Canada’s Bill C-22 Raises Privacy Concerns – VPN Providers Respond

Written by: Rachita Jain, VPN Staff Editor

If you use a VPN in Canada, or care about online privacy in general, Canada’s proposed Bill C-22 is something worth paying attention to.

The bill has raised concerns around encryption, lawful access, user privacy, and whether privacy-focused services could eventually be pushed to change how they operate in Canada. For everyday users, that leads to important questions:

Instead of guessing or relying on outside opinions, we decided to go directly to the companies involved. As part of an outreach initiative organically hosted and coordinated by Rachita Jain, we contacted major VPN providers including NordVPN, ExpressVPN, Surfshark, Windscribe, and others to ask them: “In light of Canada’s proposed Bill C-22, we’d like your views on the following:

This article brings those responses together in one place so readers can better understand how some of the world’s largest VPN companies are viewing Canada’s proposed privacy legislation, and what it could mean for the future of online privacy in Canada. Let's see what different providers have to say on it.


Yegor Sak, CEO and Co-Founder of Windscribe

Our stance on Bill C-22 is obviously strong opposition as it greatly affects our business and users. If the Canadian government wants to protect citizens from crime, reducing everyone's digital privacy rights collectively is a backwards way to go about it.

Yegor Sak
CEO and Co-Founder of Windscribe

People in Canada deserve a level of data protection and should be allowed to have access to privacy tools like VPNs and encrypted messengers without worrying that the government can still get their hands on private data.

The bill, if it passes in its current form, will have widespread implications for anyone who uses the internet in Canada. Parliament is trying to mandate retention policies and data collection for all electronic service providers in Canada. However, due to the bill's broad language, electronic service providers can include just about anyone who does any business online. Security companies who take great care of their data might not be affected too much, but a small online business not spending great resources on protecting data still has to follow the same mandates. This leaves the door open for more data breaches, hacks, identity theft and privacy violations. On top of that, having no way to keep your online activities private in Canada is a step towards government control over how you are allowed to use the internet.

If the bill passes in its current form and becomes law, we will be left with few choices. We could instate the data collection and retention systems that would be required for us to not break the law, but that nullifies the trust people have put into our privacy protections for the last decade, and would make our service virtually meaningless. The more likely alternative is that we would have to move our headquarters to a new jurisdiction not subject to these sorts of data retention laws. In this case, both sides lose - Windscribe has to spend years relocating our business and Canada loses a tax-paying tech company.


ExpressVPN Team

ExpressVPN is carefully reviewing Canada's Bill C-22, particularly Part 2’s provision on access to user data and the requirement for covered online service providers to build technical capabilities supporting government access to encrypted user communications.

Our position on the underlying principles is clear: ExpressVPN’s no-logs architecture and encryption are non-negotiable. They protect users from a wide range of threats, including bad actors who would exploit any technical capabilities built for one purpose to use them for another. Legislation that mandates data retention or technical access, however well-intentioned, undermines the security that millions of users rely on. 

We are monitoring the legislation closely as it unfolds and engaging with the broader conversation about how Canada balances law enforcement needs with the security and privacy of its citizens. We will be transparent with our users as the situation develops.


Gytis Malinauskas, Head of Legal at Surfshark

Uncompromised encryption and a strict no-logs policy are core to how Surfshark operates. Any requirement to weaken them or build technical interception capabilities goes against our principles.

Gytis Malinauskas
Head Of Legal at Surfshark

If Bill C-22 passes and imposes mandatory obligations that conflict with our principles, we will assess all options available to us, including leaving the Canadian market.

The wider concern is that the bill could make Canadians less safe and less private online. If providers are forced to build interception tools and stockpile user metadata, large amounts of sensitive data end up collected in one place. That's exactly the kind of target hackers, hostile states, and bad actors go after. Once a backdoor exists, it cannot be limited to lawful actors alone.


Laura Tyrylytė, Privacy Advocate at NordVPN

The problem with Bill C-22 is not what it does today, but what it permits tomorrow. It grants to the government overbroad, unsupervised and opaque Ministerial Order powers that could effectively compel any electronic service provider to build technical surveillance capabilities undermining end-to-end encryption, insert backdoors, or perform surveillance. This is not something that we can support.

Laura Tyrylytė
Privacy Advocate at NordVPN

The bill assumes that technical capabilities can be engineered to allow targeted government access without degrading security for everyone else. That assumption is false. Any access capability introduced creates a vulnerability that can be discovered and exploited by insiders, criminals, or hostile states. There is no selective weakness that only benevolent actors can use. Similarly, requiring providers to collect new data on all users to serve a negligible number of potential investigations is disproportionate and dangerous. We are already living through an era of escalating data breaches, fraud, and identity theft, and minimal data protects users from those risks.

In modern society where most of our communication and activity happens online, encryption and privacy protections are fundamental. Weakening those protections will jeopardize everyone's security and, importantly, will break trust in digital services in Canada. It can push users toward less regulated and, eventually, less safe alternatives. It can even leave users without some of their security protections altogether, as happened in the UK where Apple withdrew its Advanced Data Protection following a governmental technical capability order.

Public safety depends on secure technology. We should not be passing laws that give governments the power to undermine the very tools that provide it.

The current draft of Bill C-22, even if passed, would not in itself impose obligations on VPNs that would force us to compromise security protections of our users. Its implementation, including determinations on currently undefined scope and conditions, would necessarily require subsequent governmental action. Therefore it is unlikely that the passage of this bill alone would lead us to leave Canada.

However, we have a long-held conviction, one we uphold in every market, that if we were ever required to systemically compromise the security protections our users rely on, that would be a fundamental problem. Users' privacy and security are core to our business, and that position has never changed. Therefore, if the Bill is passed, we will closely monitor how these powers are used.


Subbu Sthanu, General Manager, Consumer Cybersecurity at IPVanish

We value our customers in Canada and would prefer to continue operating there under a framework that respects privacy rights and supports strong encryption. However, as a provider with a strict, independently verified no-logs policy, we won’t compromise our core protections or weaken our infrastructure standards to align with any single market.

Subbu Sthanu
General Manager, Consumer Cybersecurity at IPVanish

If legislation ultimately required logging user activity, undermining encryption, or fundamentally changing how our systems are designed, we would evaluate all options, including reconsidering operations in Canada. We have historically made difficult decisions to limit or remove infrastructure in regions where privacy requirements were incongruent with our security commitments, and we would take the same approach here.

For everyday internet users, this bill risks normalizing broader data collection. If companies are required to retain more metadata or make systems easier to access, that can create new privacy and security risks for all, not just individuals under investigation. Metadata can reveal unique or sensitive patterns about an individual’s personal life, while weakened encryption can make consumers more vulnerable to scammers, criminals, and threats.

The average consumer shouldn’t have to sacrifice their fundamental privacy for basic safety. We will continue to champion users’ rights to privacy and freedom, and will remain committed to providing a secure and private environment for online activity.

IPVanish is closely monitoring Bill C-22. While we support lawful investigations, we are concerned about any law that could weaken encryption, expand metadata retention, or require providers to build new surveillance capabilities into trusted consumer privacy tools. Privacy and security are not opposing ideals; both strong encryption and data minimization are critical to keeping people safe online.


Atif Farooqui, Head of Infra at PureVPN

PureVPN is committed to maintaining strong encryption and a no-logs architecture as core elements of our privacy by design approach. We will not weaken either. 

Atif Farooqui
Head of Infra at PureVPN

Based on the bill as it stands at committee stage, Bill C-22 includes provisions around technical capabilities and metadata retention for periods of up to one year. It also grants the Minister of Public Safety power to issue orders compelling service providers to build technical access capabilities. While the government states providers will not be required to introduce a "systemic vulnerability," that framing is actively contested by major technology companies and leading privacy advocates, who argue the technical capability provisions create the same outcome regardless of the label. The language as written does not resolve that tension, and we believe it needs to before the bill progresses further. 

For everyday users, the biggest concern is that broad technical-access or metadata-retention requirements normalise collecting more information than is necessary. Data minimisation is not just a privacy preference, it is a security principle. 

There is also a wider safety risk that is easy to overlook. Encryption protects ordinary people every day: when they bank online, work remotely, use public Wi-Fi, or access personal accounts. Legislation that creates uncertainty around encryption, or pushes companies toward access mechanisms that reduce security, can make users less safe. Weakening encryption does not create access exclusively for law enforcement; it can also increase exposure to cybercriminals, hostile actors, and unauthorized access if vulnerabilities are exploited.

PureVPN is committed to maintaining strong encryption and a no-logs architecture as core elements of our privacy by design approach. We will not weaken either. 

If any legal obligation directly conflicted with those commitments, we would pursue all available options. We also publish transparency reports on a quarterly basis documenting any material change that could affect our users' privacy, and also use all lawful mechanisms available to us to maintain that transparency.

We are monitoring the bill’s non-disclosure framework, which would restrict a provider’s ability to notify users about certain government requests or orders. We believe any lawful-access framework must include meaningful transparency mechanisms.

