How Windscribe's Bill C-22's Data Mandates Risk Making Canadian SMBs reshapes the landscape for Self-funded VPN, online privacy technology

Yegor Sak, the CEO and co-founder of Canada’s self-funded VPN service Windscribe, has highlighted significant vulnerabilities posed by Bill C-22. The proposed legislation aims to equip law enforcement with greater lawful access tools for investigating digital threats, but its current structure threatens fundamental online privacy for every Canadian user and business.

This mandates a profound operational shift: every targeted business must now invest in secure data infrastructure, comply with complex regulations, and manage the associated legal liabilities. For small and medium-sized businesses (SMBs), this required overhead—security teams, system engineers, and dedicated compliance officers—is often unattainable, creating significant technical debt and security risk.

Metadata itself is valuable; it acts as a map of a person’s digital life, revealing connections, timing, and location, even if the content remains encrypted. But by forcing businesses to collect or retain this data against their natural business model (data minimization), they fundamentally undermine both user privacy and their own security architecture.

Ultimately, Windscribe argues that while law enforcement needs better tools, the fix requires narrowing C-22's scope. Mandatory retention should apply only to highly specialized, technically mature entities genuinely necessary for investigations, and must be accompanied by rigorous judicial oversight and transparency mechanisms.