The Canadian government is right to pursue lawful access reform under Bill C-22. However, a critical flaw remains in the proposed legislation: it leaves open a backdoor for government access to encrypted data. This door must be closed to protect Canadians' privacy and maintain strong relations with our largest trading partner.
Why Lawful Access Matters
Lawful access allows police and intelligence agencies to use clear, reviewable mechanisms to obtain information they are already legally entitled to seek, but in a more timely manner. It enables confirmation of whether a digital service exists, identification of customers and providers, access to limited subscriber information, and ensures companies can efficiently comply with valid warrants. These powers are essential for Canada's security agencies to function effectively. Without them, Canada cannot credibly ask to be treated as a trusted ally while lagging behind G7 and Five Eyes partners. Moreover, violent crime cannot be addressed solely through bail reform and mandatory minimums, which target foot soldiers rather than the leaders of increasingly state-influenced transnational organized crime.
Allies Expect Safeguards
Canada's allies, particularly the United States, also expect robust safeguards to protect commercial interests. Ottawa must take industry concerns seriously about C-22 providing backdoors to encrypted devices and information. By doing so, Canada will protect national security while strengthening its economic position in upcoming trade negotiations. Companies such as Apple, Meta, NordVPN, and Signal have raised concerns about the legislation's implications for client data privacy and security.
Currently, the bill's text does not live up to the most alarmist concerns, such as warrantless access to digital platforms. However, its key terms are broadly worded, leaving them vulnerable to regulatory amendments that could create such problems. C-22's broad definitions, combined with special ministerial powers, validate these concerns. Recent experience underscores the risks: the Salt Typhoon breach compromised U.S. telecom networks, showing how surveillance infrastructure can become a target for hostile states. In the United Kingdom, a ministerial demand for access to encrypted iCloud data prompted Apple to remove advanced data protection for British users.
Parliament Must Act
Canadian lawmakers must understand that any measures posing a security risk or threatening the competitive advantage of digital giants will draw attention from the White House and legislators on both sides of the congressional aisle. Last month, U.S. House committees on the judiciary and foreign affairs sent a stern warning to Public Safety Minister Gary Anandasangare about the threat posed by Bill C-22. To address these concerns, Parliament must build safeguards directly into the legislation, not leave them to regulation or ministerial discretion. The law should clearly state that no regulation, compliance order, or penalty may require a provider to weaken or prevent the use of end-to-end encryption. This term should be defined as exhaustively as necessary to eliminate any loopholes. It should also declare that ministerial orders cannot override these statutory protections.
