Bill C-22 Will Make Canadians Less Safe. The Government Knows.

Signal would rather leave Canada than comply with Bill C-22.

That sentence should embarrass the government. Signal is a non-profit messaging app trusted by journalists, lawyers, activists, domestic violence survivors, and ordinary people who want a private conversation. It does not sell data. It has no revenue motive to protect. When Signal says it will exit a country rather than weaken its encryption, it means the country has asked it to do something it considers wrong.

What the bill actually does

Bill C-22, the Lawful Access Act, was introduced by Public Safety Minister Gary Anandasangaree on March 12, 2026. It passed second reading in April and is currently in committee. The government calls it a modernization of Canadian law enforcement tools. Critics call it one of the most significant attacks on privacy rights in Canadian history. The government’s version leaves out the parts that matter.

The bill has two main parts.

Part 1 amends the Criminal Code to lower the evidentiary standard police need to demand subscriber information from telecom providers — from “reasonable grounds to believe” to “reasonable grounds to suspect.” This is not a technicality. “Reasonable grounds to believe” requires a probability that an offence has occurred. “Reasonable grounds to suspect” requires something less: a reasonable suspicion. The Ontario Court of Appeal has held that evidence obtained on grounds to suspect, where grounds to believe were required, must be excluded. Parliament is proposing to build a lower standard into the statute and hope the courts do not notice.

Part 2 is the more dangerous piece. It creates a new statute called the Supporting Authorized Access to Information Act (SAAIA), which:

• Designates classes of electronic service providers — messaging apps, cloud storage, email providers, VPNs, and potentially health platforms and financial services — and requires them to build capabilities enabling government access.
• Requires mandatory retention of metadata for up to one year: dates, times, durations, device identifiers, and location information for every Canadian user, on every covered service, stored continuously, whether or not any investigation exists.
• Empowers the Public Safety Minister to issue secret orders to any electronic service provider, reviewed only by the Intelligence Commissioner — not a judge, not the Privacy Commissioner, not Parliament.
• Prohibits providers from publicly acknowledging these orders exist.

The government insists this is not a backdoor mandate. It insists the bill does not require companies to weaken encryption. It insists judicial oversight remains in place throughout.

Read the bill. The government is wrong on all three counts.

The contradiction they haven’t explained

The bill includes a “systemic vulnerability exemption.” Sections 5(5) and 7(5) state that providers are not required to comply if doing so would introduce a systemic vulnerability — defined as a vulnerability that creates a substantial risk that secure information could be accessed by someone without authority to do so.

Section 12 states that providers must comply with ministerial orders.

The bill does not explain how to resolve this. There is no mechanism for a provider to assert the exemption against a ministerial order, no tribunal to adjudicate the conflict, no judicial pathway. A company that refuses a ministerial order on security grounds is, on the face of the statute, simultaneously exempt and in violation. The government has not answered this question in committee or publicly. The contradiction sits in the legislation.

The Electronic Frontier Foundation put the underlying principle plainly: surveillance of encrypted communications is fundamentally a systemic vulnerability. Building a door for the government builds a door for everyone. You cannot design access that only the authorized parties will find.

We know this is true because we watched it happen in the United States.

The door the US already built

In 2024, a Chinese state hacking group known as Salt Typhoon breached nine major US carriers — AT&T, Verizon, and seven others. They did it by exploiting infrastructure that US law already required those carriers to build. The Communications Assistance for Law Enforcement Act of 1994 (CALEA) mandated that telecommunications companies maintain the technical capability for law enforcement wiretapping. Salt Typhoon walked through the door CALEA built.

The US built mandatory access infrastructure. Foreign state actors used it. Millions of Americans had their communications compromised because their government insisted on a door that it then could not protect.

Canada is proposing to build the same door. The government’s response to the Salt Typhoon comparison has been silence.

A charter problem the government is pretending doesn’t exist

The Supreme Court of Canada established in R v Spencer (2014) that subscriber information attracts a high degree of privacy precisely because it connects a person’s identity to their online activity. In R v Bykovets (2024), the Court extended this reasoning to IP addresses, calling them “the first digital breadcrumb” linking a person to their communications.

These decisions were rendered under the higher standard — reasonable grounds to believe. Bill C-22 proposes to lower that standard for subscriber information access.

Michael Geist, Canada Research Chair in Internet and E-Commerce Law at the University of Ottawa, has reviewed the government’s own Charter statement — the document the Department of Justice is required to file with Parliament to inform debate. His conclusion: the Charter statement is “wilfully blind” to the bill’s most constitutionally vulnerable provisions. The mandatory metadata retention regime, the systemic vulnerability contradiction, the ministerial order powers — none of them receive meaningful Charter analysis in the government’s own filing.

The European Court of Justice has struck down blanket metadata retention three times: in 2014, 2016, and 2020. Each time it found that general, undifferentiated retention is disproportionate and incompatible with fundamental rights. Canada is proposing to build the regime those decisions rejected.

Canada’s own intelligence watchdog, the National Security and Intelligence Review Agency, told committee that C-22’s oversight mechanism is inconsistent with comparable legislation among Canada’s Five Eyes partners. The agency that reviews CSIS’s work said, in public testimony, that it would receive annual reports on ministerial orders that could be up to nineteen months out of date. That is not oversight. That is paperwork.

American politicians are more alarmed than Canadian ones

On May 7, 2026, US Representatives Jim Jordan and Brian Mast sent a joint letter to Minister Anandasangaree warning that C-22 would allow Canadian officials to compel American companies to build back-doors that could be exploited by hackers, foreign adversaries, and criminals.

Two American politicians are more publicly alarmed about Canadian surveillance legislation than most Canadian politicians are.

The companies speaking up — Signal, Apple, Meta, Windscribe — are doing so because they have to. Their users are asking. Their legal teams are watching what the bill requires. But the Canadian government is characterizing their opposition as a “misunderstanding.” It is not a misunderstanding. Apple withdrew its Advanced Data Protection feature entirely from the United Kingdom rather than comply with an equivalent secret notice from the UK Home Office. UK users still do not have access to features Canadians currently take for granted. That is not a misunderstanding. That is a company telling a government what it will not do and following through.

Canadian founders need to say something

Windscribe, a Canadian VPN company, has threatened to leave Canada if the bill passes unchanged. That is one company. It should not be alone.

Canada’s founders, investors, and operators have built companies on the premise that Canadian infrastructure is worth trusting. Bill C-22 changes that premise. A law that allows the Minister of Public Safety to issue a secret order to any electronic service provider — with no warrant, no public disclosure, and a legal contradiction that makes compliance and refusal simultaneously mandatory — is not compatible with building trustworthy software.

Foreign companies are calculating whether Canada is worth the legal exposure. Canadian companies should be asking the same question, and then doing something the foreign companies cannot: speaking to their elected representatives as citizens.

If you run a technology company in Canada — if you have built something on the assumption that your users’ data is theirs — you have standing to say so publicly. The Canadian Civil Liberties Association, the Canadian Constitution Foundation, and Open Media are all running active campaigns. They need names behind them — industry letters, public statements from people who employ Canadians and pay Canadian taxes and have something concrete to lose.

The bill is still in committee. Amendments are still possible.

What local politicians need to hear

Bill C-22 is not an abstract federal concern. The metadata it requires to be retained — location data, device identifiers, the timing and duration of every communication — is the metadata of your constituents. Every person in every riding using a phone, a messaging app, a cloud service, or a VPN will have that data retained for a year whether they are under investigation or not.

The Charter of Rights and Freedoms is not a federal document that only federal politicians protect. Section 8 — the right to be secure against unreasonable search and seizure — is a promise made to every Canadian by every level of government. Local elected officials have a voice in Ottawa and constituents whose data is in this conversation. They have standing to ask their MPs what exactly s. 12 means when it conflicts with ss. 5(5) and 7(5), and what happens to a company that refuses a ministerial order on security grounds.

These are not complicated questions. They require a phone call and a willingness to say: we would like an answer.

What you can do this week

The bill is in committee. This is where amendments happen. After committee, the window closes.

Contact your MP directly through ourcommons.ca. Ask them specifically how the government plans to resolve the conflict between s. 12 and the systemic vulnerability exemption. Do not accept a form letter. The Canadian Constitution Foundation is also running a public petition at theccf.ca/stop-government-spying, and Open Media at openmedia.org is coordinating the broader civil society response and tracking the committee hearings in real time.

If you run a technology company in Canada, a public statement carries weight a petition signature does not. It tells the government this law has economic consequences, not just civil liberties ones. The civil society organizations above need names behind them — founders and operators who employ Canadians and have something concrete to lose if the bill passes unchanged.

Most Canadians have not heard of this bill. The government introduced it in March and it is already past second reading. That is not an accident. Talk to people you know. Public awareness is the only thing that creates political cost for a government that would prefer to move quietly.

The government’s position is that Canadians have nothing to worry about, that judicial oversight remains robust, that encryption will be protected. The bill they filed says otherwise. Ask them to explain the difference. Ask in writing, on the record, with your name attached.

The Charter is worth that much.