A Bill With Teeth, Not Just a Proposal
Canada's Bill C-22, the Lawful Access Act, 2026, is no longer a discussion draft. Introduced by the Minister of Public Safety on March 12, 2026, it passed third reading in the House of Commons on June 18, 2026, and now sits with the Senate (Parliament of Canada, LEGISinfo). If enacted as written, it would require electronic service providers to retain user metadata — including location history — for up to a year, and it would give the government power to compel providers to build tracking capabilities or backdoors into their products.
That combination moved Sen. Ron Wyden (D-OR) to write acting Attorney General Todd Blanche and Secretary of State Marco Rubio on July 16, 2026, warning that the bill "threatens to weaponize American technology infrastructure by enabling the Canadian government to force U.S. companies to secretly facilitate surveillance of Americans, while systematically undermining the security of their products" (The Record). Wyden wants US officials to use ongoing CLOUD Act negotiations with Ottawa to lock in explicit prohibitions on these mandates — because, as he points out, US law currently contains no such bar.
Steelmanning Ottawa's Case
The government's justification is not frivolous. Canadian police and intelligence services have argued for years that end-to-end encryption and short data-retention windows leave them structurally blind to organized crime, child exploitation networks, and foreign interference operations that route through commercial platforms. A warrant is only as useful as the data that still exists by the time it's served, and metadata retention rules are a real lever for closing that gap. Canada's own Privacy Commissioner, Philippe Dufresne, credits the bill with improving on its failed predecessor, Bill C-2 — welcoming a more narrowly tailored confirmation-of-service demand and new oversight from the Intelligence Commissioner over ministerial orders (Office of the Privacy Commissioner of Canada). That is a genuine improvement over the version Parliament rejected last year, and it means C-22 is not simply a bad-faith surveillance grab.
Where the Bill Overreaches
But the Commissioner's own submission also flags what remains broken. His office warns that the bill's definition of "subscriber information" is wide enough to sweep in a person's healthcare providers, lawyers, or financial institutions, obtainable on "reasonable suspicion" rather than a judicial warrant. He is recommending Parliament narrow that definition to a closed list of basic identifiers, require warrants wherever a reasonable expectation of privacy exists, and — critically — bar any regulation issued under the bill from creating vulnerabilities in encryption or authentication systems.
That last recommendation goes to the heart of the problem. The Electronic Frontier Foundation notes that C-22 gives the Minister of Public Safety authority to order a company to build backdoor access to its services — and separately bans that company from disclosing the order even exists (EFF). A secret, unappealable backdoor mandate is not a narrow investigative tool; it's a standing vulnerability that any government, criminal group, or hostile intelligence service can eventually find and exploit. Security researchers have made this point for a decade, and Apple made it directly to Canadian lawmakers: "This Bill Allows the Government of Canada to Force Companies to Break Encryption by Inserting Backdoors into their Products, something Apple will never do," the company told a parliamentary committee in May (Michael Geist).
The Extraterritorial Problem
What makes this more than a domestic Canadian debate is that the companies capable of complying — Apple, Google, Meta, Signal — build one global product, not a Canada-only version. A backdoor engineered to satisfy Ottawa's ministerial order doesn't stay inside Canadian borders; it becomes a permanent feature of the software American, European, and Indian users rely on too. This is precisely the dynamic that played out when the UK secretly pressured Apple in early 2025 to weaken encrypted iCloud backups. The difference, as The Record notes, is that British authorities backed down within roughly six months under public pressure, while Canada's bill has already cleared the House and is closer to becoming binding law.
What Should Happen From Here
The fix is not to abandon lawful access entirely — police do need workable tools, and Dufresne's narrower-scope recommendations show what a proportionate version looks like. The Senate should adopt his amendments: a closed definition of subscriber information, a warrant requirement wherever privacy expectations attach, and — non-negotiably — a statutory bar on any order that degrades encryption or authentication security industry-wide. Washington, for its part, should treat Wyden's request as a low-cost win: an explicit CLOUD Act provision barring allied governments from conscripting US companies into secret extraterritorial surveillance protects American users without picking a fight over Canada's domestic policing needs. Both governments have a version of this bill they could actually defend. The one currently headed to the Senate isn't it.