Canada’s proposed Bill C-22 faces strong resistance over encryption and privacy concerns

Big tech firms, US congressional committees and over 25 civil groups warn that the Act expands surveillance powers, threatening cybersecurity/privacy rights.

Canada’s proposed Bill C-22 is causing ripples of dissent from tech giants arguing the legislation (if enacted) would undermine cybersecurity and threaten user privacy by forcing firms to weaken encryption.

If passed, the Lawful Access Act grants the public safety minister the authority to issue orders compelling service providers to recover data or trace devices, with the intelligence commissioner required to endorse such actions. While providers can contest government directives, they cannot disclose details about the orders.

Current terms in the bill would require technology and telecommunications firms to retain user metadata for up to one year, including location data and complete records of online interactions. The terms also mandate that unspecified “electronic service providers” modify their systems to deliver information to investigators when presented with a warrant.

Critics argue the legislation represents the broadest expansion of government surveillance powers in recent Canadian history. Over 25 civil society groups have signed a letter opposing the bill, citing untenable privacy and cybersecurity risks.

The country’s Public Safety Minister, Gary Anandasangaree, who authored Bill C-22, announced the government will amend the legislation to strengthen encryption protections and clarify metadata definitions. According to him, the amendments will align metadata language with US legislation, and provide clearer definitions of what constitutes encryption.

Big tech spokespersons have warned lawmakers that the bill puts citizens’ security at risk by giving police expanded access to information stored on digital devices, and require corporations to build backdoors into their products, creating vulnerabilities that criminals and foreign adversaries could exploit. Private advocacy groups have also been making their objections heard. Two US congressional committees have sent a letter to Canada’s public safety minister warning that the bill “would drastically expand Canada’s surveillance and data access powers in ways that create significant cross-border risks to the security and data privacy of Americans.”

As the Canadian government faces mounting pressure from technology firms and privacy advocates concerned about potential overreach, it maintains that the bill is “encryption neutral”, insisting that firms are not compelled to weaken encryption or create systemic vulnerabilities.