Bill C-22: The Privacy Battle Behind Canada’s New Lawful Access Bill
- Sara Santos-Vigneault
- 13 hours ago
- 7 min read
Written by: Sara Santos-Vigneault
Date: May 25, 2026
Bill C-22, the Lawful Access Act, 2026, has become one of the most controversial technology bills currently before Parliament. The Liberal government says the legislation is necessary because organized crime, child exploitation, terrorism, foreign interference, fraud, and other serious investigations increasingly involve encrypted communications and digital systems. [1][2]
Critics do not necessarily dispute those concerns. The disagreement is whether Bill C-22 is the correct response and whether Canada is moving from updating investigations toward influencing how secure digital systems themselves are designed.
Technology companies, privacy advocates, cybersecurity professionals, opposition politicians, and digital rights groups have raised concerns involving encryption, technical access obligations, metadata retention, economic effects, and the broader impact on Canada’s technology sector. [3][4][5]
The Birth of Bill C-22
Bill C-22 was introduced in the House of Commons on March 12, 2026, by the Minister of Public Safety. The legislation is formally titled the Lawful Access Act, 2026. [1]
The bill contains three major parts. Part 1 amends existing legislation including:
Criminal Code
Canadian Security Intelligence Service Act
Controlled Drugs and Substances Act
Cannabis Act
Mutual Legal Assistance in Criminal Matters Act [6]
These amendments deal primarily with digital information and investigative access.
Part 2 creates the proposed Supporting Authorized Access to Information Act. This section has attracted most of the criticism because it introduces technical capability obligations for certain electronic service providers. [2][6]
Part 3 creates mandatory parliamentary review after implementation. [6]
Legislative Progress and Criticism at Each Stage
First Reading – March 12, 2026
At introduction, the government presented Bill C-22 as modernization legislation designed to keep investigative powers effective in a digital environment. Public Safety Canada argued investigators increasingly encounter technological barriers when attempting to access evidence linked to serious crime. [7]
Criticism emerged quickly.
Privacy organizations questioned whether technical access requirements could indirectly affect encryption systems. Technology companies warned the bill might create pressure to redesign secure infrastructure. [3][8]
Second Reading – April 20, 2026
Bill C-22 passed second reading and moved to the Standing Committee on Public Safety and National Security. [1]
At this stage, opposition broadened.
The discussion expanded from privacy advocacy into the technology sector itself. Secure messaging providers, VPN companies, cybersecurity commentators, and legal analysts began publicly questioning the bill’s scope and possible consequences. [5][8][9]
One question appeared repeatedly:
Canada already has investigative powers. Is another layer necessary?
Committee Stage – Current Position
As of May 17, 2026, Bill C-22 remains before committee. It has not passed Parliament, has not completed Senate review, and has not received Royal Assent. [1] Expected areas of committee examination include:
Encryption protections
Metadata retention
Technical capability obligations
Ministerial powers
Oversight mechanisms
Economic consequences
What the Liberal Government Says
The Liberal government maintains that Bill C-22 is not intended to create unrestricted surveillance.
Public Safety Canada states the bill preserves lawful access where judicial authorization already exists. The government argues that investigators increasingly encounter technological barriers even after warrants or legal authority have been obtained. [2][7]
Public Safety Minister Gary Anandasangaree stated:
“Canada needs laws that are adapted to the technological world we live in, and the way criminals exploit it.” [7]
Justice Minister Sean Fraser stated:
“Criminals are using increasingly sophisticated methods online to threaten public safety.” [7]
The government also rejects claims that Bill C-22 requires encryption backdoors.
Public Safety Canada stated the legislation would not require companies to introduce “systemic vulnerabilities” into encrypted systems. [2]
The Liberal position is therefore relatively clear:
Existing investigative powers remain. Bill C-22 attempts to preserve their effectiveness where technology limits access.
Existing Investigative Powers and the Question of Necessity
Part of the criticism surrounding Bill C-22 comes from the fact that Canadian investigators already possess significant legal tools.
Police and the RCMP already operate under authorities found within the Criminal Code, including production orders, preservation demands, search warrants, tracking authorities, and wiretap provisions. Specialized RCMP units already conduct cybercrime investigations, digital forensic analysis, online evidence collection, and financial investigations. [10][11][12]
Because these mechanisms already exist, critics question whether Bill C-22 represents a necessary expansion or whether more targeted reforms could address technological challenges instead. [8]
Supporters respond differently.
Their position is that legal authority loses effectiveness if encryption prevents access to information already authorized by courts. Opponents answer that the issue changes once legislation affects system architecture itself.
The disagreement therefore becomes:
Canada already has investigative powers. Should government also influence the technical systems supporting those powers?
Companies Warning About Withdrawal, Reduced Operations, or Market Exit
Several technology companies have publicly criticized Bill C-22. 'Not all have threatened to leave Canada.
Signal
Signal issued one of the strongest responses. Signal vice-president Udbhav Tiwari reportedly stated:
“We would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users.” [8] Signal’s concerns focus on encryption integrity and privacy commitments.
NordVPN
NordVPN warned that obligations affecting no log systems or encryption architecture could affect Canadian operations. [5]
The company stated:
“To prevent this, we will consider all viable options, including limiting or, if necessary, removing our presence from Canadian jurisdiction.” [5]
Windscribe
Toronto based VPN company Windscribe also raised concerns. Windscribe reportedly stated:
“We won’t be far behind if C-22 passes.” [9]
Because Windscribe operates from Canada, its position attracted additional attention.
Apple
Apple publicly criticized the legislation. Reuters reported Apple stated:
“This legislation could allow the Canadian government to force companies to break encryption by inserting backdoors into their products, something Apple will never do.” [3]
Apple has not publicly stated it would leave Canada. Its criticism focuses on encryption.
Meta
Meta also opposed aspects of the legislation and reportedly warned about broad powers and limited safeguards. [3] Meta has not announced withdrawal plans or operational reductions.
Why These Companies Matter
The significance is not necessarily the number of companies involved.It is the type of companies involved. Signal, NordVPN, and Windscribe operate directly in:
Encryption
Secure communications
Privacy infrastructure
VPN technology
Cybersecurity services
These are sectors directly connected to lawful access legislation.
Potential Effects on Canada
The discussion surrounding Bill C-22 often focuses on policing and privacy.The economic and technology impacts receive less attention.
At present, no major company has withdrawn from Canada because of Bill C-22. The bill remains before committee and the concerns remain prospective. [1][5][8][9]
Technology Investment and Market Confidence
Canada has spent years presenting itself as a destination for:
Technology development
Cybersecurity growth
Artificial intelligence
Digital innovation
Critics argue that if encryption providers, VPN services, or privacy companies begin reconsidering Canadian operations, broader investment decisions could also be affected.
Companies evaluating Canadian expansion may examine:
Regulatory uncertainty
Compliance costs
Technical obligations
Data retention concerns
Reputation risk
Even uncertainty itself may affect investment decisions.
Privacy and Cybersecurity Services
Several companies speaking publicly operate specifically in privacy and cybersecurity sectors.
If services become limited or operations change, the impact could extend beyond ordinary users.
Secure systems are widely used by:
Journalists
Lawyers and legal professionals
Businesses handling confidential information
Human rights organizations
Researchers
Political actors
Domestic violence support organizations
Whistleblowers
Critics argue that confidence in secure communications becomes especially important for these groups.
Employment and Business Activity
Possible concerns raised include effects on:
Cybersecurity employment
Software development
Privacy compliance work
Technology consulting
Digital infrastructure services
If technical operations move outside Canada, related economic activity may move as well. This issue became more notable because Windscribe itself is Canadian based. [9]
Canada’s International Position
Canada often promotes itself internationally as supporting:
Privacy rights
Rule of law
Innovation
Democratic institutions
Secure digital markets
Critics argue legislation perceived as overly broad could create tension between those goals and lawful access policy.
Supporters disagree.
Their position is that effective investigations and public safety are also essential components of democratic systems.
The disagreement therefore is not whether public safety matters. It is whether stronger access requirements can exist without weakening privacy protections.
Bill C-22 Is Not Canada’s First Lawful Access Debate
Bill C-22 did not appear in isolation. Canada has debated lawful access legislation for more than a decade. One of the most significant earlier examples was Bill C-30, introduced in 2012 under the title Protecting Children from Internet Predators Act. [13]
Bill C-30 proposed expanded access mechanisms involving telecommunications providers and subscriber information. The bill generated major public opposition. Critics argued it granted excessive access powers and raised privacy concerns.
Then Public Safety Minister Vic Toews became widely associated with criticism after comments that opponents could stand “with us or with the child pornographers.” The remark attracted significant public backlash. [14]
Bill C-30 was later abandoned.
Although Bill C-22 differs structurally, many commentators see similarities. Michael Geist and other observers have argued that Canada repeatedly returns to lawful access debates as technology evolves. [8]
Supporters respond that modern encryption and digital crime environments are substantially different from those discussed in 2012. The historical comparison remains debated. What is clear is that Canada has returned to this issue repeatedly. Bill C-22 represents the newest version of a discussion that has existed for years.
Opposition Parties and Public Criticism
Conservative MPs have criticized Bill C-22 as potentially excessive and have raised concerns regarding surveillance expansion. [5]
The Bloc Québécois participated in second reading debate and questioned safeguards and proportionality. [1]
Outside Parliament, criticism has come from:
Privacy organizations
Cybersecurity professionals
Technology companies
Digital rights advocates
Encryption specialists
Not all criticism is identical. Some argue the bill requires stronger protections. Others question whether the legislation is necessary at all.
Why the Balance Is Controversial
The controversy surrounding Bill C-22 is not whether police investigations should exist. Those powers already exist.
The disagreement is whether existing tools have become ineffective because of encryption and whether technical access obligations create larger risks.
Supporters argue serious crime increasingly depends on encrypted systems.
Opponents argue strong encryption protects journalists, lawyers, businesses, domestic violence survivors, researchers, whistleblowers, and ordinary citizens.
Bill C-22 sits directly between those positions.
The Liberal government frames the legislation as modernization. Critics increasingly describe it as infrastructure level access. The debate therefore extends beyond warrants and investigations. It becomes a discussion about digital privacy architecture itself.
Bill C-22 remains before committee and has not become law. The legislation continues to move through Parliament while debate grows around privacy, encryption, policing powers, and Canada’s future role in the technology sector.
References
[1] Parliament of Canada, LEGISinfo, Bill C-22.
[2] Public Safety Canada, Backgrounder: Supporting Authorized Access to Information Act.
[3] Reuters, “Apple, Meta warn Canadian bill could force them to weaken encryption,” May 2026.
[4] Department of Justice Canada, Charter Statement for Bill C-22.
[5] Global News, NordVPN response to Bill C-22.
[6] Parliament of Canada, Bill C-22 First Reading Text.
[7] Public Safety Canada, News Release, March 12, 2026.
[8] Michael Geist, Bill C-22 analysis.
[9] TechRadar, Windscribe response.
[10] Criminal Code, RSC 1985, c C-46.
[11] RCMP Technical Investigative Services.
[12] RCMP National Cybercrime Coordination Unit.
[13] Parliament of Canada, Bill C-30, Protecting Children from Internet Predators Act.
[14] CBC News, coverage of Bill C-30 lawful access debate.