A federal fight over phone data, encrypted messages, and cross-border surveillance is moving from privacy circles into the political spotlight. Bill C-22, the Lawful Access Act, is being promoted by Ottawa as a modernization of investigative powers for a world of smartphones, messaging apps, cybercrime, fraud, terrorism, and foreign interference.
Critics see something more dangerous: a legal framework that could require telecoms and digital platforms to preserve more metadata, build technical access capabilities, and make it easier for foreign governments — including the United States — to obtain Canadian communications information. The dispute is not only about criminals or national security targets. It is about whether ordinary Canadians’ digital trails could become easier to collect, retain, and share.
What Bill C-22 Is Really About
Bill C-22 is Ottawa’s latest attempt to update Canada’s “lawful access” rules, the legal framework that allows police and intelligence agencies to obtain information from telecom companies and digital service providers when they have lawful authority. The government argues that older rules were built for a telephone era, while today’s investigations often involve encrypted messaging apps, cloud accounts, IP addresses, burner numbers, social platforms, and data stored outside Canada.
The bill is not limited to traditional phone companies. Its language reaches electronic service providers that offer services to people in Canada or carry on business in Canada. That could include telecom carriers, internet providers, messaging services, cloud platforms, and potentially other digital services depending on future regulations. For critics, that breadth is the first warning sign. A phone number is no longer just a phone number. It can connect to app accounts, device identifiers, location patterns, payment activity, and a person’s broader digital life.
Why Critics Say Phone Data Is the Flashpoint
The phrase “phone data” can sound like call recordings, but the most immediate fight is about metadata: the information around communications rather than the content itself. That can include who contacted whom, when, for how long, from what type of service, and sometimes information connected to devices, identifiers, routing, or transmission records. In daily life, that kind of data can be surprisingly revealing even when no one reads a message.
A person’s metadata can show a late-night call to a crisis line, repeated visits to a medical clinic, contact with a journalist, a union organizer, a lawyer, or a political group. A single record may look minor. A year of records can create a map of someone’s routines, relationships, and vulnerabilities. That is why privacy experts often argue metadata deserves stronger protection than the word suggests. It may not show the words in a conversation, but it can still show the shape of a life.
The One-Year Metadata Retention Concern
One of the most disputed parts of Bill C-22 is the power to require certain “core providers” to retain categories of metadata, including transmission data, for reasonable periods of time not exceeding one year. Critics argue that this changes the privacy equation because data may be stored in advance, including for people who are not suspected of wrongdoing. In their view, retention creates a large pool of sensitive information that can later be searched, requested, breached, or shared.
The bill contains limits. It says metadata-retention regulations would not authorize requirements to retain the content of communications, a person’s web browsing history, or social media activities. Supporters point to those restrictions as evidence that the proposal is targeted. Critics respond that the excluded categories do not solve the core problem. Even without message content or browsing history, communication records can still expose patterns that are deeply personal. The disagreement is really about whether preserving metadata is a modest investigative tool or a form of population-scale surveillance infrastructure.
How the U.S. Access Warning Enters the Debate
The U.S. concern comes from two overlapping issues: Bill C-22’s foreign-data provisions and broader Canada-U.S. negotiations around cross-border law enforcement access to digital information. The bill would amend Canada’s mutual legal assistance framework to allow foreign decisions seeking transmission data or subscriber information held in Canada to be enforced through a Canadian process. A minister could authorize arrangements, and a Canadian judge could make the decision enforceable if the legal criteria are met.
Critics argue that this could become a faster route for foreign governments to obtain Canadian data, especially if paired with a future Canada-U.S. CLOUD Act-style agreement. Citizen Lab researchers have warned that such an agreement could give U.S. law enforcement a more direct path to data held by Canadian providers, potentially bypassing the slower mutual legal assistance process. Ottawa would likely argue that judicial and ministerial safeguards remain in place. The political anxiety is that once the legal pipes are built, pressure from Washington could determine how forcefully they are used.
The CLOUD Act Shadow Over Canada
The U.S. CLOUD Act allows American authorities, under certain conditions, to obtain data held by technology companies, including data stored outside the United States. It also allows the U.S. to enter executive agreements with foreign governments to streamline cross-border requests. Canada has been in discussions over such an arrangement, and privacy researchers argue that Bill C-22 could help align Canadian law with a future bilateral deal.
That matters because Canadian and U.S. privacy standards do not always match. Canadian courts have recognized privacy interests in subscriber information and IP addresses under section 8 of the Charter, which protects against unreasonable search and seizure. Critics worry that a cross-border framework could let U.S. investigators benefit from Canadian-built access systems without equivalent Canadian constitutional safeguards. The practical example is simple: a Canadian phone number, app account, or cloud profile could become easier to pull into a U.S.-led investigation, even when the person affected expects Canadian privacy law to be the controlling standard.
Ottawa’s Argument for the Bill
The government’s case is straightforward: serious crime and national security threats have moved online, while investigative tools have not kept pace. Public Safety Canada says law enforcement and CSIS can already obtain legal authorization to intercept communications or obtain information, but service providers outside traditional voice telephony may not have a corresponding obligation to maintain systems capable of complying. In Ottawa’s view, that gap can slow or derail investigations.
The government also says Part 2 of the bill does not create new authorities to intercept communications or obtain information. Instead, it is framed as a compliance framework that ensures providers can respond when authorities already have legal authorization under the Criminal Code or the CSIS Act. That distinction is central to Ottawa’s defence. The state is saying it is not inventing a new right to spy; it is trying to make existing lawful powers work in a digital environment where evidence may be encrypted, fragmented, offshore, or technically difficult to access.
Why Apple, Meta, Signal, and VPN Firms Are Alarmed
Major technology and privacy-focused companies have pushed back hard. Apple and Meta warned that Bill C-22 could require companies to weaken encryption or build capabilities that undermine secure systems. Signal has reportedly warned it would rather leave Canada than compromise privacy promises to users. VPN providers, including NordVPN, Windscribe, Proton VPN, and ExpressVPN, have also raised concerns because their business models often depend on not logging user activity and protecting encrypted traffic.
The backlash matters because these are not abstract players. Millions of people use encrypted messaging to talk with family, coworkers, doctors, clients, sources, and community groups. Businesses use secure platforms to protect customer files, payment details, and trade secrets. If companies believe Canadian law could force them to redesign products or retain data they otherwise would not keep, the impact could go beyond criminal investigations. It could affect whether some services remain available in Canada, how they are built, and whether users trust them.
The Encryption Backdoor Debate
The bill says providers are not required to comply with a regulation or order if doing so would introduce a “systemic vulnerability” related to an electronic service. The government sees that as a safeguard. Critics say the problem is that governments and technologists may define the risk differently. From a security expert’s view, a special access mechanism built for lawful use can still become a weakness if it is discovered, abused, or repurposed by hackers, insiders, or foreign intelligence agencies.
The fear is not theoretical. U.S. telecom networks were hit by the Salt Typhoon hacking campaign, which raised alarms about the security of lawful-intercept systems. Privacy groups cite that case as evidence that access infrastructure can become an attractive target. Law enforcement argues that investigators need practical ways to obtain evidence with proper authorization. Security critics counter that a secure system cannot be made selectively insecure only for approved users. That tension — lawful access versus universal security — sits at the heart of the Bill C-22 fight.
What Canadian Courts Have Already Said About Digital Privacy
Canadian privacy law has moved strongly toward recognizing that digital identifiers can reveal intimate information. In 2014, the Supreme Court of Canada found that there can be a reasonable expectation of privacy in subscriber information because it can identify a person behind online activity. In 2024, the Court ruled that an IP address can attract a reasonable expectation of privacy because it can be the key to connecting a user to internet activity and identity.
Those rulings matter because Bill C-22 deals with categories of data that may appear basic but can become powerful when combined. A phone number, IP address, account identifier, or transmission record may not look like a diary, but it can point investigators toward a person’s private life. Critics argue that any new system for faster access or broader retention must be measured against that legal history. The government’s Charter Statement acknowledges that several parts of the bill may engage section 8 rights, while arguing that safeguards and legal thresholds can support Charter consistency.
The Real Question: Targeted Investigations or Surveillance Infrastructure?
The central dispute is whether Bill C-22 is a targeted modernization law or the beginning of a broader surveillance architecture. Supporters focus on fraud victims, organized crime, online exploitation, terrorism, cyberattacks, and foreign interference. They argue that investigators need speed and technical cooperation before evidence disappears or harm escalates. For many Canadians, that argument will carry weight because digital crime is no longer rare or abstract.
Critics focus on scale, secrecy, foreign access, and future misuse. They worry that once providers are required to retain metadata, build access capabilities, and keep certain orders confidential, the public may never fully know how far the system reaches. The U.S. angle makes the story even more politically combustible because it connects privacy law with sovereignty. Canadians are not only being asked how much power Ottawa should have over domestic phone and internet data. They are being asked how easily that data should move across the border.
What Happens Next
Bill C-22 is still moving through Parliament, and its most controversial provisions could be amended before final passage. Committee study is where definitions, safeguards, reporting requirements, foreign-access rules, and oversight mechanisms may come under the sharpest scrutiny. The key questions will be whether metadata retention remains in the bill, how “systemic vulnerability” is interpreted, whether companies can meaningfully challenge orders, and how much transparency Canadians will get after the fact.
For now, the warning from critics is not that U.S. agencies already have blanket access to Canadian phone data through Bill C-22. The warning is that Ottawa may be building legal and technical pathways that could make such access easier in the future, especially if paired with a Canada-U.S. data-sharing agreement. The government says the bill is about keeping Canadians safe in a digital world. Opponents say safety built on mass retention, secret access orders, and cross-border pressure may leave Canadians less secure in the long run.
