Shopify CEO Warns Bill C-22 Could Deal 'Death Blow' to Canadian Tech as U.S. Lawmakers Scrutinize Legislation
Shopify’s CEO and Canadian tech leaders warn Bill C-22’s access mandates could harm Canada’s digital economy as U.S. committees review the legislation.

TL;DR
– Shopify CEO Tobi Lütke and investor Yanik Guillemette say Bill C-22’s proposed access mandates could deal a death blow to Canada’s tech sector, while U.S. House committees review the legislation for cross‑border security and business impacts.
Canada’s Bill C-22 would compel communications providers to give law enforcement exceptional access to encrypted data, a measure critics label a mandatory backdoor. The bill sits at the intersection of public safety goals and the country’s ambitions to lead in AI, cloud infrastructure, and cybersecurity. As global scrutiny rises, Canadian tech leaders argue the law undermines the trust foundations that underpin modern digital services.
Yanik Guillemette described the legislation as a major clash between government surveillance aims and Canada’s digital economy, warning that nations seen as hostile to encryption lose infrastructure, capital, and talent. Shopify CEO Tobi Lütke called the bill a huge mistake that could deal a death blow to Canadian tech viability, echoing concerns that excessive access requirements deter investment. Meanwhile, the chairs of the U.S. House Judiciary and Foreign Affairs committees have begun examining Bill C-22 for its potential effects on cross‑border data flows, digital security, and international business operations.
For security teams, the bill’s passage would force a reassessment of vendor risk: any Canadian‑based service that must embed exceptional access could become a liability for multinational clients. Organizations may need to audit data‑flow maps, evaluate whether providers can guarantee end‑to‑end encryption, and consider shifting workloads to jurisdictions with stronger privacy guarantees. The legislation also raises the prospect of increased attack surfaces, as any mandated access mechanism could be exploited by threat actors using techniques such as credential abuse or supply‑chain compromise (MITRE ATT&CK T1078, T1195).
What defenders should do: monitor official parliamentary updates and U.S. committee reports for amendments; prioritize vendors that can attest that they are not subject to backdoor requirements; implement strict access controls and encryption key management aligned with NIST SP 800‑57; deploy detection rules for anomalous access to privileged accounts (e.g., unusual lateral movement); and engage in industry coalitions advocating for privacy‑preserving lawful access frameworks.
Watch for the next parliamentary vote on Bill C-22 and the forthcoming U.S. committee findings, which could shape whether Canada maintains its reputation as a trusted hub for AI and cloud workloads.