Canada’s Bill C-22 Faces Strong Pushback Over Privacy Concerns
Privacy watchdog and tech giants oppose Canada’s Bill C-22 over encryption and data rules.
Why it matters: This bill could reshape lawful access standards affecting cross-border data requests and set new privacy precedents for tech regulation, impacting legal compliance worldwide.
- Bill C-22 requires service providers to retain metadata for up to one year and build capabilities for government access to encrypted communications.
- Canada’s Privacy Commissioner, Philippe Dufresne, demands stronger privacy protections and amendments to the bill.
- Apple, Google, and Meta warn that Bill C-22 could weaken encryption, creating security vulnerabilities.
- VPN providers like ExpressVPN, Proton VPN, and Windscribe threaten to exit Canada if the bill passes.
- The bill has passed second reading and is now under review by the Standing Committee on Public Safety and National Security.
Canada's Bill C-22, known as the Lawful Access Act, aims to modernize law enforcement's ability to access electronic evidence by requiring service providers to retain metadata for up to a year and build systems for government access to encrypted communications.
Introduced by the Liberal Party and currently debated in the House of Commons, the bill has passed its second reading as of April 20, 2026, and awaits further scrutiny by the Standing Committee on Public Safety and National Security (parliament audit).
The Privacy Commissioner of Canada, Philippe Dufresne, has publicly urged Parliament to strengthen privacy safeguards within the bill to better protect Canadians' data.
Major tech companies like Apple, Google, and Meta have expressed clear opposition. Google's submission to the House committee warns the bill’s broad definitions might "break end-to-end encryption and create significant cybersecurity risks," potentially opening backdoors that compromise global user privacy (Japan Times).
Similarly, Apple’s senior director for user privacy and child safety, Erik Neuenschwander, noted ongoing discussions aimed at amending the bill to preserve encryption protections.
VPN providers, including ExpressVPN, Proton VPN, and Windscribe, have threatened to withdraw from the Canadian market, citing user trust concerns and the impossibility of maintaining no-logs policies under the bill’s mandates (TechRadar).
With Bill C-22 facing intense scrutiny and opposition, legal professionals should closely monitor its progression, as it may set influential precedents for data privacy, encryption standards, and lawful access policies across jurisdictions.
By the numbers:
- 1 year — duration for metadata retention mandated by Bill C-22
- April 20, 2026 — Bill C-22 passed second reading in Canadian House of Commons
- 3+ VPN providers — ExpressVPN, Proton VPN, Windscribe threaten Canadian exit if bill passes
Yes, but: The government has yet to clarify if or how it will amend Bill C-22 to address privacy and security concerns raised by stakeholders.
What's next: Bill C-22 is under review by the Standing Committee on Public Safety and National Security, with potential amendments before a final parliamentary vote.