Proton VPN’s refusal to bend on Bill C-22 is more than a privacy dispute. It’s a warning to startups that regulatory risk now reaches deep into product architecture.
Proton VPN has drawn a hard line in Canada, and the point isn’t subtle. If Ottawa’s proposed Lawful Access Act forces privacy companies to retain metadata or build access capabilities that undermine secure products, Proton says its no-logs model will not be the thing that gives way.
That matters because VPNs aren’t just consumer privacy tools anymore. They sit inside the working habits of founders, crypto teams, journalists, remote employees and security-conscious operators who move across borders while depending on encrypted infrastructure. When a government tries to pull that infrastructure into a surveillance framework, the business issue becomes immediate: can a company keep its promise to users and keep operating in the market at the same time?
Bill C-22 was introduced on March 12, 2026 as Canada’s Lawful Access Act and is now at the committee stage after second reading in the House of Commons. The government says the bill is meant to help police investigate crime and help CSIS investigate national security threats in a digital environment, with tools for subscriber information, service confirmation and technical readiness from electronic service providers.
Privacy companies are reading the same proposal differently. Their concern is that broad provider definitions, secrecy rules and ministerial orders could push VPNs, encrypted messaging apps and other security tools toward logging or access systems they were built to avoid.
Proton VPN’s general manager David Peterson argued that complying with foreign surveillance demands without Swiss legal process would conflict with Proton’s legal position under Swiss and European rules. That is the core of Proton’s bet. The company isn’t only defending a feature. It’s defending the jurisdictional structure that makes the feature credible.
A no-logs VPN is valuable because the provider designs itself not to know what the user is doing. That’s a business claim, but it’s also an engineering claim. If the system starts retaining identifying metadata for a year, the product becomes something else. It may still route traffic. It may still encrypt a connection. But the reason many people chose it in the first place has been weakened.
This is where the Canada fight becomes useful for entrepreneurs to watch. Some regulatory burdens can be handled with legal review, compliance staff and better reporting. Others reach into the architecture of the service. For a privacy startup, the difference is existential. Once the government requires a company to collect data it previously avoided, compliance is no longer a back-office function. It becomes product redesign.
Proton isn’t alone in pushing back. NordVPN, Windscribe, ExpressVPN and Signal have all raised concerns about the bill in different ways, with some providers warning they could leave Canada if the final law forces them to compromise encryption or no-log systems. Windscribe’s position carries particular weight because it’s headquartered in Toronto, which makes the question less theoretical. For Canadian privacy-tech companies, the exit option is harder, messier and more expensive.
The Canadian debate also fits into a broader policy cycle. Governments don’t usually describe these measures as backdoors. They talk about lawful access, child protection, organized crime, human trafficking, espionage and urgent investigations. Those are serious problems. No responsible company can shrug them off.
But privacy firms argue that secure systems don’t become selectively insecure. A capability built for lawful access can become a capability that attackers, hostile states or future governments try to use. That’s why the comparison with other markets matters:
- In the United States, lawful interception rules apply heavily to telecom carriers but haven’t been extended in the same way to over-the-top messaging apps or VPN services
- In Europe, courts have repeatedly pushed back against broad data-retention mandates
- In India, when rules required VPN providers to store customer information for five years, several major providers removed physical servers from the country rather than rebuild their products around logging
For Proton, resistance may create legal friction in Canada, but it also strengthens the brand everywhere else. Privacy infrastructure runs on trust, and trust is built when a company absorbs costs to keep a promise. That isn’t sentimental. It’s a competitive advantage when users are choosing between tools that otherwise look similar on price, speed and server count.
The risk is that hard lines can narrow a market. If Bill C-22 passes in a form that regulators interpret aggressively, companies like Proton may face orders they can’t satisfy, penalties they will contest, or a need to limit Canadian operations. That would be a bad outcome for users, but it would also be a signal to founders building security products: pick your jurisdiction carefully, because your legal base can become part of your product.
The next thing to watch is whether Parliament narrows the bill’s reach or gives privacy providers clearer protection from logging and exceptional-access demands. If it doesn’t, Canada may discover that modern surveillance powers can push the most security-focused companies to compete from somewhere else.