Meta urges Canada to change Bill C-22 over metadata retention

Meta urged Ottawa to amend Bill C-22 after executives testified May 7, warning Part 2 could force tech firms to add surveillance tools and require up to one year of metadata retention.

Meta urged the Canadian government to amend Bill C-22 after company executives testified at a parliamentary hearing on May 7, warning that Part 2 could force technology firms to build surveillance capabilities into their systems and require up to one year of metadata retention.

Part 2, formally titled the Supporting Authorized Access to Information Act, would allow the Public Safety Minister to order “core providers” to retain transmission information, device identifiers, routing details and location records for up to 12 months. The text excludes the content of communications, web browsing history and social media content. Privacy experts note that metadata can reveal movement and contact patterns over time.

Meta separated its view of the bill into two parts, supporting Part 1 as a framework to help law enforcement obtain evidence while warning that Part 2 “could have a significant negative impact on Canadians’ privacy and cybersecurity.” The company told members of Parliament the ministerial power to expand retention obligations to “any electronic service provider” could reach cloud platforms, encrypted messaging services and crypto infrastructure depending on later regulations.

Apple raised related objections a day earlier, warning the legislation “could allow the Canadian government to force companies to break encryption by inserting backdoors into their products, something we will never do,” and indicating it might withdraw products rather than comply.

A spokesperson for Public Safety Minister Gary Anandasangaree responded that the legislation “does not compel companies to weaken encryption or create systemic vulnerabilities” and that the bill would align with the Charter of Rights and Freedoms. The minister has said he is open to reviewing opposition amendments as the bill moves through Parliament.

Privacy scholars and security researchers have cited a 2024 intrusion by state-linked hackers known as Salt Typhoon, which exploited the lawful-intercept systems that U.S. carriers maintain. The intrusion affected multiple major carriers and exposed metadata and active surveillance targets, a precedent critics warn should be considered before similar infrastructure is required in Canada.

Bill C-22 was introduced March 12, 2026, after the government split an earlier proposal: Bill C-2 was abandoned and border-related measures moved into Bill C-12. How Parliament amends or approves Bill C-22 will determine whether mandatory retention is narrowed, which providers are covered and how far the minister’s authority to expand obligations by order will reach.

Parliamentary committees are scheduled to review the bill’s technical requirements and definitions. Lawmakers will consider how to balance lawful-access powers, the scope of covered providers and protections for encryption and cybersecurity as the bill proceeds through the House of Commons.
