On June 18, 2026, the House of Commons passed Bill C-22, the Lawful Access Act, at third reading and sent it to the Senate (LEGISinfo). The bill does three consequential things at once: it lets the government order providers to retain connection metadata for up to a year, it expands data-sharing with foreign governments including the United States, and it empowers the Minister of Public Safety to compel companies to build the technical capability to hand over intercepted communications — what critics call a decryption backdoor. Within days, Signal reaffirmed it would leave Canada rather than comply, and Toronto-based VPN firm Windscribe said the regime would force it to relocate its home jurisdiction.
The case Ottawa is making
The strongest version of the government's argument deserves to be stated plainly. End-to-end encryption is now the default across messaging, and law enforcement genuinely does lose access to evidence it could once obtain with a warrant — the "going dark" problem is real, not invented. Serious investigations into child exploitation, organized crime, and terrorism increasingly stall at an encrypted device or channel. Public Safety Minister Gary Anandasangaree has framed C-22 as restoring a lawful-access capability that the analog-era wiretap regime took for granted, and the bill does contain safeguards its predecessor lacked. The Office of the Privacy Commissioner, which appeared before the Standing Committee on May 26, 2026, acknowledged that C-22 improves on the earlier Bill C-2 — adding a more narrowly tailored confirmation-of-service demand, requiring privacy and cybersecurity impacts to be weighed in orders, and giving the Intelligence Commissioner an oversight role over ministerial directives (OPC submission).
Why the design defeats the safeguards
The problem is that C-22's central safeguard is self-cancelling. The bill exempts compliance that would introduce a "systemic vulnerability," but it never adequately defines the term — and as the Electronic Frontier Foundation noted in its May 11 analysis, "surveillance of encrypted communications is fundamentally a systemic vulnerability" (EFF). You cannot give one party covert access to an end-to-end encrypted channel without weakening the cryptographic guarantee for everyone. There is no "good-guys-only" backdoor; there is only a vulnerability the government promises to use responsibly.
The statutory structure makes the contradiction concrete. As law professor Michael Geist documented, while Sections 5(5) and 7(5) nominally exempt actions that create systemic vulnerabilities, Sections 12 and 13 unconditionally require compliance with orders and provide that orders prevail over inconsistent regulations (Michael Geist). A safeguard that the operative compliance clauses can override is not a safeguard. Geist also flags that the threshold for compelling subscriber information drops to "reasonable grounds to suspect" — the lowest investigative standard in Canadian criminal law — and that the orders themselves are wrapped in secrecy provisions barring companies from disclosing they exist.
The market is already voting
The predictable result is exit, not compliance. At committee, Signal's VP of strategy and global affairs Udbhav Tiwari testified that the company "will not build surveillance into our service," warning the bill could force Signal to "silently create hidden accounts and slip them into private group conversations." His conclusion: Part Two is "incompatible with the fundamental human right to privacy" and should be scrapped entirely (Globe and Mail). Windscribe — which says it has more than 100 million registered users — reached the same conclusion from the metadata side. CEO Yegor Sak said retention requirements make it "impossible" to keep the firm's no-logs promise and "basically forces us to leave Canada as our home jurisdiction" (Globe and Mail).
This is the proportionality failure at the heart of C-22. The government has not published an estimate of how many serious investigations would actually be unblocked by a decryption mandate, nor weighed that against the security cost of mandated vulnerabilities and the economic cost of driving privacy-infrastructure firms offshore. A determined criminal can switch to a non-Canadian app in minutes; the law-abiding majority cannot opt out of weaker encryption baked into their providers. The likeliest outcome is that C-22 degrades security for ordinary Canadians and Canadian businesses while sophisticated targets route around it — the worst of both ledgers.
A proportionate path exists
None of this requires choosing between police effectiveness and strong encryption. The proportionate tools are well understood: targeted, judicially authorized access to data that already exists in plaintext; lawful device-level forensics under warrant; better-resourced metadata requests with prior judicial authorization rather than bulk retention; and mutual legal-assistance channels for cross-border evidence that come with accountability rather than blanket foreign data-sharing. Tiwari's own three conditions — prior judicial authorization, independent technical scrutiny, and a hard bar on degrading encryption or compelling metadata collection — are a reasonable floor, not maximalism.
The Senate now has the chance C-22's House sponsors declined to take: to define "systemic vulnerability" so that the safeguard binds, strip the override in Sections 12 and 13, restore the "reasonable grounds to believe" threshold, and remove the decryption-capability mandate altogether. A lawful-access regime that keeps Signal and Windscribe in Canada — and keeps Canadians' encryption intact — is achievable. The one the Commons just passed is not it.