News Analysis

Bill C-22 Lawful Access: U.S. Tech Giants and Congress Push Back as Canada Weighs Year-Long Metadata Retention — What Users and Businesses Should Do Now

Apple, Meta, Signal, and a joint letter from two U.S. House committees have raised major concerns about Canada's Bill C-22, which would require telecoms and digital platforms to retain metadata for up to one year and could grant the Public Safety Minister secret powers to compel design changes. Here's our expert guide for households, small businesses, and IT teams on what's actually in the bill, what to do now, and what to watch.

By Refdesk Team

What This Means for You

A federal bill, Bill C-22 (An Act respecting lawful access), is moving through Parliament right now, and it has triggered the first significant Canada–U.S. tech policy fight of the Carney government. In the past week alone, the chairs of two U.S. House committees sent a joint letter warning that the bill could weaken North American cyber-defences; Signal has said it would withdraw from the Canadian market rather than comply; Apple and Meta have raised public concerns; and Canada's Public Safety Minister, Gary Anandasangaree, has accused U.S. tech companies of "misinterpreting" the proposal.

If you are a Canadian who uses encrypted messaging (Signal, WhatsApp, iMessage, Telegram), runs a small business that handles sensitive client data, manages IT for any organization with users in Canada, or simply cares about how long your phone's metadata is retained, this is the most consequential digital-privacy bill currently before Parliament. The bill is not yet law. It is in committee. The decisions you make over the next 30 to 60 days about your tools, your backups, and your data hygiene matter — both because the bill could change shape in committee and because well-designed personal data hygiene is good practice regardless of how this particular fight ends.

The single most important thing to understand: even if you have "nothing to hide," metadata about your communications, location, and online activity describes your life in extraordinary detail — who you talk to, where you go, when, for how long, in what pattern. Year-long mandatory retention of that data at the carrier and platform level changes the default privacy floor for every Canadian, not just people under investigation. That is why this bill matters even to people who have never been the subject of a warrant.

If You're a Canadian Consumer or Household

Immediate moves (this week):

  • Audit which messaging apps you actually use, and consolidate. If your group chats are split across iMessage, WhatsApp, Signal, Telegram, Discord, and Instagram DMs, you are leaking metadata everywhere — and any of these services may or may not be available, or may operate under different terms, depending on how Bill C-22 ends up. Pick one or two primaries. Signal remains the strongest end-to-end-encrypted, non-profit, no-metadata default — and if Signal does follow through on its threat to leave Canada, you'll want time to migrate your contacts elsewhere.
  • Enable disappearing messages where the conversation doesn't need to be permanent. Signal, WhatsApp, iMessage, and Telegram all support automatic message deletion after a set time. Even if a service is later required to hand over historical data, what you've already deleted from your own devices is gone. Default to 30 days for non-business conversations.
  • Check your phone backup settings. Many iPhone users have iCloud Backup turned on, which by default uploads a copy of your iMessages to Apple's servers that is not end-to-end encrypted (Apple holds the keys) unless you've enabled Advanced Data Protection (Settings → [Your Name] → iCloud → Advanced Data Protection). Many Android users sync message backups to Google Drive in a form that is accessible to Google. End-to-end encryption is only meaningful if your backup is also end-to-end encrypted.
  • Set up two-factor authentication on every account you care about. Use an authenticator app (Authy, Aegis, 1Password) — not SMS, which can be intercepted via SIM swap. This is not specifically a C-22 response, but the privacy-anxious moment is the right moment to do the security basics you've been putting off.

What to prepare for as the debate continues:

  • Possible withdrawal of certain services from the Canadian market. Signal has publicly threatened to leave Canada if the bill passes in its current form. Windscribe (a Canadian-headquartered VPN) has said it would relocate its headquarters out of Canada. NordVPN has said it is "considering" doing the same. If you rely on any of these for personal or business privacy, identify a backup that is based in a jurisdiction with strong privacy protections (Switzerland, the Netherlands, Iceland, Germany).
  • Plan for a longer "data trail." If Bill C-22 passes with the one-year metadata retention requirement, your wireless carrier, your ISP, and many of the platforms you use will be storing more information about you for longer than they do today. Reduce the surface: turn off ad-personalization on iOS and Android, decline app tracking, use a private browser (Firefox, Brave, or Safari with cross-site tracking blocked) instead of Chrome for general browsing, and consider a privacy-respecting search engine (DuckDuckGo, Brave Search, Kagi).
  • If you're a journalist, lawyer, doctor, social worker, or anyone with a professional duty of confidentiality, the practical implications are sharper. Talk to your professional regulator about its position on platform choice and encryption. Many regulators have already issued guidance that you should not be using consumer SMS for client communications. C-22 makes that guidance more urgent, not less.

Example scenario: A Toronto household with two adults and two teenagers, currently using iMessage, WhatsApp, Instagram DMs, and Signal in different contexts. A reasonable response to the current Bill C-22 debate: (1) consolidate household communication to Signal with disappearing messages set to 30 days, (2) turn on Advanced Data Protection for iCloud, (3) move the password manager from "saved in browser" to a dedicated password manager (1Password, Bitwarden), and (4) set a calendar reminder to revisit the situation when the bill clears or fails committee. Total time investment: about three hours over a weekend.

If You Run a Small or Medium Business

Bill C-22 would impose real operational obligations on what the bill calls "core providers" — broadly, telecoms and large internet companies — but the second-order effects on Canadian SMEs are significant.

Immediate moves:

  • Inventory the third-party tools that hold your customer data. Your CRM, your email marketing platform, your appointment-booking system, your file-storage provider (Dropbox, Google Drive, OneDrive), your accounting software, and your e-commerce platform are all places where your customers' personally identifying information lives. If your providers are subject to either C-22 (because they have Canadian operations) or to a foreign equivalent that would require disclosure under a cross-border request, you have legal exposure under PIPEDA (the federal Personal Information Protection and Electronic Documents Act) and possibly Quebec's Law 25.
  • Update your privacy notice. Many SME privacy notices were last written in 2018 for GDPR alignment and have not been touched since. Update yours to (a) accurately describe what data you collect, (b) name the third-party processors that hold it, (c) note that data may be retained by core providers under Canadian law for periods specified by federal legislation, and (d) describe what a customer should do if they want their data deleted from your systems.
  • Talk to your IT provider or MSP about end-to-end encryption for client deliverables. If you transmit any sensitive client material — legal drafts, medical reports, financial statements, real-estate transactions — you should be using an encrypted file-transfer tool (Tresorit, Proton Drive, SwissTransfer, encrypted PDF + out-of-band password) rather than email attachments. If you don't have an MSP, your accountant or law firm probably has a recommendation.

What to plan for:

  • Higher compliance costs from your telecom and SaaS vendors. If C-22 passes as drafted, large carriers and platforms will pass on the cost of metadata retention, system redesign, and lawful-access tooling. The pass-through to small business in past similar regulatory waves (CRTC consumer-protection rules, PCI-DSS, PIPEDA breach reporting) has been in the range of 3–8% on affected services within 18 months of implementation. Build a small buffer into your 2027 IT budget.
  • A possible "Canadian-only" tier from some vendors. Some U.S. vendors may decide to offer Canadian customers a separate product or refuse to sell certain features in Canada. This already happens with some privacy and security tools. Diversify so that the loss of any one vendor does not stop your business operations.

If You Manage IT for a Canadian Organization

You are already three to six months behind where you should be on this. The work to do now:

  • Document your encryption posture. Which services do you use end-to-end encryption for? Where is data at rest encrypted vs. plaintext? Which keys are held by you vs. by the vendor? You will be asked this by your board, your auditor, and possibly your regulator in 2026–27.
  • Read the bill yourself; don't rely on summaries. The Department of Justice technical paper for Bill C-22 is published at justice.gc.ca and runs about 60 pages including charter analysis. The provisions that matter most to a CISO or IT director are in Part 2 (operational requirements for providers) and the ministerial-order regime.
  • Decide whether to engage on the consultation. The Canadian Chamber of Commerce has filed a public submission. CIPPIC (the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa) has filed a submission. The Canadian Civil Liberties Association has filed a submission. If your organization has a view, the open committee process at the House of Commons Standing Committee on Public Safety and National Security (SECU) is the place to file it.

For All Canadians

There are two macro trends worth holding in mind:

  • This is not a fringe debate. When Apple, Meta, Signal, the Canadian Chamber of Commerce, the Canadian Civil Liberties Association, the Electronic Frontier Foundation, and two committees of the United States Congress all raise the same concern about the same bill, that is a strong signal that the bill as drafted has real technical problems — even if you support stronger investigative tools for police and CSIS.
  • The Canada–U.S. relationship is in the background of everything. The Carney government is currently negotiating a number of cross-border files at once: tariffs, defence procurement, energy, pipeline timelines. Letters from U.S. House committee chairs about a Canadian domestic privacy bill are not just a privacy story — they are a diplomatic story. Expect the bill to be modified in committee rather than passed in its initial form. That doesn't mean it goes away.

The News: What Happened

According to The Globe and Mail and CBC News, two committees of the U.S. House of Representatives — the Judiciary Committee, chaired by Representative Jim Jordan, and the Foreign Affairs Committee, chaired by Representative Brian Mast — sent a joint letter on May 8, 2026 to the Government of Canada warning that Bill C-22 could "weaken both countries' collective defences against hackers" and create "significant cross-border risks" to American security and privacy. As reported by The Globe and Mail, the letter raised specific concerns that the bill could compel American companies to "create backdoors and architectural changes that bypass or weaken encryption."

According to the Department of Justice technical paper, Bill C-22 — formally titled An Act respecting lawful access — was tabled in Parliament on March 12, 2026, after a previous effort under Bill C-2 was withdrawn following heavy public criticism. As reported by the Electronic Frontier Foundation (EFF), the bill would require telecommunications providers, internet companies, and social-media services to retain metadata for up to one year, including data that, according to the EFF, could "reveal a lot about who you communicate with, where you go, and when you do so."

The Globe and Mail reports that Part 2 of the bill would require core providers to adapt their systems so that police and the Canadian Security Intelligence Service (CSIS) can more easily access data when investigators have a warrant. According to the EFF analysis, the Minister of Public Safety would gain the power to "demand companies create a backdoor to their services to provide law enforcement access to data, as long as these mandates don't introduce a 'systemic vulnerability.'" The EFF further notes that the bill would bar companies from publicly revealing the existence of such ministerial orders.

According to CBC News, Public Safety Minister Gary Anandasangaree has rejected the characterization of the bill as a backdoor mandate. His spokesperson Simon Lafortune, quoted by The Globe and Mail, stated the bill "does not require companies to weaken encryption" and does not allow "indiscriminate access to devices or communications." Anandasangaree, according to CBC News, has accused U.S. tech companies of "misinterpreting" the proposal.

As reported by The Globe and Mail and the technical analysis by Michael Geist (Canada Research Chair in Internet and E-commerce Law at the University of Ottawa), Signal has said it will pull out of the Canadian market rather than comply with the bill; Windscribe (a Canadian-headquartered VPN) has said it would relocate its headquarters outside Canada; and NordVPN has said it would consider doing the same. According to The Globe and Mail, Apple and Meta have publicly raised concerns about the bill's effect on encryption and cybersecurity. The Canadian Chamber of Commerce, as reported by The Globe and Mail, has warned the bill could "threaten encryption" and "deter investment." The Canadian Civil Liberties Association, according to the EFF, has released a formal statement of opposition.

The bill is currently before the House of Commons Standing Committee on Public Safety and National Security.

Analysis: Why This Matters

Based on our analysis of how previous Canadian lawful-access proposals have moved through Parliament — from the original C-30 in 2012 (which was abandoned after public backlash), to Bill C-2 in 2025 (withdrawn at committee), to the current Bill C-22 — the pattern is clear: every iteration of this idea has been narrower than the last, and every iteration has still drawn substantial expert opposition. The disagreement is not really about whether police should have lawful-access tools (almost no one disputes that); it is about whether mandatory architectural changes to encrypted services can be made without weakening security for everyone.

Cryptographers have been almost unanimous on this point for more than a decade: there is no technical way to provide a backdoor for "lawful" access that cannot also be used by adversaries. That technical reality is why the U.S. House letter, the EFF analysis, the Canadian Chamber of Commerce filing, and Signal's threat to exit all converge on the same conclusion despite their very different starting points. Minister Anandasangaree's response — that the bill does not require companies to weaken encryption — depends on the definition of "systemic vulnerability" in the bill being narrow and well-policed. The EFF's reading is that the definition is sufficiently vague to give the government considerable latitude. Whether the committee tightens that language will be the most important amendment to watch.

There is also a meaningful business-climate angle that has not received enough public attention. If multiple privacy-focused companies relocate out of Canada in 2026–27 in response to C-22, that affects not only consumer choice but also the federal government's stated economic agenda of building out a Canadian tech sector. The Carney government cannot easily argue that Canada is open to global tech investment while passing a regulatory framework that the most security-focused tech companies in the world publicly refuse to comply with.

Historical Context

This is the third major attempt by Canadian governments — Conservative, Liberal, and now Liberal again — to modernize lawful-access powers. The 2012 Conservative bill collapsed after then-Public Safety Minister Vic Toews suggested critics could "stand with us or with the child pornographers." The 2025 Liberal Bill C-2 collapsed at committee under expert opposition. Bill C-22 is a more narrowly drafted attempt that responds to specific 2025 criticisms — but, as the EFF puts it, is "a repackaged version of last year's surveillance nightmare." The pattern suggests the bill will pass in heavily amended form, fail at committee again, or pass with provisions that are later struck down by the courts.

What Happens Next

Realistic short-term timeline:

  • Summer 2026: SECU committee hearings continue; expert and industry testimony; amendments tabled
  • Fall 2026: Committee report and any amended bill returns to the House for third reading
  • Late 2026 / Early 2027: Senate review; possible additional amendments
  • 2027: Royal Assent (in some amended form) or withdrawal
  • 2027–28: If the bill passes, first ministerial orders issued; first court challenges filed under the Canadian Charter of Rights and Freedoms (section 8, search and seizure; section 2(b), expression)

Watch for: (1) whether the committee adopts an amendment requiring independent judicial — not just intelligence commissioner — review of ministerial orders; (2) whether the metadata retention period is reduced from one year to something shorter; (3) whether Signal, Apple, or Meta formally make a market-exit decision; and (4) whether the federal government's responses to U.S. Congressional concerns become entangled in broader Canada–U.S. negotiations.

Your Action Plan

Immediate (This Week):

  • Consolidate household communications to one or two encrypted messaging apps (Signal recommended)
  • Enable disappearing messages (30 days is a sensible default)
  • Turn on Apple Advanced Data Protection or equivalent for your iCloud/Google backups
  • Enable two-factor authentication with an authenticator app on every account
  • If you run a business, list every third-party tool that holds customer data

Short-term (This Month):

  • Switch to a privacy-respecting browser (Firefox, Brave, or Safari) for general browsing
  • Move from browser-saved passwords to a dedicated password manager (1Password, Bitwarden)
  • If you handle confidential professional communications, adopt an encrypted file-transfer tool
  • Update your business privacy notice to reflect current PIPEDA and Law 25 expectations
  • Read the Department of Justice technical paper for Bill C-22 yourself

Long-term (This Year):

  • Build a small IT-cost buffer into your 2027 business budget for compliance pass-through
  • Diversify away from single-vendor dependence on privacy and security tools
  • Follow SECU committee hearings on Bill C-22 (parlVU.parl.gc.ca)
  • If you have a professional stake, consider filing a submission to the committee
  • Reassess your encryption posture quarterly

Other Perspectives

Government View (Public Safety Minister Anandasangaree):

According to The Globe and Mail, the Minister's spokesperson Simon Lafortune stated that Bill C-22 "does not require companies to weaken encryption" and does not allow "indiscriminate access to devices or communications." CBC News reports that the Minister has accused U.S. tech companies of "misinterpreting" the bill.

U.S. Congressional View:

According to The Globe and Mail and the House Judiciary Committee's published statement, Representatives Jim Jordan and Brian Mast wrote that if enacted, Bill C-22 "would allow Canadian government officials to compel American companies to build backdoors into their encrypted systems, thereby introducing systemic vulnerabilities that could be exploited by hackers, foreign adversaries, and cybercriminals."

Civil Liberties View:

According to the Electronic Frontier Foundation analysis, "surveillance of encrypted communications is fundamentally a systemic vulnerability," meaning the bill's safeguard against "systemic vulnerabilities" is self-contradictory. The Canadian Civil Liberties Association has filed formal opposition.

Industry View:

According to The Globe and Mail, the Canadian Chamber of Commerce has warned the bill could threaten encryption and deter investment. Signal has publicly said it would leave the Canadian market; Windscribe has said it would relocate headquarters; NordVPN has said it would consider doing the same. Apple and Meta have publicly raised concerns.

University of Ottawa law professor Michael Geist has written extensively about the bill, characterizing it as the "Lawful Access Two-Headed Surveillance Monster" and arguing that the proposal's structure has gone "off the rails." Geist's testimony to the SECU committee is part of the public record.

Note: Including multiple perspectives doesn't imply all views are equally valid, but ensures readers can make informed judgments.


Corrections Policy

We strive for accuracy. If you find an error in this analysis, please email us at [email protected]. We will promptly investigate and correct any factual inaccuracies.

Updates:

  • No corrections to date (as of 2026-05-17)

Sources