Meta urges Canada to amend Bill C-22 over encryption and surveillance concerns

Meta is urging the Canadian government to amend Bill C-22 to remove provisions that could force technology companies to build third-party surveillance capabilities into their systems.

The company’s executives testified at a parliamentary hearing on Thursday, May 7, the day after Apple issued a public statement opposing the same provisions.

Meta’s position separates Part 1 of the bill from Part 2. The company said Part 1 “will provide law enforcement with an effective legal framework to obtain critical evidence” and “protect public safety.”

Part 2, which lets the Public Safety Minister secretly order tech companies and telecoms to integrate surveillance capabilities into their systems, “could have a significant negative impact on Canadians’ privacy and cybersecurity.”

What Part 2 actually does

Part 2 of Bill C-22, formally the Supporting Authorized Access to Information Act (SAAIA), lets the Public Safety Minister order “core providers” to retain metadata for up to one year.

The retained data covers transmission information, device identifiers, routing details, and location records. The bill excludes the content of communications, web browsing history, and social media activity.

Privacy experts, including University of Ottawa law professor Michael Geist, argue metadata alone can be enough to reconstruct a person’s movements, relationships, and communications patterns over extended periods.

The provisions Meta wants amended also let the Minister expand retention obligations beyond telecoms to “any electronic service provider” through ministerial orders.

That language could potentially capture cloud platforms, encrypted messaging services, and crypto infrastructure providers, depending on how regulations define the term.

Apple’s parallel opposition signals broader industry pushback

Apple issued a statement to CBC News on May 6, the day before Meta’s hearing testimony.

“This legislation could allow the Canadian government to force companies to break encryption by inserting backdoors into their products, something we will never do,” Apple said.

The company indicated it could pull products from Canada rather than comply, mirroring its February 2025 withdrawal of Advanced Data Protection from the UK.

As Cryptopolitan reported in October 2025, the UK Home Office issued Apple a second technical capability notice seeking access to encrypted iCloud data after the initial product withdrawal. The Canadian bill could trigger the same dynamic.

The Canadian government rejects the backdoor framing. Public Safety Minister Gary Anandasangaree’s spokesperson, Simon Lafortune, told CBC the legislation “does not compel companies to weaken encryption or create systemic vulnerabilities” and that the bill is consistent with the Charter of Rights and Freedoms.

The precedent both Apple and Meta are pointing at

In late 2024, Chinese state hackers known as Salt Typhoon exploited the CALEA-mandated lawful intercept systems that US telecoms are required to maintain.

The intrusion compromised wiretap infrastructure at nine major carriers, including AT&T, Verizon, and T-Mobile, exposing metadata for over a million users plus active law enforcement surveillance targets.

Critics, including Geist, have flagged Salt Typhoon as the precedent Canada should study before mandating similar infrastructure for Canadian providers.

Bill C-22 is the Liberal government’s third attempt at lawful access in under a year. Bill C-2 was abandoned and split, with border measures advancing as Bill C-12 and the lawful-access provisions returning in revised form as Bill C-22 on March 12, 2026.

Anandasangaree has said he is open to reviewing opposition amendments.

The bill’s progress through Parliament will determine how Canada balances lawful-access powers with the encryption protections both Meta and Apple are now publicly defending.