term to be litigated case by case rather than settled in statute.
Canada's own Privacy Commissioner, Philippe Dufresne, made this concrete. Appearing before the committee on May 26, 2026, he allowed that C-22 improves on its withdrawn predecessor, Bill C-2, but asked Parliament to amend the systemic-vulnerability definition to cover "any action that would render systemic methods of authentication or encryption less effective," to narrow compelled "subscriber information" to a closed list — name, address, phone number, IP — and to add an "overarching requirement" that any obligation be "necessary and proportionate" (Office of the Privacy Commissioner). These are not abolitionist demands. They are the guardrails a proportionate regime would already contain — and the government has so far declined to write them in.
The exit threat is not a bluff
Officials are treating the industry warnings as negotiating theatre. That is the most expensive assumption available. Signal, DuckDuckGo, NordVPN and Windscribe have all said they will limit or end Canadian operations rather than re-engineer their security (Global News). Signal VP Udbhav Tiwari put it plainly: "If we are ever forced to choose between betraying the people who rely on us and leaving a market, we will leave."
Canada has watched this film before. When the Online News Act passed in 2023, ministers insisted Meta and Google were bluffing about blocking news — and Meta then removed news from Facebook and Instagram, where it remains absent years later. The same dynamic threatens to repeat: a law meant to bring platforms to heel instead drives them out, leaving Canadians with fewer secure tools and the government with no leverage. The U.S. House Judiciary and Foreign Affairs committees have separately warned that compelling American firms to weaken encryption would create cross-border cybersecurity risk — a reminder that the costs do not stop at the border.
A narrower path exists
None of this requires abandoning lawful access. It requires writing the bill to do what its sponsors say it does. Put the proportionality test in the statute, not the regulations. Define systemic vulnerability to expressly protect end-to-end encryption. Cap retention at what investigations demonstrably need rather than a flat twelve months for everyone. And restore the Privacy Commissioner to the clause-by-clause process — from which Liberal members of the committee have moved to exclude him even as they debate amendments drawn from his own recommendations (EFF). A lawful-access regime that the country's privacy regulator and its security industry can both live with is achievable. The current draft is not it.