Bill C-22, Canada's Lawful Access Act, passed the House of Commons on June 18, 2026 — one day after the government invoked Government Business No. 13, a programming motion that terminated committee study before the Standing Committee on Public Safety and National Security could address more than 100 proposed amendments. The bill now moves to the Senate, which resumes September 21, 2026. What the Senate inherits is a law that gives the Public Safety Minister secret authority to demand that companies build surveillance capabilities into encrypted products, backed by legally enforced gag orders and criminal penalties of up to $500,000 per violation.
Two Parts, One Direction
Bill C-22 has three legislative parts. Part 1, the Timely Access to Data and Information (TADI) provisions, amends the Criminal Code and CSIS Act to streamline police access to subscriber data — names, account numbers, and device identifiers — under judicial authorization. Part 2, the Supporting Authorized Access to Information Act (SAAIA), is where the most consequential expansion lives. Part 3 mandates parliamentary review after enactment.
Under SAAIA, a defined class of "core" electronic service providers — telecoms, internet platforms, and encrypted messaging services — must develop, implement, test, and maintain technical surveillance capabilities for law enforcement, and retain metadata for up to one year. That metadata includes transmission data, IP addresses, cell tower connection data, and contact records showing who communicated with whom, when, and from where — but explicitly excludes the content of communications and web browsing history.
More significant is Section 7, the ministerial order power. The Public Safety Minister may issue a binding directive to any electronic service provider — not only the defined "core" providers — requiring it to modify its systems for law enforcement access. Section 15 then prohibits companies from disclosing the existence of such orders. There is no public register, no transparency report mechanism, and no mandatory judicial pre-authorization for the ministerial order itself.
The Government's Strongest Case
The government's position deserves a fair hearing. The "going dark" problem is genuine: law enforcement agencies increasingly hold valid court orders for communications they cannot technically access because of end-to-end encryption. CSIS has cited cases where it held a warrant to track a terrorism suspect's cellphone but the provider lacked the interception capability. RCMP testimony argued that one-year metadata retention creates a "consistent" standard across providers who currently retain data for widely varying periods, some as short as 30 days. Metadata, the government notes, is narrower than content — location and contact patterns, not what was said.
The bill also includes a systemic vulnerability carve-out. Section 5 exempts core providers from any obligation that would "introduce a systemic vulnerability" — defined in the bill's text as one creating "a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so." The government insists this meaningfully distinguishes targeted interception capability from a backdoor.
The Protection That Protects Nothing
Critics — including cryptographers, civil society organizations, and every major affected technology company — have identified the structural flaw: there is no technical distinction between "interception capability" and a backdoor. Any mechanism that allows a third party to access encrypted communications by design is a systemic vulnerability, regardless of how the ordering authority labels it.
Signal VP of Strategy and Global Affairs Udbhav Tiwari stated plainly: "End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it." Signal stores only a phone number, last login date, and join date — making one-year metadata retention architecturally incompatible with its design without a fundamental rebuild. Tiwari also warned that engineered backdoors make messaging platforms "an ideal target for foreign adversaries."
At SECU hearings on May 26, 2026, Apple showed committee members a clip stating the bill "allows the Government of Canada to force companies to break encryption by inserting backdoors into their products." Meta's head of Canadian public policy, Rachel Curran, warned the bill could "conscript private companies into service as an arm of the government's surveillance apparatus." The U.S. precedent informing C-22 is not encouraging: Citizen Lab's review of CALEA-compliant interception equipment — the American framework the bill partially models — found security flaws in "every single switch" tested.
On May 7, 2026, the U.S. House Judiciary and Foreign Affairs Committees sent a joint letter to Canadian authorities raising concerns that C-22's backdoor requirements would expose American citizens' communications data — a rare instance of one democratic legislature formally objecting to another's domestic surveillance bill.
Companies Are Already Voting With Their Feet
Signal has said it would "rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users." Windscribe, the Toronto-based VPN provider, said it would relocate its headquarters out of Canada. NordVPN said it is "considering all viable options," including departure. DuckDuckGo, Apple, Meta, and Google have all registered formal objections.
This creates a lose-lose dynamic. Companies that comply weaken their global security architecture for every user worldwide, not just Canadians — a backdoor engineered for Ottawa is an attack surface for Beijing, Moscow, and every non-state adversary simultaneously. Companies that refuse face criminal penalties or must exit. Canadian users are left either surveilled or underserved by the most privacy-conscious tools on the market.
The Senate's Moment
Citizen Lab's "(Un)forced Errors" report, published June 2, 2026, made 18 specific recommendations for Part 2 — and suggested the government consider withdrawing it entirely. The report documented that Australia's comparable surveillance legislation required 173 amendments before passage; Canada's committee received approximately three weeks of study time before the government shut down debate with a programming motion.
The Senate is Canada's constitutional chamber of sober second thought, designed to review legislation that the House has rushed. When it resumes September 21, it can compel expert testimony, force a precise statutory definition of "systemic vulnerability," and require judicial pre-authorization for ministerial orders alongside mandatory transparency reporting. Without those changes, Bill C-22 as passed encodes a secret surveillance regime into Canadian law — accountable to no one outside the ministry that issues the orders and enforces the gag.
A backdoor paired with a gag order is not a proportionate law enforcement tool. It is, as Citizen Lab documented, the architecture of deniability. The Senate has a direct and time-limited opportunity to make it otherwise.