The strongest case for Canada's Bill C-22 is not hard to make. Law enforcement agencies across the Five Eyes face a genuine operational problem: encrypted communications have become routine infrastructure for child exploitation networks, ransomware operations, and terrorism financing. Investigators obtain warrants and production orders only to find data they cannot read and service providers who cannot produce what courts have authorised. The gap between legal authority and technical capability is real, and the public safety cost is not hypothetical.
The problem with Bill C-22 is not that it addresses this problem. It is that the architecture Ottawa chose creates vulnerabilities at scale without meaningfully closing the investigative gap it is designed to fill.
What the Bill Actually Does
Introduced on March 12, 2026 and passed by the House of Commons on June 18, Bill C-22 — the Lawful Access Act, 2026 — is now at Senate first reading. The legislation has two operative parts. Part 1 reforms subscriber-information demands, narrowing them to telecom providers and requiring judicial production orders for most subscriber data. This is a genuine improvement over earlier proposals that drew criticism for broad warrantless demand powers.
Part 2 is where the structural problems live. It compels "core providers" — a term left to future regulations — to retain metadata for up to one year: transmission data, location information, and contact records. Content is excluded, but that exclusion matters less than it appears. The Supreme Court of Canada held in R. v. Spencer (2014) that metadata trails attract reasonable expectations of privacy, and reinforced that reasoning in R. v. Bykovets (2024). A standing one-year database of communications metadata for every Canadian, held without any requirement for individualised suspicion, is not an investigative tool calibrated to specific threats. It is a surveillance infrastructure that will exist whether or not any specific crime is ever investigated.
Part 2 also authorises ministerial technical-capability orders — demands that "core providers" build and maintain interception infrastructure. Sections 5(5) and 7(5) include a carve-out when compliance would create "systemic vulnerabilities," which the government has cited as evidence the bill will not require encryption backdoors. But Sections 12 and 13 state that compliance obligations "prevail over inconsistent regulations," with no equivalent carve-out. University of Ottawa law professor Michael Geist identified this contradiction in May 2026: the bill simultaneously disclaims backdoor requirements and creates an enforcement mechanism capable of overriding that disclaimer when orders are issued.
The Industry Response
The reaction from the technology sector has been unusually broad. Signal said it would exit Canada rather than comply; DuckDuckGo said it would remove its VPN service; NordVPN, Windscribe, and Tailscale — two of the latter headquartered in Toronto — all warned of market exits or operational restructuring. Apple and Google both raised serious concerns about being compelled to weaken encryption.
When encrypted service providers say they would rather exit a market than comply with a law, they are making a technical claim, not a political one. End-to-end encryption works because the service provider genuinely cannot produce decrypted content — including under government orders. A law that requires providers to be capable of compliance is, by definition, a law that requires them to no longer offer genuine end-to-end encryption. No amendment can change that arithmetic.
The chairs of the U.S. House Judiciary and Foreign Affairs Committees wrote to Public Safety Minister Gary Anandasangaree in May 2026, warning that Bill C-22 threatens U.S. national security and the integrity of cross-border data flows. The bill's own designated oversight body, the National Security and Intelligence Review Agency, told the parliamentary committee studying the bill that it does not have the access it needs for effective oversight — a remarkable admission about a law built around surveillance powers.
The Legal Precedent
The European Union has already litigated this architecture. The Court of Justice of the EU struck down blanket metadata retention regimes in Digital Rights Ireland (2014) and Tele2 Sverige (2016), holding that indiscriminate retention of all users' communications metadata, without individualised suspicion, violated fundamental rights to privacy and data protection. Canada is not bound by CJEU authority, but the Charter analysis runs on parallel rails: Spencer and Bykovets both directly implicate section 8 of the Canadian Charter's protection against unreasonable search and seizure. The government's own Charter Statement for Bill C-22 says nothing about the metadata retention provisions — a conspicuous gap that legal observers have noted suggests Ottawa lacks a credible answer to those cases.
The government has promised amendments to clarify that the bill does not require encryption compromise, while simultaneously confirming the one-year retention period will not be shortened. That combination suggests the amendments address political pressure rather than the underlying structural contradiction in Sections 12 and 13.
What Proportionate Regulation Would Look Like
The investigative gap Bill C-22 identifies is real, but the instrument is disproportionate to the problem. Several EU member states, after the CJEU rulings invalidated their blanket retention regimes, moved to targeted preservation orders — judicially supervised demands to retain specific data sets for specific suspects under active investigation. This provides investigators the targeted access they need without building a national metadata warehouse that represents a high-value target for foreign intelligence operations.
Canada already has production orders, wiretap authorisations, and data preservation demands under the Criminal Code. The case that none of these tools are sufficient has not been made with evidence before Parliament. What has been demonstrated, repeatedly and across multiple jurisdictions, is that blanket retention mandates create security vulnerabilities without closing the investigative gap they target — because encryption keys remain with users, not with providers.
If Signal exits Canada, the Canadians most at risk from surveillance — journalists, lawyers, dissidents, abuse survivors — lose access to one of the most reliable privacy tools available. That outcome weakens Canadian civil society and national security more than any investigative inconvenience the bill addresses. The Senate has time to fix this. The question is whether it will.