
Bill C-22 Is Canada's Most Ambitious Surveillance Expansion in a Generation

By Tech Writer and Security Investigator Dominykas Zukas
Last updated: 19 May, 2026

Governments have been trying to get inside encrypted communications for decades. The argument never changes: public safety, terrorism, child protection, foreign interference. The target keeps shifting from phones to messaging apps to cloud storage, but the ask is always the same. Give us a key. Build us a door. Make it accessible when we need it.

Canada's Bill C-22, the Lawful Access Act, introduced in March 2026, is the latest and most aggressive version of that ask. It would require electronic service providers across the country to build and maintain surveillance capabilities for law enforcement and CSIS on demand, retain up to a full year of metadata on every user regardless of suspicion, and stay legally silent about any orders they receive. It passed second reading in April 2026 and is currently before the committee.

Key Takeaways

  • Bill C-22 is a two-part law. Part 1 updates how law enforcement obtains existing data from providers. Part 2 would force providers to build new surveillance access points on government order, with minimal oversight and undefined terms.
  • The bill enables bulk metadata retention for up to one year on every person in Canada, covering who they communicate with, when, and from where, with no requirement that the subject be suspected of anything.
  • Non-disclosure provisions mean providers can be legally barred from telling users their data has been accessed.
  • More than 25 civil society organizations, along with Meta, Apple, the Internet Society, Mozilla, the Tor Project, and Proton, have called for the bill's withdrawal, citing real-world evidence that mandated backdoors are exploited by hostile states.
  • As of May 2026, Bill C-22 is under committee study and has not yet become law.

The Law That Sounds Reasonable Until You Read It

Canada's government introduced Bill C-22 as a modernization effort. Law enforcement has been operating under a 1995 framework built for voice telephony, one that genuinely has not kept pace with smartphones, encrypted messaging, and cloud services. Under the existing system, agencies can obtain warrants or production orders to access data, but there is no legal requirement for providers to maintain the technical infrastructure to actually deliver it. That gap, the government argues, has caused investigations to stall or fail.

Part 1 of the bill addresses this in a relatively targeted way, updating the legal framework for timely data access and clarifying enforcement. Even Meta, in testimony before the Standing Committee on Public Safety and National Security, acknowledged that Part 1 with narrowly tailored amendments could serve as an effective tool for law enforcement.

Part 2 is a different matter. The Supporting Authorized Access to Information Act would designate companies as "core providers," likely including telecoms and satellite operators defined in future regulations, and compel them to build interception capabilities on demand. The Minister of Public Safety would also gain authority to issue Ministerial Orders to any electronic service provider compelling specific surveillance capabilities based on evolving operational needs, subject to Intelligence Commissioner approval.

The bill introduces mandatory bulk metadata retention for up to one year, covering who users communicate with, the timestamps of those communications, and location data. This data would be collected on everyone regardless of suspicion and held in reserve for when agencies need it. Non-disclosure orders can legally prohibit companies from revealing the existence of government demands, creating a surveillance architecture that operates entirely out of public view.

Bill C-22 is a revised version of last year's Bill C-2, which collapsed under public backlash without reaching committee. The government added an annual public report and a parliamentary review three years after the act comes into force. Those additions are not trivial, but they are cosmetic relative to the core mechanism critics objected to: compelled backdoor access into encrypted systems, which remains fully intact.

Figure: Timeline of the development of Canada's Bills C-2 and C-22

Backdoors Do Not Check Credentials

The central objection to Part 2 is not about whether law enforcement should be able to access data with proper authorization. It is about what happens to the infrastructure required to deliver that access. A vulnerability created for law enforcement is a vulnerability that exists for anyone with the sophistication to find and exploit it. The Internet Society, along with dozens of cybersecurity experts from Mozilla, the Tor Project, Proton, Fight for the Future, and more than 30 other organizations, expressed it as clearly as they could in an open letter to Parliament: once the infrastructure is mandated, the question is not whether hostile actors will find it but when.

The 2024 Salt Typhoon cyberattack is the case study every serious analyst of this bill cites, and for good reason. China's state-sponsored campaign gained access to highly sensitive US national security information by exploiting the built-in wiretap capabilities that US law required providers to install for law enforcement. The attackers walked through the door that had been legally built for them, and Canada's own Canadian Centre for Cyber Security noted in 2025 that Salt Typhoon almost certainly targeted Canadian telecoms too.

Yet, I'd say the most revealing detail is that the CCCS bulletin warning about Salt Typhoon and the government's Bill C-22 are products of the same administration. The same Canadian security apparatus that documented a hostile state exploiting mandated wiretap infrastructure is now tabling legislation that mandates the same kind of infrastructure for Canadian networks. 

Bill C-22's answer to this tension is a provision allowing providers to challenge demands that would introduce a "systemic vulnerability." As Meta's policy director Rachel Curran told the Standing Committee in May 2026, "systemic vulnerability" is left undefined in the legislation, "encryption" appears nowhere in the bill text, and Ministerial Orders can override the regulations supposed to contain them. There is no process for challenging a problematic order while it is in effect and no liability protection during a challenge.

The international precedent points clearly in one direction. France and Sweden both abandoned similar proposals in 2025. The EU guaranteed robust encryption protections in its online safety regulation. The UK used comparable authority to order Apple to compromise its Advanced Data Protection service for iCloud, and Apple withdrew the feature from the UK entirely rather than weaken it, drawing condemnation from US congressional committees and 200 civil society organizations worldwide. Canada's closest allies have already seen where this leads.

Who Is Saying No and Why That Matters

On April 21, 2026, more than 25 organizations delivered an open letter to Prime Minister Mark Carney and every member of Parliament, calling for the full withdrawal of the bill and describing it as potentially "the most expansive invasion of Canadian privacy rights in modern history." Signatories included the Canadian Civil Liberties Association, the International Civil Liberties Monitoring Group, OpenMedia, and individual experts including Ron Deibert of the Citizen Lab at the University of Toronto. The coalition against this bill is not a niche privacy lobby but a broad cross-sector alignment, and that breadth matters.

The economic stakes are not theoretical either. An Internet Society-commissioned analysis of Australia's analogous forced-access law found one company alone estimated an adverse impact approaching AU$1 billion from the collapse of trust in its tech sector. Canada's tech sector employs 2.2 million people, and a law signaling willingness to mandate backdoors tells every company building secure services that Canada carries legal liability for doing so. Those tracking how surveillance has gradually become normalized across democratic governments will recognize the pattern.

The legal liability would apply to VPN providers as well, which fall squarely within the bill's definition of electronic service providers. If C-22 passes, many would likely pull their services from Canada rather than compromise them, which is exactly what many companies already did in the UK.

Canada Has Not Passed This Law Yet, and That Window Matters

Bill C-22 cleared second reading on April 20, 2026, and was referred to the Standing Committee on Public Safety and National Security. Committee stage is where legislation gets meaningfully amended or rejected, and it has not passed yet.

Every major expert voice that has engaged with Part 2 has reached the same conclusion: the vague definitions, the absence of challenge mechanisms, the metadata retention requirement, and the non-disclosure regime are not fixable with minor amendments. Both the Internet Society and Meta called for Part 2 to be separated from the rest of the bill, with the Internet Society additionally calling for a full public consultation before any future lawful access proposal is introduced.

A government that receives guidance from its own security apparatus recommending strong encryption as a national defense and then tables legislation directly contradicting that guidance has a credibility problem it cannot explain away. The fight over encryption is a cycle that governments keep forcing open regardless of what the evidence shows, and Canada is now about to add its name to the list of countries that chose the backdoor over the warning.

The surveillance powers authorized under Part 2 would outlast any particular administration and be available to every subsequent one, and that is the part that is genuinely difficult to walk back once it is in place.

