On May 8, two US congressional committee chairmen sent a warning letter to Canadian Public Safety Minister Gary Anandasangaree about Bill C-22, Canada’s proposed lawful access legislation.
What happened
The letter came from Jim Jordan, chair of the House Judiciary Committee, and Brian Mast, chair of the House Foreign Affairs Committee. They argued Bill C-22 could expand Canada’s surveillance and data-access powers in ways that create cross-border privacy, cybersecurity, and national-security risks for Americans. The bill would require telecoms, internet companies, and other digital service providers operating in Canada to maintain systems capable of supporting lawful surveillance and monitoring by police services and the Canadian Security Intelligence Service.
Apple and Meta had already raised concerns about the bill, warning it could weaken cybersecurity. The US lawmakers said providers offering encrypted services could face pressure to alter technical systems, creating access points attractive to hackers and foreign adversaries. The article also linked the concern to the Salt Typhoon cyberattack, where hackers allegedly exploited US telecom lawful-intercept infrastructure. Anandasangaree’s office rejected the criticism, saying the bill would not create indiscriminate access or require encryption backdoors.
Going deeper
Bill C-22 is comparable to a mix of US lawful-access laws, rather than one single statute. Its first part would create a narrower court order for subscriber information, such as a name, phone number, address, or email linked to an account, clarify production-order timing, and create a court-authorized way for Canadian law enforcement to request subscriber information or transmission data from foreign service providers during criminal investigations.
Its second part is more controversial because it would create the Supporting Authorized Access to Information Act. The framework requires electronic service providers to maintain technical and operational capabilities so authorized officials can access information under existing Criminal Code or Canadian Security Intelligence Service Act powers.
What was said
The lawmakers wrote in the letter, “Canada's Bill C-22, currently under consideration in Parliament, would drastically expand Canada's surveillance and data access powers in ways that create significant cross-border risks to the security and data privacy of Americans. We write to express our concerns that, if enacted, Bill C-22 would allow Canadian government officials to compel American companies to build backdoors into their encrypted systems, thereby introducing systemic vulnerabilities that could be exploited by hackers, foreign adversaries, and cybercriminals.”
Why it matters
US lawmakers oppose Bill C-22 because they say it could pressure technology companies to weaken encryption, comply with confidential ministerial orders, and create access mechanisms with privacy risks beyond Canada’s borders.
A McGill Law Journal study on law enforcement access to encrypted data captures the concern well, concluding that exceptional access “creates too great a risk of data insecurity” to justify its benefits. For healthcare organizations, the issue is especially serious because encrypted systems protect patient emails, claims data, medical records, login credentials, and vendor communications.
A lawful access tool built into a platform may begin as a government access mechanism, but in a healthcare setting, any weakened security layer can become a new path to protected health information.
FAQs
Why do privacy advocates worry about lawful access laws?
Privacy advocates worry because access powers can expand over time. A law created for serious investigations can raise broader concerns about surveillance, secrecy, data security, and government overreach.
Why is encryption part of the debate?
Encryption protects messages, records, passwords, financial data, and health information from unauthorized access. Any legal requirement forcing companies to alter encrypted systems can create concerns about weaker security for ordinary users.
What is an encryption backdoor?
An encryption backdoor is a built-in access path allowing someone to bypass normal security protections. Governments may view it as a lawful access tool, while cybersecurity experts often view it as a weakness attackers could exploit.
