Canada’s Bill C-22 Raises Privacy Concerns – VPN Providers Respond

Written by: Rachita Jain, VPN Staff Editor

If you use a VPN in Canada, or care about online privacy in general, Canada’s proposed Bill C-22 is something worth paying attention to.

The bill has raised concerns around encryption, lawful access, user privacy, and whether privacy-focused services could eventually be pushed to change how they operate in Canada. For everyday users, that leads to important questions:

Instead of guessing or relying on outside opinions, we decided to go directly to the companies involved. As part of an outreach initiative organically hosted and coordinated by Rachita Jain, we contacted major VPN providers including NordVPN, ExpressVPN, Surfshark, Windscribe, and others to ask them: “In light of Canada’s proposed Bill C-22, we’d like your views on the following:

This article brings those responses together in one place so readers can better understand how some of the world’s largest VPN companies are viewing Canada’s proposed privacy legislation, and what it could mean for the future of online privacy in Canada. Let's see what different providers have to say on it.


Yegor Sak, CEO and Co-Founder of Windscribe

Our stance on Bill C-22 is obviously strong opposition as it greatly affects our business and users. If the Canadian government wants to protect citizens from crime, reducing everyone's digital privacy rights collectively is a backwards way to go about it.

Yegor Sak
CEO and Co-Founder of Windscribe

People in Canada deserve a level of data protection and should be allowed to have access to privacy tools like VPNs and encrypted messengers without worrying that the government can still get their hands on private data.

The bill, if it passes in its current form, will have widespread implications for anyone who uses the internet in Canada. Parliament is trying to mandate retention policies and data collection for all electronic service providers in Canada. However, due to the bill's broad language, electronic service providers can include just about anyone who does any business online. Security companies who take great care of their data might not be affected too much, but a small online business not spending great resources on protecting data still has to follow the same mandates. This leaves the door open for more data breaches, hacks, identity theft and privacy violations. On top of that, having no way to keep your online activities private in Canada is a step towards government control over how you are allowed to use the internet.

If the bill passes in its current form and becomes law, we will be left with few choices. We could instate the data collection and retention systems that would be required for us to not break the law, but that nullifies the trust people have put into our privacy protections for the last decade, and would make our service virtually meaningless. The more likely alternative is that we would have to move our headquarters to a new jurisdiction not subject to these sorts of data retention laws. In this case, both sides lose - Windscribe has to spend years relocating our business and Canada loses a tax-paying tech company.


ExpressVPN Team

ExpressVPN is carefully reviewing Canada's Bill C-22, particularly Part 2’s provision on access to user data and the requirement for covered online service providers to build technical capabilities supporting government access to encrypted user communications.

Our position on the underlying principles is clear: ExpressVPN’s no-logs architecture and encryption are non-negotiable. They protect users from a wide range of threats, including bad actors who would exploit any technical capabilities built for one purpose to use them for another. Legislation that mandates data retention or technical access, however well-intentioned, undermines the security that millions of users rely on. 

We are monitoring the legislation closely as it unfolds and engaging with the broader conversation about how Canada balances law enforcement needs with the security and privacy of its citizens. We will be transparent with our users as the situation develops.


Gytis Malinauskas, Head of Legal at Surfshark

Uncompromised encryption and a strict no-logs policy are core to how Surfshark operates. Any requirement to weaken them or build technical interception capabilities goes against our principles.

Gytis Malinauskas
Head Of Legal at Surfshark

If Bill C-22 passes and imposes mandatory obligations that conflict with our principles, we will assess all options available to us, including leaving the Canadian market.

The wider concern is that the bill could make Canadians less safe and less private online. If providers are forced to build interception tools and stockpile user metadata, large amounts of sensitive data end up collected in one place. That's exactly the kind of target hackers, hostile states, and bad actors go after. Once a backdoor exists, it cannot be limited to lawful actors alone.


Laura Tyrylytė, Privacy Advocate at NordVPN

The problem with Bill C-22 is not what it does today, but what it permits tomorrow. It grants to the government overbroad, unsupervised and opaque Ministerial Order powers that could effectively compel any electronic service provider to build technical surveillance capabilities undermining end-to-end encryption, insert backdoors, or perform surveillance. This is not something that we can support.

Laura Tyrylytė
Privacy Advocate at NordVPN

The bill assumes that technical capabilities can be engineered to allow targeted government access without degrading security for everyone else. That assumption is false. Any access capability introduced creates a vulnerability that can be discovered and exploited by insiders, criminals, or hostile states. There is no selective weakness that only benevolent actors can use. Similarly, requiring providers to collect new data on all users to serve a negligible number of potential investigations is disproportionate and dangerous. We are already living through an era of escalating data breaches, fraud, and identity theft, and minimal data protects users from those risks.

In modern society where most of our communication and activity happens online, encryption and privacy protections are fundamental. Weakening those protections will jeopardize everyone's security and, importantly, will break trust in digital services in Canada. It can push users toward less regulated and, eventually, less safe alternatives. It can even leave users without some of their security protections altogether, as happened in the UK where Apple withdrew its Advanced Data Protection following a governmental technical capability order.

Public safety depends on secure technology. We should not be passing laws that give governments the power to undermine the very tools that provide it.

The current draft of Bill C-22, even if passed, would not in itself impose obligations on VPNs that would force us to compromise security protections of our users. Its implementation, including determinations on currently undefined scope and conditions, would necessarily require subsequent governmental action. Therefore it is unlikely that the passage of this bill alone would lead us to leave Canada.

However, we have a long-held conviction, one we uphold in every market, that if we were ever required to systemically compromise the security protections our users rely on, that would be a fundamental problem. Users' privacy and security are core to our business, and that position has never changed. Therefore, if the Bill is passed, we will closely monitor how these powers are used.

