The government’s plans for lawful access have gone off the rails. In recent days, Signal has warned it would pull out of the Canadian market rather than comply with Bill C-22. Windscribe, the Toronto-headquartered VPN provider, has said it would relocate its headquarters out of Canada, and NordVPN has warned it would consider following suit. Apple and Meta have both raised public concerns about the bill’s effect on encryption and cybersecurity. The Canadian Chamber of Commerce, the Cybersecurity Advisors Network, civil liberties groups, and a long line of legal and security experts have all called for changes. The chairs of the U.S. House Judiciary and Foreign Affairs Committees have written to Public Safety Minister Gary Anandasangaree warning that the bill threatens U.S. national security and the integrity of cross-border data flows. Even the bill’s own oversight body, the National Security and Intelligence Review Agency, has told the SECU committee it does not have the access it needs for effective oversight. If the government thought it could push through the bill largely unnoticed, it has been proven painfully wrong: there are now trade frictions with the U.S., the prospect of leading companies exiting the Canadian market, and weaker cybersecurity protections for ordinary users.
How did Canada’s lawful access plan go awry so quickly?
The answer starts with Bill C-2, introduced in June 2025 as a border measures bill but which included a sweeping lawful access regime buried at the end. The bill included unprecedented warrantless information demand powers that would have applied not just to telecom and Internet providers but to anyone who provides a service in Canada, including physicians and lawyers. The proposal was inconsistent with Supreme Court jurisprudence and faced an immediate backlash from privacy advocates, civil liberties groups, the legal community, and the opposition parties. Given the near-universal criticism, the government hit the reset button several months later, signalling that any new lawful access bill would return as a standalone measure.
That standalone bill arrived in March 2026 as Bill C-22. The good news was that the government scrapped the warrantless information demand and replaced it with a narrower “confirmation of service” demand limited to telecom providers, with subscriber information now subject to a judge-reviewed production order (which, however, is problematically set at “reasonable grounds to suspect”, the lowest investigative threshold in Canadian criminal law and a significant departure from the “reasonable grounds to believe” standard that has governed general production orders for the past decade). More consequentially, Part 2 of the bill, the Supporting Authorized Access to Information Act, was largely unchanged, except for a dangerous addition that established a new mandatory metadata retention obligation. As a result, the government gave some ground on warrantless access while quietly expanding the surveillance architecture in the other half of the bill.
Once the bill came up for debate, the government’s strategy made matters worse. As I chronicled on this blog, across four days of debate in the House of Commons, the government had little regard for the concerning portions of the bill. On the first day, Justice Minister Sean Fraser devoted a single paragraph to mandatory metadata retention and offered only process answers to questions about systemic vulnerability risks. On the second day, Secretary of State for Combatting Crime Ruby Sahota described Bill C-22 as “a first step,” and said she would be open to going further. On the third day, Parliamentary Secretary Patricia Lattanzio defended the lowered subscriber information threshold as “higher than the threshold of mere suspicion”, omitting the fact that mere suspicion is not a threshold for search at all.
Momentum against the bill accelerated once hearings began at the Standing Committee on Public Safety and National Security. One police chief told the committee that three years of metadata retention would be “ideal,” confirming that the bill’s one-year plan may be just the starting point. Meanwhile, the government’s Charter Statement ignored the bill’s most constitutionally vulnerable provisions entirely. With concerns mounting, Public Safety offered little other than a social media video defending the bill as one that “respects Canadian privacy and Charter rights.”
The substantive case against Bill C-22 has primarily focused on the impact of a two-headed monster: one head directly affects the privacy of Canadians (mandatory metadata retention) and the other does so indirectly (technical mandates). Before explaining, it is important to emphasize that the reach of the law is broader than commonly understood, since the definition of “electronic service provider” captures any person that provides an electronic service to persons in Canada or carries on business activities in Canada, with “electronic service” defined to cover the creation, recording, storage, processing, or transmission of information by any technological means. In other words, I might be an ESP. ESPs are subject to a general obligation to provide all reasonable assistance for the assessment or testing of any device that may enable authorized access, while “core providers”, who are still to be named by regulation, face the full capability-building regime. However, Section 7 of the bill gives the Minister the power to issue orders to ESPs that impose the same regulatory requirements as those imposed on core providers. In other words, concerns about metadata and technical capabilities may apply to all services.
With that broad scope in mind, the first head of the two-headed monster is the bill’s mandatory metadata retention regime, which would directly affect tens of millions of Canadians. Section 5(2)(d) of the SAAIA authorizes regulations requiring core providers to retain categories of metadata for up to one year. Retained at scale, that data amounts to a comprehensive surveillance map of virtually every Canadian, including where they go, when they go there, and who they communicate with. No individualized suspicion is required. And as noted, while the provision refers specifically to core providers, the bill also gives the Minister the right to issue an order covering metadata for any electronic service provider, encompassing virtually any digital service.
The Court of Justice of the European Union struck down precisely this kind of regime in Digital Rights Ireland and extended that reasoning to mandated private-sector retention in Tele2 Sverige. Germany’s Federal Constitutional Court has reached similar conclusions. Yet despite the obvious privacy implications and Supreme Court of Canada jurisprudence such as Spencer and Bykovets that recognize the informational privacy interests in identifying online activity, the government’s Bill C-22 Charter Statement remarkably says nothing about the regime and there has been no engagement on the international jurisprudence at all.
The second head of the monster is the technical capability mandate in Part 2 of the bill. The full capability-building regime includes developing, implementing, assessing, testing, and maintaining technical capabilities to extract and organize information authorized to be accessed, and installing and maintaining the devices and equipment that enable that access. In practical terms, this is an extensive intercept-infrastructure mandate, with the specific orders cloaked in secrecy provisions prohibiting providers from disclosing their existence. Given the Minister’s ability to extend the requirements to ESPs, this also covers virtually all digital services.
The bill nominally protects against the worst outcome through a systemic vulnerability safeguard, which says that core providers are not required to comply with a regulation if compliance would require the introduction or maintenance of a systemic vulnerability. But the safeguard falls apart on careful reading. First, the term “systemic vulnerability” lacks specificity in the statute, which means the government could define encryption and vulnerability narrowly enough to hollow out the protection. Second, Sections 5(5) and 7(5) state that providers are not required to comply where doing so would result in a systemic vulnerability, but Sections 12 and 13 unconditionally require compliance with orders and provide that orders prevail over inconsistent regulations. The net effect is that providers are stuck with contradictory provisions in a system shrouded in secrecy and which could lead to the weakening of security systems. That is why Signal, Windscribe, NordVPN, Apple, Meta, the Canadian Chamber of Commerce, the Cybersecurity Advisors Network, and the U.S. Congress are raising the alarm.
The best approach to address these risks is to go back to the drawing board on Part 2 of the bill. Committee hearings should be extended to ensure that the long list of expert witnesses, industry voices, and international counterparts who have asked for changes receive a full hearing. Further, real amendments should be on the table that better balance law enforcement needs with Canadians’ privacy rights. Failure to do so will result in some of the world’s most privacy-protective services exiting the market, leaving behind a law that is vulnerable to constitutional challenge with millions of Canadians facing genuine privacy and cybersecurity risks.