ExpressVPN has joined a growing coalition of privacy advocates and technology firms opposing Canada's proposed Bill C-22, arguing that its requirements for data retention and mandated technical access undermine essential encryption and no-log principles.
- Bill C-22 would mandate government access to encrypted communications and require metadata retention.
- ExpressVPN stresses that encryption and its no-logs architecture are essential and must not be compromised.
- Proposals risk creating backdoors that could be exploited by malicious actors.
What happened
Canada’s proposed Bill C-22, also referred to as the Lawful Access Act, aims to require digital service providers to build tools that enable government access to encrypted user communications and to retain metadata for up to one year. This legislation directly challenges the operational models of VPN providers that promise privacy through no-log policies and strong encryption.
In response, ExpressVPN has publicly opposed the bill, stating its core principles around encryption and no-logs architecture are non-negotiable. The company emphasized that it is carefully reviewing the bill’s provisions, especially clauses that demand built-in technical capabilities for government surveillance. Other industry leaders, including NordVPN, Proton VPN, Windscribe, and Signal, have voiced similar concerns or threatened to exit the Canadian market if the bill passes.
Why it matters
The implications of Bill C-22 extend beyond Canadian borders because many users worldwide depend on VPNs and encrypted messaging for their digital privacy. Forced implementation of surveillance backdoors not only undermines privacy but creates systemic vulnerabilities that can be exploited by cybercriminals and hostile actors, weakening overall cybersecurity.
Security experts strongly warn that no technical backdoor can be restricted to government use only. Any mandated access points inherently increase the attack surface of encrypted communications, compromising the integrity and trust users place in these services. The bill therefore threatens to erode the protections that millions rely on to safeguard their identities and activities online.
What to watch next
The situation remains fluid as ExpressVPN and other providers continue to monitor and respond to developments around Bill C-22. Given the strong backlash from major privacy companies and international attention, the Canadian government may face increasing pressure to reconsider or amend the legislation.
Meanwhile, privacy advocates and industry stakeholders are closely watching regulatory hearings and public consultations. The potential fallout includes significant changes in the Canadian market landscape for VPNs and encrypted services, along with broader discussions about balancing law enforcement access with fundamental digital rights.