By: Ulrike Bahr-Gedalia | juillet 6, 2026

Canada Needs Digital Safety Laws That Don’t Undermine Digital Security

Canadians should expect two things from their government in the digital age: protection from crime and protection of their privacy. Achieving both may not be easy — but it is essential. That is why Bill C-22 matters. 

Canadians are already facing record levels of cyber fraud, scams, ransomware attacks, and data breaches. Any policy that weakens digital security — even unintentionally — increases the risks facing ordinary users, particularly seniors, children, and small businesses that may lack the resources to recover from cyber incidents. 

The federal government’s objective of equipping law enforcement with modern tools to address crime in an increasingly digital world is commendable, but good intentions alone are not enough. If poorly designed, digital surveillance legislation can unintentionally weaken the very systems Canadians rely on every day to protect their personal information, financial transactions, businesses, and critical infrastructure. 

Strong encryption is not a luxury feature for tech companies. It is the backbone of modern cybersecurity and a cornerstone of Canada’s economic resilience and national security. Weakening it — even in pursuit of legitimate public safety goals — would create risks far beyond the scope of any single investigation. 

One of the most significant issues with Bill C-22 lies in its technical assistance provisions. While recent amendments prevent the government from compelling providers to break encryption applied by users themselves, the bill still permits compelled decryption where a provider manages the encryption and holds the keys. For Canadians who rely on provider-managed services for banking, healthcare, and everyday communications, that gap matters — it could expose widely used encryption systems to government-access requirements. In practice, that could mean introducing government-access mechanisms or surveillance capabilities into systems designed to be secure. 

The challenge is that vulnerabilities created “just for law enforcement” rarely remain exclusive. Once a weakness exists, malicious actors — whether criminal organizations, hostile states, or hackers — will inevitably attempt to exploit it. The result is not targeted insecurity for criminals, but broader insecurity for everyone. 

The bill does include protections against introducing a “systemic vulnerability,” which is defined as a security weakness serious enough to put all users at risk. However, how “credible risk” is interpreted by courts will determine whether this safeguard protects Canadians in practice. 

Parliament should close that gap by making clear that no technical assistance order can require forced decryption capabilities or measures that weaken encryption standards. 

Bill C-22 also creates authority for mandatory metadata retention of up to six months, with a requirement that each type of metadata be “essential” for investigations before retention can be mandated. Even with these limits, the framework still permits retention obligations that apply broadly to individuals not suspected of wrongdoing, and mandatory data storage would increase privacy risks and create attractive targets for cyberattacks and data breaches. 

A more balanced approach would preserve data only when tied to a specific investigation, under reasonable suspicion standards and judicial oversight. 

Another troubling aspect of the bill is that it continues to leave the designation of “core providers” to future regulations rather than specifying them directly in legislation. Recent amendments appear to have narrowed certain regulatory powers and limited Cabinet’s ability to alter key statutory definitions after enactment, but significant discretion remains over determining which classes of electronic service providers fall within the regime.  

Transparency is equally important. Bill C-22’s proposed non-disclosure provisions risk becoming a default secrecy regime, preventing companies from even disclosing aggregate information about government demands. Public trust in digital services depends on accountability, and secrecy should remain the exception — not the rule. 

Perhaps most importantly, the legislation currently places too much burden on providers themselves to identify and challenge problematic orders. The bill lacks clear timelines, procedures, and liability protections for companies contesting demands that could compromise security. That legal uncertainty discourages legitimate challenges and weakens one of the bill’s few meaningful safeguards. 

Canada does not need to choose between public safety and digital security. It can — and must — achieve both.

The solution is not to abandon modernization efforts, but to continue narrowing and clarifying them. Parliament should ensure the decryption safeguard cannot be circumvented, narrow secrecy provisions, and establish clear legal protections and oversight mechanisms. 

Government should also continue engaging collaboratively with industry, cybersecurity experts, legal scholars, and civil society organizations. The technologies at stake underpin virtually every aspect of modern Canadian life. Laws affecting them must be carefully designed, technically informed, and transparent enough to maintain public trust. 

Canadians deserve digital safety laws that make them safer — not less secure.

Ulrike Bahr-Gedalia is TECHNATION’s Executive Vice President of Public Policy with over 25 years of experience in the private, public, non-profit, and academic sectors. In her role, Ulrike leads member and government engagement on public policy and legislative issues such as AI, sovereignty, privacy, cybersecurity, and IT procurement modernization.

Prior to joining TECHNATION, Ulrike held executive roles including with Toronto Metropolitan University’s Diversity Institute and the Women Entrepreneurship Knowledge Hub, the Canadian Chamber of Commerce, Digital Nova Scotia, and the Nova Scotia Government, where her work spanned federal tech policy, digital transformation, technology adoption, and inclusive innovation.