The House Judiciary and Foreign Affairs committees sent a letter to Canada's Minister of Public Safety on Thursday, expressing concern that a new cybersecurity bill making its way through the country's legislature could pose privacy and security risks to Americans.

The Canadian parliament is currently considering the "Lawful Access Act of 2026," also referred to as Bill C-22, which looks to modernize how Canadian law enforcement investigates serious threats in cyber investigations.

House Judiciary Chairman Jim Jordan and House Foreign Affairs Chairman Brian Mast said the letter is part of their oversight of actions by foreign governments that threaten to weaken the security, privacy, and constitutional rights of American citizens.

"Canada’s Bill C-22, currently under consideration in Parliament, would drastically expand Canada’s surveillance and data access powers in ways that create significant cross-border risks to the security and data privacy of Americans," the lawmakers wrote in the letter, which was shared with Just The News exclusively. "We write to express our concerns that, if enacted, Bill C-22 would allow Canadian government officials to compel American companies to build backdoors into their encrypted systems, thereby introducing systemic vulnerabilities that could be exploited by hackers, foreign adversaries, and cybercriminals."

The chairmen expressed concern over the vagueness of the language in the bill and the power it gives Canadian Minister of Public Safety Gary Anandasangaree to issue "secret ministerial orders," which would only be subject to the review of the Intelligence Commissioner.

The men claimed that the United States is already seeing the consequences of similar laws in the United Kingdom, where its government allegedly issued a "secret order" to Apple, which is an American company, to give them access to users’ encrypted cloud data.

"If a U.S. based provider is forced to redesign its system to facilitate Canadian authorized access to content that is currently inaccessible even to the provider itself, the resulting capability cannot be geographically limited," they wrote. "This directly threatens the privacy of U.S. persons who expect and depend upon robust encryption to protect sensitive communications, health data, financial records, and personal correspondence from unwarranted intrusion."

The lawmakers urged Canada to work with the U.S. to protect American data, suggesting that the countries create an agreement under the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, which allows U.S. law enforcement to compel American technology companies to provide data via subpoenas regardless of whether the data is stored within or outside the U.S.

"The United States and Canada maintain a close partnership in matters of security, intelligence cooperation, and cross-border law enforcement," the lawmakers concluded. "We look forward to your prompt collaboration on this issue, with the goal of safeguarding the privacy and civil liberties of our citizens."

The Canadian government with the House committees' interpretation of the measure.

"Cybersecurity is a top-of-mind concern in the development of Canada’s lawful access framework," Tim Warmington, a Public Safety Canada spokesperson said Saturday. "The Government of Canada does not support, nor do the proposed Bill C-22 or the proposed Supporting Authorized Access to Information Act (SAAIA) require, the creation of “backdoors” or the weakening of other electronic protections.

"In fact, subsections 5(5) and 7(5) of SAAIA provide explicit safeguards that would ensure the Government cannot force Electronic Service Providers (ESPs) to comply with regulatory requirements or Ministerial Orders (MOs) that would create systemic vulnerabilities or prevent them from being rectified. This means that if an ESP were to assess that they cannot comply with a requirement without introducing a systemic vulnerability into their electronic protections, which includes encryption, they would not have to abide by it.

"Moreover, both in the making of the regulations and the issuance of MOs, the Government of Canada will be required, by law, to consult the impacted ESP and take into account the potential impact on cybersecurity and privacy protections before an MO can be issued. Additionally, MO are subject to the review and approval of the Intelligence Commissioner before the Minister of Public Safety can issue an MO to an electronic service provider.

"Experts from across Government were consulted in the development of this Bill and its safeguards against systemic vulnerabilities. The threat of malicious cyber activity already exists for organizations across Canada. Bill C-22 will improve cyber security by driving consistency in lawful access approaches – moving away from Ad Hoc and voluntary solutions to standardized approaches that are managed at the enterprise level.

"While the Government will set requirements for ESPs through regulations or an MO it will not impose a particular technical solution for them to abide by. Bill C-22 does not alter the existing responsibility of ESPs to protect their networks from hacking or other unauthorized access. This is why the Government already provides detailed technical guidance to Canadians on how to protect themselves against malicious cyber activity. This is also why the legislation articulates the ability for ESPs to push back when they determine that a solution could introduce a systemic vulnerability – they know their systems and have a vested interest in keeping them secure."

This story was revised Monday, May 11, 2026, to include the Canadian government's comments.