Archived link

Over the past week, a growing number of tech companies have warned that they may be forced to leave Canada if Bill C-22, the lawful access bill, remains unchanged. The government’s response to warnings from Signal, Windscribe, NordVPN, Apple, and Meta is that the companies are misreading the bill. But the prospect of a tech exodus from Canada rests on clear-cut privacy and security risks that do not apply in the U.S. or Europe.

…

The Act’s definition of “electronic service provider” captures any service involving the creation, recording, storage, processing, transmission, or reception of information, provided either to persons in Canada or by an entity carrying on business activities in Canada.

The breadth intentionally covers far more than just telecom companies and internet providers, extending to platforms, messaging applications, VPN services, and device manufacturers. Every ESP is subject to a general assistance obligation under section 7 and to a secrecy obligation that bars disclosure of the existence of requests.

…

[Signal’s Vice President of Strategy and Global Affairs Udbhav] Tiwari put the point bluntly in his statement to the Globe: “End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it.”

What places the Canadian tech sector at risk of an exodus is that U.S. law imposes neither obligation. There is no federal mandatory data retention law in the United States, as the Electronic Frontier Foundation has documented across more than a decade of failed legislative proposals. The closest analog, the preservation provision in 18 U.S.C. § 2703(f) of the Stored Communications Act, allows the government to compel a provider to preserve existing records for up to 90 days while it obtains a court order, with a single 90-day extension available. It is a reactive, targeted mechanism tied to a specific account, not a forward-looking retention mandate covering every user of the service.

…

A U.S.-based VPN or messaging service can therefore lawfully maintain a no-log approach, which is precisely how the no-log policies are built. Given the choice, VPNs and other services will surely leave Canada rather than architect their systems to retain metadata on every single user for a year.

…

In Europe, the Court of Justice of the European Union struck down general data retention regimes in Digital Rights Ireland in 2014 and Tele2 Sverige in 2016, and has continued to constrain them in later rulings. Germany’s Federal Constitutional Court has imposed similar limits, and general retention obligations on email providers remain unlawful there. The jurisdictions that have moved in C-22’s direction are precisely the ones where major services have begun to exit or restrict features.

…

The United Kingdom’s Investigatory Powers Act sparked Apple’s withdrawal of its Advanced Data Protection feature from the U.K. market rather than comply with a Technical Capability Notice ordering it to create access to encrypted iCloud data, and Apple is now litigating that order before the Investigatory Powers Tribunal.

Switzerland’s recent attempt to extend its surveillance ordinance to VPN providers and encrypted messaging services prompted Proton to begin moving infrastructure out of the country to Germany before the Swiss Federal Council paused the amendment pending an impact study. Where jurisdictions impose obligations of the kind Bill C-22 contains, privacy-protective services have either left, scaled back, or restricted features.

…

The compliance obligations on Canadian electronic service providers under Bill C-22 do not apply to a U.S.-based competitor, are limited or unconstitutional in much of Europe, and have led to exits or feature withdrawals in jurisdictions that have imposed them.

The companies aren’t bluffing, and they aren’t misreading the bill. Rather, they are responding to an outlier approach that threatens the Canadian tech landscape with obligations that place the privacy and security of millions at risk.