Canada Bill C-22 and VPN Privacy

Quick Verdict

What Happened?

Canada introduced Bill C-22 in March 2026 as a standalone lawful access bill. The government says the aim is to help law enforcement and CSIS investigate digital crime and national security threats using existing lawful authorities. The Department of Justice says the proposed tools would require police to explain how requested information relates to a crime and how it would help an investigation.

The VPN angle became louder in May 2026 as privacy-focused companies publicly objected. ExpressVPN, Proton VPN, NordVPN, Windscribe and Signal have all raised concerns in different ways. Their common argument is that mandatory retention or technical access obligations could undermine services built around collecting as little user information as possible.

What Bill C-22 Proposes

Bill C-22 has several parts, but the most relevant part for VPN and encrypted service users is the framework for electronic service providers. The bill text says the purpose is to ensure electronic service providers can facilitate authorised access to information when that access is already conferred under Canadian law.

Legal analysis and the bill text point to two areas that privacy companies are watching closely. First, certain providers could be required to maintain operational or technical capabilities that allow authorised access requests to be carried out. Second, regulations could require “core providers” to retain categories of metadata for reasonable periods of time, up to one year.

Why VPN Providers Are Concerned

A no-logs VPN is built on a simple promise: the provider should not store enough information to reconstruct what a user did online. That does not mean a VPN can ignore every lawful request. It means that, if the architecture is genuinely no-logs, the company should have little or no historical usage data to produce.

This is where Bill C-22 has triggered concern. If future regulations require metadata to be retained, or if technical capability orders require systems to be changed, VPN providers may argue that the law is asking them to create records or access paths they intentionally do not maintain. Proton VPN has said it will not compromise its no-logs policy. ExpressVPN has described its no-logs architecture and encryption as non-negotiable. Windscribe has warned that it may relocate if the bill forces identifying logging obligations on its Canadian operations.

The Government Position

The Canadian government presents Bill C-22 as a modernised legal framework for digital investigations, not a general surveillance order. Public Safety Canada says the bill is intended to help CSIS and law enforcement detect, deter and respond to crime and threats. The Department of Justice Charter Statement says the bill would support activities under existing authorities and would not grant new authorities to lawfully access information and data.

The government has also pushed back on claims that the bill would require encryption to be weakened by default. Reuters reported Public Safety Canada’s position that the law would not require firms to make changes that introduce a “systemic vulnerability” into electronic protections such as encryption. Critics respond that the practical meaning of that safeguard will depend on the details of regulations, orders and enforcement.

What This Could Mean For VPN Users

For users in Canada, the most immediate impact is uncertainty. If the bill passes without changes that satisfy privacy providers, some VPN companies could challenge its application, alter operations, remove Canadian infrastructure, or leave the Canadian market. That does not mean all VPNs would disappear, but it could affect which providers are willing to operate under Canadian jurisdiction.

For users outside Canada, the story still matters. Major lawful access laws can influence international standards. If one democratic country successfully requires stronger access or retention obligations, other governments may point to that model. If the bill is amended to protect no-logs and encryption more clearly, that may also set a useful precedent.

• Casual VPN users: keep using a trusted VPN, but follow provider updates if you connect through Canadian servers.
• Privacy-focused users: check whether your provider has a clear no-logs policy, independent audits and a public legal response plan.
• High-risk users: avoid relying on one tool alone. Combine VPN use with secure browsers, careful account separation, strong device security and safe communications practices.

What To Watch Next

The next meaningful updates are likely to come from committee hearings, amendments and provider statements. The most important questions are not just whether Bill C-22 passes, but how “core provider”, “metadata”, “technical capability” and “systemic vulnerability” are finally interpreted.

1. Committee amendments: watch whether lawmakers narrow metadata retention or add stronger encryption safeguards.
2. Provider responses: check whether VPN companies keep Canadian servers, change legal structures or publish compliance statements.
3. Regulations after passage: many practical obligations may depend on later regulations, not only the headline bill text.
4. Court challenges: privacy groups or providers may test parts of the law if they believe it conflicts with constitutional or privacy protections.