Canada’s Bill C-22 is drawing U.S. attention as lawmakers and tech companies warn its lawful-access powers could affect privacy and security across the border.
A Canadian security bill meant to help police and intelligence agencies obtain digital evidence is becoming a cross-border flashpoint, drawing objections from U.S. lawmakers and major technology companies over privacy, encryption and access to user data.
Bill C-22, the Liberal government’s second attempt at lawful-access legislation, would require telecommunications, internet and social media companies to adjust their systems so police and the Canadian Security Intelligence Service can more easily access data during investigations when they have a warrant. The bill would also require core providers to keep metadata for up to one year.
The fight now extends beyond the domestic debate over police powers and privacy. Late last week, two Republican committee chairs in the U.S. Congress — Jim Jordan of the judiciary committee and Brian Mast of the foreign affairs committee — wrote to Public Safety Minister Gary Anandasangaree urging changes to the bill. They argued it would expand Canadian surveillance and data-access powers in ways that could affect Americans’ privacy and security.
“American companies operating in Canada would face a difficult choice: compromising the security of their entire user base — including U.S. citizens — or risking exclusion from the Canadian market,” the lawmakers wrote.
The concern is focused on Part 2 of the bill. Critics, including University of Ottawa internet law professor Michael Geist, argue the metadata-retention requirement could create a detailed map of people’s online activity and a valuable target for hackers or hostile actors. Companies affected by the legislation have warned that compliance could force them to weaken security protections or create back doors.
Some technology firms have already signalled how seriously they view the issue. Signal has said it would leave Canada if required to comply with the bill. Apple has suggested it could withdraw some privacy services if the legislation passes unchanged. Meta, the parent company of Facebook, Instagram and WhatsApp, has warned the bill could undermine encryption, though its Canadian public policy director Rachel Curran said the company hopes amendments can address its concerns.
Ottawa disputes the industry’s interpretation. Anandasangaree has said the bill does not require companies to weaken encryption or create systemic vulnerabilities, and that safeguards are built into the legislation. Speaking Wednesday, he said tech companies are “misinterpreting” the bill and suggested the government needs to better explain its protections to Canadians and others watching the debate.
Police leaders and child-protection advocates are pressing the opposite case. Ontario Provincial Police Commissioner Thomas Carrique, who also leads the Canadian Association of Chiefs of Police, said investigators often cannot obtain court-authorized digital evidence from service providers. The Winnipeg-based Canadian Centre for Child Protection, whose technology has issued 141 million takedown notices for child sexual abuse material since 2017, argues delays carry risks for children and other Canadians.
The bill is now joining a broader list of Canada-U.S. irritants involving digital policy, trade and technology regulation. The next test is whether the government’s promised explanations — or possible amendments — can ease concerns from privacy advocates, police, tech companies and U.S. lawmakers before the legislation advances further.
Comments (0)