Canada’s Bill C-22: Why Signal, Apple, and top VPNs are fighting the 'surveillance' law

The tech giants are pushing back against Canada's Bill C-22. Companies are raising the alarm over the cybersecurity and privacy risks that these new obligations will pose.

Encrypted messaging app Signal and Windscribe VPN went as far as to vow to leave the country if it becomes law.

And the Canadian government appears to be listening to these concerns and has agreed to clarify contentious points around encryption and metadata. However, Canada's Minister of Public Safety, Gary Anandasangaree, remains firm that tech companies are "misinterpreting" the bill.

In a statement to TechRadar, the ministry "categorically rejects" claims that Bill C-22 would enable surveillance, arguing that the provisions are meant to "modernize" lawful access to data in line with similar requirements existing in other G7 countries.

"For international companies, to claim that Bill C-22 would somehow undermine their ability to offer robust privacy and security features is simply misleading," Simon Lafortune, Deputy Director of Communications and Press Secretary to the Minister of Public Safety, told TechRadar.

Tech giants, alongside some of the best VPN providers and encrypted messaging services, aren't convinced, though. Google has warned of "surveillance infrastructure" and, together with Apple, urged lawmakers to add explicit protections for encryption.

Meanwhile, a joint report from Citizen Lab and the Canadian Civil Liberties Association recently branded the proposed legislation "almost certainly constitutionally fatal".

So, what is the actual threat to Canadian privacy? Why are tech providers so worried? And, most importantly, will they manage to make the government actually rethink its surveillance law?

The encryption debate

Lafortune maintains that the government has made it clear that strong encryption is essential to cybersecurity, economic growth, and the protection of Canadian citizen personal information.

"We want to reassure Signal, Windscribe, NordVPN, and all service providers that we are not legislating to require them to install capabilities to enable surveillance, and any assertions otherwise are false," Lafortune told TechRadar.

One of the major areas of contention surrounds the draft's definition of encryption and vulnerabilities. In a May 13 submission, Google called for clearer definitions, while privacy advocates have warned about the law's potential future impact.

Laura Tyrylyte, privacy advocate at NordVPN, told TechRadar: "In its current form, Bill C-22 grants the government overbroad, unsupervised and opaque Ministerial Order powers that could effectively compel any electronic service provider to build technical capabilities that compromise end-to-end encryption, insert backdoors, or perform surveillance."

The VPN industry is largely united in its opposition to the bill, with representatives from ExpressVPN, Proton VPN, and Windscribe all echoing similar concerns.

ExpressVPN's Chief Research Officer, Pete Membrey, told TechRadar: "Even well-intentioned requirements can create pressure for providers to build technical capabilities that weaken security or undermine trust in encrypted services."

Meanwhile, Proton VPN's David Peterson said that politicians are at risk of misunderstanding how encryption works. "If you create a backdoor in encryption, it cannot be selective — it allows both good and bad actors in equally," he said.

For Yegor Sak, CEO of Windscribe, the issues with encryption are linked to another contentious point — greater data retention. He told TechRadar: "[The bill] forces companies to build technical capabilities and retain data in ways that make it nearly impossible to maintain strong encryption without major changes to how the service works."

Metadata privacy matters

Bill C-22 seeks to significantly expand providers' data retention obligations.

The government maintains that the bill introduces "limited retention requirements strictly for metadata," and the text does include restrictions on collecting data that could reveal the "content" of communications, users' "web browsing history," and their "social media activities."

For Sak, however, forcing companies to build data logging systems and "retain large amounts of metadata" directly undermines encryption.

"You can have strong encryption and effective law enforcement. You just can’t have both if you’re also forcing companies to weaken their architecture, which will put users at risk," he told TechRadar.

Even though metadata does not explicitly reveal the content of online activities, its privacy implications are vast. Powered by modern AI tools, tracking this information enables law enforcement — or any malicious actor with the necessary skills — to build a highly accurate picture of a user's digital life without ever breaking encryption.

RCMP’s justification for mandatory metadata retention? The ability to track everyone in the vicinity of a crime scene. In other words, Bill C-22 will create a national surveillance map capable of tracing where you have been and with whom you communicate.https://t.co/NKoUhSM97NMay 21, 2026

Michael Geist, Canada Research Chair in Internet and E-Commerce Law at the University of Ottawa, warned that mandatory metadata retention will "create a national surveillance map" of Canadians' movements and communications.

Tyrylyte also views this level of data collection as "disproportionate and dangerous," especially in an era where citizens are increasingly targeted by data breaches, fraud, and identity theft.

Will the government find a compromise?

It remains unclear how the government intends to improve transparency and accountability. Minister Anandasangaree has said that he intends to pass the bill before Parliament breaks for the summer on June 19.

Conservatives also recently moved a motion to split the legislation in half to allow further study of the controversial encryption and metadata provisions.

However, Proton and Windscribe are not optimistic that any concrete changes will materialize.

"It is difficult to see how the privacy of Canadian citizens can truly be preserved while simultaneously granting law enforcement broad access to their most sensitive data," Peterson said.

Sak shares this skepticism, saying that potential amendments "will mostly be fluff."

Regardless, the government's stance remains firm. "The government remains committed to protecting both public safety and the fundamental rights of Canadians, and we look forward to Bill C‑22 proceeding through Parliament and receiving Royal Assent as soon as possible," Lafortune told TechRadar.

As a G7 nation and a member of the Five Eyes intelligence alliance, Canada's final lawful access framework could set a global precedent.

And with a growing list of countries attempting to "modernize" law enforcement's ability to access citizens' data, the implications stretch far beyond Canadian borders.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!