Canada’s fight over digital privacy has moved from Parliament Hill into the apps and services Canadians use every day. Bill C-22, the federal government’s proposed lawful access legislation, was designed to help police and national security agencies move faster in digital investigations. Instead, it has triggered warnings from privacy advocates, major technology firms, and VPN providers that say the bill could force them to rethink doing business in Canada.
The government says the proposal is about modernizing outdated investigative tools, not mass surveillance. Critics argue the wording still leaves too much room for technical mandates, metadata retention, and pressure on encrypted services. Now, with the bill in committee and Ottawa signalling openness to amendments, the question is whether Parliament can narrow the law before the backlash grows.
Why Bill C-22 Suddenly Became a Flashpoint
Bill C-22 is the federal government’s latest attempt to create a modern “lawful access” framework for the internet age. The bill was introduced after earlier lawful-access provisions in Bill C-2 faced heavy criticism and were separated into standalone legislation. Supporters argue police need clearer tools to identify online suspects, especially when investigations involve digital accounts, IP addresses, messaging platforms, or foreign service providers.
The controversy comes from how broad the bill still appears to many critics. It would create new rules around subscriber information, transmission data, technical capabilities, and some forms of metadata retention. For the average Canadian, that can sound abstract. In practical terms, it touches the digital trail left behind by phones, apps, web accounts, and online services — the kind of information that can reveal patterns even when message content is not directly exposed.
VPN Providers Are Drawing a Hard Line
The most attention-grabbing warning came from VPN providers, whose entire business model depends on promising users that their browsing activity is not logged or exposed. NordVPN said it was reviewing the bill and would consider limiting or removing its presence from Canadian jurisdiction if required to compromise its no-logs architecture or encryption protections. That matters because many Canadians use VPNs for privacy, public Wi-Fi protection, travel, streaming access, or workplace security.
Windscribe, a Canadian-headquartered VPN company, went even further by warning it could move its headquarters if the bill passes in a form that undermines its service. That makes the dispute more than a symbolic fight with foreign tech firms. A Canadian privacy company saying it may leave Canada turns the bill into an economic and reputational issue as well as a civil-liberties debate.
Ottawa Says It Is Not Trying to Spy on Canadians
The federal government has pushed back against claims that Bill C-22 is a surveillance bill. Public Safety officials have said the proposal is not intended to require companies to install surveillance capabilities or create systemic vulnerabilities in encryption. The government’s argument is that law enforcement already has legal authorities to seek certain information, but digital providers are not always technically able or legally structured to respond quickly.
That distinction is central to the government’s defence. Officials say Part 2 of the bill does not create new powers to intercept communications or obtain information; instead, it is meant to ensure providers can comply when lawful access has already been authorized. Critics counter that requiring companies to build and maintain access capabilities can still change the security design of digital services, even if the government says the goal is lawful compliance rather than broad spying.
The Metadata Issue Is Bigger Than It Sounds
One of the most sensitive parts of the bill involves metadata. Bill C-22 would allow regulations requiring certain “core providers” to retain categories of metadata, including transmission data, for reasonable periods of time up to one year. Metadata does not usually mean the content of a message, but it can still reveal who communicated, when, through what service, and sometimes from where.
That is why privacy experts often say metadata can be deeply revealing. A message that says nothing publicly can still create a pattern when paired with time, location, device, and contact records. A journalist speaking with a source, a small business negotiating a confidential deal, or a family member contacting a lawyer may all care less about the words themselves than the fact of the contact being recorded and retained.
Encryption Has Become the Red-Line Issue
Apple and Meta have warned that Bill C-22 could force companies to weaken encryption or build technical workarounds that undermine user security. Their concern is not just about Canada. Major technology firms design security systems across borders, meaning a mandate in one country can create pressure on products used globally. That is why encryption debates often become international almost immediately.
The government says the bill would not require companies to introduce a systemic vulnerability. The problem is that companies and privacy advocates want that protection written with enough clarity that future regulations, secret orders, or technical interpretations cannot water it down. For services like WhatsApp, iMessage, Signal, and VPNs, even small changes to encryption architecture can become a trust crisis.
The Bill Has Already Been Softened Once
Bill C-22 is not the first version of this fight. The earlier Bill C-2 drew criticism for being too broad, including concerns over who could be compelled to provide information and what could be demanded. Bill C-22 narrows some of those powers, including the new confirmation-of-service demand, which is focused on telecommunications providers and asks whether a service is or was provided to a specific subscriber, account, or identifier.
Those changes matter, but they have not ended the debate. Some legal observers say the bill is an improvement over C-2, while still raising serious questions about production orders, metadata retention, ministerial orders, and oversight. In other words, Ottawa may have fixed the most obvious political problem, but not the deeper trust problem facing digital privacy legislation.
Parliament Is Now the Real Battleground
Bill C-22 has passed second reading and is being studied by the House of Commons Standing Committee on Public Safety and National Security. Committee study is where witnesses, legal experts, industry representatives, civil-liberties groups, and law enforcement can press MPs on the wording. That stage matters because small wording changes can decide whether a law is narrowly targeted or open to wider interpretation later.
There are already signs the government may accept changes. Parliamentary debate includes references to the public safety minister being open to amendments, and CBC reporting has said the minister’s office is open to amendments while still hoping to pass the bill by summer. That creates a narrow window: enough time to adjust the bill, but not necessarily enough for a full rethink.
Law Enforcement Says the Digital World Has Changed
The government’s case rests on a real challenge: crime, fraud, extortion, and national security threats increasingly happen through digital tools. Police often need to connect an online identifier to a real person before they can move to the next stage of an investigation. The Department of Justice says the bill responds to Supreme Court decisions requiring lawful authority for certain kinds of basic identifying information.
Supporters argue that without updated rules, investigators can lose time while suspects move across platforms, hide behind disposable accounts, or rely on foreign service providers. The Canadian Centre for Child Protection has also argued that stronger tools could help police act earlier in serious online investigations. The political challenge is ensuring those tools are precise enough that public safety gains do not come at the cost of broad data collection on everyone else.
What Changes Could Calm the Backlash
The clearest path forward would be to turn the government’s assurances into explicit legal limits. That could mean stronger language protecting encryption, narrower definitions of metadata, tighter rules around which providers can be designated as core providers, and more transparent reporting on how powers are used. Privacy advocates are also likely to push for stronger independent review before technical orders take effect.
For Canadians, the issue is not whether police should ever access digital information. The sharper question is whether Bill C-22 gives agencies targeted tools with meaningful oversight, or whether it creates infrastructure that future governments could expand. VPN providers’ threats to leave Canada have made the stakes easier to understand: if privacy companies no longer trust Canadian law, ordinary users may start asking why they should.