Canada’s lawful access bill has turned VPN privacy into a political stress test, and the first companies to blink are not telecom giants.
Quick Take
- Bill C-22’s Part 2 creates a framework for electronic service providers to support lawful access requests [3][5]
- Public Safety Canada says the bill does not create new interception powers or order surveillance backdoors [5]
- VPN and encrypted service providers say the law could force them to abandon no-logs and encryption promises [1][2]
- The real fight is over scope: whether “electronic service provider” reaches VPNs, messaging apps, and other digital services [2][3]
The Fight Is About Scope, Not Just Surveillance
Bill C-22 has become a test of how far a government can stretch lawful access without breaking the business model of privacy-first services. Public Safety Canada says Part 2 does not create new powers to intercept communications or obtain information [5]. Critics answer that the bill’s structure still reaches deep into provider architecture, because it requires designated electronic service providers to develop capabilities that help authorized officials get access to information [3][5].
That gap explains the public threat from companies like NordVPN, Signal, and Windscribe. NordVPN said it would consider leaving Canada if the law forced it to compromise its privacy protections [1]. Signal reportedly made the same point, and Windscribe said it would leave if the bill passed [1]. For ordinary readers, the meaning is simple: these firms sell trust, and once trust turns into mandatory cooperation, their product changes into something else.
Why Privacy Companies Read the Bill So Literally
The most important words in the debate are buried in the definition of “electronic service provider.” Michael Geist’s analysis argues that the phrase covers far more than traditional phone carriers, extending to platforms, messaging applications, VPN services, and device manufacturers [2]. That reading matters because modern VPNs do not advertise themselves as logging intermediaries. They promise the opposite. If the law can reach them, it can pressure the very feature that makes them valuable.
The government’s own backgrounder leaves room for that fear, even while denying the strongest version of it. Public Safety Canada says select providers could be required to develop and maintain capabilities needed for lawful access, and ministerial orders could compel specific capabilities [5]. That sounds technical because it is technical. A rule that sounds harmless in a news release can become a business-ending mandate once lawyers and engineers map it onto real systems, real encryption, and real no-logs commitments [2][5].
Metadata Retention Is the Quiet Pressure Point
The sharpest privacy concern may not be content interception at all. Public Safety Canada says the bill would allow regulations on prescribed metadata retention for no longer than one year, while excluding content, web-browsing history, and social media activity [5]. That distinction sounds reassuring until you remember what metadata does: it can reveal who contacted whom, when, and how often. For a privacy service, being forced to retain traces can be almost as corrosive as being forced to read the message itself.
That is why the argument has teeth with conservative readers who care about both liberty and common sense. The state should have tools to pursue criminals, but it should not casually redesign private infrastructure just to make policing easier. A system that preserves limited, court-supervised access is one thing. A system that pushes broad categories of private companies into quiet retention and secret capability-building is another. The difference is not rhetorical; it is structural [3][5].
What the Government Says, and What It Still Has Not Proven
The government’s strongest defense is also its simplest: this bill, it says, is about helping agencies carry out lawful orders already authorized by law [5]. That claim will reassure people who assume the text is narrow. It does not settle the practical question. The sources provided do not show a final regulation, a ministerial order, or an enforcement action proving that a VPN must log users or weaken encryption [1][3][5]. That absence matters. So does the fact that companies are already planning for the worst.
BREAKING
Proton VPN joins list of companies who will boycott the Canadian market if Bill C-22 passes.
"The EU has already struck down a similar law. There is no world where we violate our no logs policy"
— Tablesalt 🇨🇦🇺🇸 (@Tablesalt13) May 19, 2026
In the end, Bill C-22 has created a classic modern collision: government confidence versus provider alarm. Officials say there is no surveillance scheme here [5]. Privacy companies hear a different message in the definitions, secrecy obligations, and capability mandates [2][3]. The public should care because the fight is not abstract. If Canada can tell privacy businesses to compromise their design or leave, then the next question is obvious: who decides which services can still be trusted?
Sources:
[1] Web – Lawful access bill could lead to exit from Canada, major VPN …
[2] Web – Tech Exodus: Why Bill C-22’s Privacy and Security Risks Will Drive …
[3] Web – Bill C-22, An Act respecting lawful access
[5] Web – Supporting Authorized Access to Information Act (Bill C-22 – Part 2)