Canada encryption policy and lawful access

Canada's Lawful Access Act Passed Without Debating the Encryption Provisions That Matter Most

Bill C-22 cleared the House under time allocation on June 18, 2026, and heads to Senate study September 21 amid warnings from Apple, Google and Signal.

Bill C-22: Timeline and Industry Pushback People of Internet Research · Canada Jun 18, 2026 House passage date Passed under time allocation after… Sep 21, 2026 Senate study begins Senate takes up substantive review… 8 Amendments recommended Privacy Commissioner's submission … 4 Major firms opposing bill Apple, Google, Signal and DuckDuck… peopleofinternet.com
Bill C-22: Timeline and Industry Pushb… People of Internet Research · Canada Jun 18, 2026 House passage date Sep 21, 2026 Senate study begins 8 Amendments recommended 4 Major firms opposing bill peopleofinternet.com

Key Takeaways

Canada's House of Commons passed Bill C-22, the Lawful Access Act, 2026, on June 18, 2026 — but not after full debate. The government invoked time allocation earlier that week, and the Standing Committee on Public Safety and National Security was forced to approve the bill just before midnight without addressing dozens of outstanding amendments, according to Parliament's own LEGISinfo record. The bill now sits in the Senate awaiting first reading, with substantive study set to begin when Parliament returns on September 21, 2026.

The case for the bill, stated fairly

Canadian police and CSIS have a real problem: modern encrypted messaging and cloud services can put evidence beyond reach even with a valid warrant, and investigators increasingly lose leads to services that retain little or no metadata. Bill C-22 is Ottawa's second attempt at solving this after the government's earlier lawful-access provisions inside Bill C-2, the Strong Borders Act, stalled. The new bill narrows some of that predecessor's overreach — the Privacy Commissioner of Canada's submission to the committee explicitly credits C-22 with a "more narrowly tailored" confirmation-of-service demand than C-2 offered, and notes the bill now requires privacy and cybersecurity impacts to be considered before regulations are issued. A government that can compel a telecom to confirm whether a specific suspect uses its network, without demanding the content of their communications, is not obviously unreasonable — most G7 states have some version of subscriber-identification power, and Canadian courts already apply a lower privacy bar to basic subscriber data than to content.

Where the bill goes further than that

The problem is what sits underneath the subscriber-lookup power. Bill C-22 creates the Supporting Authorized Access to Information Act, which lets the Minister of Public Safety issue confidential orders compelling "electronic service providers" to build new technical capabilities for law enforcement access — potentially including capabilities that touch encrypted communications. The Privacy Commissioner's submission flags that the bill's definition of "subscriber information" is broad enough that a court order targeting one piece of data could require production of "much more subscriber information than is necessary for the purposes of a given investigation," and recommends narrowing it to a closed list of identifiers such as name, address, phone number and IP address. The Commissioner also asked Parliament to restrict compellable orders to telecommunications carriers rather than the sweeping category of "electronic service providers," and to write an explicit bar on regulations that create security vulnerabilities into the statute itself rather than leaving it to future rulemaking.

The University of Toronto's Citizen Lab went considerably further in its analysis of the bill, concluding the surveillance-capability regime is "almost certainly constitutionally fatal" because it lets the government compel any electronic service provider to retain metadata indiscriminately, without needing to show suspicion of wrongdoing — a design Citizen Lab says conflicts with existing Supreme Court of Canada jurisprudence on informational privacy. That is not a fringe objection; it is a specific, falsifiable prediction about how the bill will fare in court, and it should worry a government whose last major internet bill (the Online News Act) also drew sustained legal and diplomatic pushback that Ottawa dismissed until it became unavoidable.

Industry is not bluffing about exit

Three companies with direct operational stakes in Canadian encryption have now gone on record. Apple's Erik Neuenschwander told reporters the company does "not know of a way to deploy encryption technology that provides access only for the good guys without creating new ways for the bad guys to break in," and pointed to Apple's decision to pull Advanced Data Protection from the UK market last year rather than comply with a comparable order — a precedent Ottawa cannot credibly claim it wasn't warned about, per Global News's reporting. Google's Jeanette Patell said the bill "goes well beyond lawful access regimes in other G7 democracies" and objected specifically to ministerial orders that could "secretly force companies to redesign products" without judicial oversight. Signal's vice-president of strategy was blunter still, telling Global News: "If we are ever forced to choose between betraying the people who rely on us and leaving a market, we will leave" — and DuckDuckGo confirmed it would pull its VPN service from Canada outright if the bill passes as written. The Electronic Frontier Foundation noted the government rushed the vote before an arbitrary June 19 deadline rather than let Part 2 — the most consequential surveillance provisions — receive independent debate.

What the Senate should actually do

None of this requires treating lawful access as illegitimate in principle. It requires Parliament to do what the House chose not to: separate the parts of C-22 that modernize a genuinely outdated subscriber-identification regime from the parts that hand a minister unreviewed power to compel backdoor-adjacent engineering. The Privacy Commissioner's eight recommended amendments are a workable starting map — narrow the definitions, restrict who can be compelled, and write an explicit statutory bar on vulnerability-creating orders rather than trusting future regulations to supply one. If the Senate's study beginning September 21 simply rubber-stamps what committee couldn't finish debating at midnight in June, Canada risks becoming the country whose flagship encrypted-messaging and privacy-search options quietly stopped working — not because of a foreign adversary, but because its own Parliament wouldn't take five more months to get the drafting right.

Sources & Citations

  1. Department of Justice Canada — Charter Statement, Bill C-22 (An Act respecting lawful access)
  2. Privacy Commissioner of Canada — Submission on Bill C-22
  3. EFF — Canada Is Forging Ahead with Its Dangerous Surveillance Bill
  4. Global News — Apple, Google warn on lawful access bill
  5. Global News — Signal, DuckDuckGo weighing Canada exit
  6. Citizen Lab — (Un)forced Errors: Analysis of Bill C-22