Earlier this year, on March 12th, Bill C-22 was introduced in Parliament by the Minister of Public Safety, Gary Anandasangaree. If passed, this will not only drastically increase mass government surveillance but also chase companies out of Canada that work in the technology privacy sector.
These ideas are not new to Parliament. Similar surveillance provisions were previously bundled into Bill C-2, or the Strong Borders Act, which encompassed not only government surveillance but also border security and immigration measures. Due to intense pushback from the private and technology sectors, the bill was ultimately split into two, with Bill C-22 covering surveillance and Bill C-12 focusing on immigration and border control.
So what does this bill actually mean for you?
The bill aims to grant the government sweeping authority over electronic service providers, compelling them to hand over private consumer metadata if under a warrant. But it goes further than that. Under the bill, companies must also store all consumer metadata for up to a year in anticipation of a potential handover. This means that your data is being held before anyone even asks for it.
WHAT IS METADATA
To understand why that’s alarming, it helps to know what metadata actually is. Think of it like a letter and an envelope. The message itself is the letter, but the metadata is everything on the envelope: who you sent it to, when you sent it, and where you were when you did. Critically, while the bill outlines a one-year retention period, it also allows the government to extend this through ministerial orders, meaning that the window could grow.
THE INDUSTRY REACTS:
This requirement has driven major tech companies to threaten to leave Canada entirely if the bill passes. NordVPN, one of the largest VPN providers in the world, posted on X that “we will consider all viable options, including limiting or, if necessary, removing our presence from Canadian jurisdiction.” Signal, the encrypted messaging app relied on by members of Parliament themselves, has made the same threat.
The risks from this bill don’t stop at government surveillance. Forcing companies to retain metadata they wouldn’t otherwise collect creates a goldmine for hackers, and the bill makes no account for what companies may do while this data sits in their servers. Bill C-22 represents a serious invasion of online privacy. Canadians should be asking not just what this bill does, but where it stops.
