News TechnologyThe estimated reading time is 6 minutes

Apple and Google Push Canada to Add Judicial Brake to Bill C-22

MasonMason Miller
0 Comments

Apple and Google sent their senior policy executives to a Parliament Hill committee room on Tuesday with one ask: write judicial oversight into Canada’s Bill C-22 before Ottawa hands itself the power to issue secret orders that could break the encryption of their software and devices. The two firms, joined in opposition by Meta Platforms, told the House of Commons Standing Committee on Public Safety and National Security that the bill as drafted reads less like a lawful-access tune-up and more like a third pass at a Five Eyes template that has already pulled end-to-end encrypted iCloud features out of the United Kingdom.

Public Safety Minister Gary Anandasangaree’s office rejects that framing, insisting nothing in the legislation compels companies to weaken security. The bill text itself, witnesses argued through May, leaves enough definitional room that ministerial regulations could do exactly that without a judge or Parliament ever signing off.

Inside the Tuesday Hearing on Bill C-22

Erik Neuenschwander, senior director for user privacy and child safety at Apple, and Jeanette Patell, director for government affairs and public policy in Canada for Google, appeared before the committee on May 26. Both pressed members for two amendments: an explicit statutory carve-out for encryption, and judicial sign-off on any order that would compel a service provider to alter how its product handles user data.

Patell’s framing landed first.

Secret orders are out of step with other democratic countries and would severely restrict companies’ ability to be transparent with users about how their data is protected.

That line, delivered to MPs studying clause-by-clause amendments in the coming weeks, named the mechanism tech firms fear most. The bill does not say build a backdoor. It says the Minister of Public Safety may issue notices compelling service providers to provide technical capabilities for lawful access, and it bars those providers from disclosing the existence of such notices.

Conservative MP Frank Caputo, who represents a British Columbia riding, asked Neuenschwander whether Apple would pull its products from Canada if forced to engineer a backdoor. “I can’t speculate what would happen in that situation,” the Apple executive replied, adding that the company hoped positive amendments would still emerge from the engagement. The non-answer was the answer: Apple is keeping the withdrawal option visible without putting it on a date.

Canada Bill C-22 lawful access encryption debate with Apple and Google testimony in Ottawa.
Canada Bill C-22 lawful access encryption debate with Apple and Google testimony in Ottawa.

What Bill C-22 Would Compel

Anandasangaree introduced Bill C-22, formally the Lawful Access Act, 2026, in the House of Commons on March 12. The bill cleared second reading on April 20 and was referred to the Standing Committee on Public Safety and National Security (SECU, the House committee that vets policing and intelligence legislation). Hearings began on May 5. The full clause-by-clause review has not started, meaning the operative text is still open to amendment.

The bill has two parts, and the fight is entirely about Part 2. David T.S. Fraser, a Halifax privacy lawyer with McInnes Cooper who testified before SECU on May 7, told members Part 1 is a defensible update to subscriber-information rules. Part 2 is the problem.

Stripped to its load-bearing provisions, Part 2 would:

  • Require digital service providers, including messaging apps and cloud platforms, to retain communications metadata for up to one year
  • Lower the legal threshold for police to demand subscriber information from “reasonable grounds to believe” to “reasonable grounds to suspect”
  • Authorize the Minister of Public Safety to compel a provider to build a new technical capability allowing law enforcement to access data on its service
  • Prohibit recipients of those orders from publicly disclosing that an order was received or complied with
  • Leave the term “encryption” undefined in statute, deferring the definition to regulations the cabinet can rewrite without returning to Parliament
  • Permit ministerial orders to override the same regulations they rely on, a recursive structure critics call self-rewriting

The bill’s drafters insist a systemic vulnerability safeguard prevents the orders from being used to crack encryption. Witnesses pointed out the safeguard is anchored to a phrase the bill leaves the cabinet free to redefine.

The UK Template Canada Is Copying

Section 253 of the United Kingdom’s Investigatory Powers Act 2016 (IPA, the law that governs surveillance compulsion in Britain) lets the Home Office serve a Technical Capability Notice (TCN, a confidential order compelling a service provider to build or maintain a specific surveillance capacity). Recipients cannot publicly confirm a TCN exists.

In early 2025, the Home Office served Apple with a TCN demanding the company maintain the ability to provide UK authorities access to any iCloud data stored by any Apple user worldwide. The order targeted Advanced Data Protection, Apple’s opt-in end-to-end encryption layer for iCloud Photos, device backups, Notes, and Messages backups.

Apple’s response was operational rather than legal. On February 21, 2025, the company withdrew Advanced Data Protection availability for new users in the UK and began transitioning existing UK users off the feature. iCloud data stored in the UK reverted to standard encryption, meaning Apple itself retains decryption keys and can comply with lawful warrants.

The company then filed a challenge before the Investigatory Powers Tribunal. A hearing was set for March 14, 2025, behind closed doors. By August 2025, after political pressure from Washington, including a joint letter from the US House Judiciary and Foreign Affairs committees, Apple and the Home Office agreed to drop the legal claim and the Tribunal closed the file citing a change in circumstances, language that disclosed nothing about the underlying notice’s status.

The UK experience is the template Patell and Neuenschwander cited when MPs asked what secret orders would look like in practice. A withdrawn product, a sealed tribunal, and a quiet diplomatic exit are now the documented playbook.

Australia Wrote the First Draft in 2018

Canberra got there seven years before London. The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, known across the Five Eyes intelligence partnership as the TOLA Act, gave Australian agencies three tools: voluntary Technical Assistance Requests, mandatory Technical Assistance Notices, and Technical Capability Notices that compel a provider to build a new capability the agency can later activate.

The Australian framework includes a clause forbidding orders that would introduce a systemic weakness or vulnerability. Reviewers concluded the safeguard was largely toothless because the law also lets the Attorney-General define the operative terms. The Independent National Security Legislation Monitor’s 2020 review of TOLA described the protection as almost meaningless without independent oversight, and recommended moving the notice-issuing authority to a statutory office attached to the Administrative Appeals Tribunal. The government did not adopt that recommendation.

Canada’s drafters borrowed both the systemic-vulnerability clause and its definitional flexibility. They did not borrow the modest oversight reforms that Australian reviewers spent two years recommending. Civil-liberties witnesses appearing before SECU have repeatedly walked the committee through the Australian experience as a warning about how the carve-out reads on paper versus how it functions in practice.

Three Lawful-Access Regimes Compared

Bill C-22 sits inside a regional pattern that is now visible at the statutory level. The three Anglo jurisdictions whose policing agencies share intelligence most freely have each built lawful-access regimes around a similar compulsion-plus-secrecy core. Where they diverge is on the role of courts.

Regime Compulsion Power Secrecy Rule Judicial Sign-Off
United Kingdom, IPA 2016 (s.253) Technical Capability Notice issued by the Home Secretary Recipient barred from public confirmation Judicial Commissioner reviews; closed Investigatory Powers Tribunal hears appeals
Australia, TOLA 2018 Technical Capability Notice issued by the Attorney-General Recipient barred from public disclosure No prior court approval; ex post review only
Canada, Bill C-22 (as drafted) Technical capability order issued by the Minister of Public Safety Recipient barred from public disclosure None specified in the current text

The pattern Patell and Neuenschwander are pointing to is the rightmost column. Each successive regime narrows the role of courts. The current Canadian draft contains no equivalent of the Judicial Commissioner role that Westminster wrote into the IPA, and no equivalent of the post-hoc review process Australia eventually layered onto TOLA. That absence is what Apple and Google want fixed, not the existence of compulsion powers themselves.

Where the Amendment Fight Goes Next

SECU has now heard from the Canadian Civil Liberties Association, the Internet Society of Canada, McInnes Cooper’s Fraser, the Center for Democracy and Technology, and the three largest US tech platforms. Two camps are forming inside the committee. Liberals, the bill’s sponsors, want Part 2 reported back largely intact with cosmetic amendments. Conservatives, including Caputo, are signalling support for stronger encryption protections, in part to corner the government on a privacy-friendly position.

The Bloc Québécois holds the swing votes. The party’s public position is that Bill C-22 needs amendments before the Quebec caucus will support reporting it back to the House. If Bloc and Conservative members line up behind an encryption carve-out at clause-by-clause, Anandasangaree will face a choice his UK counterpart never had to make: accept a statutory limit on what the Minister can order, or let the bill stall before third reading.

Meta filed its own position through Rachel Curran, the company’s director of public policy in Canada. Her statement sharpened the technical argument Apple and Google made in person. “The technical community’s consensus on this is clear: it is not possible to build backdoors to encrypted systems for law enforcement without creating vulnerabilities that will be exploited by malicious actors.”

If clause-by-clause produces an encryption carve-out and a judicial-warrant requirement, Canada becomes the first Five Eyes jurisdiction to bend the lawful-access template toward court oversight rather than away from it. If those amendments fail, the Lawful Access Act will arrive at third reading as the cleanest version of the UK and Australian playbook yet written, and the next question becomes whether Apple repeats its UK withdrawal on Canadian soil.

Author

Mason
Mason Miller is a versatile and experienced writer who has been working for Mind Cron. He covers a wide range of topics, from education and pets to religion and technology, with a keen eye for detail and a flair for storytelling. He has a passion for learning new things and sharing his knowledge with his readers. He has been writing articles for over 13 years, and has developed a loyal and engaged audience. He is always looking for new challenges and opportunities to improve his writing skills and expand his horizons. Mason Miller is a valuable asset to Mind Cron and a trusted source of information and entertainment for its readers.
Other Posts
  • Related Articles
  • More from Author

No related posts.

Leave a Reply

Your email address will not be published. Required fields are marked *