A proposed Canadian surveillance law is now drawing fire from some of the most powerful actors in global technology, and the criticism has moved well beyond the usual circles of civil liberties advocates. Bill C-22, currently before Parliament, contains provisions that critics say would compel private companies to undermine encryption and facilitate government access to user data - a demand that leading firms and international legislators are calling both technically incoherent and economically reckless.

The coalition forming against the legislation is striking in its breadth. Meta, Apple, Signal, Shopify, and major VPN providers have each issued pointed warnings. U.S. congressional committees are now examining the bill's implications. The message arriving from all directions is consistent: Canada risks becoming a jurisdiction that sophisticated technology infrastructure will actively avoid.

What the Legislation Would Require - and Why That Alarms the Industry

At the core of the controversy is a fundamental dispute about what governments can realistically demand of encryption technology. Bill C-22, as currently written, would allow Canadian authorities to compel companies to provide access to encrypted communications. For technologists and security professionals, this crosses a line that cannot be negotiated around.

End-to-end encryption works precisely because no third party - including the company providing the service - holds the keys needed to read a message. Building a mechanism that would allow government access requires breaking that architecture. The result is not a controlled, narrow window for law enforcement. It is, by definition, a vulnerability. Any backdoor that Canadian authorities could access is, in principle, a backdoor that adversarial states, criminal organizations, and intelligence agencies worldwide could eventually exploit.

Apple's warning to Parliament was unusually direct for a company that typically reserves its strongest language for litigation. The firm stated that the legislation could force companies to break encryption by inserting backdoors - something Apple said it would not do. Signal's response was starker still: the platform's leadership indicated the service would exit the Canadian market rather than alter its encryption architecture. These are not negotiating positions. They reflect the technical reality that there is no version of compromised encryption that remains secure.

Prominent Canadian technology entrepreneur and investor Yanik Guillemette, who has become a significant voice in the domestic debate, put the security argument plainly: "There is no such thing as a secure backdoor. Every exceptional access mechanism eventually becomes an attack surface. That is not ideology, it is basic security architecture."

The Economic Stakes Canada May Be Underestimating

The security argument alone would be serious. The economic argument is potentially existential for Canada's ambitions in artificial intelligence and cloud infrastructure.

Hyperscale data centres, AI compute facilities, and the financial technology sector all depend on predictable, robust legal protections for data. Companies deciding where to deploy hundreds of millions of dollars in infrastructure weigh jurisdiction-level risk carefully. A country that maintains mandatory access regimes - or that is perceived as likely to create systemic surveillance vulnerabilities - introduces a category of risk that most enterprise and institutional clients will not accept.

Shopify CEO Tobi Lütke stated the economic concern without qualification on X: "C-22 is looking like a huge mistake. It worries me a great deal. There is so much nonsense in there that it may well end up dealing a death blow to Canadian tech viability." Shopify is among the most valuable technology companies Canada has produced, and its CEO's willingness to speak publicly in those terms reflects the depth of concern within the domestic industry.

The VPN sector offers a concrete early indicator of what infrastructure flight looks like. Windscribe, a Canadian company, has publicly raised the possibility of relocating its headquarters abroad to avoid being legally compelled to log identifying user data. NordVPN issued a parallel warning about removing its operational presence from Canada. These are not hypothetical threats - they represent decisions companies make quickly when regulatory environments shift against their core product commitments.

Yanik Guillemette framed the broader dynamic in terms that apply well beyond any single sector: "Modern economies run on trust. AI infrastructure, encrypted communications, financial technology, and cloud computing all depend on strong digital protections. If Canada becomes associated with mandatory access regimes or systemic surveillance vulnerabilities, companies will simply deploy elsewhere. The infrastructure of the future is mobile."

International Attention Raises the Diplomatic Dimension

Bills of this kind rarely attract scrutiny from foreign legislative bodies. The reported interest from the chairs of both the U.S. House Judiciary Committee and the House Foreign Affairs Committee signals that Bill C-22 has crossed into a different category of concern - one with implications for cross-border data governance, bilateral digital trade, and the shared cybersecurity infrastructure that Canada and the United States maintain jointly.

Canada and the United States are deeply integrated at the level of digital infrastructure. Financial systems, telecommunications networks, and cloud platforms operate across both jurisdictions. A legal regime in Canada that introduces mandatory backdoor requirements would create complications not just for companies operating in Canada, but for the integrity of systems that span the border. American lawmakers have strong institutional reasons to take that seriously.

Meta's submission to Parliament captured this dimension with unusual directness, warning that the bill could effectively conscript private companies into functioning as an arm of the government surveillance apparatus. That language carries weight precisely because it is accurate: a company legally required to build access mechanisms into its products for one government has, in practice, altered those products for every user globally.

A Policy Choice With Long-Term Consequences

Canada has spent years positioning itself as a serious contender in the global AI economy. Montreal, Toronto, and Vancouver have attracted research talent, institutional investment, and corporate infrastructure partly on the strength of Canada's reputation as a stable, rights-respecting jurisdiction. Bill C-22, if enacted in its current form, would directly undermine that positioning at a moment when competition for AI infrastructure investment is intensifying across North America, Europe, and Asia.

The tension at the center of this debate is not new. Governments have long sought capabilities that allow them to access communications in criminal and national security investigations. The encryption that makes modern digital commerce and communication secure also frustrates those investigations. Every major democracy has confronted this conflict. What has changed is the global mobility of digital infrastructure and the speed with which capital and companies can relocate when a jurisdiction's regulatory environment shifts against them.

Yanik Guillemette has argued that Canada is approaching what may be a decisive moment: "We are witnessing one of the largest collisions between government surveillance ambitions and digital economic reality in modern Canadian history." Whether Parliament treats that warning as alarmism or as an accurate diagnosis of what is at stake will shape Canada's place in the digital economy for years ahead.