On March 12, 2026, Canada's Minister of Public Safety Gary Anandasangaree introduced Bill C-22, the Lawful Access Act, in the House of Commons. The bill authorizes regulations requiring providers to retain metadata for up to one year, expands law enforcement access to subscriber data under a lowered threshold, and grants the Minister power to compel electronic service providers to build technical capabilities for surveillance. Meta, Apple, the U.S. House Judiciary Committee and privacy advocates have publicly opposed Part 2 of the bill, warning that it could force encryption backdoors. C-22 is the legislative successor to Bill C-2, introduced in June 2025, whose lawful access provisions were split off after widespread criticism.
What Changed Between Bill C-2 and Bill C-22
Bill C-2, introduced in June 2025 as the Strong Borders Act, bundled immigration enforcement measures with sweeping lawful access provisions that drew criticism from civil liberties groups and industry. In response to pushback, the government split the bill: the less controversial immigration measures became Bill C-12, which received royal assent on March 26, 2026, while the lawful access framework was reintroduced as Bill C-22.
Bill C-22 was tabled on March 12, 2026, as a standalone bill that revisits the lawful access provisions contained in Parts 14 and 15 of Bill C-2. Unlike Bill C-2, Bill C-22 no longer includes a ban on cash transactions exceeding $10,000, nor does it grant Canada Post employees authority to open letter mail without judicial authorization. The revised bill narrows who can request assistance from electronic service providers: only the Minister may do so, whereas C-2 would have allowed any CSIS employee, RCMP officer or peace officer to make such a request. Testing of equipment under the assistance provisions may not be used to obtain access to personal information.
Yet major constitutional and privacy concerns remain. Bill C-22 drops some of the measures that drew warnings in C-2, but its retention and order-making powers arguably create a greater surveillance risk than C-2 did. The iteration is instructive: removing the visible overreach does not resolve the structural problems of a metadata mandate and of ministerial orders that can be issued in secret.
Metadata Retention as Default Architecture
Bill C-22 authorizes the Governor in Council to make regulations requiring core providers to retain prescribed metadata for a reasonable period of no longer than one year. Metadata as defined in C-22 excludes the content of a text message, web browsing history and social media activity. It does, however, allow the government to require that cellphone companies keep records that reveal the location of devices for up to one year, so that law enforcement and CSIS can later obtain that data with judicial authorization.
The same part of the bill lets the government require core providers to retain categories of metadata, including transmission data, for up to one year, and it contemplates extending those requirements beyond core providers to any electronic service provider, which would scope in a far broader range of Internet companies. Extending the scope requires a ministerial order and prior approval by the Intelligence Commissioner. That safeguard may help, but the absence of the Privacy Commissioner of Canada from any oversight role suggests that privacy is at best a secondary consideration.
Michael Geist, Canada research chair in internet and e-commerce law at the University of Ottawa, called the provision disproportionate and predicted it would be struck down by the Supreme Court. The sheer scale of the data collection covering every subscriber regardless of any suspicion would amount to a comprehensive surveillance map of virtually every Canadian: where they go, when, and who they communicate with. Metadata from telecom providers includes records of which device connected to which cell tower and at what time. In aggregate, that is detailed location tracking of an entire population.
The entire approach is a fundamental shift in the relationship between Canadians and their communications providers, under which the default is retention of data about everyone rather than preservation of data about specific suspects. This is not merely a capability framework; it is a structural mandate to collect first and query later. European courts have repeatedly struck down similar blanket retention requirements as disproportionate. If the government does not fix these rules, Canadian courts might well do the same.
The Definitional Gap on Encryption and Systemic Vulnerability
Meta warned that Part 2 of Bill C-22 confers sweeping powers with minimal oversight and a lack of clear safeguards, which could have a significant negative impact on Canadians' privacy and cybersecurity. The technical assistance obligations in Part 2 could conscript private companies into service as an arm of the government's surveillance apparatus. As drafted, the bill could require companies like Meta to build or maintain capabilities that break, weaken or circumvent encryption or other zero-knowledge security architectures, and could force providers to install government spyware directly on their systems.
Apple stated that Bill C-22, as drafted, would undermine its ability to offer the powerful privacy and security features users expect. The legislation could allow the Canadian government to force companies to break encryption by inserting backdoors into their products – something Apple will never do. Public Safety Minister Gary Anandasangaree’s office rejected claims that the legislation mandates encryption backdoors, stating that nothing in Bill C-22 compels companies to weaken security protections. Government officials maintain the proposal aligns Canada with lawful access frameworks already used across other G7 and Five Eyes nations.
The bill's definitions of systemic vulnerability and encryption are not clear enough, leaving room for the government to demand that companies circumvent encryption, and they are broad enough to cover apps as well as operating systems. Canadian officials have said they believe surveillance can be added without introducing systemic vulnerabilities. That is not true of end-to-end encrypted systems: any mechanism that gives a third party access to the content is, by construction, a capability reachable by whoever compromises that mechanism or its keys. Surveillance of encrypted communications is itself a systemic vulnerability.
This resembles what happened in the UK last year, when the government demanded that Apple implement this type of backdoor in its optional Advanced Data Protection feature. The demand drew condemnation from the U.S. Government, including Congress and the FTC, and from 200 global civil society organizations, and Apple withdrew the feature for UK users rather than comply; to this day, UK users still do not have access to it. Part 2 of Bill C-22 would take Canada in the opposite direction from its closest allies: last year France and Sweden both abandoned similar proposals, and the EU guaranteed robust encryption protections in its agreement on an online safety regulation.
Salt Typhoon and the Exploitation Timeline
The technical community's consensus on this is clear: it is not possible to build backdoors into encrypted systems for law enforcement without creating vulnerabilities that will be exploited by malicious actors. Weakening encryption does not just affect the target of an investigation; it affects every Canadian who depends on secure private communications to bank, access health care, run a business, or simply talk to their family. This is not a hypothetical risk. Governments around the world are still dealing with the fallout from China's state-sponsored Salt Typhoon intrusions, which compromised telecommunications carriers and reportedly reached the lawful-intercept systems those carriers maintain under CALEA, a U.S. law far narrower than Part 2.
This is particularly true now that AI-assisted tooling can scan software, find the kind of weakness a mandated backdoor introduces and help write exploits for it. The window from public discovery to exploitation has shrunk, in the worst cases, from months to days or hours, so a mandated backdoor that becomes known can be weaponized before it can be removed. The exploitation velocity matters here: a ministerial order can mandate a capability, the provider can challenge it before the Intelligence Commissioner, and during that adjudication the capability may already be in production and under adversary reconnaissance.
Ministerial Orders and Secrecy Provisions
One of the more unusual aspects of Bill C-22 is a blanket secrecy provision that would bar companies from disclosing that they have received a ministerial order to modify their systems or hand over data. The government's framing is that ministerial orders are a powerful tool allowing the Minister of Public Safety to request a broad range of technical capabilities confidentially, so as not to tip off threat actors; that the Intelligence Commissioner's role in approving orders provides an external oversight mechanism; and that an annual report and a parliamentary review three years after the Act comes into force further increase transparency.
Yet Part 2's overly broad non-disclosure orders risk becoming a default secrecy rule that undermines public trust and transparency. The ministerial order framework creates a two-tier disclosure regime: core providers will be identified in regulations and their obligations will be publicly known in general terms, but any electronic service provider (ESP) can be compelled through a secret ministerial order to build the same capabilities. The Governor in Council's regulation-making powers are broad, and the identification of core ESPs by class in a Schedule will be the critical determinant of who bears enhanced obligations. In practice, the specific obligations under the Act and the classes of core provider ESPs subject to them remain to be determined, and any ESP may be made subject to similar requirements through a ministerial order, which may contain any requirement that could otherwise be imposed on core providers by regulation.
The transparency model here differs from warrant canaries or transparency reports: providers cannot disclose the existence of an order, cannot report aggregate statistics on ministerial demands, and face penalties for breach. Users cannot know whether the service they use has been architecturally modified under government compulsion. This is not oversight; it is opacity with a review mechanism that operates entirely out of public view.
What This Means for Email and Encrypted Messaging
The term electronic service provider is extraordinarily broad. It includes any service that deals with information in an electronic format. As such, the list of electronic service providers is almost limitless. Any business operating in Canada on the Internet appears captured by this definition. Email providers, encrypted messaging apps, VPN services, and cloud storage platforms all process information in electronic format. If they serve Canadian users, they fall within scope.
For email specifically, the implications compound. A central element of C-22 is the definition of subscriber information, which includes name, address, phone number, email address and account credentials, as well as the types of services used, duration of use and the devices used to access them. Depending on what the regulations prescribe, retained metadata could include connection logs, IP addresses, timestamps, recipient and sender identifiers and device fingerprints. Under a year-long retention mandate, that is a continuous map of correspondence patterns, geolocation inferred from IP allocations, and a basis for behavioural profiling.
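The two inference claims above, that tower-attachment records amount to population-scale location tracking and that email headers alone yield a correspondence map, are easy to demonstrate. The following is an added example, not text or code from the bill, from any provider or from any project named on this page. Every record in it is constructed: the tower ids, site labels, subscriber id and example.ca addresses are hypothetical. It recovers a subscriber's home and work sites from attachment timestamps and a ranked contact list from sender/recipient fields, with no content involved.

```python
"""What retained metadata yields without any content.

Added example with constructed data (tower ids, site labels, subscriber id and
addresses are all hypothetical). Tower-attachment timestamps give home and
work sites; message headers give a ranked contact list.
"""
from collections import Counter
from datetime import datetime

# Constructed tower inventory: hypothetical ids and site labels.
TOWERS = {
    "T01": "Ottawa-Glebe",
    "T02": "Ottawa-Downtown",
    "T03": "Gatineau-Hull",
}

# Constructed attachment log: (subscriber, tower id, ISO-8601 local time).
ATTACH_LOG = [
    ("sub-123", "T01", "2026-03-02T01:10:00"),
    ("sub-123", "T01", "2026-03-02T07:05:00"),
    ("sub-123", "T02", "2026-03-02T09:00:00"),
    ("sub-123", "T02", "2026-03-02T12:30:00"),
    ("sub-123", "T02", "2026-03-02T15:45:00"),
    ("sub-123", "T01", "2026-03-02T18:20:00"),
    ("sub-123", "T01", "2026-03-02T23:30:00"),
    ("sub-123", "T01", "2026-03-03T02:00:00"),
    ("sub-123", "T02", "2026-03-03T08:40:00"),
    ("sub-123", "T02", "2026-03-03T10:15:00"),
    ("sub-123", "T03", "2026-03-03T14:00:00"),
    ("sub-123", "T02", "2026-03-03T16:30:00"),
    ("sub-123", "T01", "2026-03-03T22:10:00"),
    ("sub-123", "T01", "2026-03-04T00:30:00"),
    ("sub-123", "T02", "2026-03-04T11:00:00"),
    ("sub-123", "T03", "2026-03-04T21:00:00"),
    ("sub-123", "T01", "2026-03-04T23:50:00"),
]

# Constructed message metadata: (sender, recipient, ISO-8601 time). No body.
MSG_LOG = [
    ("alice@example.ca", "bob@example.ca",   "2026-03-02T09:12:00"),
    ("bob@example.ca",   "alice@example.ca", "2026-03-02T09:40:00"),
    ("alice@example.ca", "carol@example.ca", "2026-03-02T13:05:00"),
    ("dave@example.ca",  "alice@example.ca", "2026-03-03T08:55:00"),
    ("alice@example.ca", "bob@example.ca",   "2026-03-03T17:30:00"),
    ("carol@example.ca", "erin@example.ca",  "2026-03-03T18:00:00"),
    ("dave@example.ca",  "alice@example.ca", "2026-03-04T07:45:00"),
    ("alice@example.ca", "bob@example.ca",   "2026-03-04T22:15:00"),
]

NIGHT_HOURS = {22, 23, 0, 1, 2, 3, 4, 5}   # where the handset sits overnight
WORK_HOURS = set(range(9, 17))             # 09:00 to 16:59


def events_for(records, subscriber):
    """Parse the log into (tower, datetime) pairs for one subscriber."""
    return [(tower, datetime.fromisoformat(ts))
            for sub, tower, ts in records if sub == subscriber]


def dominant_tower(events, hours):
    """Tower with the most attachments during the given hours, or None."""
    counts = Counter(tower for tower, dt in events if dt.hour in hours)
    return counts.most_common(1)[0][0] if counts else None


def profile_subscriber(records, subscriber):
    """Home and work sites plus how many distinct days of evidence exist."""
    events = events_for(records, subscriber)
    home = dominant_tower(events, NIGHT_HOURS)
    work = dominant_tower(events, WORK_HOURS)
    return {
        "home": TOWERS.get(home),
        "work": TOWERS.get(work),
        "days_observed": len({dt.date() for _, dt in events}),
    }


def contact_graph(msgs, account):
    """Correspondents ranked by message count in either direction."""
    counts = Counter()
    for sender, recipient, _ in msgs:
        if sender == account:
            counts[recipient] += 1
        elif recipient == account:
            counts[sender] += 1
    return counts.most_common()


if __name__ == "__main__":
    print(profile_subscriber(ATTACH_LOG, "sub-123"))
    print(contact_graph(MSG_LOG, "alice@example.ca"))
```

Three days of records are enough here; a one-year window only makes the answer more certain and adds travel, routine changes and new contacts to the picture. The same hour-of-day split that finds home and work also finds anyone else whose handset attaches to the same towers at the same times.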
For services offering end-to-end encryption, the technical assistance obligations in Part 2 present an architectural dilemma. The U.S. House Judiciary and Foreign Affairs committees sent a letter expressing concern that Bill C-22 would allow Canadian government officials to compel American companies to build backdoors into their encrypted systems, thereby introducing systemic vulnerabilities that could be exploited by hackers, foreign adversaries, and cybercriminals. If a Canadian ministerial order compels a provider to maintain a capability to decrypt content, and the provider’s architecture is zero-knowledge, the provider must either re-architect the service, exit the Canadian market, or challenge the order and face penalties during litigation.
Apple and Meta have indicated they will not break encryption. That leaves withdrawal or legal challenge. The UK precedent is instructive: Apple withdrew Advanced Data Protection rather than comply. If C-22 passes unamended, Canadian users of services that refuse to build backdoors may find themselves with degraded security features, not because of a technical failure, but because of regulatory incompatibility with strong encryption.
Threat Model and Architectural Principles
The structural problem Bill C-22 reveals is this: legislative frameworks that mandate technical capabilities and prohibit disclosure of those mandates create an environment where users cannot verify the integrity of the tools they depend on. Transparency is a security property. When a government can compel a provider to modify a system in secret, every claim the provider makes about its architecture becomes unverifiable.
This affects threat modeling. A user evaluating an email service today might ask: does this service use end-to-end encryption? Is the server open-source? Can the provider read my mail? Under C-22, a fourth question becomes necessary: has this provider received a ministerial order compelling it to build a capability it cannot disclose? The user cannot answer that question. The provider is legally prohibited from answering it. The security model collapses into trust in the absence of verification.
Email infrastructure designed around the assumption that server operators face legal and extrajudicial pressure handles this differently. When PGP encryption happens client-side, the server stores ciphertext it cannot read. A ministerial order demanding plaintext access would be technically unenforceable unless it compelled modification of the client software itself, at which point the open-source nature of email clients and the difficulty of compelling global software distribution become relevant constraints. Tor routing provides transport anonymity orthogonal to content encryption. Cryptocurrency payment reduces financial identity linkage, though it does not eliminate it, since most chains are public and subject to analysis. These are architectural decisions made in anticipation of regulatory pressure.
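The thin-server property described above, that an operator compelled to produce plaintext holds nothing that can satisfy the demand, can be shown in a few dozen lines. What follows is an added example, not code from any project named on this page, and it assumes nothing about any real provider. Because it uses only the Python standard library, the cipher is a stand-in (HMAC-SHA256 in counter mode as a keystream with an encrypt-then-MAC tag); a real client would use OpenPGP or an AEAD such as ChaCha20-Poly1305. The architectural point is unchanged: the key is generated and kept on the client, the server stores opaque blobs, and a compelled dump of the server is the same opaque blobs.

```python
"""Thin server, thick client: the server stores only ciphertext the client
produced, so a demand for plaintext addressed to the operator cannot be met
from what the operator holds.

Added example, not code from any project named on the page. The cipher is a
stand-in built from the standard library (HMAC-SHA256 counter-mode keystream,
encrypt-then-MAC); use a real AEAD or OpenPGP in practice.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive an independent encryption or MAC key from the client master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(master: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Runs on the client. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(master, b"mac"), aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def client_decrypt(master: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Runs on the client. Rejects any blob the server altered or re-keyed."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob altered or wrong key")
    stream = _keystream(_subkey(master, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class ThinServer:
    """Stores opaque blobs per account and holds no key material at all."""

    def __init__(self):
        self._store = {}

    def put(self, account: str, blob: bytes) -> None:
        self._store.setdefault(account, []).append(blob)

    def get(self, account: str) -> list:
        return list(self._store.get(account, []))

    def compelled_dump(self, account: str) -> list:
        """Everything the operator could hand over under an order: the same blobs."""
        return self.get(account)


def demo() -> dict:
    """Round trip through the server and show what a compelled dump contains."""
    master = secrets.token_bytes(32)        # generated and kept on the client only
    server = ThinServer()
    message = b"meet at 18:00, bring the documents"   # constructed sample message
    server.put("alice", client_encrypt(master, message, aad=b"alice"))

    dump = server.compelled_dump("alice")
    server_sees_plaintext = any(message in blob for blob in dump)
    client_recovers = client_decrypt(master, server.get("alice")[0], aad=b"alice") == message

    # A server-side modification of stored data is detected by the client.
    tampered = bytearray(dump[0])
    tampered[NONCE_LEN + 3] ^= 0x01         # flip one ciphertext bit
    try:
        client_decrypt(master, bytes(tampered), aad=b"alice")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "server_sees_plaintext": server_sees_plaintext,
        "client_recovers": client_recovers,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The binding of the account name as associated data means a blob moved from one account to another also fails authentication. What this architecture does not prevent is an order aimed at the client code path itself, which is exactly why the paragraph above points at open-source clients and distribution as the remaining constraint.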
PQCServer, the post-quantum cryptography platform under development at github.com/onion-search-engine/pqcserver, is released under AGPL-3.0 precisely because that licence's obligation to offer source to users makes it harder to insert secret backdoors without detection. A proprietary system under a ministerial order can be modified in silence. An AGPL-licensed system modified under compulsion would require the provider to distribute the backdoored source to anyone who requests it, turning the secrecy provision into a disclosure mechanism by legal paradox. Whether courts would uphold that interpretation is uncertain, but the architecture is designed to make silent compromise structurally difficult. One caveat applies regardless of licence: source disclosure lets users audit the code, not confirm that the running service was built from it. Closing that gap needs reproducible builds and some way to attest the deployed binary; without them the AGPL shifts the question from secret code to unverified deployment.
The principle here is not immunity to legal process. It is that systems designed with client-side encryption, open-source components, and jurisdictional segmentation constrain what legal process can compel. C-22 attempts to mandate capabilities at the server layer. Services architected with thin servers and thick clients resist that mandate by moving cryptographic operations out of the compellable layer.
Observation
Bill C-22 is not an anomaly. It is part of a pattern: the UK’s Investigatory Powers Act, Australia’s Assistance and Access Act, the EU’s stalled Chat Control proposal. Each iteration learns from the previous backlash, removes the most inflammatory provisions, and reintroduces the core capability mandates under new language. C-22’s removal of cash transaction bans and mail-opening powers makes it more palatable than C-2. The metadata retention and ministerial order framework remain.
The legislative learning curve is real. Governments are refining how to write lawful access bills that survive first-reading criticism. The opposition is also learning: Meta and Apple now testify at committee hearings, the EFF coordinates international civil society response, the U.S. Congress writes letters flagging cross-border risks. The outcome is not yet determined. C-22 is under study by the Standing Committee on Public Safety and National Security. Amendments are possible. Withdrawal is possible. Passage unamended is also possible.
What is no longer possible is assuming that encryption will remain legal by default simply because breaking it is technically hard. The new assumption must be that capability mandates will be written into law, that secrecy provisions will prevent disclosure, and that architectural decisions made today determine what can be compelled tomorrow. C-22 is not the final version of this bill. It is the second iteration. There will be others.