Canada's Bill C-22 Progresses Amid Privacy Concerns Over Encryption
Bill C-22 moves forward with little amendment debate, sparking privacy concerns.
Why it matters: The bill could reshape privacy rights and encryption standards, key for legal advisors on data protection and civil liberties.
- Bill C-22 mandates one-year metadata retention and access to encrypted data.
- Introduced March 12, 2026, by Public Safety Minister Gary Anandasangaree.
- Tech giants like Google, Apple, Meta, and Signal oppose the bill citing privacy risks.
- Government signals openness to amendments but specifics are unclear.
Bill C-22, known as the Lawful Access Act, was introduced on March 12, 2026, by Canada's Public Safety Minister Gary Anandasangaree. The legislation requires electronic service providers to retain user metadata for up to one year and develop technical capabilities to allow law enforcement to access encrypted communications. This has sparked widespread concern about privacy and surveillance.
Major technology companies, including Google, Apple, Meta, and Signal, have openly opposed Bill C-22. They warn it could compromise end-to-end encryption and create a broad surveillance infrastructure that weakens security for all users.
Rachel Curran, Meta's Director of Public Policy for Canada, emphasized the broader impact: "Weakening encryption does not just affect the target of an investigation. It affects every Canadian who depends on secure private communications to bank, access health care, run a business, or simply talk to their family." Similarly, David Peterson from Proton VPN pointed out that creating backdoors could be exploited by both good and bad actors.
Despite these criticisms, the Canadian government has indicated a willingness to consider amendments, particularly regarding encryption and metadata retention provisions. Simon Lafortune, Deputy Director of Communications and Press Secretary to the Minister of Public Safety, sought to clarify misconceptions, stating, "We want to reassure Signal, Windscribe, NordVPN, and all service providers that we are not legislating to require them to install capabilities to enable surveillance, and any assertions otherwise are false." However, details about proposed changes remain ambiguous.
The bill's rapid progression with minimal legislative debate has intensified concerns among privacy advocates and legal experts. The legislation echoes earlier failed attempts, such as Bill C-2, which faced significant backlash over privacy infringements. As Bill C-22 advances, the balance between national security interests and the protection of individual privacy rights remains a critical and contested issue.
By the numbers:
- March 12, 2026 — Bill C-22 introduction date
- 1 year — Required metadata retention period
- 4 major tech companies — Google, Apple, Meta, Signal opposing the bill
Yes, but: The government denies that Bill C-22 mandates providers to build surveillance backdoors, but tech firms remain unconvinced.
What's next: Details on bill amendments have not been disclosed; timeline for parliamentary passage is unclear.