Bill C-22 and the Encryption Debate: Why Privacy Advocates Are Raising Alarm Bells

As Canada continues to debate the future of digital privacy and lawful access legislation, concerns surrounding Bill C-22 are rapidly intensifying. In a recent article, Canadian internet law expert Michael Geist warns that the federal government may be repeating mistakes made during the rollout of the Online News Act (Bill C-18), where early warnings from industry experts and technology companies were largely dismissed until serious consequences followed.

For businesses, consumers, and organizations responsible for safeguarding sensitive information, the debate around encryption, metadata retention, and digital surveillance is more than political theatre. It is fundamentally about trust, cybersecurity, and data protection.

What Is Bill C-22?

Bill C-22 is Canada’s proposed lawful access legislation designed to provide law enforcement and security agencies with expanded tools to access digital communications and subscriber information during investigations.

According to critics, however, several provisions within the bill could weaken encryption standards and create cybersecurity vulnerabilities that affect every Canadian internet user.

Major technology companies and privacy advocates have publicly expressed concern, including:

  • Signal
  • Apple
  • Meta
  • Canadian Chamber of Commerce

Signal reportedly stated it would rather leave the Canadian market than compromise its end-to-end encryption protections. Apple similarly warned that the legislation could potentially force companies to create backdoors into secure systems.

Why Encryption Matters for Privacy and Security

Encryption is one of the most important safeguards protecting personal, corporate, financial, and healthcare information from cybercriminals and unauthorized access.

When governments propose legislation that could weaken encryption systems, cybersecurity experts often warn about unintended consequences:

  • Increased vulnerability to hacking and ransomware
  • Greater exposure of sensitive personal data
  • Risks to confidential business communications
  • Reduced public trust in digital platforms
  • Potential international trade and cross-border data concerns

Michael Geist argues that government officials have repeatedly characterized critics as “misunderstanding” the bill, despite warnings coming from technology companies, cybersecurity professionals, legal experts, and even members of the U.S. Congress.

Echoes of the Online News Act

One of the central themes of Geist’s article is that the government appears to be following a familiar pattern seen during the debate over the Online News Act (Bill C-18).

At that time, major platforms warned that the legislation would result in news content being blocked in Canada. Government officials publicly downplayed those concerns until companies like Meta ultimately removed Canadian news links from their platforms.

Geist suggests the same “it won’t happen” messaging is now unfolding around Bill C-22 and encryption concerns.

Metadata Retention Raises Additional Concerns

Beyond encryption, privacy advocates are also alarmed by metadata retention provisions within Bill C-22.

Metadata can include:

  • Who communicated with whom
  • When communications occurred
  • Device identifiers
  • Location data
  • Duration and frequency of communications

While metadata may not include message content itself, experts warn that long-term retention of this information can create highly detailed digital profiles of individuals and organizations.

Critics argue that mandatory metadata retention could dramatically expand surveillance capabilities while simultaneously increasing the amount of sensitive information available to hackers in the event of a breach.

Why This Matters to Businesses

For organizations handling confidential customer records, employee information, financial documents, or legal files, cybersecurity and privacy compliance are critical operational responsibilities.

At Norfolk Shredding, protecting sensitive information goes beyond physical document destruction. Modern information security requires businesses to think holistically about how data is stored, transmitted, retained, and ultimately destroyed.

Whether discussing digital encryption standards or secure paper shredding practices, the underlying principle remains the same:

Protecting sensitive information protects businesses, customers, and communities.

The Growing Importance of Data Security

As cyber threats continue to evolve, businesses must remain proactive about information governance and privacy protection.

Key best practices include:

  • Secure destruction of physical documents
  • Strong digital encryption practices
  • Limited data retention policies
  • Employee cybersecurity training
  • Proper disposal of electronic devices and storage media
  • Working with trusted privacy and security partners

Legislation like Bill C-22 demonstrates how rapidly the privacy landscape can change, and why organizations must stay informed about emerging cybersecurity risks and regulatory developments.

Protect Your Business Information with Norfolk Shredding

Whether your business needs secure document destruction, scheduled shredding services, or support with protecting confidential records, Norfolk Shredding is committed to helping organizations safeguard sensitive information while supporting environmentally responsible recycling initiatives.

To learn more about secure document destruction services, contact Norfolk Shredding today at 1-855-561-1716.


References

Geist, Michael. “Bill C-22’s Groundhog Day: Why the Government’s Dismissal of Signal, Apple and the U.S. Congress Concerns Runs Back the Disastrous Online News Act Playbook.” Michael Geist Blog Article. Published May 14, 2026.

Additional context and related analysis by Michael Geist:

  • “The Lawful Access Two-Headed Surveillance Monster: How Bill C-22 Went Off the Rails”
  • “The Lawful Access Privacy Risks: Unpacking Bill C-22’s Expansive Metadata Retention Requirements”
  • “How Much Further Will Lawful Access Go?: Police Chief Tells Bill C-22 Hearing That Three Years of Metadata Retention Would Be ‘Ideal’”
