A Bill That Left Parliament Quietly
On June 18, 2026, as Canada's Parliament wound down for the summer, the government passed several bills in a single bundled motion — no individual recorded vote, no final round of debate on the most contested provisions. Among the items approved was Bill C-22, the Lawful Access Act, 2026. The bill now heads to the Senate, carrying with it three powers that have alarmed technologists, civil liberties groups, and some of the world's largest technology companies: warrantless subscriber confirmation demands, mandatory metadata retention for up to one year, and — most critically — a ministerial power to compel electronic service providers to build surveillance-ready technical capabilities into their systems.
Law professor and technology policy commentator Michael Geist described the passage as "midnight madness," noting that the government invoked a single motion to approve several bills without further debate or individual votes on the legislation that had generated the most controversy.
What Bill C-22 Actually Does
The bill has three functional parts. Part 1 modernises existing Criminal Code data-gathering provisions. Part 3 provides for parliamentary review after five years. The fight is about Part 2, which enacts the Supporting Authorized Access to Information Act.
Under Part 2, law enforcement may demand "confirmation of service" — a yes/no answer confirming whether a named individual uses a particular electronic service — without a warrant. These requests are bounded to basic subscriber information, which the government argues is less intrusive than full interception orders. Police and intelligence agencies may then escalate to judicial warrants for content, but the initial warrantless confirmation step has no prior judicial check.
The metadata retention provision requires "core providers" — a category defined broadly enough to encompass telecoms, messaging platforms, cloud services, and email providers — to store transmission data, IP addresses, timestamps, and cell-tower connection records for up to one year. This occurs prospectively, for all users, regardless of any individualised suspicion. Global News reported that Thunder Bay's police chief called one year "a good start" and suggested "two or even three years would be ideal," which gives some indication of law enforcement's appetite for expansion.
The most technically consequential provision is the ministerial order power. The Minister of Public Safety may issue orders compelling any electronic service provider to build or maintain "technical or operational capabilities" for law enforcement access to communications. The bill's text states this cannot introduce "systemic vulnerabilities," but critics — including Apple — argue this is a distinction without a difference.
The Case for These Powers
The government's justification deserves a fair hearing. CSIS has publicly stated that Canada's lack of a formal lawful access regime has frustrated transnational investigations, including cases where allied intelligence services requested help identifying Canadian phone numbers involved in cross-border criminal activity. Canadian law enforcement is not inventing a novel threat: Australia mandates two years of metadata retention, and Five Eyes partners have for years pushed toward coordinated standards for lawful interception. A country that cannot provide basic subscriber information to its closest allies in serious criminal investigations faces genuine operational gaps.
The "confirmation of service" mechanism is also narrower than the warrantless subscriber disclosure regime that preceded it. Earlier Canadian lawful access proposals required no judicial involvement whatsoever; C-22 at least limits warrantless access to a binary confirmation and requires production orders — reviewed at a "reasonable grounds to suspect" threshold — for anything more.
Why the Encryption Provision Is the Problem
None of that context resolves the encryption issue. Apple, in written testimony reviewed by Michael Geist, stated directly: "This Bill Allows the Government of Canada to Force Companies to Break Encryption by Inserting Backdoors into their Products." Signal, Windscribe, and NordVPN have each indicated they would exit the Canadian market or disable features rather than comply. The Electronic Frontier Foundation called Bill C-22 "a repackaged version of last year's surveillance nightmare," a reference to the failed Bill C-2, and warned in June 2026 that the Ministry of Public Safety mechanism "establish[es] a mechanism allowing Canada's Ministry of Public Safety to demand that companies create backdoors, effectively breaking encryption."
The structural problem is well understood in cryptography: you cannot build a door only governments can open. Any capability that allows law enforcement to access encrypted communications at scale is, by construction, a vulnerability. The question of whether a government order is "targeted" is irrelevant to the underlying security architecture — the capability exists, and its existence is exploitable.
OpenMedia, which received nearly 25,000 community messages opposing the bill and coordinated opposition from more than 300 organisations, testified before Parliament's Standing Committee on Public Safety that "light amendments cannot do the job of making this bill safe." The committee never completed its review of Part 2: the government blocked debate on the surveillance powers section on June 16, two days before the House rose.
The Process Problem
The manner of passage compounds the substantive concerns. Third-reading votes on major legislation are normally recorded, allowing Canadians to know which of their elected representatives supported what. An omnibus motion that bundles contested surveillance legislation with other end-of-session housekeeping removes that accountability mechanism. This is not a trivial procedural complaint. Parliamentary scrutiny of surveillance legislation is one of the few safeguards between ministerial intention and operational use — removing it from the record makes future Charter challenges harder to frame and future legislative review less anchored.
European courts have already provided a roadmap for what happens when legislatures skip this step. Germany's Federal Constitutional Court and the Court of Justice of the European Union have repeatedly struck down blanket metadata retention regimes as disproportionate under constitutional and fundamental rights frameworks. Canada's Section 8 Charter protection against unreasonable search and seizure raises analogous questions about retention that occurs before any individualised suspicion is formed.
What the Senate Should Do
The Senate now has the opportunity to conduct the scrutiny the House never completed. Three specific interventions would make Bill C-22 defensible without gutting its legitimate law enforcement rationale. First, the ministerial capability order power in Part 2 should be narrowed to exclude any capability that requires modification of encryption or key management — the existing "no systemic vulnerabilities" language is insufficiently precise. Second, the metadata retention period should be anchored to targeted investigative triggers rather than applied universally; suspicion-less mass retention of a country's entire digital communications geography is not proportionate to the crimes it is ostensibly designed to solve. Third, the confirmation of service demand should require at minimum a post-hoc judicial notification within a defined period, preserving speed for legitimate investigations while creating an accountability trail.
Canada's legitimate need to modernise its lawful intercept framework — undeniably real — does not require a bill that Apple, Signal, and 300 civil society organisations consider incompatible with secure communications. The Senate should take the summer to confirm which of those concerns survives technical scrutiny, and amend accordingly.