Signal Said It Will Leave Canada Before Complying With Bill C-22's 12 Month Metadata Retention Rule—And the US House GOP Just Sent Ottawa a Letter Warning the Bill Threatens American National Security Too

Key Takeaways

• Bill C-22, the Lawful Access Act, was introduced in March 2026 by Public Safety Minister Gary Anandasangaree as the successor to the failed Bill C-2 from 2025.
• Part 2 of the bill would force telecoms, internet providers, and messaging apps to retain subscriber and traffic metadata for 12 months and provide police and CSIS with the technical capacity to intercept communications under a warrant.
• Signal, Windscribe, and NordVPN have publicly stated they would leave the Canadian market rather than comply, with Apple and Meta filing formal objections to the encryption and lawful intercept provisions.
• On May 11, 2026, the chairs of the US House Judiciary and Foreign Affairs Committees wrote to Anandasangaree warning that the bill endangers American national security because cross border data flows under the bill would expose US citizens' information to Canadian retention and sharing rules.
• A Center for Democracy and Technology poll released in May 2026 found Canadians broadly oppose mass metadata retention and overwhelmingly support strong encryption.

What Is Bill C-22?

Bill C-22 is the Government of Canada's second attempt in two years to legislate broad lawful access powers. The first attempt, Bill C-2, collapsed in 2025 after intense civil society and industry opposition. The replacement was tabled in the House of Commons in March 2026 by Public Safety Minister Gary Anandasangaree as part of a border security and cybercrime package.

The bill has two main parts. Part 1 deals with border enforcement and cross border crime, and is the part the government uses to frame the legislation publicly. Part 2 contains the lawful access powers and is the part civil society organizations, technology companies, and now US lawmakers have organized to oppose. Part 2 would require telecommunication providers, ISPs, and social media and messaging companies to do three things: retain subscriber and traffic metadata for up to 12 months, build the technical capacity to allow lawful interception of communications when served with a warrant, and respond to expanded information sharing requests from foreign governments under cross border data agreements.

Metadata in this context is not the message content. It is the record of who communicated with whom, when, from where, on which device, for how long. Privacy researchers have published extensively on how telling that data is. A pattern of evening calls between two phones, alternating with location pings near a clinic, is a story even without any words exchanged.

Why Did Signal Threaten to Leave Canada?

Signal's position is that the technical capacity required by Part 2 is incompatible with end to end encryption. Signal does not store message content. It also deliberately does not store the metadata that Bill C-22 would require providers to retain. The architecture is designed to make it impossible for the company to hand over information it never collected, which is precisely the point.

Compelling Signal to retain 12 months of metadata about who messages whom, and to build a lawful intercept capability for the messages themselves, would require Signal to rebuild its protocol. That rebuild would weaken the privacy guarantee that drives users to Signal in the first place. Signal president Meredith Whittaker has said publicly the company would pull Signal from Canadian app stores rather than weaken the protocol globally to satisfy a single jurisdiction.

Windscribe, a Canadian based VPN provider, has said it would relocate its corporate headquarters out of Canada to avoid the retention rule. NordVPN has warned it would consider similar action. Apple has filed an objection through the public consultation focusing on the bill's effect on iMessage and FaceTime. Meta has raised concerns about WhatsApp.

Why Did the US House GOP Get Involved?

On May 11, 2026, the chairs of the US House Judiciary Committee and the House Foreign Affairs Committee jointly wrote to Public Safety Minister Anandasangaree. The letter said the bill, if enacted, would threaten US national security and the integrity of cross border data flows under the CLOUD Act bilateral framework.

The mechanism is straightforward. US citizens who communicate with Canadian residents, or whose traffic transits Canadian infrastructure, would have their metadata retained for a year by Canadian providers. Foreign sharing provisions in Part 2 expand the categories of information that can flow back to US law enforcement under existing bilateral arrangements, but they also expand the categories that could flow to other foreign partners with weaker oversight. The letter described that combination as creating an unacceptable risk that Americans' data would be exposed without the protections US law would normally provide.

The political optics are striking. The US Republican party, which has historically supported aggressive lawful access in domestic law, found itself filing a letter against a foreign country's lawful access bill because that bill would reach Americans. Civil society groups in Canada have used the letter to argue that even allied national security establishments view Bill C-22's design as overreach.

What Do Canadians Think?

The Center for Democracy and Technology published polling in May 2026 showing Canadian opinion is sharply against the surveillance powers in Part 2. A majority opposed allowing law enforcement to access encrypted communications. A larger majority opposed mandatory metadata retention. Support for strong default encryption ran well above 70%. The polling was reinforced by an open letter to the Prime Minister organized by the Centre for Free Expression and signed by privacy researchers, civil liberties groups, and technology firms.

The opposition Conservatives have ramped up parliamentary pressure on the government, attempting to split the bill so that Part 1's border enforcement provisions could pass without Part 2's lawful access powers. The government has so far refused to split the bill, arguing the two parts function as one coherent package.

Why Should Email Users Care?

Email is the canonical example of a service where metadata is far more revealing than content. The headers on every message you send and receive log sender, recipient, timestamps, server path, client device, and frequently location. A 12 month retention rule applied to Canadian email infrastructure would create a continuously updated graph of who communicates with whom across every Canadian Gmail, Outlook, ProtonMail, and Hey user.

The same principle applies to the third party trackers embedded in marketing email. Most commercial email today loads tracking pixels and link redirects that send your open time, IP address, device fingerprint, and click pattern to marketing platforms the moment you view a message. Those marketing platforms are themselves subject to retention and disclosure rules in whatever jurisdiction they operate in. Bill C-22 would extend Canadian retention obligations to a broader set of those platforms than the existing rules cover.

If you are a Canadian resident concerned about how much your inbox already records about you, the practical defense is the same regardless of what Bill C-22 ultimately requires. Stop loading the trackers that put your data into the system in the first place. Block remote images in your mail client by default. Use an extension that strips tracking pixels and rewrites tracker laden links before they reach the server. None of those measures reach the metadata your provider is forced to keep, but they shrink the amount of behavioral data that third parties get to log alongside the records the government may eventually demand.

What Happens Next?

The bill is in second reading in the House of Commons. Committee study is expected in June 2026, where the technology industry, civil society organizations, and likely the US Congressional staff that authored the May 11 letter will appear as witnesses. The earliest the bill could pass into law is late 2026.

For the providers threatening to leave, the trigger is not the bill's introduction but the moment compliance regulations are gazetted. That step is typically twelve to eighteen months after royal assent. Signal, Windscribe, and the others have a clear window to decide whether to make good on the threat or attempt to negotiate technical carveouts during committee study.

For privacy researchers, the bill is a live experiment in whether a Five Eyes country can pass mandatory metadata retention and lawful intercept against the public opposition of its largest tech partners and its closest ally. Compare this to the Texas surveillance machinery lawsuit against Netflix or the EU's high risk AI guidelines released three months late—the global pattern is the same regulatory machinery grinding through the same questions, with different answers in each jurisdiction.