Canada's Proposed "Lawful Access Act" Would Force Tech Firms to Store User Data for Government Surveillance

Canada's Bill C-22 would force tech companies to store user data for a year, allowing government access and effectively ending encryption, risking privacy and cybersecurity.

Canada's parliament is considering Bill C-22, the "Lawful Access Act," which would require telecommunications companies, internet providers, and social media platforms to store users' data for up to a year so the government can access it with judicial authorization. According to a commentary published June 3, 2026 by Americans for Tax Reform, the bill had its first reading on March 12 after being proposed by the country's governing left-wing Liberal Party, which gained a parliamentary majority last month. The report warns that C-22 represents a major threat to digital privacy and would effectively eliminate Canadians' ability to use end-to-end encryption.

Part 2 of the bill would require digital service providers to store a wide range of user data for up to one year, including location information, health data, browsing history, and communications. The language covers a broad spectrum of companies—from internet service providers to VPNs—requiring them to retain information they otherwise wouldn't have. The report notes that C-22 is an even more intrusive version of last year's failed Bill C-2, the "Strong Borders Act," which would have allowed Canadian police and security agencies to violate users' privacy by installing eavesdropping mechanisms. C-2 was abandoned after backlash from hundreds of civil society organizations.

The report draws parallels to the United Kingdom's "Investigatory Powers Act" implemented in 2024, which allowed similar intrusions into digital privacy and has corresponded with a crackdown on freedom of expression online, including multiple instances of police arresting British residents for controversial online statements. Several large tech firms, including Meta and Proton, have warned of C-22's detrimental consequences. Apple was already forced to cease its Advanced Data Protection with end-to-end encryption when the UK adopted their IPA law that ordered tech firms to create a "back door" to access user data. A similar law in India saw the exodus of VPN services in 2022.

The report argues that requiring companies to store data and build government backdoors creates easier targets for hackers who wish to obtain private information. It highlights the 2024 incident when the Chinese hacking group Salt Typhoon infiltrated American internet service providers AT&T, Lumen Technologies, and Verizon by exploiting a path these companies had set up intended only for law enforcement. The authors warn that Canada's tech sector could wither with the end of certain services or the complete exit of firms like Signal and Nord VPN if the government forces companies to circumvent encryption, which would weaken the country's cybersecurity.

Given the security risks and surveys showing surveillance powers in C-22 to be widely unpopular, the report concludes that the Liberals should either withdraw the bill or radically alter it to be truly beneficial to Canadian cybersecurity while respecting digital privacy. Until then, C-22 is nothing more than government overreach that threatens both personal privacy and national security.