Shopify CEO Warns Bill C-22 Could Harm Canada's Tech Sector Amid U.S. Review

Context Bill C-22 proposes new powers for law enforcement to access encrypted communications under certain conditions. Critics argue that creating exceptional access mechanisms weakens overall security and creates exploitable vulnerabilities.

The legislation has sparked concern among technology firms that rely on strong encryption for product integrity and customer trust. Security experts warn that mandated access mechanisms expand the attack surface, making systems more susceptible to exploitation by threat actors.

Key Facts Shopify CEO Tobi Lütke called Bill C-22 a huge mistake that could deal a death blow to Canada's tech sector.

Yanik Guillemette described the bill as a major clash between government surveillance goals and Canada's digital economic reality.

The chairs of the U.S. House Judiciary and Foreign Affairs committees are examining Bill C-22 for its effects on cross-border digital security, data governance, and international business operations.

What It Means If Bill C-22 passes in its current form, Canadian firms may face pressure to weaken encryption or store data in ways accessible to authorities. Security teams could need to reassess data residency strategies, evaluate alternative jurisdictions for cloud workloads, and update incident response plans to account for possible compelled disclosure. International partners might view Canada as a less trustworthy hub for AI infrastructure, financial technology, and hyperscale data centers, prompting investment shifts elsewhere.

Organizations should monitor legislative amendments, engage with industry groups advocating for strong encryption, and prepare contingency plans for data relocation or enhanced technical safeguards. To watch next: the outcome of the U.S. committee review and any subsequent Canadian parliamentary votes that could shape the final version of Bill C-22.