It's online and easy to read, and is a modernizing of laws around online systems. It is a deeply imperfect bill -- personally I think it is basically DOA and will not receive assent -- but a lot of the reaction to it is classic partisan hysterics (you can already see a bunch of those people throughout this discussion).
https://www.parl.ca/DocumentViewer/en/45-1/bill/C-22/first-r...
The parts that are garnering a lot of negative feedback are:
1) requiring core providers (a list as yet undefined), and any others if specifically directed to, to maintain a rolling year of metadata that the government can request on a targeted individual with a warrant. This is obviously at odds with "no log" VPNs in particular. And let's be real: 99% of the industry already logs everything.
2) "the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;"
The #2 could potentially imply secondary decryption keys and the like, though the bill explicitly says the requirement cannot impose a systematic vulnerability, and the government has pointed to that and said they want no such thing.
So VPN providers are saying "we don't want to log", and encryption providers are saying "be much clearer in what you mean by systematic vulnerability. Define this explicitly".
> It's online and easy to read
That's not true. Most people are not legal experts with extensive expertise in technology, knowledge of how Canadian courts will interpret the legislation, and knowledge of how governments around the world are trying to attack encryption (ex: they do their best to hide and not to explicitly say it in the legislation).
> And let's be real: 99% of the industry already logs everything.
That's your opinion. That's not a real scientific claim, and yet you are using it to justify an unprecedented attack on privacy rights.
Suspicionless metadata retention has been illegal in the European Union since 2014, and it violates the Charter. There is no world in which it is acceptable.
An RCMP witness speaking about the bill during a recent committee meeting literally said the legislation will help them "solve the problem of encryption": https://www.michaelgeist.ca/2026/05/rcmp-confirms-bill-c-22-...
How would they force VPNs like Mullvad to turn over the log when there isn't any?
Are they just going to ban specific VPN providers then? This is absurd!
The Canadian government can't compel companies, who have no hardware in Canada, to comply with Canadian law. Proton Mail has already made a statement that they will not comply with any foreign anti-privacy laws.
At most, Canada could force Canadian ISPs to block connections to known 'offenders' like Proton or other non-compliant VPNs. Then it's a cat and mouse game of using different and new VPNs to access safe, non-compliant services.
You could also rent a VPS in Europe to act as your own private tunnel but there's no telling if or when that would be blocked.
Well that's the crux of it and why some VPN providers have pushed back. If the law passed, and if those VPNs got added as core providers, they would either need to log the metadata or stop operating in Canada, and several have said they would stop operating in Canada.
There are arguments for all sides, and I do think the narrative gets monopolized by the hysterical. On the one side I like torrenting without concern, but on the other it would be nice if services didn't provide cover for people to send death threats, bomb threats to schools because they fly a pride flag, VoIP swatting, and so on. Though ultimately limiting just VPNs directly operating in Canada just offshores the problem so the solution doesn't really achieve anything.