What is Canada's Bill C-22?

Bill C-22, the Lawful Access Act, is legislation introduced in 2026 that mandates metadata retention by telecoms and digital services, enables the Minister of Public Safety to order companies to build encryption backdoors, and expands surveillance information sharing with foreign governments including the United States.

Does Bill C-22 break encryption?

It provides a mechanism for the Minister of Public Safety to order companies to create backdoors, claiming they won't introduce 'systemic vulnerabilities.' Cryptographers, Apple, and Meta say this is impossible — any backdoor IS a systemic vulnerability. The definitions of 'systemic vulnerability' and 'encryption' in the bill are vague enough to allow the government to demand circumvention of encryption.

What metadata does Bill C-22 require companies to store?

Location data, communication timestamps, device identifiers, and more — for up to one year. This excludes message content but includes who you talked to, when, and from where. Privacy expert David Fraser warns this turns every cell phone in Canada into a tracking device.

How is Bill C-22 different from the old Bill C-2?

Bill C-22 is the successor to Bill C-2 (2025), which was so broadly opposed it didn't even reach committee. C-22 narrows some definitions and splits the bill into two parts, but retains the core problems: mandatory metadata retention, backdoor authority, and gag orders preventing companies from disclosing surveillance orders.

Canada Bill C-22: The Lawful Access Act Wants Your Encryption Keys

Q: Why are Apple and Meta opposing Bill C-22?

Both companies say forced backdoors would make Canadians less safe. Apple warned the bill could force it to weaken device encryption. Meta says it undermines the security of all users, not just criminal targets. The U.S. House Judiciary and Foreign Affairs committees also sent a joint letter to Canada's Minister of Public Safety expressing concern.

In 2025, the Canadian government introduced Bill C-2, a sweeping surveillance bill dressed up as border security legislation. Civil liberties groups, tech companies, and the Canadian Chamber of Commerce pushed back so hard that the bill didn't even make it to committee. Now it's back. Bill C-22, formally the Lawful Access Act, is the Carney government's second attempt — same surveillance powers, narrower packaging, same fundamental problems. From Bill C-2 to C-22: The Surveillance Sequel The original Bill C-2 was introduced in 2025 under the banner of "border security." It would have forced digital service providers to build surveillance capabilities into their systems, retain user metadata, and share it with law enforcement — all with minimal judicial oversight. The backlash was swift. The Canadian Civil Liberties Association, OpenMedia, the EFF, and even the Canadian Chamber of Commerce opposed it. Privacy commissioners raised alarms. The bill stalled and died before reaching committee. The government's response was not to abandon the idea. It was to split the bill into two and reintroduce the surveillance provisions as Bill C-22, the Lawful Access Act, while moving immigration provisions into a separate Bill C-12. The EFF calls it "the spring's worst sequel" — and for good reason. The core surveillance powers survived the rewrite. What Bill C-22 Actually Does The bill has three core provisions that fundamentally change the relationship between Canadians, their devices, and their government. Mandatory Metadata Retention Bill C-22 requires telecommunications service providers and "electronic service providers" — a category broad enough to include messaging apps, social media platforms, and potentially any online service — to collect and retain metadata for up to one year. What counts as metadata under C-22: Device location data — where your phone was, and when Communication timestamps — who you contacted, at what time, for how long Device identifiers — IMEI numbers, IP addresses, subscriber information Routing information — which servers handled your traffic What the bill says metadata doesn't include: the content of messages, browsing history, and social media activities. But this distinction is misleading. Metadata reveals an enormous amount about a person's life — their movements, their associations, their routines, their health decisions, their political activities. As the Canadian Constitution Foundation notes, requiring location data retention for a year turns every cell phone in Canada into a tracking device. Encryption Backdoor Orders The most dangerous provision gives the Minister of Public Safety the power to issue "technical capability notices" and "technical capability orders" — requiring companies to build the capability to provide law enforcement access to encrypted communications. The bill claims these orders cannot require companies to introduce a "systemic vulnerability" into their services. But the definitions of both "systemic vulnerability" and "encryption" are dangerously vague in the legislation. Canadian officials have publicly insisted it's possible to add surveillance access without introducing systemic vulnerabilities. This is cryptographically false. Any mechanism that allows third-party access to encrypted data is, by definition, a vulnerability. The entire field of cryptography is built on the principle that there is no such thing as a backdoor that only good guys can use. The bill also includes gag orders — companies served with these notices are prohibited from disclosing their existence publicly. Canadians would never know if their messaging app had been compelled to build a backdoor. Expanded Foreign Information Sharing C-22 expands the ability of Canadian intelligence agencies to share information with foreign governments, including the United States. Given the Five Eyes intelligence alliance (US, UK, Canada, Australia, New Zealand), this means metadata collected under C-22 could end up in the hands of foreign intelligence agencies with even fewer privacy protections. This is not theoretical. The Snowden revelations showed that Five Eyes countries routinely share surveillance data to circumvent domestic restrictions on spying on their own citizens. Why "No Systemic Vulnerability" Is a Fantasy The Canadian government's position — that you can mandate backdoor access without creating systemic vulnerabilities — contradicts the consensus of every major cryptographic authority in the world. The Salt Typhoon hack of 2024 proved this conclusively. Chinese state-sponsored hackers breached major US telecommunications providers by exploiting the CALEA lawful access systems — the very infrastructure built to give law enforcement access to user data. When you build a door, anyone with the right tools can walk through it. The UK provided another case study. When the British government demanded that Apple build a backdoor into Advanced Data Protection, Apple's response was to remove the feature entirely for UK users rather than compromise the security of all users worldwide. UK iPhone users still don't have access to ADP as of May 2026. Bill C-22 would give the Canadian government the same power that the UK exercised — the power to demand that companies break their own encryption or face consequences. And just as in the UK, the result wouldn't be safer citizens. It would be weaker security for everyone. Every Phone a Tracking Device The Canadian Constitution Foundation's explainer on C-22 raises a point that deserves more attention: the bill's metadata retention requirements, combined with its broad definitions of "electronic service providers," could extend far beyond telecom companies. Privacy expert David Fraser warns that the bill's powers are so broad that the Minister of Public Safety, with approval from the Intelligence Commissioner, could order any electronic device — from a smartphone to a smart TV to a smart fridge — to be turned into a listening device, and to do so secretly. This isn't hyperbole. The bill defines "electronic service provider" broadly enough to include any service that facilitates electronic communication. In a world where your thermostat, your television, and your refrigerator are all connected to the internet, the surveillance surface area is enormous. Apple and Meta Push Back Two of the world's largest technology companies have publicly opposed Bill C-22: Apple warned that C-22 could force the company to weaken device encryption on iPhones and other Apple products sold in Canada. Apple's position is consistent: it has repeatedly refused to build backdoors, including in the high-profile 2016 FBI case and the 2025 UK Advanced Data Protection dispute. Meta stated that the bill undermines the security of all users, not just criminal targets. The company has invested billions in end-to-end encryption across WhatsApp and Messenger, and views backdoor mandates as fundamentally incompatible with user security. The opposition extends beyond tech companies. The U.S. House Judiciary and Foreign Affairs committees sent a joint letter to Canada's Minister of Public Safety, Gary Anandasangaree, expressing concern that C-22's backdoor requirements could compromise the security of Americans whose data flows through Canadian infrastructure. When the United States Congress is telling Canada that its surveillance bill goes too far, that should give every Canadian pause. What Canadians Can Do If you're concerned about Bill C-22, here are practical steps: Switch to Signal for private messaging. Signal has publicly committed to leaving any market that mandates backdoors into its encryption. If C-22 passes, Signal may exit Canada — use it while you can. Use a VPN to prevent your ISP from logging your browsing metadata. A VPN doesn't solve the metadata retention problem entirely, but it adds a layer of protection. Contact your MP. The bill is currently in the House of Commons. Your representative needs to hear from you. Support the organizations fighting this: the Canadian Civil Liberties Association, OpenMedia, and the Canadian Constitution Foundation are all actively opposing C-22. Check your devices. Review the privacy settings on every connected device you own. Disable location services where possible. Use our privacy tools to audit your digital footprint. The Bigger Picture: A Global Trend Canada's Bill C-22 is not happening in isolation. It is part of a coordinated global push to undermine encryption: EU Chat Control — would mandate client-side scanning of all encrypted messages in Europe. The latest vote failed, but the file stays open. UK Investigatory Powers Act — already used to force Apple to remove Advanced Data Protection. The UK is the playbook. US EARN IT Act — repeatedly introduced to pressure platforms to weaken encryption under threat of liability. Defeated multiple times but keeps returning. Australia Assistance and Access Act — passed in 2018, gives the government similar backdoor-ordering powers. The pattern is consistent: governments cite child safety and national security as justification, propose technically unworkable backdoor mandates, and refuse to acknowledge that these measures make everyone — including children — less safe. Canada's Bill C-22 is the latest chapter. Unless Canadians push back as forcefully as they did against C-2, it won't be the last.