https://feeds.feedburner.com/MichaelGeistsBlog

Last-Modified Tue, 19 May 2026 11:59:22 GMT

Posts

Tech Exodus: Why Bill C-22’s Privacy and Security Risks Will Drive Digital Services Out of the Country
News, c-22, lawful access, privacy, security

Over the past week, a growing number of tech companies have warned that they may be forced to leave Canada if Bill C-22, the lawful access bill, remains unchanged. The government’s response to warnings from Signal, Windscribe, NordVPN, Apple, and Meta is that the companies are misreading the bill. But the prospect of a tech exodus from Canada rests on clear-cut privacy and security risks that do not apply in the U.S. or Europe. When Yegor Sak, the Toronto-headquartered CEO of Windscribe, told the Globe and Mail last week that he is actively looking at moving the company out of Canada or when Signal’s Vice President of Strategy and Global Affairs Udbhav Tiwari told the same paper that Signal “would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users,” those statements are a direct response to the government’s legislative choices in the Supporting Authorized Access to Information Act (SAAIA), the second half of Bill C-22, that will have serious economic implications for the future of the tech sector in Canada.

The Act’s definition of “electronic service provider” captures any service involving the creation, recording, storage, processing, transmission, or reception of information, provided either to persons in Canada or by an entity carrying on business activities in Canada. The breadth intentionally covers far more than just telecom companies and Internet providers, extending to platforms, messaging applications, VPN services, and device manufacturers. Every ESP is subject to a general assistance obligation under section 7 and to a secrecy obligation that bars disclosure of the existence of requests. Moreover, the broader set of obligations for core providers, including mandated metadata retention and technical capabilities requirements subject to an inadequately defined exception for “systemic vulnerabilities,” can also be applied to ESPs under the direction of the Minister. When VPNs or messaging services express fears that the law could capture them, those fears are based on a straightforward reading of Bill C-22.

For a VPN provider such as Windscribe, the metadata retention obligation alone is incompatible with the product. Sak told the Globe that Windscribe currently keeps no IP logs about its users, which is why it has been unable to respond to past RCMP data requests with anything other than the explanation that it has nothing to provide. Indeed, that is how VPNs function. For an end-to-end encrypted messaging service such as Signal, the technical capability obligation causes similar incompatibilities. The service’s value proposition depends on the company itself not having access to the content of communications, which means that a regulation requiring Signal to develop “capabilities related to extracting and organizing information that is authorized to be accessed” can only be satisfied by changing the architecture that makes the service what it is. Tiwari put the point bluntly in his statement to the Globe: “End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it.”

What places the Canadian tech sector at risk of an exodus is that U.S. law imposes neither obligation. There is no federal mandatory data retention law in the United States, as the Electronic Frontier Foundation has documented across more than a decade of failed legislative proposals. The closest analog, the preservation provision in 18 U.S.C. § 2703(f) of the Stored Communications Act, allows the government to compel a provider to preserve existing records for up to 90 days while it obtains a court order, with a single 90-day extension available. It is a reactive, targeted mechanism tied to a specific account, not a forward-looking retention mandate covering every user of the service. A U.S.-based VPN or messaging service can therefore lawfully maintain a no-log approach, which is precisely how the no-log policies are built. Given the choice, VPNs and other services will surely leave Canada rather than architect their systems to retain metadata on every single user for a year.

The technical capability situation plays out in much the same way. The U.S. equivalent of the SAAIA is the Communications Assistance for Law Enforcement Act, enacted in 1994, which requires telecommunications carriers to maintain interception capability. CALEA expressly excludes “information services” (a category the statute defines to include “electronic messaging services”) from its scope. The Federal Communications Commission extended CALEA in 2005 to cover facilities-based broadband access and interconnected VoIP, but it has never been extended to over-the-top messaging applications, app-based platforms, or VPN services. Successive proposals to update CALEA, beginning with the Department of Justice’s “Going Dark” campaign in the early 2010s and continuing through bills such as the Lawful Access to Encrypted Data Act of 2020 and the recurring iterations of the EARN IT Act, have all failed to become law. The most direct test of whether U.S. courts would compel a non-CALEA provider to build capabilities to defeat encryption, the Apple-FBI litigation over the San Bernardino iPhone in 2016, ended with the Justice Department withdrawing its application and no statute has since been enacted to fill the gap. A U.S.-based encrypted messaging service therefore operates in a regulatory environment with no equivalent to Bill C-22.

These are not theoretical comparisons. When India’s Computer Emergency Response Team issued a directive in 2022 requiring VPN providers to retain customer information for five years, ExpressVPN, NordVPN, Surfshark, and other major providers responded by withdrawing their physical servers from the country and offering Indian IP addresses through virtual servers in Singapore and the United Kingdom. India’s Minister of State for Information Technology at the time, Rajeev Chandrasekhar, told the companies that if they did not like the rules they could leave, and so they did.

In Europe, the Court of Justice of the European Union struck down general data retention regimes in Digital Rights Ireland in 2014 and Tele2 Sverige in 2016, and has continued to constrain them in later rulings. Germany’s Federal Constitutional Court has imposed similar limits, and general retention obligations on email providers remain unlawful there. The jurisdictions that have moved in C-22’s direction are precisely the ones where major services have begun to exit or restrict features. The United Kingdom’s Investigatory Powers Act sparked Apple’s withdrawal of its Advanced Data Protection feature from the UK market rather than comply with a Technical Capability Notice ordering it to create access to encrypted iCloud data, and Apple is now litigating that order before the Investigatory Powers Tribunal. Switzerland’s recent attempt to extend its surveillance ordinance to VPN providers and encrypted messaging services prompted Proton to begin moving infrastructure out of the country to Germany before the Swiss Federal Council paused the amendment pending an impact study. Where jurisdictions impose obligations of the kind Bill C-22 contains, privacy-protective services have either left, scaled back, or restricted features.

The compliance obligations on Canadian electronic service providers under Bill C-22 do not apply to a U.S.-based competitor, are limited or unconstitutional in much of Europe, and have led to exits or feature withdrawals in jurisdictions that have imposed them. The companies aren’t bluffing and they aren’t misreading the bill. Rather, they are responding to an outlier approach that threatens the Canadian tech landscape with obligations that place the privacy and security of millions at risk.

The post Tech Exodus: Why Bill C-22’s Privacy and Security Risks Will Drive Digital Services Out of the Country appeared first on Michael Geist.

https://www.michaelgeist.ca/?p=21690
The Lawful Access Two-Headed Surveillance Monster: How Bill C-22 Went Off the Rails
News, Anandasangaree, c-22, lawful access, privacy, surveillance

The government’s plans for lawful access have gone off the rails. In recent days, Signal has warned it would pull out of the Canadian market rather than comply with Bill C-22. Windscribe, the Toronto-headquartered VPN provider, has said it would relocate its headquarters out of Canada and NordVPN has warned it would consider following suit. Apple and Meta have both raised public concerns about the bill’s effect on encryption and cybersecurity. The Canadian Chamber of Commerce, the Cybersecurity Advisors Network, civil liberties groups, and a long line of legal and security experts have all called for changes. The chairs of the U.S. House Judiciary and Foreign Affairs Committees have written to Public Safety Minister Gary Anandasangaree warning that the bill threatens U.S. national security and the integrity of cross-border data flows. Even the bill’s own oversight body, the National Security and Intelligence Review Agency, has told the SECU committee it does not have the access it needs for effective oversight. If the government thought it could push through the bill largely unnoticed, it has been proven painfully wrong as there are now trade frictions with the U.S., the prospect of leading companies exiting the Canadian market, and weaker cybersecurity protections for ordinary users.

How did Canada’s lawful access plan go awry so quickly?

The answer starts with Bill C-2, introduced in June 2025 as a border measures bill but which included a sweeping lawful access regime buried at the end. The bill included unprecedented warrantless information demand powers that would have applied not just to telecom and Internet providers but to anyone who provides a service in Canada, including physicians and lawyers. The proposal was inconsistent with Supreme Court jurisprudence and faced an immediate backlash from privacy advocates, civil liberties groups, the legal community, and the opposition parties. Given the near-universal criticism, the government hit the reset button several months later, signalling that any new lawful access bill would return as a standalone measure.

That standalone bill arrived in March 2026 as Bill C-22. The good news was that the government scrapped the warrantless information demand and replaced it with a narrower “confirmation of service” demand limited to telecom providers, with subscriber information now subject to a judge-reviewed production order (which, however, is problematically set at “reasonable grounds to suspect”, the lowest investigative threshold in Canadian criminal law and a significant departure from the “reasonable grounds to believe” standard that has governed general production orders for the past decade). More consequentially, Part 2 of the bill, the Supporting Authorized Access to Information Act, was largely unchanged, except for a dangerous addition that established a new mandatory metadata retention obligation. As a result, the government gave some ground on warrantless access while quietly expanding the surveillance architecture in the other half of the bill.

Once the bill came up for debate, the government’s strategy made matters worse. As I chronicled on this blog, across four days of debate in the House of Commons, the government had little regard for the concerning portions of the bill. On the first day, Justice Minister Sean Fraser devoted a single paragraph to mandatory metadata retention and offered only process answers to questions about systemic vulnerability risks. On the second day, Secretary of State for Combatting Crime Ruby Sahota described Bill C-22 as “a first step,” and said she would be open to going further. On the third day, Parliamentary Secretary Patricia Lattanzio defended the lowered subscriber information threshold as “higher than the threshold of mere suspicion”, omitting the fact that mere suspicion is not a threshold for search at all.

Momentum against the bill accelerated once hearings began at the Standing Committee on Public Safety and National Security. One police chief told the committee that three years of metadata retention would be “ideal,” confirming that the bill’s one-year plan may be just the starting point. Meanwhile, the government’s Charter Statement ignored the bill’s most constitutionally vulnerable provisions entirely. With concerns mounting, Public Safety offered little other than a social media video defending the bill as one that “respects Canadian privacy and Charter rights.”

The substantive case against Bill C-22 has primarily focused on the impact of a two-headed monster: one that directly affects the privacy of Canadians (mandatory metadata retention) and the other that does so indirectly (technical mandates). Before explaining, it is important to emphasize that the reach of the law is broader than commonly understood since the definition of “electronic service provider” captures any person that provides an electronic service to persons in Canada or carries on business activities in Canada, with “electronic service” defined to cover the creation, recording, storage, processing, or transmission of information by any technological means. In other words, I might be an ESP. ESPs are subject to a general obligation to provide all reasonable assistance for the assessment or testing of any device that may enable authorized access, while “core providers”, who are still to be named by regulation, face the full capability-building regime. However, Section 7 of the bill gives the Minister the power to issue orders to ESPs that impose the same regulatory requirements as those imposed on core providers. In other words, concerns about metadata and technical capabilities may apply to all services.

With that broad scope in mind, the first head of the two-headed monster is the bill’s mandatory metadata retention regime, which would directly affect tens of millions of Canadians. Section 5(2)(d) of the SAAIA authorizes regulations requiring core providers to retain categories of metadata for up to one year. Retained at scale, that data amounts to a comprehensive surveillance map of virtually every Canadian, including where they go, when they go there, and who they communicate with. No individualized suspicion is required. And as noted, while the provision refers specifically to core providers, the bill also gives the Minister the right to issue an order covering metadata for any electronic service provider, encompassing virtually any digital service.

The Court of Justice of the European Union struck down precisely this kind of regime in Digital Rights Ireland and extended that reasoning to mandated private-sector retention in Tele2 Sverige. Germany’s Federal Constitutional Court has reached similar conclusions. Yet despite the obvious privacy implications and Supreme Court of Canada jurisprudence such as Spencer and Bykovets that recognize the informational privacy interests in identifying online activity, the government’s Bill C-22 Charter Statement remarkably says nothing about the regime and there has been no engagement on the international jurisprudence at all.

The second head of the monster is the technical capability mandate in Part 2 of the bill. The full capability-building regime includes developing, implementing, assessing, testing, and maintaining technical capabilities to extract and organize information authorized to be accessed, and installing and maintaining the devices and equipment that enable that access. In practical terms, this is an extensive intercept-infrastructure mandate, with the specific orders cloaked in secrecy provisions prohibiting providers from disclosing their existence. Given the Minister’s ability to extend the requirements to ESPs, this also covers virtually all digital services.

The bill nominally protects against the worst outcome through a systemic vulnerability safeguard, which says that core providers are not required to comply with a regulation if compliance would require the introduction or maintenance of a systemic vulnerability. But the safeguard falls apart on careful reading. First, the term “systemic vulnerability” lacks specificity in the statute, which means the government could define encryption and vulnerability narrowly enough to hollow out the protection. Second, Sections 5(5) and 7(5) state that providers are not required to comply where doing so would result in a systemic vulnerability, but Sections 12 and 13 unconditionally require compliance with orders and provide that orders prevail over inconsistent regulations. The net effect is that providers are stuck with contradictory provisions in a system shrouded in secrecy and which could lead to the weakening of security systems. That is why Signal, Windscribe, NordVPN, Apple, Meta, the Canadian Chamber of Commerce, the Cybersecurity Advisors Network, and the U.S. Congress are raising the alarm.

The best approach to address these risks is to go back to the drawing board on Part 2 of the bill. Committee hearings should be extended to ensure that the long list of expert witnesses, industry voices, and international counterparts who have asked for changes receive a full hearing. Further, real amendments should be on the table that better balance law enforcement needs with Canadians’ privacy rights. Failure to do so will result in some of the world’s most privacy-protective services exiting the market, leaving behind a law that is vulnerable to constitutional challenge with millions of Canadians facing genuine privacy and cybersecurity risks.

The post The Lawful Access Two-Headed Surveillance Monster: How Bill C-22 Went Off the Rails appeared first on Michael Geist.

https://www.michaelgeist.ca/?p=21679
How Much Further Will Lawful Access Go?: Police Chief Tells Bill C-22 Hearing That Three Years of Metadata Retention Would Be “Ideal”
News, c-22, lawful access, metadata, privacy, secu

Metadata retention has emerged as one of the biggest lawful access concerns, with requirements that providers retain metadata for all subscribers for up to one year. As I argued before the Standing Committee on Public Safety and National Security last week, when retained at scale, the retention becomes a comprehensive surveillance map of virtually every Canadian with information on where and when they go and who they interact with. Under Bill C-22, this data would apply to every subscriber regardless of suspicion. The government’s Charter Statement remarkably fails to address the regime, despite the fact that bulk retention frameworks of this kind have been struck down by the European Court of Justice in Digital Rights Ireland and Tele2 Sverige, and by Germany’s Federal Constitutional Court.

One year is itself enough to raise serious privacy concerns, yet comments from both the government and from police witnesses at the committee studying Bill C-22 suggest that one year may only be a starting point. The first signal came during the second reading debate, when Conservative MP Glen Motz, a former police officer, asked Secretary of State for Combatting Crime Ruby Sahota whether law enforcement had made any requests for powers not yet in the bill. As I noted at the time, Sahota acknowledged that police would likely support an even broader scope, describing C-22 as a first step. Sahota said the government needed to get the bill passed to take further steps and added that she was open to going further.

Last Thursday’s Bill C-22 committee hearing gave a sense of just how much further the metadata retention requirements might go. Asked whether one year was the appropriate retention period, Darcy Fleury, Chief of Police in Thunder Bay, told MPs: “I think 12 months is a good start but obviously, yes, you’re right, if the investigations are prolonged, and they can be very long in some of these cases, then retention beyond the 12 months – 24 months, 36 months, would be ideal.” My own evidence at the same panel went in the opposite direction, arguing that a thirty-day retention default with court authorization to extend would meet immediate investigative needs without entrenching a permanent surveillance archive.

My post last month on the House debate closed by suggesting that the question Canadians should be asking is not whether Bill C-22 goes too far but how much further the government plans to go. The committee process has now begun to provide the answer, with Sahota describing Bill C-22 as a first step and a police chief outlining, on the record last week, what at least one piece of the next step would look like. Bill C-22 continues to grab the spotlight for all the wrong reasons, with U.S. Congressional concerns about the bill emerging, and Signal stating that it may leave the market altogether. But for those who remain, the metadata requirements would create significant privacy and security risks and require substantial costs that will ultimately raise consumer bills.

Some tend to claim that criticism of lawful access veers into conspiracy theories about government surveillance. Yet no one is trying to hide anything here: the government says lawful access is a first step and that it is prepared to go further, while the police state on the record at committee that years of metadata retention would be ideal. If the government follows through, Canada would have the most extensive (and most expensive) mandated metadata retention regime in the world.

The post How Much Further Will Lawful Access Go?: Police Chief Tells Bill C-22 Hearing That Three Years of Metadata Retention Would Be “Ideal” appeared first on Michael Geist.

https://www.michaelgeist.ca/?p=21668
Bill C-22’s Groundhog Day: Why the Government’s Dismissal of Signal, Apple and the U.S. Congress Concerns Runs Back the Disastrous Online News Act Playbook
News, apple, c-22, encryption, lawful access, privacy, signal, systemic vulnerabilities

Secure messaging service Signal yesterday became the latest company to warn that Bill C-22, the lawful access bill, could force it to leave the Canadian market rather than comply with provisions it says would compromise its end-to-end encryption and create new cybersecurity risks. Signal vice-president Udbhav Tiwari told the Globe and Mail that the company “would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users.” The comments are part of a steady stream of similar warnings from Apple, Meta, the Canadian Chamber of Commerce, the Cybersecurity Advisors Network, and the chairs of the U.S. House Judiciary and Foreign Affairs Committees. Despite growing concern, the government’s response has been to launch a misleading social media campaign and repeatedly insist that the experts and companies are mistaken.

The pattern will be familiar for anyone who lived through the Online News Act. Supporters of then-Bill C-18 dismissed warnings from Meta and Google that the bill’s mandated payments for news links were unworkable and that they would comply by blocking the links in Canada. Witnesses confidently told Senate committees that the companies were bluffing and that, “when legislated to do so, they will come to the table.” But by the end of summer 2023, Meta had stripped news links from Facebook and Instagram, an approach that continues to this day.

The government’s defence of Bill C-22 follows much the same script. Public Safety Minister Gary Anandasangaree has accused the U.S. tech giants of “misinterpreting” his bill and his department insists the legislation is “encryption-neutral.” When Apple released a statement warning that the bill “could allow the Canadian government to force companies to break encryption by inserting backdoors into their products, something Apple will never do,” officials replied that it “categorically rejected” the claims. When the U.S. House Judiciary and Foreign Affairs chairs wrote that providers of end-to-end encryption “will inevitably face directives to create backdoors and architectural changes that bypass or weaken encryption,” the minister’s spokesperson said the letter reflected “a misunderstanding of how Bill C-22 would function in practice.” When Signal said it would leave, the government responded that the concerns regarding installing capabilities to enable surveillance are false. In other words, the government thinks everyone is wrong and the risk of market exits is overblown.

Yet the warnings about Bill C-22 are not idle threats. Apple withdrew its Advanced Data Protection feature from the United Kingdom rather than comply with a Technical Capability Notice ordering it to create access to encrypted iCloud data, and is now litigating the order before the Investigatory Powers Tribunal. Signal previously warned it would leave Sweden over a comparable lawful access proposal, leading to long delays on the Swedish bill (it has still not passed). Given that Signal’s product is end-to-end encryption, compliance with a mandatory access regime would mean ceasing to be the service its users have chosen.

End-to-end encrypted services are among the most privacy-protective communications tools available, regularly used by journalists, lawyers, activists, government officials, and millions of others. If those encrypted messaging services exit the Canadian market because they cannot operate under Bill C-22’s secret ministerial orders, mandated metadata retention requirements, and a poorly defined “systemic vulnerability” carve-out, Canadians lose access to tools the rest of the world will continue to use, while replacement services with less privacy protection fill the gap.

There is still time for the government to engage with the substance of these warnings, including by accepting some of the targeted amendments proposed by a long list of expert witnesses. But the early signs are that it is again convinced that the companies are bluffing, that the critics are misreading the bill, and that everything will somehow work out fine in practice. It is time for the government to stop the gaslighting and start listening to the concerns by extending the committee hearings and opening the door to much needed amendments.

The post Bill C-22’s Groundhog Day: Why the Government’s Dismissal of Signal, Apple and the U.S. Congress Concerns Runs Back the Disastrous Online News Act Playbook appeared first on Michael Geist.

https://www.michaelgeist.ca/?p=21659
Slick Videos Won’t Save Lawful Access: Why The Government’s Bill C-22 Defence Avoids the Charter, Privacy and Security Concerns Raised By Critics
News, Anandasangaree, c-22, lawful access, privacy

With opposition to Bill C-22, the lawful access bill, mounting, Public Safety Minister Gary Anandasangaree has turned to social media with a video defending the bill as one that “respects Canadian privacy and Charter rights.” The video signals that the government has noticed the growing public concern. But the case against the bill, which I argued in committee testimony last week and in a series of earlier posts, raises at least four issues on which the government has not engaged: mandated metadata retention (which is ignored in its Charter Statement), a lower threshold for access to subscriber information that hurts privacy, security risks now alarming Canada’s closest allies, and an oversight architecture the oversight body itself says is incomplete.

The post Slick Videos Won’t Save Lawful Access: Why The Government’s Bill C-22 Defence Avoids the Charter, Privacy and Security Concerns Raised By Critics appeared first on Michael Geist.

The mandatory metadata retention obligation in the bill would compel providers to retain transmission data, including the date, time, duration, and type of communication, the identifiers of the devices involved, and information identifying device location, on virtually every Canadian for up to a year, without any individualized suspicion. As I set out in this post, the government’s own Charter Statement on the bill remarkably says nothing about this provision. That silence is striking given the Spencer and Bykovets decisions that recognize the informational privacy interest in data that links online activity to identity, and given that the Court of Justice of the European Union struck down precisely this kind of regime in Digital Rights Ireland and extended that reasoning to mandated private-sector retention in Tele2 Sverige. Robert Diab has reached the same conclusion on the Charter Statement’s silence on metadata retention. The refusal to address the most Charter-vulnerable element of its own bill leaves the government unable to credibly insist that the bill respects the Charter.

Further, claims that the bill respects privacy ring hollow in light of the reduced threshold for access to subscriber information. Bill C-22 creates a new, dedicated production order for subscriber information, but sets the standard at “reasonable grounds to suspect”. This is the lowest evidentiary threshold in Canadian criminal law and below the “reasonable grounds to believe” standard that has governed subscriber data production orders for more than a decade. Law enforcement has used the production order hundreds of thousands of times, yet now wants to reduce the standard, thereby undermining the privacy balance.

Meanwhile, the government’s position on encryption and systemic vulnerability is facing criticism from a wide range of groups. Despite the government’s insistence that the bill brings Canada into line with its Five Eyes partners, Apple, Meta, the Canadian Chamber of Commerce, the Cybersecurity Advisors Network, and even the chairs of the U.S. House Judiciary and Foreign Affairs Committees have all warned that Bill C-22’s technical capability requirements would create systemic vulnerabilities that adversaries could exploit. When the U.S. Congress writes to Canada’s Public Safety Minister to say a Canadian bill threatens U.S. national security and the integrity of cross-border data flows, the government’s defence that the bill is needed to catch up to allies no longer holds water.

Finally, even established oversight committees are sounding the alarm. In a letter to the SECU committee studying Bill C-22, the National Security and Intelligence Review Agency wrote that the bill creates oversight at the front end of a Ministerial order, through Intelligence Commissioner approval, but provides no mechanism for NSIRA to review the activities conducted under that order afterward. It proposed targeted amendments to require the same level of notification and information sharing that its counterpart receives under Australia’s lawful access regime. Insisting that the bill includes meaningful independent review is on shaky ground when the body responsible for independent review tells Parliament it does not have the necessary level of access for effective review.

These issues have been raised by virtually every expert submission on Bill C-22, yet the government implausibly argues that its bill respects privacy and Charter rights. Rather than another video, it should commit to extending the committee hearings to ensure proper expert scrutiny, address the Charter issues the Charter Statement has thus far avoided, and open the door to the real amendments to the bill.

https://www.michaelgeist.ca/?p=21648

The Law Bytes Podcast, Episode 268: Sara Grimes on the Moral Panic Behind Banning Kids from Social Media and AI Chatbots
Podcasts: age verification, ai chatbot ban, grimes, lawbytespod, social media ban

The question of a children’s social media and AI chatbot ban has emerged as one of the most talked-about digital policy issues in recent memory. Premiers, the Liberal convention, and the media have all jumped on board. But has the debate been driven by misinformation, leading to a moral panic? Dr. Sara Grimes has been working on children’s rights and digital policy for over twenty years. As the Wolfe Chair in Scientific and Technological Literacy and a Full Professor in the Department of Art History and Communication Studies at McGill University, she brings a unique perspective to the issue, having applied a children’s rights lens to areas such as social media regulation and age verification technologies. She joins the Law Bytes podcast to discuss her work and perspectives on the hot digital issue of the moment.

The post The Law Bytes Podcast, Episode 268: Sara Grimes on the Moral Panic Behind Banning Kids from Social Media and AI Chatbots appeared first on Michael Geist.

The podcast can be downloaded here, accessed on YouTube, and is embedded below. Subscribe to the podcast via Apple Podcast, Spotify or the RSS feed. It can also be found at the Michael Geist Substack.

Show Notes:

Kids Play Tech, What that Angus Reid Poll of Public Opinion on Banning Children from Social Media Actually Shows

Credits:

The Canadian Press, Ministers Weigh In On Social Media Ban, April 15, 2026

https://www.michaelgeist.ca/?p=21645

U.S. Congressional Leaders Warn Canadian Lawful Access Plans Harm U.S. National Security and Economic Interests
News: c-22, jordan, lawful access, mast, privacy, security, us congress

Just as Bill C-22, the Lawful Access Act, is under study at the House Standing Committee on Public Safety and National Security (I review my appearance yesterday in this post), U.S. Congressional leaders have written to Public Safety Minister Gary Anandasangaree warning that the bill threatens to harm “U.S. national security and economic interests by undermining trust in American technology and inviting reciprocal demands from other nations.” The message is clear: U.S. leaders are concerned that lawful access demands go so far as to compromise the privacy not only of Canadians, but of Americans too.

The post U.S. Congressional Leaders Warn Canadian Lawful Access Plans Harm U.S. National Security and Economic Interests appeared first on Michael Geist.

It is a safe bet that co-authors Jim Jordan, the chair of the House Judiciary Committee, and Brian Mast, the chair of the House Foreign Affairs Committee, did not suddenly become concerned about Canadian privacy. But when a Canadian bill would “drastically expand Canada’s surveillance and data access powers in ways that create significant cross-border risks to the security and data privacy of Americans,” that is bound to draw attention. Their core concern is that the bill could compel U.S. technology companies to build backdoors into their encrypted systems, introducing systemic vulnerabilities for users in both countries.

As I’ve previously posted, the provisions in question are part of the Supporting Authorized Access to Information Act (SAAIA), the second half of Bill C-22. Providers would be required to develop, implement, assess, test, and maintain operational and technical capabilities to allow authorized persons to access encrypted data and information. The bill includes a non-compliance caveat where compliance would introduce a “systemic vulnerability,” but the letter correctly notes that the term is “vague and ultimately subject to a future regulatory process.” They also flag the secret ministerial order power in clause 7(1), under which the Minister can issue targeted demands to providers that are subject only to Intelligence Commissioner review and kept confidential by design.

The chairs are not pulling punches on what those obligations mean in practice. They warn that “providers offering end-to-end encryption services will inevitably face directives to create backdoors and architectural changes that bypass or weaken encryption to enable ‘lawful’ interception or data extraction.” They invoke the UK’s secret 2025 Technical Capability Notice to Apple, which led the company to disable Advanced Data Protection for UK users rather than build a global backdoor. Their concern is that “a backdoor built to satisfy one government’s demands inevitably becomes a target for adversaries.”

I raised similar thoughts yesterday, warning that U.S. providers may withdraw privacy enhancing services from Canada or exit the Canadian market altogether rather than re-engineer their global products to satisfy Canadian capability orders.

The letter makes the same point in plainer terms: “American companies operating in Canada would face a difficult choice: compromising the security of their entire user base – including U.S. citizens – or risking exclusion from the Canadian market.”

Canadian officials have insisted that Bill C-22 does not undermine encryption and that it brings us into line with our Five Eyes partners. But it is clear that many, now including U.S. congressional leaders, disagree. Bill C-22’s privacy and security risks have been the subject of many posts over the past few months, but this latest warning suggests that the possibility of a U.S. response to opposition to Canada’s lawful access plans is another risk to consider.

https://www.michaelgeist.ca/?p=21637

Make It Make Sense: My Appearance Before the Standing Committee on Public Safety and National Security on Bill C-22’s Lawful Access Plan
News: c-22, cybersecurity, lawful access, metadata, privacy, secu

Fresh off appearing before a Senate committee on AI on Wednesday, yesterday I provided expert testimony to the Standing Committee on Public Safety and National Security as part of its study on Bill C-22, the government’s latest lawful access plan. Appearing alongside David Fraser and Robert Diab (the same trio that discussed the bill on my Law Bytes podcast), I opened my remarks by noting that technologies change, the governments may change, but the challenge with lawful access has always been the same: to give law enforcement and security agencies the tools they need to address serious crime while respecting Canadians’ privacy rights and the constitutional framework the Supreme Court has built around privacy in decisions such as Spencer and Bykovets. I focused on three major concerns with the bill, including mandatory metadata retention, the inadequacy of the systemic vulnerability safeguards, and the lowering of the production order threshold for subscriber information. My full opening statement is embedded below.

The post Make It Make Sense: My Appearance Before the Standing Committee on Public Safety and National Security on Bill C-22’s Lawful Access Plan appeared first on Michael Geist.

Two other brief exchanges from the appearance stand out. First, I tried to convey the risk that may arise from outlier rules that could force companies to remove privacy protections from the Canadian market or to exit the market altogether.

Second, I pointed to the inconsistency of prioritizing cybersecurity when discussing AI policy one day, only to debate legislation that would arguably weaken cybersecurity the next. As I noted in closing, make it make sense.

Appearance before the House of Commons Standing Committee on Public Safety and National Security, May 7, 2026

Good afternoon and thank you for the invitation. My name is Michael Geist. I’m a law professor at the University of Ottawa where I hold the Canada Research Chair in Internet and E-commerce Law. I appear in a personal capacity representing only my own views.

In preparation for today’s hearing, I looked back at the history of my engagement with lawful access policy. I found that I wrote my first op-ed on the issue more than 20 years ago and first began appearing before committees on various bills a few years after that. As I’m sure you know, lawful access has been the subject of legislative debate in Canada for decades, under both Liberal and Conservative governments. The technologies change, the governments may change, but the challenge has always been the same: to give law enforcement and security agencies the tools they need to address serious crime while respecting Canadians’ privacy rights and the constitutional framework the Supreme Court has built around privacy in decisions such as Spencer and Bykovets.

Bill C-2 is what happens when the balance is not well struck, as its warrantless information demand power envisioned compelling disclosure of subscriber information from any provider of a service in Canada without court oversight. The decision to drop that power was the right one and replacing it with a confirmation of service demand is a meaningful change.

Bill C-22 nevertheless contains some serious problems. I’ll focus on three in my remarks.

The first is the mandatory metadata retention regime, which would require providers to retain metadata for up to a year, on every subscriber, regardless of suspicion. On a mobile network, that data includes the cell towers each phone connects to and when. Retained at scale, the aggregate amounts to a comprehensive surveillance map of virtually every Canadian: where and when they go and who they interact with.

This is the kind of bulk data retention regime that the European Union Court of Justice struck down in the Digital Rights Ireland case and, in the Tele2 Sverige case, extended to mandated private-sector retention of traffic and location data. Germany’s Federal Constitutional Court has reached similar conclusions. Yet the Charter Statement on Bill C-22 remarkably fails to address the regime, despite the obvious Charter implications. The committee is being asked to entrench a surveillance architecture and accept the security risks that come with it. The obvious approach is to remove this entirely, as it is disproportionate and likely to be struck down by the Supreme Court. Alternatively, a 30-day cap on metadata retention would surely be sufficient to meet immediate investigative needs while allowing for a court order if a longer period is required.

The second concern is the systemic vulnerability safeguard in the technical capability provisions. Sections 5(5) and 7(5) of SAAIA say providers are not required to comply with an order if doing so would create a systemic vulnerability. But sections 12 and 13 make compliance unconditional and provide that orders prevail over inconsistent regulations. That leaves a safeguard that exists in name only, that is cloaked in secrecy, with the burden of invoking it falling on the provider.

The consequence is a back-door capability mandate that could weaken encryption, place user data at risk, and lead companies to remove privacy-enhancing services from Canada. This needs a fix that should include amending Section 12 to make compliance subject to the provisions of Sections 5 and 7. Further, the definition of “systemic vulnerability” should be expanded in the statute by clarifying that there will be no requirement that would weaken or break encryption or introduce any security weakness.

The third concern is the production order threshold for subscriber information. Bill C-22 sets the standard at reasonable grounds to suspect, rather than the current reasonable grounds to believe. The Spencer and Bykovets decisions establish a high informational privacy interest in subscriber data. Yet, the Charter Statement nevertheless asserts that the subscriber information sought does not, by itself, constitute particularly sensitive information. That sentence is difficult to reconcile with both Supreme Court jurisprudence and the technical reality of what subscriber information may reveal. Setting the bar lower invites further Charter litigation, placing the provision on shaky legal ground.

None of these changes would be incompatible with effective law enforcement. Rather, they are about ensuring that the framework can withstand Charter scrutiny, respect Canadians’ privacy rights, avoid creating a surveillance infrastructure, and sustain public trust and confidence. I look forward to your questions.

https://www.michaelgeist.ca/?p=21633

Why Social Media and AI Chatbot Bans for Kids Are Bad Policy: Making the Case at the Senate Social Affairs, Science and Tech Committee
News: age verification, ai, ai chatbot ban, artificial intelligence, privacy, soci, social media ban

The Standing Senate Committee on Social Affairs, Science and Technology is one of several committees in the House and Senate conducting hearings on artificial intelligence. I appeared before the committee yesterday (my fourth appearance on the issue in recent months), but rather than reiterate previous testimony on privacy, copyright, and transparency, I focused on the big issue of the moment: bans on social media and AI chatbots for children. The committee had been hearing from many supportive witnesses who emphasized the risk of harm associated with AI. Indeed, one Senator asked the panel before mine to raise their hands if they supported a ban, and virtually all hands went up. I was unsure about how my comments would be received, but I found the Senators open to debate on the issue. A video of my opening remarks, together with the transcript, is posted below. A future Law Bytes podcast episode will delve into the discussion that followed.

The post Why Social Media and AI Chatbot Bans for Kids Are Bad Policy: Making the Case at the Senate Social Affairs, Science and Tech Committee appeared first on Michael Geist.

Appearance before the Standing Senate Committee on Social Affairs, Science and Technology, May 6, 2026

Good afternoon and thank you for the invitation. My name is Michael Geist. I’m a law professor at the University of Ottawa where I hold the Canada Research Chair in Internet and E-commerce Law. I appear in a personal capacity representing only my own views.

I have appeared before several parliamentary committees on AI policy in recent months, focusing on three priorities: privacy, copyright and transparency. I touch on some of these in my opening remarks, but given the growing political momentum behind banning young Canadians from AI chatbots, alongside similar proposals for social media, I want to use my opening time to address that directly. The case for these bans is weak, the harms they would create are significant, and they should be rejected in favour of broad-based AI regulation.

The concerns motivating these proposals are real. But the discussion conflates two different questions: how to regulate AI chatbots and whether to layer a kids-specific access ban on top.

AI chatbots are not social media. The category itself is not well-defined: the same underlying models are accessible not just through ChatGPT and Claude but through APIs and AI features now standard in Google search, Microsoft Office, and Apple operating systems. These definitions matter for regulatory purposes.

Further, the inputs and outputs with AI chatbots raise different regulatory problems. The input side – AI prompts – resembles search queries or private messages, not public posts. Treating prompts as something companies must monitor and report on builds a system of corporate surveillance over interactions that users reasonably expect to be private.

The AI responses – the output side – are where the focus should lie: accuracy, safety on topics like self-harm, and design choices that draw users into emotionally intense interactions. Those are best addressed through regulation, not a ban. Other jurisdictions have already chosen this path. California rejected an age ban but has passed legislation requiring disclosure, crisis-response protocols, and restrictions on sexually explicit content for known minors.

I have written about how a social media ban for kids raises a host of concerns, including the failure to address risks affecting all users, the privacy and surveillance risks of age verification, and, thus far, the demonstrated ineffectiveness of a ban.

But a kids-specific AI chatbot ban would be worse than the social media version on every relevant factor. Age verification extends a surveillance infrastructure across an open-ended and growing set of services, effectively requiring all Canadians to verify themselves in ways that sacrifice privacy by sending IDs to services at risk of security breaches and that may evade Canadian privacy law. Further, age estimation frequently relies on user surveillance by monitoring their friends and messages and opens the door to bias against racialized minorities. Don’t take my word for it. Hundreds of scientific experts have said the same. Moreover, the costs of cutting young Canadians off AI are concrete: the tools have demonstrated educational, productivity, and accessibility benefits that no comparable social media analysis can match.

Canada should move forward with effective AI regulation. First, an AI Transparency Act mandating disclosure of corporate safety policies, training-data inclusion, government and law-enforcement demands, and the age-related restrictions that major commercial chatbots already apply. It shouldn’t take the AI minister having to meet with executives to get this information. All Canadians should be able to see what is already happening before legislating around it.

Second, a modernized privacy law that addresses both the inputs to AI systems and the outputs. Data sovereignty concerns are not solved by Canadian data centres. They are solved by Canadian privacy law that actually applies with real penalties. And we need privacy laws that directly address the risks posed by re-identifying de-identified data, a risk that is exacerbated by the power of AI inference and which was scarcely addressed by today’s Privacy Commissioner finding on OpenAI.

Third, an enforceable duty to act responsibly tailored to the chatbot context. The architecture of chatbots, where output is generated in response to prompts rather than pushed by an algorithmic feed, makes age-tiered design genuinely feasible. A duty that mandates and audits developmentally appropriate design across different ages is the version of age-related regulation that fits the technology. A binary access cutoff borrowed from social media is not.

The political appeal of bans is obvious. But the case for them on AI is weak. We need to move on the harder and more useful work of building an effective Canadian model for AI regulation. I look forward to your questions.

https://www.michaelgeist.ca/?p=21629

Government Has a Choice: Why an AI Chatbot Ban for Kids is an Even Worse Idea Than a Social Media Ban
News: age verification, ai, artificial intelligence, chatbot, social media ban

The frenzy to ban kids from social media continues to grow with Culture Minister Marc Miller telling a House of Commons committee that the government has no choice but to act. Miller's comments are consistent with the federal Liberal policy convention vote backing a minimum age of 16 and Manitoba Premier Wab Kinew announcing that his government will be the first in Canada to ban kids from both social media and AI chatbots. The problem, as I documented in detail last week, is that good intentions do not make for good policy. In this case, a social media ban is bad policy because it does not address the underlying problems with the platforms, evidence to date suggests it doesn't work, and it creates its own harms. But the bad policy does not end there, as the possibility of extending that same framework to AI chatbots is now squarely on the table. This post examines the implications of a ban on kids' use of AI chatbots, arguing that such an approach is even worse than a social media ban. To be clear, regulation of AI chatbots is needed, but a ban leaves the genuine concerns associated with AI chatbots largely untouched.

The post Government Has a Choice: Why an AI Chatbot Ban for Kids is an Even Worse Idea Than a Social Media Ban appeared first on Michael Geist.

Concerns about AI chatbots are not imagined. As the services have become increasingly popular, so too have the risks, with tragic incidents such as the death of Adam Raine and the belief that OpenAI might have identified the risk of potential harm in advance of the Tumbler Ridge shooting tragedy. While research into chatbot effects is still in its early stages, there is a growing conversation about the need for regulation. That discussion at times conflates two issues. The first is whether and how to regulate AI chatbots at all, which is a genuinely complex policy problem that affects every user. The second is whether AI chatbots warrant a kids-specific access ban on top of whatever general regulation might apply. The post unpacks three issues: what makes AI chatbots different from social media, why an AI chatbot ban for kids is a bad idea, and what a more effective regulatory model would look like.

What makes AI chatbots different from social media

Several considerations should shape any AI chatbot regulatory framework, and none of them point toward an age-based ban as the right answer. The first is the definitional problem. “AI chatbot” is not an established regulatory category, unlike “social media platform” when the Online Harms Act was drafted. A narrow definition limited to consumer-facing products such as ChatGPT or Claude captures the products of immediate concern but leaves the same underlying models accessible through APIs, third-party wrappers, embedded uses, and the AI features that have rapidly become standard infrastructure in everyday digital tools. In short, AI is everywhere: Google search now responds to queries with AI Overviews, Microsoft has integrated Copilot across its Office products, and Apple’s operating systems include AI features at the system level. Identifying what would be covered in a regulatory model is much more complex than it is with social media.

The second is the input-output distinction, which I discussed in detail in the wake of the Tumbler Ridge shootings and the question of whether OpenAI should have reported the shooter’s account activity to police. Concerns about what users tell chatbots as opposed to what chatbots produce as outputs are not the same regulatory problem. Chatbot prompts are far closer in character to search queries and private messages than to public social media posts. Treating the input side (i.e., prompts) as something platforms should be obliged to monitor and potentially report leads quickly to a system of widespread corporate surveillance over what people may reasonably expect to be private interactions. The output side is different. Concerns about the accuracy of information returned, the safety of responses on topics like self-harm, and the design choices that draw users into emotionally intense interactions all involve what the system itself generates. These are conventional questions of product design, algorithmic accountability, and corporate safeguards that are better addressed through a legislated duty to act responsibly framework than a surveillance regime.

Other jurisdictions have begun to legislate on AI chatbots, with a clear pattern of choosing regulation over prohibition. For example, California’s Senate Bill 243, signed by Governor Gavin Newsom, which took effect in January, regulates “companion chatbots” through a targeted set of requirements that include clear disclosure that users are interacting with AI, mandatory crisis-response protocols for content involving suicide or self-harm, restrictions on sexually explicit content for users known to be minors, periodic reminders for minors that the chatbot is not human, and a private right of action for people injured by violations. What California specifically chose not to do was equally significant. The same week he signed SB 243, Newsom vetoed Assembly Bill 1064, which would have prohibited AI companions for minors unless the products were “not foreseeably capable” of harm. His veto message warned that the prohibition was so broad it could effectively amount to a total ban on AI use by minors. New York’s S-3008C, enacted earlier in 2025, took a similar disclosure-and-safety-protocol approach without an access ban.

Why a kids-specific AI chatbot ban would make things worse

While there are real benefits to properly targeted AI chatbot regulation, a ban for those 16 and under would be a mistake. The reasons echo my earlier post on a potential social media ban, but are even more pronounced in the context of AI.

First, the age verification problem is considerably worse. An AI chatbot age verification regime extends that surveillance infrastructure across an open-ended and growing set of services into which AI is being integrated, which would effectively make Canadians’ online activity contingent on submitting ID to third-party verification services. Law professor Eric Goldman has labelled this regulatory model “segregate-and-suppress”, capturing how age authentication compels verification of every user to suppress some users’ access.

Second, the costs of cutting young Canadians off from AI are concrete and substantial in ways the corresponding social media analysis is not. AI tools have demonstrated educational, productivity, and accessibility benefits. A kids’ ban sacrifices those benefits in exchange for an enforcement regime whose effectiveness is at best unknown.

Third, the substitution problem is worse. A teen blocked from using Instagram migrates to less-moderated social platforms, but a teen unable to access ChatGPT or Claude is likely to migrate to open-source models running locally on a laptop or offshore services with no safety teams at all. The major commercial AI companies have their problems, but they are the ones with dedicated trust and safety operations, suicide-prevention routing, and the public reputational stakes that drive ongoing investment in safety research. A regulatory framework that pushes minors away from those products and toward whatever they can find through a free VPN increases the risk to kids.

Fourth, the Charter analysis is at least as serious as on the social media side and likely more so. Section 2(b) protects expression, and Supreme Court of Canada jurisprudence has long recognized that the guarantee covers both the conveying of ideas and the receiving of them. A teenager researching a medical condition, learning to code, exploring identity questions, doing homework with AI assistance, or asking factual questions about the world is engaged in receiving expression at the core of what section 2(b) protects, not at its periphery. Children are increasingly recognized as rights-bearers under the Charter and under international instruments such as the United Nations Committee on the Rights of the Child’s General Comment 25 on children’s rights in digital environments. A wholesale denial of their access to a major source of information and expression is incompatible with that recognition.

Fifth, there is no good test case yet for whether an AI chatbot ban actually works. Australia’s under-16 social media ban has produced three months of compliance data showing roughly 70 per cent of previously-active under-16 users still have access to at least one regulated platform. In other words, thus far social media bans haven’t been shown to work. The verification failures the eSafety Commissioner has documented for social media will be more severe for AI services because the same models can be reached through more interfaces. Manitoba and the federal government would be moving onto policy ground that has not been tested anywhere, on a more difficult version of a problem that the only existing test case has not solved.

Toward a more effective regulatory model

My post arguing against the kids’ social media ban garnered considerable attention, but some asked what alternatives are available to address the problem. Properly scoped regulation could address most of these concerns. I would point to three measures, none of which is an age-based access ban.

The first is an AI Transparency Act of the kind I have argued for in committee testimony and elsewhere. The Tumbler Ridge debate demonstrated that few had a clear picture of what OpenAI’s safety policies were or how they were enforced. A transparency framework would require disclosure of corporate safety policies, protocols for handling content involving suicide and self-harm, practices involving law enforcement reporting, and the age-related restrictions companies themselves apply. Some of what governments are now considering is already the operating policy of the major commercial chatbots. Anthropic’s terms of service for Claude require users to be 18 or older. OpenAI requires users to be at least 13, with parental consent up to 18, and has tightened its controls in the wake of the Raine litigation. Mandatory disclosure of those policies and how they operate in practice would let policymakers and the public see what is already happening before legislating around it.

The second is modernized privacy legislation that addresses both ends of the chatbot interaction. The first piece is conventional and well-developed in Canadian privacy law: rules governing the collection, use, retention, and security of the personal information that users provide as inputs to AI systems. The second piece is newer and likely the more important issue going forward, as I argued in a recent Globe and Mail op-ed on the limits of de-identification in an AI environment. The concern is not what personal data goes into AI systems but rather what personal information comes out. Modern AI systems can access publicly available data from multiple sources, combine fragments that are individually harmless, and draw inferences that re-identify individuals from information that was never intended to be personally identifiable. A privacy framework that addresses only the input side will not do the work that needs to be done on AI, no matter how well it handles inputs.

The third is an enforceable duty to act responsibly tailored to the AI chatbot context. The tailoring matters because the chatbots are genuinely different from social media. Further, the duty must be enforceable since voluntary commitments are insufficient, as Anthropic’s recent walk-back of the central pledge of its Responsible Scaling Policy made clear. But the duty must be tailored to the specific technology. For example, the architectural reality of chatbots, with output generated in response to user prompts rather than pushed by an algorithmic feed, makes age-tiered design genuinely feasible in ways it is not for social media. A duty that mandates and audits developmentally appropriate design across different ages is the version of age-related restriction that fits the technology. In other words, regulation shouldn’t treat 10-year-olds and 16-year-olds the same when it comes to AI.

If governments really have no choice but to act, they should know that AI transparency, privacy protection, and an enforceable duty to act responsibly would address many of the concerns associated with AI chatbots. Meanwhile, an age-based ban would leave most of these issues untouched in favour of a politically appealing but largely ineffective approach. I ultimately believe that governments have a choice. They should reject the age-gating impulse and get on with the harder and more useful work of building an effective Canadian model for AI regulation.

The post Government Has a Choice: Why an AI Chatbot Ban for Kids is an Even Worse Idea Than a Social Media Ban appeared first on Michael Geist.

https://www.michaelgeist.ca/?p=21624
Wilful Blindness?: How the Lawful Access Charter Statement Skips Bill C-22’s Most Constitutionally Vulnerable Provisions
News, c-22, charter of rights, charter statement, lawful access, metadata, privacy

The committee hearings on Bill C-22, the lawful access bill, kick off later today with an appearance by Justice Minister Sean Fraser and Public Safety Minister Gary Anandasangaree, who will presumably use the opportunity to affirm their support for the bill and reject concerns that certain elements are inconsistent with the Charter of Rights and Freedoms. That position reflects the government’s Charter statement on the bill, which was released late last month. The statement walks through the Charter implications of new provisions such as the confirmation of service demand, yet what makes it particularly notable is that it avoids addressing some of the bill’s biggest concerns altogether with scant or no attention paid to mandated metadata collection and the risks associated with systemic vulnerabilities. Indeed, it is as if the government believes that if it ignores the potential violation of fundamental rights, the issue magically disappears.


The wilful blindness is particularly problematic in the case of mandated metadata collection for up to a year. This includes transmission data such as date, time, duration, and type of communication, the identifiers of the devices involved, and information identifying the device’s location. This is the architecture of a national surveillance database that covers virtually every Canadian, with data retention for up to a year regardless of whether any user is suspected of wrongdoing. Despite the obvious concerns and Supreme Court of Canada jurisprudence, such as Spencer and Bykovets, that recognize the informational privacy interests in identifying online activity, the Charter Statement is silent on the issue.

The silence is particularly hard to defend given the international experience with similar regimes. The Court of Justice of the European Union struck down the EU Data Retention Directive in 2014 in Digital Rights Ireland, holding that blanket retention of all users’ metadata is a disproportionate interference with the rights to privacy and data protection guaranteed by the EU Charter. The Court reaffirmed and expanded that conclusion in Tele2 Sverige in 2016 and La Quadrature du Net in 2020, holding that general and indiscriminate retention of traffic and location data is incompatible with EU law and that targeted retention linked to specific threats is the constitutionally permissible alternative. Moreover, national courts in Europe that apply constitutional protections substantially equivalent to section 8 of the Canadian Charter have repeatedly held that such a regime cannot stand. To ignore that body of jurisprudence in a Charter Statement on a directly analogous Canadian regime is a discouraging refusal to engage with the question that should have been at the centre of any Charter review.

The metadata silence is the most important omission, but it is not the only one, as the statement glosses over much of Part 2 of the bill. The Statement does not address the systemic vulnerability provisions or the internal contradiction between the safeguards in subsections 5(5) and 7(5), which preserve a provider’s right to refuse compliance that would introduce a systemic vulnerability, and section 12, which requires unconditional compliance with orders, and section 13, which provides that orders prevail over regulations. It does not address the cross-border architecture beyond two short paragraphs on the international production request in section 487.0181. And the SAAIA’s design for CLOUD Act and Second Additional Protocol equivalence is entirely absent from the analysis.

Under the Department of Justice Act, a Charter Statement must be tabled in Parliament for every government bill introduced in Parliament. The government claims that “Charter Statements help inform parliamentary and public debate on a bill.” However, Parliamentarians and the public can’t be viewed as informed if the government avoids addressing the most Charter-vulnerable elements of its legislation. Some amendments to Bill C-22 are essential, but they aren’t likely if the government insists on remaining wilfully blind by not even acknowledging the risks to Charter rights posed by Bill C-22.

The post Wilful Blindness?: How the Lawful Access Charter Statement Skips Bill C-22’s Most Constitutionally Vulnerable Provisions appeared first on Michael Geist.

https://www.michaelgeist.ca/?p=21615