Shopify CEO Warns Bill C-22 Could Trigger Canadian Tech Exodus

TL;DR: Shopify CEO Tobi Lütke calls Bill C-22 a huge mistake that could devastate Canada's tech sector. Cybersecurity expert Yanik Guillemette warns the bill’s mandated backdoors create unavoidable attack surfaces and threaten Canada’s standing in AI, cloud, and encryption markets.

Bill C-22, introduced in 2026, seeks to compel communications providers to provide law enforcement access to encrypted data under certain conditions. The legislation has drawn scrutiny from international tech firms and privacy advocates who argue it undermines encryption standards.

Montreal‑based entrepreneur Yanik Guillemette says the debate has shifted from privacy to economic competitiveness, noting that global tech leaders view any mandated access as a liability that could push infrastructure, capital, and talent elsewhere.

Tobi Lütke posted on X that Bill C-22 is “a huge mistake” filled with nonsense that could deal a death blow to Canadian tech viability. He expressed concern that the bill’s provisions deter investment in domestic technology firms.

Yanik Guillemette stated that Bill C-22 represents a major clash between government surveillance goals and Canada's digital economic reality, warning that countries perceived as hostile to encryption lose infrastructure, capital, talent, and strategic relevance.

Guillemette also emphasized that there is no such thing as a secure backdoor; any exceptional access mechanism becomes an attack surface, a matter of basic security architecture rather than ideology.

For Canadian security teams, the bill could force them to evaluate and possibly implement backdoor controls in products, increasing complexity and weakening overall security posture. Organizations may need to assess compliance costs and consider relocating data processing to jurisdictions with stronger encryption protections.

Mitigations: security leaders should conduct threat modeling of any mandated access points, apply strict network segmentation (MITRE ATT&CK T1098), monitor for anomalous access using behavior‑based detection (e.g., UEBA), and maintain immutable logs to detect tampering. They should also advocate for transparent oversight mechanisms and participate in industry consultations to shape final language.

What to watch next: parliamentary committee votes on Bill C-22 later this summer, and any amendments that address encryption backdoor concerns will signal whether Canada retains its appeal as a hub for AI, cloud, and cybersecurity investment.