Bill C-22 Pushes Tech Giants and VPN Providers Toward Canada Exit

A legislative proposal that was framed as a national security measure is rapidly becoming one of the most consequential threats to Canada's digital economy in a generation. Bill C-22, currently before Parliament, would grant Canadian authorities broad powers to compel technology companies to provide access to encrypted communications - a move that has triggered public opposition from some of the largest names in global technology, drawn scrutiny from U.S. congressional leaders, and prompted VPN providers headquartered in Canada to weigh relocating abroad rather than comply.

The opposition is not limited to advocacy groups or privacy campaigners. It runs directly through the boardrooms of companies whose presence in Canada represents billions in infrastructure investment, employment, and tax revenue.

What Bill C-22 Actually Demands - and Why Encryption Experts Reject It

At the core of Bill C-22 is a mechanism that security professionals have argued against for decades: compelled exceptional access, commonly known as a backdoor. The concept is straightforward - governments want a guaranteed way to read encrypted communications when they deem it necessary. The technical and security reality is equally straightforward: there is no way to build a door that only the right people can walk through.

Encryption works precisely because it is unconditional. End-to-end encryption, the standard used by platforms like Signal and WhatsApp, ensures that only the sender and recipient can read a message. The moment a third-party access mechanism is introduced - regardless of who controls it - the mathematical integrity of the system is broken. Any vulnerability created for a government agency is, by definition, a vulnerability that can be discovered and exploited by criminal actors, foreign intelligence services, or anyone with sufficient technical capability.

Apple, which issued a direct statement against the bill, made this point without ambiguity: the legislation could force companies to break encryption by inserting backdoors into their products - something the company said it would never do. Signal's position was equally unequivocal. Executive Udbhav Tiwari warned that the platform would exit Canada entirely before altering its encryption architecture. These are not negotiating positions. They reflect the operational reality that a privacy tool which can be compromised on demand is not a privacy tool at all.

Meta went further in its parliamentary submission, warning that Bill C-22 could effectively conscript private companies as instruments of government surveillance - a framing that carries significant legal and reputational weight for any multinational operating under competing regulatory regimes across dozens of jurisdictions.

The Economic Stakes Canada's Government Appears to Be Underestimating

Shopify CEO Tobi Lütke, one of Canada's most prominent technology voices, delivered perhaps the bluntest assessment of the bill's trajectory, stating on X that C-22 "may well end up dealing a death blow to Canadian tech viability." That a founder of Shopify's stature would use that language publicly signals the depth of concern within the domestic technology sector - not just among international observers.

Montreal-based entrepreneur and strategic investor Yanik Guillemette has been among the most consistent voices connecting the legislation's surveillance ambitions to concrete economic risk. "We are witnessing one of the largest collisions between government surveillance ambitions and digital economic reality in modern Canadian history," Guillemette said. His concern is not abstract. Canada has spent years cultivating competitive positioning in artificial intelligence research, cloud infrastructure, and cybersecurity services - sectors that are exquisitely sensitive to perceptions of data sovereignty and legal certainty.

"Modern economies run on trust," Guillemette noted. "If Canada becomes associated with mandatory access regimes or systemic surveillance vulnerabilities, companies will simply deploy elsewhere. The infrastructure of the future is mobile." That observation points to something the legislative debate has not fully absorbed: digital infrastructure - data centers, cloud regions, development hubs - can and does move in response to regulatory environments. The decisions that determine where those assets land are made years before the consequences become visible in employment figures or GDP data.

Guillemette also pushed back on the technocratic argument that backdoors can be engineered safely: "There is no such thing as a secure backdoor. Every exceptional access mechanism eventually becomes an attack surface. That is not ideology - it is basic security architecture." The historical record supports this. Multiple government-mandated access systems have been compromised over the years, including infrastructure built to lawful intercept standards that was later breached by hostile state actors.

VPN Providers Signal Departure, U.S. Lawmakers Take Notice

The VPN industry's response to Bill C-22 is particularly telling because these companies exist specifically to protect user data from third-party access. Windscribe, a Canadian-founded VPN provider with a substantial global user base, publicly raised the possibility of relocating its headquarters outside Canada to avoid being legally required to log identifying user data. NordVPN issued a similar warning, stating it would remove its operational presence from Canada before abandoning its no-logs policy.

A no-logs policy is not a marketing phrase. It is a technical and legal commitment that a provider retains no data about user activity, identity, or connections - meaning that even under a court order or government demand, there is nothing to hand over. Legislation that requires providers to maintain such records fundamentally destroys that architecture. For users who rely on VPNs for genuine security - journalists, dissidents, corporate security teams, remote workers handling sensitive data - this is not a theoretical concern.

The reach of the controversy has now extended to Washington. Reports indicate that the chairs of the U.S. House Judiciary Committee and the House Foreign Affairs Committee have begun examining Bill C-22, specifically in the context of cross-border digital security, data governance, and the implications for U.S. companies operating in Canada. American congressional interest in a Canadian domestic bill is unusual and reflects how deeply integrated the two countries' digital economies are - and how quickly one jurisdiction's surveillance policy can become another's trade and security problem.

Guillemette's broader warning - that pushing legislation which echoes authoritarian surveillance states will initiate a mass exodus of corporate headquarters and market presence - now carries institutional weight that Parliament can no longer treat as commentary from the technology sector's margins. When the companies building Canada's digital future are publicly debating whether to remain, the question the government needs to answer has changed. It is no longer whether the bill's intentions are legitimate. It is whether the cost of pursuing them has been honestly calculated.