Centre Block - Parliament Hill by Saffron Blaze is licensed under CC Attribution-Share Alike 3.0 Unported

Even though Canada withdrew its Digital Services Tax last year, it continues to add other digital trade barriers, causing it to rise to the top half of most restrictive countries on the Trade Barrier Index. Canada imposed the Online News Act and Streaming Act, a thorn in the side of U.S.- Canada trade relations, it now plans to impose the Bill C-22 Lawful Access Act that would require digital service suppliers to spy for the government.

The bill had its first reading in the Canadian parliament on March 12 after being proposed by the country’s governing left-wing Liberal Party, which gained a majority in parliament last month. Policy experts Philip Thompson from the Tholos Foundation, Josh Tabish from Chamber of Progress, and David Clement from Consumer Choice Center discussed encroaching threats to Canada’s digital freedom, like C-22, at the Canada Strong and Free Network panel on May 7.

The bill would gut digital privacy by compelling telecommunication companies, internet providers, and social media platforms to store users’ data for up to a year so the government may access it with judicial authorization. C-22 is an even more intrusive version of last year’s failed Bill C-2, the “Strong Borders Act,” which would have allowed Canadian police and security agencies to violate users’ privacy by installing eavesdropping mechanisms. C-2 was rightfully discarded after backlash from hundreds of civil society organizations and those who wish to be left alone by the government. That bill’s successor, C-22, should face the same fate.

Despite statements from the Department of Public Safety, C-22 would also effectively take away Canadians’ ability to use end-to-end encryption, which provides privacy by scrambling data sent from one device and unscrambling it only on the recipient’s device. Specifically, Part 2 of the bill would require digital service providers to store user data for up to one year, including location, health information, browsing history, and communications. The language of the bill encapsulates a broad range of firms, from internet service providers to VPNs, requiring them to store information they other wise would not have.

This proposal follows the United Kingdom’s recent implementation of the “Investigatory Powers Act” (IPA) in 2024, which allowed for similar intrusions into digital privacy. Even though this bill alone severely undermines personal privacy, those on the fence should remember to where such legislation has led in places like Britain. It should not be surprising that the IPA has corresponded with a crackdown on freedom of expression online, with multiple instances of the police targeting and even arresting British residents for making controversial (though nevertheless included under free speech) statements online.

Proponents of such legislation again argued that it was necessary for national security even at the expense of liberty. What they overlook is how the government would create easier targets for bad actors who wish to obtain private information by requiring digital service providers to store data.

Several large tech firms, such as Meta and Proton have warned of C-22’s detrimental consequences. These companies understand that users care deeply about their privacy, vowing to oppose any legislation that puts personal data at risk. Apple was already forced to cease its Advanced Data Protection that included end to end encryption when the UK adopted their IPA law that ordered tech firms to create a “back door” to access user data. A similar law that took effect in India saw the exodus of VPN services in 2022. The government’s intrusion into digital security could also cause Canada’s tech sector to wither with the end of certain services or the complete exit of firms like Signal and Nord VPN.

The dangers of building a back door were highlighted in 2024 when the Chinese hacking group Salt Typhoon infiltrated American internet service providers AT&T, Lumen Technologies, and Verizon. The hackers took advantage of a path set up by these companies intended only for law enforcement. Unfortunately, Canada’s Liberals ignore this example. If Canada’s ruling party forces tech companies to circumvent encryption, it will weaken the country’s cybersecurity.

Given the security risks and surveys showing surveillance powers in C-22 to be widely unpopular, the Liberals should either withdraw this bill or radically alter it so as to be truly beneficial to Canadian cybersecurity while respecting digital privacy. Until then, C-22 is nothing more than government overreach.