Canada Canada Online News Act platform link tax

Ottawa Fast-Tracks Its Lawful Access Bill Using the Same Playbook That Blew Up the Online News Act

Bill C-22 passed the House on a limited-debate motion as Signal and Apple threaten to exit Canada — echoing the miscalculation that emptied Facebook of news in 2023.

Lawful Access, Rushed Timeline People of Internet Research · Canada 6 mo Metadata retention cap Bill C-22 caps mandated retention … ~3 months House passage timeline First reading to third-reading pas… 85% Publisher engagement decline Facebook/Instagram engagement drop… $100M Google's annual news payment What Google negotiated instead of … peopleofinternet.com
Lawful Access, Rushed Timeline People of Internet Research · Canada 6 mo Metadata retention cap ~3 months House passage timeline 85% Publisher engagement decli… $100M Google's annual news payment peopleofinternet.com

Key Takeaways

A rushed vote, a familiar shape

On June 18, 2026, Canada's House of Commons passed Bill C-22, the Lawful Access Act, at third reading — pushed through by a Liberal government programming motion that Conservative public safety critic Frank Caputo called "the most aggressive programming motion" he'd seen in five years in Parliament, forcing an overnight clause-by-clause review at committee and blocking new amendments once the bill reached the floor (BetaKit). The bill, sponsored by Public Safety Minister Gary Anandasangaree, had its first reading on March 12, 2026 and cleared the House barely three months later — a compressed timeline for legislation this technically dense (Parliament of Canada, LEGISinfo). It now sits at first reading in the Senate, with no committee study scheduled before Parliament returns from summer recess.

The reaction from the technology sector was immediate. Signal's leadership said the company would rather leave the Canadian market than compromise the privacy guarantees it makes to users; Apple, Google, and several VPN providers echoed the concern that the bill's Part 2 — the "technical capability" provisions — could be used to compel weakened security by another name (EFF).

What the bill text actually says

Ottawa has pushed back hard on the "backdoor" characterization, and the bill text supports part of that pushback. Section 2(4) explicitly states that no obligation under the Act compels a provider to decrypt information "unless the encryption was provided by the electronic service provider and the provider possesses the information necessary to decrypt" it — a carve-out meant to exclude end-to-end encrypted services like Signal, where the company itself holds no keys. Metadata retention, meanwhile, is capped at "not exceeding six months" under Section 5(2)(d), explicitly excluding communications content, browsing history, and social media activity (Bill C-22, Third Reading text, Parliament of Canada).

That's narrower than critics' worst framing suggests. But it doesn't close the gap entirely. Section 5(2)(a) still lets the minister order providers to develop and maintain new "operational and technical capabilities" for extracting authorized information — and building infrastructure to extract data at police request, even without a mandated decryption key, is precisely the kind of standing surveillance architecture that security researchers have long warned becomes a target in itself. A system built to comply with a valid Canadian warrant is also a system that can be compromised by a foreign intelligence service, a criminal group, or an authoritarian government pointing to Canada's own statute as precedent.

The steelman, and where it runs out

The government's underlying case isn't frivolous. Encrypted, metadata-shielded communications genuinely do complicate CSIS and police investigations into terrorism, child exploitation, and organized crime, and Canada's existing wiretap framework predates ubiquitous end-to-end messaging. A narrowly scoped, warrant-gated, sunset-reviewed lawful-access regime with real technical guardrails is a defensible policy goal that peer democracies have grappled with for a decade. The problem here isn't the goal — it's the process. Rushing a 100-plus-page bill with an open-ended ministerial capability-order power through committee overnight, on a deadline seemingly chosen for political convenience, is how you turn a fixable technical debate into a company deciding it's cheaper to leave the country than to trust that ambiguity will be resolved in its favor.

Canada has run this experiment before

As University of Ottawa law professor Michael Geist has pointed out, this is a rerun of the government's 2023 approach to the Online News Act (Bill C-18). Ottawa was warned explicitly that Meta would block news links rather than pay into a mandated bargaining scheme; officials called the threat a bluff. Meta did it anyway. Within weeks, publishers' engagement on Facebook and Instagram fell 85%, with total engagement across the ban down 43% and roughly 30% of local outlets going dark on social platforms entirely (Digital Content Next). Google, by contrast, negotiated its way to a CRTC-approved exemption by committing $100 million annually, indexed for inflation, to a news-industry collective — a five-year deal that took effect October 28, 2024 (CRTC Decision 2024-262). One company negotiated; one company walked. The government got a policy outcome — an empty news feed for millions of Canadians — that nobody in Ottawa actually wanted (Geist).

Signal has already said it will exit rather than build capability infrastructure it doesn't trust. If Ottawa is betting that's a bluff too, the Online News Act is the wrong precedent to have ignored.

The cross-border dimension raises the stakes further

U.S. Senator Ron Wyden has now written to acting Attorney General Todd Blanche and Secretary of State Marco Rubio warning that C-22 "threatens to weaponize American technology infrastructure," and urging that ongoing U.S.–Canada CLOUD Act negotiations be used to bar Canada from compelling backdoors into U.S. products used by American citizens (The Record). That's not a hypothetical diplomatic irritant — it's a live input into a bilateral data-sharing framework Canada needs functioning smoothly.

What the Senate should actually do

The encryption carve-out and the six-month retention cap show the government can write narrower text when pressed — proof this bill is fixable, not proof it's fine as passed. The Senate has the one thing the House denied itself: time. A public safety committee that actually hears from Signal, Apple, the Privacy Commissioner, and CSIS in the same room — rather than an overnight clause-by-clause sprint — could close the technical-capability loophole, add an independent judicial or Privacy Commissioner sign-off on capability orders, and sunset the whole regime for mandatory review. Canada doesn't have to choose between effective lawful access and companies that stay in the market. It does have to stop finding that out the hard way.

Sources & Citations

  1. Bill C-22 (45-1) Lawful Access Act, 2026 — Third Reading, Parliament of Canada
  2. Bill C-22, Third Reading text
  3. CRTC Decision 2024-262 (Google exemption)
  4. EFF: Canada Is Forging Ahead with Its Dangerous Surveillance Bill
  5. The Record: Wyden letter on Canadian surveillance legislation
  6. Michael Geist: Bill C-22's Groundhog Day
  7. BetaKit: Liberals limit debate on Lawful Access Act
  8. Digital Content Next: How Meta's news ban reshaped Canadian media