This article originally appeared in the National Post.
By Peter Copeland and Jamie Tronnes, June 2, 2026
The Canadian government is right to pursue lawful access reform under Bill C-22. But a key mistake remains in the proposed legislation: it leaves open a backdoor for government to access encrypted data. That door must be closed in order to protect Canadians’ privacy, as well as our relationship with our largest trading partner.
Lawful access allows police and intelligence agencies to use clear, reviewable mechanisms to obtain information that they are already legally entitled to seek, but to do so in a more timely manner. It means being able to confirm whether a digital service exists, identify the customer and provider, obtain limited subscriber information and ensure companies can efficiently comply with valid warrants.
It’s essential for Canada’s security agencies to have these powers. We cannot credibly ask to be treated as a trusted ally while lagging behind our G7 and Five Eyes partners. Nor will violent crime be blunted solely through bail reform and mandatory minimums — measures that target the foot soldiers of increasingly state-influenced transnational organized crime, not those who are actually in charge.
But Canada’s allies — particularly the United States — also expect us to have the necessary safeguards in place to protect commercial interests. That’s why Ottawa must take industry concerns seriously about C-22 providing backdoors to encrypted devices and information. In doing so, we’ll be protecting our national security, while strengthening our economic position by gaining leverage in upcoming trade negotiations.
Apple, Meta,NordVPN and Signal have all raised concerns about what the legislation means for their clients’ data privacy and security.
At present, the text of the bill does not live up to some of the more alarmist concerns that its opponents have raised, such as warrantless access to digital platforms. However, the bill’s key terms are broadly worded, leaving them vulnerable to regulatory amendments that could create such problems. C-22’s broad definitions, coupled with its special ministerial powers, validate these concerns.
As does recent experience. The Salt Typhoon breach, which compromised U.S. telecom networks, shows how surveillance infrastructure can become a target for hostile states. And in the United Kingdom, a ministerial demand for access to encrypted iCloud data prompted Apple to remove its advanced data protection for British users.
Canadian lawmakers must understand that any measures that pose a security risk or threaten the competitive advantage of digital giants will land on the White House’s radar, and draw attention from legislators on both sides of the congressional aisle. Indeed, last month the U.S. House committees on the judiciary and foreign affairs sent a stern warning to Public Safety Minister Gary Anandasangare about the threat posed by Bill C-22.
To address these concerns, Parliament must build safeguards directly into the legislation, not leave them to regulation or ministerial discretion. The law should clearly state that no regulation, compliance order or penalty may require a provider to weaken, or prevent, the use of end-to-end encryption — a term that should be defined as exhaustively as necessary to eliminate any loopholes. It should also declare that ministerial orders cannot override these statutory protections.
The same precision is needed on metadata retention — the legal requirement for digital service providers to store data related to a user’s communications and provide it to security agencies in some instances. Law enforcement is interested in seeking location and transmission — not content — based metadata to help identify persons of interest. This practice does not necessarily break encryption or require the retention of communications content but, if drafted broadly, could force firms to create state-accessible data linkages that their systems were designed to avoid for privacy and commercial purposes.
Some industry and privacy concerns have been overstated. For example, police can already seek judicial authorization for on-device investigative tools that can access encrypted data from a user’s device, rather than forcing providers to break encryption or build a separate backdoor.
What’s more, many technology firms already collect substantial metadata about users for purposes like billing, fraud prevention and advertising. The commercialization of user data is central to the business models of many large platforms, all of which require user agreements in line with privacy laws.
Parliament may conclude — as other countries with lawful access regimes, like Australia, have — that industry must retain and facilitate access to some metadata for public safety and national security purposes. But at present, the bill is overly broad, requiring the retention of transmission data and subscriber information without sufficient precision. The government should minimize and specify those requirements.
Canada has significant gaps in its public safety and national security architecture. Lawful access is a major piece of that puzzle, but greater precision in the legislation is needed to ensure we don’t create a bigger vulnerability in the process.
Peter Copeland is deputy director of domestic policy at the Macdonald-Laurier Institute.
Jamie Tronnes is executive director of the Center for North American Prosperity and Security.
