A Fast Trip Through the House
Bill C-22, the Lawful Access Act, 2026, was introduced in the House of Commons on March 12, 2026, cleared second reading on April 20, and passed committee, report stage, and third reading all on the same day — June 18, 2026 (LEGISinfo, Parliament of Canada). That is roughly 98 days from introduction to House passage for a bill that Citizen Lab says contains provisions that are "almost certainly constitutionally fatal" (Citizen Lab). The bill has had its first reading in the Senate and now awaits second reading there — the last real chance to amend it before it becomes law.
What Part 2 Actually Authorizes
The Department of Justice's own Charter Statement on the bill describes Part 2 as creating a regulatory framework requiring electronic service providers to maintain "lawful access capabilities" — meaning the Minister of Public Safety can order a company to build interception infrastructure into its own product (Department of Justice Canada). Providers can also be compelled to retain metadata — who contacted whom, when, and from where — for up to one year, a sharp expansion from the retention window in the bill's predecessor, C-2 (Canadian Bar Association).
The Case for the Bill, Stated Fairly
Public Safety's argument is not frivolous. End-to-end encrypted platforms genuinely complicate investigations into kidnapping, child exploitation, and organized crime, and Canadian police services have said for years that they are "going dark" as suspects move communications onto encrypted apps that predecessor wiretap laws never anticipated. A modern lawful-access regime that lets police execute a validly obtained warrant against a messaging platform, the way they always could against a phone company, is a defensible policy goal. The problem is not that Ottawa wants a mechanism for court-authorized access — it's how broadly this bill defines the mechanism and how thin the safeguard against abuse actually is.
Why the Safeguard Doesn't Hold
The bill lets a provider refuse an order only if compliance would create a "systemic vulnerability." Citizen Lab's review found that term defined narrowly enough to cover only unauthorized third-party access — not risks to data integrity, availability, or the security of the underlying device or operating system (Citizen Lab). The Canadian Bar Association reached the same conclusion independently, warning that comparable language in other jurisdictions has already been used to force a company's hand: it cited reports that the UK's Investigatory Powers Act was used against Apple's Advanced Data Protection feature (CBA). A safeguard that only blocks the narrowest technical definition of a backdoor is not a safeguard against the practical one.
Industry Isn't Waiting for the Senate
Apple told parliamentarians in May testimony that the bill "allows the Government of Canada to force companies to break encryption by inserting backdoors into their products" — something the company says it will not do (Michael Geist). Signal has said it would rather exit the Canadian market than comply with an order to weaken its encryption. Neither company is bluffing for leverage — both have made and kept the same threat in other jurisdictions rather than ship a compromised product.
The Business Case Against It
It isn't only privacy and civil-liberties groups raising alarms. The Canadian Chamber of Commerce, whose members include Rogers, Telus, Microsoft, Apple, and Google, warned lawmakers that the bill "presents considerable risks to Canadian businesses, investment and the integrity of data systems" and noted that "no comparable jurisdiction in the Western world has adopted lawful access provisions of this breadth" — pointedly distinguishing Canada's approach from the narrower U.S. lawful-intercept framework, which explicitly excludes information services (The Globe and Mail). When your own tech sector's trade association says a security bill will chase investment out of the country, that is not a talking point regulators can wave away as activist noise.
The Senate's Narrow Window
Our editorial position is not that lawful access is illegitimate — it's that a mandate broad enough to force architectural changes to encrypted products, with a vulnerability test narrow enough to exclude most real vulnerabilities, is a backdoor by another name. Backdoors don't stay exclusive to the "good guys": state-linked intrusions like the Salt Typhoon campaign against U.S. telecom wiretap systems are the standing proof that any interception capability built into infrastructure becomes a target for hostile intelligence services, not just domestic police with warrants. Canada does not need to choose between effective law enforcement and secure communications. It needs the Senate to narrow Part 2 to genuinely targeted, judicially authorized capability orders — and to fix the systemic-vulnerability definition before, not after, Apple and Signal make good on their exit threats.