Canada’s proposed online safety law, Bill C-22, has sparked pushback from Apple, Google, Alphabet and Signal, which warn it could weaken digital security and user privacy. Introduced by Mark Carney’s Liberal government, the bill would expand law enforcement access to digital communications during cybercrime and national security investigations.
At the centre of the debate is encryption. While Canadian authorities say the bill is needed to investigate serious threats and remains “encryption neutral,” tech firms argue it could effectively force companies to create backdoors into secure systems. They are pushing for judicial oversight and stronger safeguards for encryption.
The bill would require ‘core’ telecommunications and digital service providers to build technical capabilities enabling law enforcement agencies to obtain access to information. It would also mandate the retention of user metadata for up to one year.
One of the most contentious provisions concerns ministerial powers. Under Bill C-22, the federal government could issue orders to companies requiring compliance measures without prior judicial approval. Technology firms argue this creates the possibility of secret orders to build a backdoor into their services or devices without disclosing that backdoor to users or the public.
Jeanette Patell, Google Canada’s director of government affairs and public policy, told the House of Commons public safety committee that the proposed powers “could give the government the power to secretly force companies to redesign products, to include invasive surveillance capabilities, and to do so without sufficient safeguards or oversight”.
She added that “ministerial orders are not only alarming, but also unnecessary”, arguing Canada already possesses a transparent court-supervised system for lawful access requests.
Apple and Google maintain that no secure method exists to create access points solely for governments while preventing exploitation by malicious actors. “Speaking as an engineer, we do not know of a way to deploy encryption technology that provides access only for the good guys without creating new ways for the bad guys to break in,” Apple’s senior director of user privacy and child safety, Erik Neuenschwander, told MPs. “In other words, when you build a backdoor into an encrypted device, anyone can walk through.”
Neuenschwander pointed to the 2024 Salt Typhoon cyberattack on US government systems, which allegedly exploited lawful access infrastructure. “That law was narrower than Bill C-22,” he warned. “So imagine what could happen if more companies were required to create these vulnerabilities.” Google similarly warned that the legislation “goes well beyond lawful access regimes in other G7 democracies” and risks undermining user trust and privacy protections.
Signal has warned it may leave Canada over Bill C-22, saying it would rather exit than weaken user privacy protections. Apple took a similar step in the UK last year, removing some encrypted cloud backup features instead of altering its security.
Canada’s bill echoes similar laws in Australia and the UK. The issue has also drawn concern in the US, where lawmakers warned it could expand surveillance powers and create privacy risks. The debate reflects a wider global challenge between national security needs and protecting encrypted communications.
