Canada's Bill C-22 Demands Encryption Backdoors Without Systemic Vulnerability — Cryptographers Say That's Impossible

Canada's Lawful Access Bill compels tech companies to break encryption under a safety standard experts unanimously call technically incoherent.

[Infographic (People of Internet Research, peopleofinternet.com): Metadata Retention Max, 1 year; Tech Providers May Exit, 3+; US House Committees Warning, 2; Bill to Vote Timeline, ~3 months.]

Canada's government has a genuine problem. Law enforcement and CSIS face a mounting 'going dark' dilemma: as communications migrate to end-to-end encrypted platforms, lawful intercept warrants become unenforceable. A court order served on Signal or WhatsApp yields nothing that the provider cannot itself read. The gap between legal authority and technical reach is real, documented, and worth addressing. Public Safety Minister Gary Anandasangaree is not inventing a crisis.

The question is whether Bill C-22 — the Lawful Access Act, 2026 — is a proportionate answer. The evidence so far says no.

What Part 2 Actually Does

Introduced on March 12, 2026, Bill C-22 has three parts. Part 1 modernises Criminal Code evidence-gathering procedures — the least controversial section. Part 3 requires a parliamentary review after the bill is in force. Part 2 is where the structural problem lives.

Part 2 establishes the Supporting Authorized Access to Information Act (SAAIA), which grants the Minister of Public Safety authority to issue secret orders compelling designated electronic service providers to 'facilitate lawful access.' In plain terms: companies can be ordered to build backdoor access into encrypted services. Recipients are barred from publicly disclosing those orders. Separately, Part 2's regulations may require core providers to retain user metadata — call records, IP logs, messaging timestamps — for up to one year, without any requirement that the retained data be tied to a suspected crime. The government pushed to pass the entire bill before June 19, 2026, with Part 2 blocked from independent committee debate.

The Citizen Lab, co-authoring a June 2, 2026 submission with the Canadian Civil Liberties Association, described Part 2 as offering 'the government maximum flexibility, minimal restrictions, and minimal judicial scrutiny' — calling that combination 'unacceptable.' Their core recommendation was not amendment but full withdrawal of Part 2. The mandatory metadata retention requirement was singled out as 'almost certainly constitutionally fatal' under the Canadian Charter, because it mandates indiscriminate collection with no nexus to criminal activity.

The Impossible Standard

The bill includes a nominal guardrail: backdoor orders cannot introduce 'systemic vulnerabilities.' This language was likely intended to reassure critics. Cryptographers find it incoherent.

End-to-end encryption works because no third party — not even the service provider — holds a decryption key that can be handed to authorities. Mandating that a provider be able to comply with an access order requires introducing exactly such a key or capability. The insertion of that capability is the systemic vulnerability. The bill cannot simultaneously demand compliant backdoors and prohibit systemic vulnerabilities.
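
The argument above as a minimal sketch (an added example, not taken from the bill or from any provider's code): a toy Diffie-Hellman exchange in which the record the provider relays contains no key, then the same flow with a hypothetical escrow key to which every message key is wrapped. The group, the cipher and all function names are illustrative assumptions and are not secure for real use.

```python
import hashlib, secrets

# Toy Diffie-Hellman group for illustration only: far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_key(priv, peer_pub):
    """Both ends derive the same 32-byte key; it never crosses the wire."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def xor_stream(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode); no integrity protection."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def send(sender_priv, recipient_pub, plaintext, escrow_pub=None):
    """Return the record the provider relays and stores for one message."""
    nonce = secrets.token_bytes(12)
    key = dh_key(sender_priv, recipient_pub)
    record = {"nonce": nonce, "ct": xor_stream(key, nonce, plaintext)}
    if escrow_pub is not None:
        # Hypothetical "access capability": wrap the message key to one escrow key.
        eph_priv, eph_pub = keypair()
        record["eph_pub"] = eph_pub
        record["wrapped"] = xor_stream(dh_key(eph_priv, escrow_pub), nonce, key)
    return record

def receive(recipient_priv, sender_pub, record):
    return xor_stream(dh_key(recipient_priv, sender_pub), record["nonce"], record["ct"])

def escrow_open(escrow_priv, record):
    """Whoever holds escrow_priv (lawfully or after a breach) reads any record."""
    key = xor_stream(dh_key(escrow_priv, record["eph_pub"]), record["nonce"], record["wrapped"])
    return xor_stream(key, record["nonce"], record["ct"])

def demo():
    escrow_priv, escrow_pub = keypair()
    results = []
    for text in (b"constructed message 1", b"constructed message 2"):
        (a_priv, a_pub), (b_priv, b_pub) = keypair(), keypair()  # unrelated user pairs
        e2ee = send(a_priv, b_pub, text)
        escrowed = send(a_priv, b_pub, text, escrow_pub)
        results.append((receive(b_priv, a_pub, e2ee), sorted(e2ee),
                        escrow_open(escrow_priv, escrowed)))
    return results
```

In `demo()` the plain end-to-end record holds only a nonce and ciphertext, while the single escrow private key opens the messages of both unrelated user pairs.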

Apple made this point bluntly at committee on May 26, 2026: 'This Bill Allows the Government of Canada to Force Companies to Break Encryption by Inserting Backdoors into their Products.' Apple's position is not rhetorical. When the UK Home Office served Apple a Technical Capability Notice ordering access to encrypted iCloud data under the Investigatory Powers Act, Apple withdrew its Advanced Data Protection feature from the British market entirely rather than comply. The case is now before the UK Investigatory Powers Tribunal. Apple did not wait to see whether the order would be upheld.

An International Coalition Pushes Back

The warnings coming in over Canada's transom should be difficult to dismiss.

Signal stated it would 'rather pull out of the country than be compelled to compromise on the privacy promises' it made to users. Windscribe, a Canadian-headquartered VPN provider, said it would relocate its headquarters outside Canada rather than comply. NordVPN said it is considering the same. Signal's threat is not unprecedented: when Sweden proposed similar lawful access requirements, Signal threatened withdrawal, and Swedish legislators paused the bill.

On May 8, 2026, House Judiciary Committee Chair Jim Jordan and Foreign Affairs Committee Chair Brian Mast sent a joint letter to Ottawa warning that Bill C-22 would 'weaken both countries' collective defences against hackers' and create 'significant cross-border risks to the security and data privacy of Americans.' The letter cited China's 2024 Salt Typhoon breach — in which state-sponsored actors exploited US lawful intercept infrastructure to intercept the communications of American political figures — as proof that 'a backdoor built to satisfy one government's demands inevitably becomes a target for adversaries.' Minister Anandasangaree dismissed the letter as reflecting 'a misunderstanding' of C-22.

Canada's Online News Act Déjà Vu

Canadians who tracked Bill C-18, the Online News Act, will recognise this pattern precisely.

When Meta and Google warned that mandatory link payment obligations would cause them to remove Canadian news content from their platforms, the government publicly dismissed the warnings as a negotiating bluff. Expert witnesses told Senate committees that the companies would comply once legislation passed. By summer 2023, Meta had removed news links from Facebook and Instagram in Canada — a restriction that remains in effect today. The government was wrong.

Minister Anandasangaree has now accused tech giants of 'misinterpreting' Bill C-22, 'categorically rejected' Apple's encryption backdoor concerns, and proposed amendments to 'better safeguard encryption' while insisting the bill will become law. The amendments have not been released for public evaluation at the time of writing.

What Proportionate Reform Looks Like

There is a path to meaningful lawful access reform that does not require mandating broken encryption. Targeted device forensics — extracting data from seized hardware under judicial warrant — preserves investigative capability without compromising communications security for every Canadian. Narrower metadata retention windows with explicit judicial authorisation before collection, rather than blanket one-year mandates, could address the preservation problem while surviving constitutional scrutiny. Cross-border data access agreements with allies can close gaps that encrypted communications create for transnational investigations without requiring service providers to hold master keys.

Canada does not have to choose between effective law enforcement and functional encryption. It does have to choose between a bill written around maximum ministerial flexibility and one written around constitutional constraints and technical reality. Bill C-22's Part 2 is the former. If it passes unchanged, Signal and Apple will not bluff their way into compliance. Canada will have purchased surveillance powers it cannot technically use from companies that have already left.

Sources & Citations

  1. Bill C-22, First Reading — Parliament of Canada
  2. Citizen Lab & CCLA — '(Un)forced Errors' Analysis of Bill C-22
  3. EFF — Canada Is Forging Ahead with Its Dangerous Surveillance Bill
  4. Michael Geist — Apple on Bill C-22 Encryption Backdoors
  5. Globe and Mail — US Congress Warns Bill C-22 Could Weaken Defences Against Hackers