Canada is quietly building one of the more restrictive digital regulatory environments among Western democracies, even as it positions itself as an open-market economy. The country's proposed Bill C-22, introduced to Parliament in March, would compel internet providers, telecom companies, and social media platforms to store user data for up to a year - available to government agencies with judicial authorization. Combined with the Online News Act, the Streaming Act, and a steadily expanding set of digital trade barriers, Canada has climbed into the top half of the most restrictive countries on the Trade Barrier Index, a trajectory that alarms privacy advocates, foreign technology firms, and civil liberties organizations alike.
What Bill C-22 Actually Does - and Why It Matters
The bill, proposed by the governing Liberal Party, which secured a parliamentary majority last month, is a successor to last year's Bill C-2, the so-called "Strong Borders Act." That legislation was withdrawn after a coordinated backlash from hundreds of civil society organizations who objected to its provisions allowing law enforcement agencies to install eavesdropping mechanisms on digital infrastructure. C-22 is a revised but arguably more expansive version of the same impulse.
Part 2 of C-22 requires digital service providers to retain a broad category of user data - including location records, health information, browsing history, and communications - for up to twelve months. The language of the bill is wide enough to capture not just traditional internet service providers but also VPN services, which typically avoid storing such data as a core feature of their business model. Forcing these providers to log what they have long declined to log does not simply change a technical requirement; it removes the underlying privacy guarantee that makes such services meaningful in the first place.
The bill's proponents, including the Department of Public Safety, have insisted that C-22 does not constitute an attack on encryption. Privacy experts and affected technology companies dispute this framing vigorously. End-to-end encryption works precisely because data is scrambled at the sender's device and can only be unscrambled by the intended recipient - no intermediary, including the service provider, holds a readable copy. Mandatory data retention requirements are structurally incompatible with this model. When a provider must store your communications, it must first be able to read them. Policy experts from the Tholos Foundation, Chamber of Progress, and Consumer Choice Center raised these concerns publicly at the Canada Strong and Free Network panel in May, warning that C-22 amounts to a de facto undermining of encryption regardless of what the bill's language formally states.
A Pattern With Precedent - and Predictable Consequences
Canada is not writing this playbook from scratch. The United Kingdom's Investigatory Powers Act, implemented in 2024, established a similar framework compelling technology companies to create access pathways - commonly described as "back doors" - into otherwise encrypted services. The real-world consequences have extended well beyond national security applications. British authorities have used expanded digital surveillance powers in connection with policing online speech, including arrests of residents for statements that, while controversial, fell within recognized categories of free expression. The chilling effect on public discourse has been widely documented by digital rights organizations.
Apple's response to the UK law was instructive. The company was forced to discontinue its Advanced Data Protection feature - which provided end-to-end encryption for iCloud backups - for British users, rather than comply with an order to build in government access. The feature, once removed, cannot simply be restored for individual users who want it back. Privacy protections do not degrade gracefully; they tend to break entirely. India provides another data point: when data localization and access requirements took effect in 2022, several prominent VPN providers exited the Indian market rather than comply, leaving users with fewer secure options.
The security argument for mandatory data retention has also been empirically undermined by events in the United States. In 2024, the Chinese hacking group Salt Typhoon successfully infiltrated major American internet service providers - AT&T, Lumen Technologies, and Verizon - by exploiting the very access pathways those companies had constructed for authorized law enforcement use. The intrusion demonstrated a fundamental problem with the back-door model: a pathway built for one authorized party cannot be reliably sealed against unauthorized ones. Every dataset stored for government access is also a dataset that can be stolen, leaked, or coerced by actors the government never intended to accommodate.
The Broader Digital Trade Picture - and What Comes Next
C-22 does not exist in isolation. Canada's digital regulatory posture has grown measurably more restrictive over the past several years. The Online News Act, which compels major digital platforms to negotiate compensation agreements with Canadian news publishers, generated significant friction in U.S.-Canada trade relations and prompted Meta to block Canadian news content on its platforms rather than enter into payment agreements. The Streaming Act imposes Canadian content requirements on international streaming services. Although Canada withdrew its Digital Services Tax last year - a move that temporarily eased bilateral tensions - these other measures have continued to accumulate, pushing the country up the Trade Barrier Index.
Several major technology companies have already signaled their opposition to C-22. Meta and Proton have both warned publicly about the bill's consequences for user trust and data security. Signal, which operates on a model of collecting essentially no user data, and NordVPN have been cited among the services that could exit the Canadian market entirely if forced to comply with mandatory retention requirements. A government that drives privacy-focused technology services out of its domestic market does not thereby enhance its citizens' security; it leaves them with fewer tools to protect themselves.
Given that surveillance provisions of this scope poll as widely unpopular among Canadians, and given the documented security failures that mandatory back-door access has enabled elsewhere, the Liberal government faces a straightforward choice: withdraw C-22, or substantially rewrite it to protect rather than erode the encryption infrastructure that underpins both individual privacy and national cybersecurity. The bill as written does not protect Canadians. It exposes them.
