Canada has introduced Bill C-22, the Lawful Access Act, 2026, a proposed law that would expand how authorities can request and access certain types of digital information during investigations.

👉 Read Bill C-22 (First Reading)

At a high level, the goal is public safety: helping law enforcement respond to serious crime, organized criminal activity, and national security threats in an increasingly digital world.

But as with any law involving digital access powers, the details matter. Bill C-22 has raised significant concerns about privacy, encryption, secure communications, and the future of online trust in Canada.

What Bill C-22 aims to do

Bill C-22, known as the Lawful Access Act, 2026, proposes a framework for how law enforcement and public authorities may obtain access to certain information from service providers.

The bill is intended to modernize investigative tools for a world where communications, identity records, cloud services, and financial activity are increasingly digital.

Areas affected may include:

  • Subscriber and identity-related information
  • Production orders and access requests
  • Service provider obligations
  • Confidentiality requirements around certain requests
  • Digital communications and data-handling systems

Supporters argue that these tools are necessary to investigate serious crime. Critics argue that the bill could give the government too much access to private digital information without strong enough safeguards.

Where privacy concerns begin

The main concern with Bill C-22 is not simply that law enforcement may request information. In some cases, that already happens under existing legal processes.

The concern is whether the bill could lower thresholds, broaden access, increase secrecy, or create pressure on technology providers to weaken the security protections that users rely on.

That includes possible implications for:

  • Email providers
  • Messaging platforms
  • Cloud storage services
  • VPN services
  • Encrypted communications
  • Subscriber identity and metadata

Even when a law does not directly say “break encryption,” broad access powers can still affect how secure services are built, operated, and trusted.

A wider conversation about lawful access

The debate around “lawful access” is not new. Governments around the world have repeatedly argued that police and security agencies need better tools to investigate digital crime.

Privacy and security experts, however, have warned that access mechanisms can create serious risks if they weaken encryption, expand surveillance, or make confidential systems easier to compromise.

Internet Society: Keep Canada Protected campaign

The Internet Society and other critics argue that creating access pathways into private communications can create risks not only from government overreach, but also from cybercriminals, foreign actors, insider abuse, or technical mistakes.

You cannot create a backdoor that only “good actors” can use.

Once an access mechanism exists, the risk is that it can eventually be misused, copied, leaked, exploited, or expanded beyond its original purpose.

Why encryption matters

Encryption is not just a privacy feature. It is a core part of modern digital security.

It protects:

  • Private conversations
  • Business communications
  • Financial transactions
  • Healthcare records
  • Passwords and account data
  • Cloud backups
  • Journalists, lawyers, activists, and vulnerable users

Weakening encryption for one purpose can weaken it for everyone. That is why security experts often oppose laws that require companies to build special access systems into secure products.

Even a carefully designed access process can increase the attack surface. A single vulnerability, insider mistake, or unauthorized use could affect many users at once.

Potential implications of Bill C-22

Expanded access to digital data

Bill C-22 may expand the types of information that can be requested from service providers. Depending on how the law is interpreted and applied, this could increase access to subscriber information, account-related data, or other digital records.

Increased obligations for service providers

Companies may face new requirements to preserve, produce, or assist with access to certain information. For smaller Canadian providers, this could create compliance burdens and legal uncertainty.

Confidentiality and transparency concerns

If providers are restricted from disclosing when certain requests are made, users may have limited ability to know when their information has been accessed or challenged.

Cross-border data risks

Bill C-22 may also interact with international law enforcement cooperation frameworks. That raises questions about how Canadian user data could be accessed across borders and what safeguards would apply.

Encryption and secure systems

The most serious concern is whether the bill could pressure companies to alter secure systems, weaken encryption, retain more data, or create technical access capabilities that would otherwise not exist.

Economic and security implications

Beyond privacy, laws like Bill C-22 can affect trust in Canada’s digital economy.

If users believe Canadian services are less private or less secure, that can affect:

  • Consumer confidence in online services
  • Business adoption of Canadian technology providers
  • International trust in Canadian digital infrastructure
  • Costs related to compliance and cybersecurity
  • The ability of privacy-focused companies to operate in Canada

Canada’s digital economy depends on strong security. Any perception that secure systems may be weakened can have consequences far beyond the original law enforcement purpose.

A global trend

Bill C-22 is part of a broader international debate about privacy, encryption, and state access to digital information.

Countries in the Five Eyes alliance, including Canada, the United States, the United Kingdom, Australia, and New Zealand, have all debated or introduced laws dealing with surveillance, lawful access, online safety, or encrypted communications.

Examples include:

  • The United Kingdom’s Online Safety Act
  • Australia’s Telecommunications and Other Legislation Amendment framework
  • The United States’ foreign intelligence and surveillance laws
  • Canada’s proposed Bill C-22

Each raises the same central question: how should democratic societies balance public safety with privacy, security, and civil liberties?

The challenge: security vs. trust

Governments argue that stronger lawful access powers are necessary to:

  • Combat organized crime
  • Investigate serious offences
  • Respond to national security threats
  • Protect victims and communities

At the same time, critics argue that public safety cannot come at the cost of undermining the secure systems that protect everyone.

Trust cannot exist if people believe their private communications may be accessed through unclear, secretive, or expanding powers.

Clear safeguards, transparency, judicial oversight, narrow scope, and meaningful accountability are essential.

Why this matters to you

Even if you are not directly involved in law enforcement, telecommunications, or compliance, Bill C-22 could shape the digital environment you rely on every day.

It may influence:

  • How securely your email and messages are handled
  • What data companies may be required to retain or share
  • Whether privacy-focused services can continue operating as designed
  • How encryption is treated under Canadian law
  • How much transparency users receive when their data is requested

Thexyz perspective

At Thexyz, we believe:

  • Strong encryption should remain strong
  • Privacy should be preserved by design
  • Security should not depend on secret access mechanisms
  • Transparency is essential for trust
  • Lawful access powers must be narrow, accountable, and subject to meaningful oversight

We support legitimate efforts to combat crime and protect public safety. But those efforts should not weaken the tools that keep people, businesses, and institutions secure.

Final thoughts

Bill C-22 is still moving through the legislative process, and its final impact will depend on the wording that is adopted, how it is interpreted, and how it is enforced.

But the broader conversation is already here:

  • How much access is too much?
  • How do we balance safety with privacy?
  • Should companies ever be required to weaken secure systems?
  • What kind of digital future do Canadians want?

Once surveillance capabilities are introduced, they rarely disappear.

Staying informed, asking questions, and defending strong security protections is more important than ever.