TL;DR:

  • What: Bill C-22, the Lawful Access Act, would force Canadian service providers to build surveillance backdoors and retain metadata for one year
  • Who's leaving: Signal threatened to exit Canada. Windscribe said it'll relocate HQ. NordVPN is considering "all viable options" including leaving
  • The opposition: EFF, Apple, Meta, Michael Geist, the U.S. House Judiciary Committee, and the Canadian Chamber of Commerce have all publicly opposed the bill
  • Current status: Passed second reading April 20, 2026. Now in committee. Could become law this year
  • Why it matters: If Canada succeeds, it becomes the template for Five Eyes partners to demand the same, including the U.S.

What Bill C-22 Actually Requires

Minister of Public Safety Gary Anandasangaree introduced Bill C-22 on March 12, 2026. Behind the bureaucratic title sits the most aggressive surveillance legislation attempted by a Western democracy since Australia's Assistance and Access Act in 2018.

The bill has two heads. Part 1 mandates that telecom providers, messaging apps, email services, and cloud platforms retain metadata (who you communicated with, when, from where, for how long) for a full year. Section 5(2)(d) requires "core providers" to retain metadata categories that create what University of Ottawa law professor Michael Geist calls "a comprehensive surveillance map of virtually every Canadian." [1]

Part 2 is worse. It grants the Minister authority to demand any service provider build "technical capabilities" for law enforcement interception. Translation: backdoors. The bill specifically requires companies to develop systems that "extract and organize information authorized to be accessed." [2]

There's a gag order built in. Companies cannot publicly reveal the existence of these surveillance orders.

The "No Systemic Vulnerability" Fiction

The government's pitch: these capabilities won't introduce "systemic vulnerabilities." The bill says so right in the text.

The EFF's response is blunt: "Surveillance of encrypted communications is fundamentally a systemic vulnerability." [3] You can't build a door that only good guys can walk through. Every backdoor is a vulnerability. That's not a political opinion: it's mathematics.

The definitions in Bill C-22 leave "wiggle room for the government to demand that companies circumvent encryption," according to the EFF's analysis. What counts as a "systemic vulnerability"? The bill doesn't say clearly. What counts as "encryption"? Also vague.

We've already seen what happens when governments build these systems. The 2024 Salt Typhoon hack, where Chinese state-sponsored hackers exploited lawful intercept infrastructure at U.S. telecoms, demonstrated exactly this risk. "When you build these systems, hackers will come," the EFF warned. [3]

The Companies Heading for the Exit

Signal's Meredith Whittaker made the organization's position clear: they would pull out of Canada rather than compromise their encryption. This follows Signal's established pattern: they made identical threats over the EU's Chat Control proposal and Australia's existing surveillance laws.

Windscribe, the Toronto-headquartered VPN provider, was even more direct. CEO Yegor Sak: "Not happening. We'll move HQ and take our taxes elsewhere." And: "If we start logging our users to comply with this moronic legislation then we might as well shut our doors ourselves." [4]

NordVPN's statement was more measured but no less clear: "Should Bill C-22 pass in its current form and if we are subjected to mandatory obligations, there isn't a scenario in which we would compromise our no-logs architecture or encryption protections." They said they would consider "all viable options, including limiting or, if necessary, removing our presence from Canadian jurisdiction." [4]

The pattern is the same in every case: these companies will leave rather than build surveillance tools. That's not posturing. Apple already pulled its Advanced Data Protection feature from the UK rather than comply with a similar order in 2024. [3]

The Coalition Against C-22

The opposition list reads like a who's-who of tech, civil liberties, and (unusually) foreign governments.

The U.S. House Judiciary Committee and Foreign Affairs Committee sent a joint letter expressing concerns about backdoor threats to American citizens' communications. When U.S. Congressional committees write formal letters opposing Canadian legislation, you know something unusual is happening.

Apple and Meta have both publicly opposed Part 2 of the bill. The Canadian Chamber of Commerce warned about the chilling effect on business. Michael Geist, Canada's foremost digital law scholar, published a series comparing the government's approach to the "disastrous Online News Act playbook" of dismissing expert criticism until it's too late to fix. [2]

European courts have already struck down exactly this kind of regime. The Court of Justice of the European Union killed similar metadata retention mandates in Digital Rights Ireland and Tele2 Sverige. Germany's Federal Constitutional Court reached the same conclusion. [1]

The Evidentiary Standard Nobody's Talking About

Lost in the encryption debate: Bill C-22 also lowers the threshold for accessing subscriber information to "reasonable grounds to suspect," what Geist identifies as "the lowest investigative threshold in Canadian criminal law." [1]

That's a shift from "reasonable grounds to believe." The difference sounds academic. It's not. "Suspect" is gut feeling territory. "Believe" requires actual evidence. This means police need even less justification to demand your metadata than they currently need.

Combined with one-year mandatory retention, the result is a surveillance architecture where virtually every Canadian's communication patterns are stored and accessible with minimal oversight.

The Five Eyes Domino Effect

Australia passed its Assistance and Access Act in 2018. The UK followed with the Online Safety Act and secret orders to Apple. Now Canada. The pattern within the Five Eyes intelligence alliance is clear: each country's law becomes the justification for the next.

If C-22 passes, the argument in Washington becomes: "Our closest allies already require this. American companies already comply in those markets. Why not here?" The FBI has wanted this for decades. Canada would hand them the precedent.

This isn't speculation. It's how the Online News Act played out: Australia went first, Canada followed, and other countries used both as justification for their own versions.

What Happens Next

Bill C-22 passed second reading on April 20, 2026. It's now being reviewed by committee. Apple and Meta are expected to make formal submissions. The committee could amend the bill, or rubber-stamp it.

If it passes committee relatively intact, it goes back to the House for third reading, then to the Senate. The government has a majority. The bill could become law before the end of 2026.

For Canadians who use encrypted messaging, VPNs, or any cloud service that promises privacy: the companies you rely on are telling you, publicly, that they will leave rather than comply. Believe them. Start thinking about what your communications infrastructure looks like if Signal, Windscribe, and NordVPN follow through.

What You Can Do

  • Contact your MP: Bill C-22 is in committee. This is the last stage where public pressure can force amendments
  • Support the opposition: The EFF, OpenMedia, and the Canadian Civil Liberties Association are leading the legal fight
  • Diversify your tools: Don't rely on a single provider that might exit your jurisdiction
  • Watch for the gag order: If your VPN or messaging service suddenly changes its terms of service or privacy policy, that might be all the warning you get

Sources

  1. Michael Geist: "The Lawful Access Two-Headed Surveillance Monster: How Bill C-22 Went Off the Rails"
  2. Michael Geist: "Bill C-22's Groundhog Day"
  3. EFF: "Canada's Bill C-22 Is a Repackaged Version of Last Year's Surveillance Nightmare"
  4. iPhone in Canada: "NordVPN and Windscribe Say They'll Leave Canada Before Spying on Citizens"
  5. Canada's National Observer: "Kiss Your Online Privacy Goodbye"
  6. BNN Bloomberg: "Major VPN Provider Says It Could Leave Canada Over Lawful Access Bill"
  7. Fasken: "Bill C-22: The Lawful Access Act Reintroduces Lawful Access in Parliament"