Bill C-22, Canada’s proposed Lawful Access Act, would require telecoms, messaging apps and other digital services to retain metadata for a year and let the Minister of Public Safety compel companies to build access mechanisms. Vague terms like “encryption” and “systemic vulnerability” worry critics who say the law could be used to mandate backdoors that weaken end-to-end protections, increase breach risk, and gag disclosure of government orders. Major tech firms and U.S. lawmakers have raised alarms, arguing the bill prioritizes surveillance and cross-border data access over cybersecurity and user privacy, echoing past international controversies.
Bill C-22 would directly affect how tech companies design communications systems and handle user data, raising legal and engineering risks for services with end-to-end encryption. Compliance could force architectural changes, increase breach exposure, and create cross-border legal conflicts for firms operating in Canada.
Dossier last updated: 2026-05-17 19:13:27
Canada’s Bill C-22 would force messaging providers to build a duplicate decryption key and retain up to a year of transmission metadata for all users, fundamentally weakening end-to-end encryption and expanding lawful access. Providers would be legally required to create an access mechanism even if they oppose it, allowing courts to demand message content; the bill also mandates broad metadata retention, centralizing contact, location, device and network data. Tech companies (e.g., Apple, Signal) dispute whether the law technically mandates breaking encryption or merely requires capability. Privacy advocates warn the combination of backdoors and mass metadata retention creates systemic security risks and surveillance-ready datasets that threaten user privacy across healthcare, legal, and journalistic communications.
Signal says it would withdraw from Canada rather than comply with Bill C-22 if the law forces it to weaken end-to-end encryption or introduce vulnerabilities. Udbhav Tiwari, Signal’s VP of strategy and global affairs, told reporters the proposed lawful-access legislation could mandate system changes that create security flaws and make private messaging an appealing target for hackers or foreign adversaries. Signal, used by millions in Canada including journalists and officials, stores minimal user data and argues that “exceptional access” is incompatible with end-to-end encryption. The bill would require designated providers to retain certain metadata for up to a year; critics including tech firms and cybersecurity researchers warn this could erode privacy and increase systemic risk.
Canada’s Bill C-22 would force messaging providers to create a duplicate decryption key and retain up to a year of transmission metadata for all users. That would require services like Signal, iMessage, WhatsApp and Messenger to build lawful-access mechanisms enabling courts to demand message content, while also centralizing detailed contact, location and device metadata that providers might not otherwise collect. Privacy advocates warn the change undermines end-to-end encryption guarantees, weakens journalist-source and legal confidentiality, and increases risk from hackers who could exploit mandated access channels. The metadata-retention rule broadens surveillance and echoes rejected EU measures; critics say it creates systemic privacy and security harms across everyday apps.
Canada’s proposed Bill C-22 would force messaging and other service providers to create a government-accessible duplicate decryption key, effectively weakening end-to-end encryption across apps and services. The bill requires companies to build technical access mechanisms and comply with court orders or face penalties, expanding reach to messaging, health portals, legal communications, small business SaaS, and more. Advocates warn this central copy becomes a persistent vulnerability: they cite the 2024 Salt Typhoon compromise of U.S. lawful-access infrastructure, where a state-linked actor exploited similar access to intercept calls and texts. Critics say the law would erode privacy, endanger vulnerable users, and enable foreign governments to obtain Canadians’ data via mutual legal assistance. The debate pits law enforcement access against systemic cybersecurity and civil-liberties risks.
Canada’s Bill C-22 has sparked industry and international pushback after revisions to earlier proposals left a two-part surveillance framework that critics say weakens encryption and cybersecurity. Major tech firms and services — including Signal, Windscribe, NordVPN, Apple and Meta — have warned of market exits or raised concerns, while business groups, civil liberties organizations, legal experts and U.S. lawmakers have highlighted risks to cross-border data flows and national security. The bill removes some warrantless powers introduced in Bill C-2 but replaces them with a lower judicial threshold for production orders and adds mandatory metadata retention, expanding surveillance capabilities. Opponents argue the legislation increases systemic vulnerabilities and could drive companies and data out of Canada.
Canada’s proposed Bill C-22 (the Lawful Access Act) would force telecoms, messaging apps and other digital services to retain metadata for a year and expand data-sharing with foreign governments, while allowing the Minister of Public Safety to compel companies to build access mechanisms—potentially backdoors—so long as they don’t introduce “systemic vulnerabilities.” Critics say vague definitions of “encryption” and “systemic vulnerability” would enable circumvention of strong cryptography, increase breach risk, and ban public disclosure of such orders. Major tech firms including Apple and Meta have warned against the bill, and U.S. lawmakers have raised concerns; privacy advocates compare the proposal to the UK’s move that led Apple to disable a stronger iCloud protection. The debate centers on public safety vs. widespread cybersecurity and privacy risks.
Canada’s Bill C-22, dubbed the Lawful Access Act, would force digital services — from telecoms to messaging apps — to retain metadata for a year and empower the Minister of Public Safety to compel companies to build access mechanisms into their services. Critics warn ambiguous definitions of “encryption” and “systemic vulnerability” would let the government demand backdoors that undermine end-to-end protections, increase breach risk, and ban disclosure of such orders. Apple and Meta have publicly opposed the bill, and U.S. congressional committees raised cross-border concerns. Advocates point to prior incidents (like the Salt Typhoon hack) and the UK’s forced rollback of an Apple privacy feature as evidence these mandates harm security and privacy.