Canada’s Bill C-22, also known as The Lawful Access Act, reintroduces contentious digital surveillance measures after last year’s failed Bill C-2. The bill mandates the retention of user metadata for a full year, expands data sharing with foreign governments, and grants authorities power to compel tech companies to create backdoors to encrypted services.
- Requires one-year metadata retention by digital services
- Forces creation of government backdoors into encrypted systems
- Expands cross-border data sharing, including with the US
What happened
Canada has introduced Bill C-22, dubbed The Lawful Access Act, which closely mirrors last year’s rejected Bill C-2 that faced strong opposition due to privacy concerns. The legislation requires telecom companies, messaging platforms, and other digital services to retain comprehensive metadata about users’ communications for at least one year. This includes information on who users communicate with, their locations, and timing details.
The bill also broadens provisions for sharing this information with foreign governments like the United States, and grants the Minister of Public Safety authority to compel companies to build backdoors that allow government agencies law enforcement access to encrypted communications. Companies are prohibited from disclosing these orders publicly, and vague definitions in the bill create ambiguity about what constitutes a systemic vulnerability or encryption, potentially undermining strong privacy safeguards.
Why it matters
Privacy advocates warn that forcing broad and indefinite metadata retention dramatically increases risks of data breaches by incentivizing attackers to target this trove of sensitive information stored by companies. The creation of government-mandated backdoors into encrypted services is particularly controversial, as it fundamentally weakens security protections and creates systemic vulnerabilities threatening all users’ privacy and safety.
Major technology companies including Meta and Apple have voiced concerns that Bill C-22 could force them to implement invasive surveillance features that compromise user privacy. US legislative committees have also expressed apprehension over the bill’s potential to undermine encryption. Similar backdoor requirements in other countries have already led to companies disabling strong privacy features to avoid legal conflicts, ultimately harming users’ digital security.
What to watch next
The Canadian government’s approach to balancing security and privacy will remain under scrutiny as Bill C-22 moves forward. Monitoring the bill’s progress through parliamentary stages and the extent to which privacy concerns influence amendments will be critical. Watch for responses from tech companies and civil society groups advocating for stronger privacy protections and transparency standards.
International attention will also continue as cross-border data sharing agreements involving the US and other allies come into focus. The debate around encryption backdoors is likely to intensify, with potential implications for global encryption standards and user rights. Stakeholders should be prepared for ongoing challenges to digital privacy and increased calls for robust safeguards to prevent systemic vulnerabilities.