Canada encryption policy

Canada's Lawful Access Bill Cleared the House Without Fixing Its Encryption Problem

Bill C-22 passed the Commons on June 18, 2026 still letting Ottawa order providers to build interception tools Apple and Signal call backdoors.

Bill C-22 by the Numbers People of Internet Research · Canada 98 days House passage timeline Introduced March 12, 2026 and pass… 1 year Metadata retention window Providers can be ordered to retain… 200,000+ Chamber members opposing bill The Canadian Chamber of Commerce, … peopleofinternet.com
Bill C-22 by the Numbers People of Internet Research · Canada 98 days House passage timeline 1 year Metadata retention window 200,000+ Chamber members opposing bill peopleofinternet.com

Key Takeaways

A Fast Trip Through the House

Bill C-22, the Lawful Access Act, 2026, was introduced in the House of Commons on March 12, 2026, cleared second reading on April 20, and passed committee, report stage, and third reading all on the same day — June 18, 2026 (LEGISinfo, Parliament of Canada). That is roughly 98 days from introduction to House passage for a bill that Citizen Lab says contains provisions that are "almost certainly constitutionally fatal" (Citizen Lab). The bill has had its first reading in the Senate and now awaits second reading there — the last real chance to amend it before it becomes law.

What Part 2 Actually Authorizes

The Department of Justice's own Charter Statement on the bill describes Part 2 as creating a regulatory framework requiring electronic service providers to maintain "lawful access capabilities" — meaning the Minister of Public Safety can order a company to build interception infrastructure into its own product (Department of Justice Canada). Providers can also be compelled to retain metadata — who contacted whom, when, and from where — for up to one year, a sharp expansion from the retention window in the bill's predecessor, C-2 (Canadian Bar Association).

The Case for the Bill, Stated Fairly

Public Safety's argument is not frivolous. End-to-end encrypted platforms genuinely complicate investigations into kidnapping, child exploitation, and organized crime, and Canadian police services have said for years that they are "going dark" as suspects move communications onto encrypted apps that predecessor wiretap laws never anticipated. A modern lawful-access regime that lets police execute a validly obtained warrant against a messaging platform, the way they always could against a phone company, is a defensible policy goal. The problem is not that Ottawa wants a mechanism for court-authorized access — it's how broadly this bill defines the mechanism and how thin the safeguard against abuse actually is.

Why the Safeguard Doesn't Hold

The bill lets a provider refuse an order only if compliance would create a "systemic vulnerability." Citizen Lab's review found that term defined narrowly enough to cover only unauthorized third-party access — not risks to data integrity, availability, or the security of the underlying device or operating system (Citizen Lab). The Canadian Bar Association reached the same conclusion independently, warning that comparable language in other jurisdictions has already been used to force a company's hand: it cited reports that the UK's Investigatory Powers Act was used against Apple's Advanced Data Protection feature (CBA). A safeguard that only blocks the narrowest technical definition of a backdoor is not a safeguard against the practical one.

Industry Isn't Waiting for the Senate

Apple told parliamentarians in May testimony that the bill "allows the Government of Canada to force companies to break encryption by inserting backdoors into their products" — something the company says it will not do (Michael Geist). Signal has said it would rather exit the Canadian market than comply with an order to weaken its encryption. Neither company is bluffing for leverage — both have made and kept the same threat in other jurisdictions rather than ship a compromised product.

The Business Case Against It

It isn't only privacy and civil-liberties groups raising alarms. The Canadian Chamber of Commerce, whose members include Rogers, Telus, Microsoft, Apple, and Google, warned lawmakers that the bill "presents considerable risks to Canadian businesses, investment and the integrity of data systems" and noted that "no comparable jurisdiction in the Western world has adopted lawful access provisions of this breadth" — pointedly distinguishing Canada's approach from the narrower U.S. lawful-intercept framework, which explicitly excludes information services (The Globe and Mail). When your own tech sector's trade association says a security bill will chase investment out of the country, that is not a talking point regulators can wave away as activist noise.

The Senate's Narrow Window

Our editorial position is not that lawful access is illegitimate — it's that a mandate broad enough to force architectural changes to encrypted products, with a vulnerability test narrow enough to exclude most real vulnerabilities, is a backdoor by another name. Backdoors don't stay exclusive to the "good guys": state-linked intrusions like the Salt Typhoon campaign against U.S. telecom wiretap systems are the standing proof that any interception capability built into infrastructure becomes a target for hostile intelligence services, not just domestic police with warrants. Canada does not need to choose between effective law enforcement and secure communications. It needs the Senate to narrow Part 2 to genuinely targeted, judicially authorized capability orders — and to fix the systemic-vulnerability definition before, not after, Apple and Signal make good on their exit threats.

Sources & Citations

  1. Parliament of Canada — Bill C-22 (Lawful Access Act, 2026)
  2. Department of Justice Canada — Charter Statement on C-22
  3. Citizen Lab — Analysis of Bill C-22
  4. Canadian Bar Association submission on C-22
  5. Michael Geist — Apple's statement on C-22
  6. The Globe and Mail — Chamber of Commerce warning