By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Fri, Jul 10
All Things Geek — Tech News, Reviews & Buying Guides
  • AI
  • Audio/Video
  • Computing
  • Gaming
  • Living
  • Mobile
  • Software
subscribe
All Things Geek — Tech News, Reviews & Buying GuidesAll Things Geek — Tech News, Reviews & Buying Guides
Font ResizerAa

Search

Subscribe

More from BuzzVibe

  • AI
  • Audio/Video
  • Computing
  • Gaming
  • Living
  • Mobile
  • Software

Latest Stories

Amazon sneaker sale slashes up to 50% off top running brands
Amazon sneaker sale slashes up to 50% off top running brands
AI memory chip shortage threatens automotive and medical sectors
AI memory chip shortage threatens automotive and medical sectors
Summer Game Fest 2026: Live updates on reveals and world premieres
Summer Game Fest 2026: Live updates on reveals and world premieres
Seagate FireCuda X Vault Review: Storage Beast for Creators
Seagate FireCuda X Vault Review: Storage Beast for Creators
Louis Vuitton sues casino over trademark infringement dispute
Louis Vuitton sues casino over trademark infringement dispute

Socials

Home > Software & Security > Cybersecurity > Bill C-22 amendments signal Canada’s encryption backlash
CybersecuritySoftware & Security

Bill C-22 amendments signal Canada’s encryption backlash

Craig Nash
By
Craig Nash
ByCraig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.
Last updated: 28/05/2026
Share
9 Min Read
Bill C-22 amendments signal Canada's encryption backlash
SHARE

Bill C-22 encryption metadata rules are facing a dramatic shift after the Canadian government promised amendments in response to fierce opposition from tech companies, privacy advocates, and VPN providers. The Supporting Authorized Access to Information Act, formally known as Bill C-22, was designed as a lawful access compliance framework for electronic service providers, but its encryption and metadata provisions have ignited a firestorm of criticism that forced Ottawa’s hand.

Key Takeaways

  • Canada’s government pledged to amend Bill C-22 after massive backlash over encryption and metadata retention rules.
  • The bill requires designated core providers to develop technical capabilities for law enforcement and CSIS access to legally authorized information.
  • Metadata retention would be limited to one year and exclude content, web-browsing history, and social media activity.
  • Critics warn the bill’s scope could expand beyond core providers through ministerial orders approved by the Intelligence Commissioner.
  • The government insists Bill C-22 does not create new interception authorities, only compliance mechanisms for existing legal powers.

What Bill C-22 Actually Requires

The core of the controversy centers on what Bill C-22 demands from electronic service providers. The bill targets designated core providers—companies that create, store, process, transmit, receive, or make digital information available—requiring them to develop and maintain technical capabilities so law enforcement and the Canadian Security Intelligence Service can obtain information they are legally authorized to access. This is not a new power grab, according to the government: Part 2 of Bill C-22 does not create new interception authorities for law enforcement or CSIS. Instead, it establishes a framework to help providers comply with existing legal orders under the Criminal Code and the Canadian Security Intelligence Service Act.

The metadata retention rules have drawn particular fire. Bill C-22 allows regulations requiring retention of prescribed metadata—transmission data such as date, time, duration, type of communication, device identifiers, and location-related information—for up to one year. Critically, the bill explicitly excludes content, web-browsing history, and social media activity from mandatory retention. Yet critics like Michael Geist argue that the bill contemplates extending metadata-retention requirements beyond core providers to any electronic service provider by ministerial order, subject to approval by the Intelligence Commissioner. That expansion mechanism is where privacy advocates see the real danger.

Why Tech Companies and Privacy Advocates Are Alarmed

The backlash reveals a fundamental tension between law enforcement access and encryption integrity. Tech firms and security researchers worry that Bill C-22’s technical capability requirements could force providers to weaken encryption or install backdoors. Tailscale, a VPN and networking company, warned that the bill’s definition of electronic service providers is broad enough to cover services that create, store, process, transmit, receive, or make digital information available, including services provided to people in Canada or by companies doing business there. This expansive scope means the bill could theoretically pull in smaller tech firms and international services operating in Canada.

Related News

Seagate FireCuda X Vault Review: Storage Beast for Creators
Seagate FireCuda X Vault Review: Storage Beast for Creators
05/06/2026
Norton VPN 55% Off: $49.99 for 12 Months Explained
Norton VPN 55% Off: $49.99 for 12 Months Explained
05/06/2026
Instagram Plus Pricing Sparks User Backlash Over Paid Features
Instagram Plus Pricing Sparks User Backlash Over Paid Features
05/06/2026

Tailscale’s analysis flagged another concern: the bill could require core providers to develop, assess, test, and maintain technical capabilities for government access and could also require them to install, use, operate, or maintain equipment enabling access. Privacy advocates argue this language is vague enough to justify encryption weakening, even though the government backgrounder insists the framework is meant to respect rights and freedoms. The threat of ministerial-order expansion—allowing the government to bring any provider under these rules with Intelligence Commissioner approval—adds another layer of unease. Unlike Bill C-2, an earlier version that was scrapped for requiring warrantless information demands, Bill C-22 improved by requiring judicial oversight for subscriber information access. But critics say that is not enough.

The Government’s Oversight Safeguards and Their Limits

Ottawa has built several oversight mechanisms into Bill C-22, though their effectiveness remains contested. Ministerial Orders extending the framework to additional providers must be approved by the Intelligence Commissioner before issuance. The bill also requires a mandatory annual report from the Minister of Public Safety, with a public version made available within 60 days, and a parliamentary review three years after coming into force. Monetary penalties for contraventions are also included. Additionally, internal audit reports and information obtained during inspections are confidential and cannot be released without authorization.

Related News

Digital squatting threatens 94% of businesses—here's how to fight back
Digital squatting threatens 94% of businesses—here’s how to fight back
05/06/2026
HTTP/2 Bomb DoS attack crashes servers in seconds
HTTP/2 Bomb DoS attack crashes servers in seconds
04/06/2026
NSA warns of automatic tank gauging system attacks
NSA warns of automatic tank gauging system attacks
04/06/2026

These safeguards sound robust on paper, but privacy advocates question whether they are sufficient. The Intelligence Commissioner’s approval requirement does add an independent check, yet the Commissioner is a specialized office without the same public visibility as courts. A three-year parliamentary review is a long interval in tech terms—by then, the bill’s impact on encryption standards and metadata practices could already be entrenched. The annual reporting requirement is welcome, but a 60-day lag before public disclosure means government actions are already implemented before the public sees what occurred.

What Comes Next for Bill C-22

The government’s vow to amend Bill C-22 suggests negotiations are underway, though the specific changes remain unclear. Tech companies and privacy groups have put forward concrete recommendations: Tailscale called for amendments to protect encryption, narrowly define scope, limit metadata retention, allow transparency reporting, protect vulnerability disclosure, and add independent oversight plus sunset clauses. These proposals hint at where compromise might emerge. A narrower definition of core providers, explicit encryption-protection language, and sunset clauses requiring periodic reauthorization could soften opposition without gutting the bill’s law enforcement access goals.

The comparison with Bill C-2 is instructive. When the earlier version failed due to its warrantless information-demand power, the government revised its approach and reintroduced the concept with judicial safeguards. Bill C-22 follows a similar pattern: a broad lawful-access framework softened by oversight mechanisms. But the pattern also suggests the government is determined to pass some version of this bill—the amendments are likely to be refinements, not a wholesale rejection of the metadata and technical-capability requirements.

Does Bill C-22 create new surveillance powers?

No. The government backgrounder explicitly states that Part 2 of Bill C-22 does not create new interception authorities for law enforcement or CSIS. Instead, it establishes a compliance framework to help providers assist with existing legal orders. The controversy is not about new powers but about how providers must implement access to information law enforcement is already legally authorized to obtain.

Related News

Supernatural VR Workout App Returns Without Meta in Charge
Supernatural VR Workout App Returns Without Meta in Charge
04/06/2026
Google Gemini Android notification hijacking poses serious smart home risk
Google Gemini Android notification hijacking poses serious smart home risk
04/06/2026
Microsoft Edge kills master password for Windows Hello auth
Microsoft Edge kills master password for Windows Hello auth
04/06/2026

What metadata can the government require providers to retain under Bill C-22?

Bill C-22 allows regulations requiring retention of prescribed metadata for up to one year, including transmission data such as date, time, duration, type of communication, device identifiers, and location-related information. Content, web-browsing history, and social media activity are explicitly excluded from mandatory retention.

Can Bill C-22 be extended to all electronic service providers?

Yes, through ministerial order. The bill contemplates extending metadata-retention requirements beyond core providers to any electronic service provider by ministerial order, subject to approval by the Intelligence Commissioner. This expansion mechanism is a key concern for privacy advocates who worry about scope creep.

The Canadian government’s decision to amend Bill C-22 reflects a genuine collision between legitimate law enforcement needs and legitimate privacy concerns. The bill is not a secret surveillance power grab, nor is it a harmless compliance framework—it sits in contested middle ground where reasonable people disagree about where the line between security and privacy should be drawn. The amendments will determine whether Canada finds a workable balance or simply delays the same fight for another round.

Edited by the All Things Geek team.

Source: TechRadar

More in Cybersecurity

  • Windows 11 KB5079391 update pulled over installation errors
  • iOS 26.4 Brings 13 New iPhone Features Worth Installing Now
  • VPN partnerships with Internews expand digital safety for journalists
  • WireGuard exit-IP fingerprinting exposes VPN anonymity gap
  • Microsoft Dynamics 365 Human Resources: Power Without the Price Justification
TAGGED:bill c-22canadian privacy lawencryption policylawful accessmetadata retention
Share This Article
Facebook Bluesky Copy Link Print
ByCraig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.
Previous Article Apple MacBook Air M4 hits record low at Amazon during sale Apple MacBook Air M4 hits record low at Amazon during sale
Next Article Human-First AI in Retail: Empower Staff, Don't Replace Them Human-First AI in Retail: Empower Staff, Don’t Replace Them

What's Hot

Cyberpunk 2077 DLC Is Dead — What CD Projekt Red Does Next

Cyberpunk 2077 DLC Is Dead — What CD Projekt Red Does Next

Windows 11 High Refresh Rate Support Is the OS Unlock Gaming Needs

Windows 11 High Refresh Rate Support Is the OS Unlock Gaming Needs

Nothing Headphone (a) Promises Five Days of Battery at a Budget Price

Nothing Headphone (a) Promises Five Days of Battery at a Budget Price

Amazon Spring Deal Days 2026: Best Home and Garden Discounts

Amazon Spring Deal Days 2026: Best Home and Garden Discounts

Samsung Mobile Faces Loss Risk as Memory Costs Spiral — AI-generated illustration

Samsung Mobile Faces Loss Risk as Memory Costs Spiral

Categories

- Advertisement -
Ad image
All Things Geek — Tech News, Reviews & Buying Guides

All Things Geek

  • AI
  • Audio/Video
  • Computing
  • Gaming
  • Living
  • Mobile
  • Software

Subscribe Newsletter

Subscribe to our newsletter to get our newest articles instantly!
[mc4wp_form]