Canada’s federal government wants every digital service in the country to record who you communicate with, when, from where, and on what device — and keep those records for a full year. Bill C-22, the Lawful Access Act, would create one of the most expansive metadata surveillance regimes in any Western democracy.
Signal has warned it will leave Canada rather than comply. ProtonVPN says compliance would violate Swiss law. Windscribe, a VPN provider headquartered in Toronto, has threatened to relocate entirely. Apple and Meta have publicly opposed the bill. Even the US House Judiciary Committee sent a letter warning that it threatens cross-border data security.
When the companies that build encrypted communication tools would rather abandon an entire national market than comply with your law, that should tell you something about the law.
What the Bill Actually Requires
Bill C-22 has two main components. The first narrows some warrantless access provisions from the failed Bill C-2 (2025). The second — the part drawing the most opposition — creates a mandatory metadata retention and technical capability regime.
Under Section 5(2)(d), the Minister of Public Safety can require any “core provider” to retain prescribed categories of metadata for up to one year. The definition of “electronic service provider” is broad enough to cover telecoms, messaging apps, VPN services, email providers, and potentially any entity offering digital services to Canadians.
The retained metadata would include who you contacted, who contacted you, when and how long you communicated, what device you used, and your location. The bill excludes message content, browsing history, and social media activity — but metadata alone paints a remarkably detailed picture. It reveals your movements, your relationships, your routines, and places you might want to keep private: protests, medical appointments, legal consultations.
As University of Ottawa law professor Michael Geist put it, this creates “a comprehensive surveillance map of virtually every Canadian.”
The Encryption Problem
Beyond metadata, Bill C-22 empowers the Minister to order providers to develop and maintain technical capabilities for intercepting communications. The bill includes language stating these orders shouldn’t create “systemic vulnerabilities” — but the EFF identified the core contradiction: “Surveillance of encrypted communications is fundamentally a systemic vulnerability.”
The bill also prohibits companies from revealing that these orders exist. So a service could be compelled to build interception infrastructure, and its users would never know.
This directly conflicts with the architecture of end-to-end encrypted services. Signal, for example, cannot access message content by design. A capability mandate would require fundamentally changing how these services work — weakening security for everyone, not just investigation targets.
Europe Already Tried This. Courts Said No.
The Court of Justice of the European Union has struck down blanket metadata retention laws twice — in Digital Rights Ireland (2014) and Tele2 Sverige (2016). Germany’s Federal Constitutional Court reached the same conclusion independently. These courts found that indiscriminate retention of communications metadata violates fundamental rights to privacy and data protection.
The Canadian government’s own Charter Statement for Bill C-22 says nothing about the metadata retention regime and ignores this international jurisprudence entirely. Michael Geist called this omission “remarkable.”
Swiss Law as a Shield
ProtonVPN’s response exposed a practical enforcement problem. The company’s General Manager stated that complying with foreign surveillance orders without Swiss legal process would violate Swiss criminal law. ProtonVPN operates under Swiss jurisdiction, maintains a no-logs architecture by design, and has pledged to challenge the legislation “by every means available.”
This transforms Bill C-22 from a privacy debate into a jurisdictional enforcement question. Canada cannot compel a Swiss company operating under Swiss data protection law to build surveillance capabilities that Swiss law prohibits. The same applies to any provider that operates outside Canadian jurisdiction and refuses to comply.
It also highlights why jurisdiction matters when choosing digital services. A provider based in a country with strong privacy protections isn’t just offering better terms of service — it’s operating under a legal framework that actively resists this kind of government overreach.
The Industry Exodus Threat
The list of companies and organisations opposing Bill C-22 is long:
- Signal — threatened to exit Canada entirely
- ProtonVPN — cited Swiss law as making compliance impossible
- Windscribe — Toronto-headquartered VPN that would relocate rather than comply
- NordVPN — indicated potential departure
- Apple and Meta — raised public concerns about encryption impacts
- Canadian Chamber of Commerce and the Cybersecurity Advisors Network
- US House Judiciary and Foreign Affairs Committee chairs
During Commons debate, Justice Minister Sean Fraser devoted a single paragraph to the metadata retention provisions. Secretary of State Ruby Sahota described the bill as “a first step” — implying future expansions are planned.
Why This Matters
Bill C-22 is part of a pattern. Governments in the Five Eyes alliance — the US, UK, Canada, Australia, and New Zealand — have spent years pushing for weakened encryption and expanded surveillance powers. Australia’s Assistance and Access Act (2018) already gives authorities similar capabilities. The UK’s Online Safety Act includes provisions that could force platforms to scan encrypted messages.
Canada is following the playbook: introduce sweeping surveillance architecture, include vague safeguards that sound reassuring but lack legal teeth, and rely on secrecy provisions to keep the public from knowing how the powers are actually used.
The strongest response isn’t legislative — it’s architectural. Services that don’t collect metadata can’t be forced to hand it over. End-to-end encryption that the provider can’t break can’t be backdoored by government order. And providers operating under jurisdictions like Switzerland, where privacy protections are constitutional rather than statutory, have legal ground to refuse.
The tools you choose and where those tools are based aren’t just technical decisions. They’re decisions about which legal system protects your data when a government comes asking.