Bill C-26

Madam Speaker, this is a very relevant question. Is it the right time for a bill like this? I would like to give a very brief answer: Yes, it is absolutely the right time for this. Is it the right bill yet? No, it is a good starting point. That is how we can look at this bill. I am happy to vote in favour of this bill, to get it to committee. I am hopeful, from the comments I have heard from members of the Bloc and the NDP, that they are eager to give this bill a robust study and make the necessary amendments that will address the cybersecurity requirements in our country to keep critical infrastructure and our citizens safe, but also to respect the privacy of Canadians. Those are equally important elements. I am looking forward to the study on this bill.

Uqaqtittiji, I would like to thank the member for his very informative intervention, where he very clearly stated his concerns with the broad powers the government seems to want to grant itself.

Can the member talk about what concerns regular Canadians might have, regular Canadians who have not done anything wrong, and how they may be impacted by the extreme ministerial powers that might emerge from this bill if it is not changed?

Madam Speaker, I am just going to read an excerpt from the bill, because it really encapsulates the answer to the member's question. It states the bill would authorize the Governor in Council, which is cabinet, “to designate any service or system as a vital service or vital system”. It would also authorize the Governor in Council “to establish classes of operators in respect of a vital service or vital system”. It also “provides for the exchange of information between relevant parties”.

We cannot currently do that. Our security and law enforcement agencies cannot transfer information without a judicial warrant. Why would we allow the government and cabinet to do that?

Madam Speaker, it is an honour, as it always is, to rise in the House of Commons of the Canadian people and speak to Bill C-26, an act respecting cybersecurity, which seeks to amend the Telecommunications Act and make subsequent amendments to others acts.

I want to say from the outset that cybersecurity is a critically important issue. For those of us who have been watching the news, we have even seen bookstores like Indigo impacted by ransomware, and we know that no Canadian, business or government agency is immune to cybersecurity threats. As Conservatives, we obviously support taking robust action on cybersecurity and we look forward to the bill going to committee, where we can hear from stakeholders who have expressed uncertainty about what the impact of the bill is going to be. Certainly, I hope we can work across lines to make a better piece of legislation and address the very real challenges we are facing in this cybersecurity age, in this cyber age that we are facing.

I am going to go into a bit of background on the bill, because my constituents might not have heard of this legislation. For their benefit, I am going to give a bit of summary of what I understand the changes to be.

The threat of malware in our telecommunications sector and critical infrastructure does pose a serious threat to Canada. It is important that we respond to these threats proactively, in light of the inevitable future attacks that will happen in our cyberspace. As I said, Conservatives will support legislation to defend our telecommunications sector and our other critical infrastructure from threats, the likes of which, as I stated earlier, have been levied against Canadian individuals, corporations and government agencies repeatedly.

In order to evaluate this legislation, I would like to take some time to consider how the proposed bill might impact our economy, our national security and our commitment to protecting the civil rights of Canadians. Although legislation relating to cybersecurity threats is now long overdue, we should remain vigilant to protect the rights of Canadians and our domestic corporate actors, who could be seriously impacted by the unintended consequences of this legislation. Notably, I am somewhat concerned by the sweeping discretionary powers that are granted to the minister and the Governor in Council in this legislation. I would also like to talk about some of the objectives of the bill and then describe how this current proposed legislation could fail in achieving its intended purpose.

The bill is presented in two parts. The first would amend the Telecommunications Act to promote the security of the Canadian telecommunications sector, and the second part of the act would enact the critical cyber systems protection act. The amendments to the Telecommunications Act are intended to protect against ongoing threats of malware, which poses a threat to the Canadian telecommunications system, and the critical cyber systems protection act aims to strengthen the cybersecurity systems that are so vital to our national security and public safety, and it would allow the government to respond to these cyber-threats.

The aim of this legislation would implicate operators in a broad variety of fields, including the finance, telecommunications, energy and transportation sectors, just to name a few, all critical parts of our infrastructure. With these aims in mind, it is important to consider how expansive the government powers being talked about here are, new powers to the government, how these new powers will affect all these sectors that affect our day-to-day lives, and whether these new measures are proportionate and necessary to be implemented.

To begin, the powers afforded to the minister present economic and financial risk for critical systems operators and telecommunication system providers. The first consideration is the minister's ability to direct telecommunication service providers to comply with an order to prohibit a provider from using or providing certain products or services to a specific individual or entity. Those are pretty broad powers. The bill would implicate the operations of private telecommunications organizations, and therefore the legislation requires safeguards to protect the economic viability of these companies. The bill would also allow the minister to compel telecommunications companies to obey government directives or face the consequences of significant monetary penalties.

In giving the minister such expansive powers, the government may have failed to consider the potential economic impact of these unchecked provisions on service provisions. Telecommunications revenues contribute over $50 billion to Canada's GDP, yet the government has not provided clear and adequate safeguards in this legislation to limit the extent to which or the frequency with which it might use these service provisions and how they might be restricted under the instance of even a minor cyber-threat.

Large, medium and small regional market players would be impacted by this legislation if appropriate safeguards are not adopted in the amendment stage. Large telecommunications service providers make up about 90% of the market share, and any directive to suspend a service by these large market players could impact a significant amount of the Canadian population. Although we hope that such orders will seldom be issued, the vagueness of the language in the bill does not guarantee this.

Meanwhile, we see small and medium-sized players who disproportionately service under-serviced areas in Canada; I am thinking of rural and remote communities. These small and medium-sized players often have trouble dealing with the regulatory complexity and the financial investments needed to meet regulatory thresholds, and we could see these small and medium-sized players just fold up or get bought out at a fraction of what their value would have been. We would really see this as a consequence for rural and remote communities, which are struggling, even today, to get access to basic services like high-speed Internet.

For these reasons, the overbroad provisions in the bill do not lend themselves to a standard of proportionality.

A stakeholder group, Citizen Lab, released a research report on Bill C-26 from the Munk School, authored by Dr. Christopher Parsons. The report outlines, in its recommendations, that the legislation should be amended to allow telecommunications service providers to obtain forbearance and/or compensation for orders that would have “a deleterious effect on a telecommunications provider’s economic viability”.

The Business Council of Canada is likewise concerned about the CCSPA requiring that all critical systems operators undertake the same precautionary actions to protect themselves from cyber-threats. The Business Council of Canada notes that the legislation would require a singular standard of all service providers “irrespective of their cyber security maturity”. We know that there are highly funded firms with a lot of resources that have highly superior cybersecurity systems, and then we have our more infant, junior tech companies that are trying to grow so that they can attract capital. These regulatory requirements of holding them to the same standard could have a negative effect on growing the tech ecosystem here in Canada.

Moreover, the Business Council of Canada notes that the legal threshold for issuing the directives is too low. The low threshold to issue these orders to an operator would allow the possibility of lost revenue for operators because of an absence of due diligence on the part of the government, a government that has had its own cybersecurity problems. I have serious reservations that a government that is unable to run its own IT systems will have a better capability of telling private companies how to run their IT systems.

The council further notes that the monetary penalties are unduly high and are not proportionate, given the benefits of compliance in the event of a perceived or actual cyber-threat. These companies in Canada want to live by the rules. They want to work with the Canadian government. Their reputations are at stake, yet the government is treating them like they are bad actors by putting these fines in place, when maybe we should be looking at working and engaging more with our telecom sector to have a more friendly relationship on this issue.

Another group, Norton Rose Fulbright, noted that there is still considerable uncertainty as to how detailed the cybersecurity plans must be and how it would alter industries' existing policies and agreements. Clearly, there is a lot of uncertainty about this, but it is too important to let it go aside, so I am looking forward to this coming to committee, where we can have some of these stakeholder witnesses come and talk about things so that we can clear up the uncertainty and we can have targeted cybersecurity measures that actually result in benefits to Canadians.

Other technical experts, academics and civil liberties groups have serious concerns about the size, scope and lack of oversight around the powers that the government would gain under this bill. Civil liberties groups are particularly concerned about the government's ability to direct telecommunications providers to do anything needed by secret order. While the legislation lists what might be included by the minister or Governor in Council, the ambiguity of the wording leaves open the possibility of compelling a telecommunications company to do more than is officially stated. This is particularly noteworthy because of the significant monetary penalties that can be levied against these companies, to the tune of up to $10 million a day.

Liberals, in many cases, have perhaps neglected to consider the privacy of Canadians through this legislation.

Bill C-26 would allow the government to bar any person or company from receiving specific services, which raises concerns about the discretion the government has in making these decisions. Again, it is very unclear. This is too important. We should bring the bill to committee and vote on it, but there are lot of things we need to get right in the legislation. We look forward to looking at that.

Mr. Speaker, my colleague had a very insightful speech and talked a bit about how there are some concerns related to the oversight that would be associated with the wide and sweeping powers the government may be granting itself in the bill. I am wondering if he could expand a bit more on why it is important that, through the processes of debate in this place and through committee work, we ensure that we have the appropriate balances in place to ensure we get that oversight side of things right.

Mr. Speaker, Parliament exists to defend the rights and liberties of the Canadian people. Oftentimes, I find this legislation is highly technical. The technical legislation is often where we see the biggest changes that would impact people's lives. When the government proposes to give sweeping powers to the minister to have control over sectors that impact every facet of Canadian lives, we need to do our due diligence as parliamentarians. We need to bring forward the stakeholders, the witnesses and the civil liberties advocates to ensure that the rights and liberties of Canadians are protected.

Madam Speaker, it took eight long years for the Liberal government to recognize that cybersecurity threats exist in this country and around the world. Congratulations to them for coming to the party a little late.

The Liberals have now presented a bill to try to address issues of cybersecurity in the country. As I said, it took them eight years to get there, but I have to say I am pleased that the Liberals have decided to finally do something. I look forward to this bill being passed so that it can be extensively studied at committee.

There are some things in this bill that are good. I know praising the Liberal government is strange territory for me, but I will say that the bill would give the government some tools to respond quickly to cyber-threats. There is currently no explicit legislative authority in the Telecommunications Act to ensure that telecom providers are suitably prepared for cyber-attacks. This is a good reason why this bill should probably move forward to committee to be studied.

The challenge I have, though, includes a whole number of things. My issue with the government is trust. While I do want this legislation to go to committee, I have extraordinary concerns about this bill. Many of these concerns have been raised by many groups across the country, and I do want to speak to some of those in the probably somewhat whimsical hope that the government will listen and take some of these amendments seriously.

There has been a very bad track record of the government responding to concerns from the opposition or from outside organizations with respect to legislation. There is a view that the Liberals are going to do what they want to do on pieces of legislation and that they really do not care what other people have to say. I am very concerned that the government is not going to listen to the very serious concerns that have been raised about this bill.

I have my own concerns when I look at how the government has behaved with respect to other pieces of legislation. We have to look at Bill C-11. There has been a multitude of organizations that have said the bill needs further amendment. Margaret Atwood has said that she has grave concerns about the legislation, that she supports the intent but has grave concerns about the implementation and how it is going to affect artists and content creators. We have had folks who compete in the YouTube sphere who have raised all kinds of concerns about Bill C-11, and the government's response has been that it does not care what they have to say, and that it is going forward with the legislation as it is.

The Senate has made a number of amendments to Bill C-11. I suspect the government's attitude is going to be the same, which is that it does not care what the amendments are and that it is going to proceed with the bill as it sees fit.

We also have only to look to Bill C-21 as well. We had the minister clearly not aware of what constituted a hunting rifle and a hunting gun. The Liberals introduced amendments at committee, and it took extraordinary push-back from Canadians from coast to coast to coast to get them to wake up and withdraw those amendments that they had put in at the last minute.

What it speaks to is that, despite having at its disposal the entire apparatus of the Canadian government, the Liberals are still unable to get legislation right. It takes an enormous amount of effort and hue and cry across the country saying that this has to stop and that this has to be changed. If there is not a massive uprising, the government tends not to listen to the legitimate concerns of other constituents or other groups when it introduces legislation.

With that context, it is why I have real concerns that the government is not going to listen to some of the serious concerns that have been raised with respect to Bill C-26. I am going to go through some of those.

The Canadian Civil Liberties Association has some very serious concerns. It has issued a joint letter that says that the bill is deeply problematic and needs fixing, because it risks undermining our privacy rights and the principles of accountable governance and judicial due process. This is a big bell that is going off, and I hope the government is listening. As I have said, I do not have a lot of faith, given other pieces of legislation where thoughtful amendments have been put forward and the government decided not to do anything with them.

I want to enumerate a few of the concerns from the Canadian Civil Liberties Association. On increased surveillance, it says that the bill would allow the federal government “to secretly order telecom providers” to “do anything or refrain from doing anything necessary...to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption”.

That is a pretty broad power. Where is the government putting the guardrails in that would limit the effects of this or protect the privacy rights of Canadians? That is something I think is incredibly concerning.

On the termination of essential services, Bill C-26 would allow the government to bar a person or a company from being able to receive specific services and bar any company from offering these services to others by secret government order.

Where are we going to have the checks and safety checks on this? Unfortunately, I am not in a position where I think I can trust the government to do the right thing on these things. We have seen it through vaccine mandates, in the legislation on Bill C-21 and in how the Liberals are trying to push through Bill C-11 without listening to reasoned amendments. If reasonable concerns are raised about Bill C-26, I just do not have faith the Liberals are going to take those concerns seriously and make the amendments that are necessary. I really hope they do.

On undermining privacy, the bill would provide for the collection of data from designated operators, which would potentially allow the government to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations. When someone takes the de-identified personal information of Canadians and does not say how they are going to deal with it or what protections they have in place to make sure it is not misused, what happens in the event that they take that information and somehow there is a government breach? Where does that information go? These are things I think we should be extraordinarily concerned about.

There was also an analysis provided with respect to this by Christopher Parsons, in a report subtitled “A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act”. Parsons raises concerns about vague language. The report notes that key terms in the bill, such as “interference”, “manipulation” and “disruption”, which trigger the government's ability to make orders binding on telecom service providers, are unidentified.

Where are the guardrails in the legislation to prevent government overreach and therefore protect Canadians? This is something that I think all Canadians should be watching and be very concerned about. They should be letting their voices be heard by the government on this.

The report talks about how the minister of industry's scope of power to make orders is also undefined. We would be giving a whole host of undefined powers to the minister and the government that would allow them to have all kinds of sensitive information. These are things that may be necessary, but I do not know. They are highly concerning to me. They should be highly concerning to Canadians, and I hope the government will hear from real experts at committee.

Let us not have a two-day committee study where we think Bill C-26 is perfect as it is and bring it back to the House of Commons, bring in time allocation or closure and pass it through. We have seen that story before, and we do not want to see it with the piece of legislation before us. My really big hope is that the government is going to take the time to really consider the seriousness and breadth of Bill C-26 and make sure we have the ways to protect Canadians.

I just want to add that the Business Council of Canada has released its own letter to the Minister of Public Safety, expressing its incredibly deep concerns with respect to the bill: there is a lack of a risk-based approach, information sharing is one-way and the legal threshold for issuing directions is too low.

There are three reports, right there, that are outlining significant concerns with Bill C-26, and I, for one, just do not believe the government is going to listen or get it right. It does not have the track record of doing so, but I am hoping it will, because cybersecurity is incredibly serious as we move toward a digital economy in so many ways. I really hope the government is going to listen to these things, take them seriously, do the hard work at committee and bring forward whatever amendments need to be brought forward, or, if the amendments are brought forward by the opposition, listen to and implement those amendments.

Madam Speaker, the NDP sees the growing threat of cybersecurity, and we also see that Canada is far behind. However, we have concerns about transparency, and I know that the NDP member for Cowichan—Malahat—Langford has been instrumental in strengthening and making bills that the Liberals have brought to the floor more appropriate, so I have more than enough confidence that the NDP will ensure Canadians get the transparency and protection they believe in.

My question for the member is whether he could speak to the point that the government legislation before us would allow for a complete exemption from the Statutory Instruments Act. That would mean such orders could not be reviewed by Parliament through the scrutiny of the regulations committee. I wonder if I could get some comments on that.

Madam Speaker, I would just add that to the list of things I am concerned about with this particular piece of legislation. I am glad and encouraged that the member has stated that New Democrats are going to try to strengthen this piece of legislation. I hope they do that. They talk about wanting transparency and I hope they are going to work really hard for transparency on this.

Conservatives would love to see transparency at a different committee, where we are trying to get someone to come and testify. Maybe the New Democrats can bring their love for transparency to that other committee and we can have PMO officials testify there.

Madam Speaker, one of the things I have heard in talking to universities and different groups is that one of the faults of this piece of legislation is that they have to share this information with the government when they have been attacked, but it is a one-way street. When they see an attack happen, they share it with the government, but there is no information given to other businesses to help them protect against attacks similar to that in nature.

Could the member talk about why it is important and what it means to companies when they are attacked and how it can hurt not only their bottom line? Indigo, for instance, would be a good example of what happens when there is a cybersecurity attack.

Madam Speaker, everyone here knows how serious cyber-attacks are. I often get a notification from Google that says it believes one of my passwords was exposed in a hack of some other organization and that I should take steps to make sure the password is not used in any other applications. We know that the threat of cyber-attacks exists and we know the damage caused.

What I go back to is that we know we need to do something, and I am glad that the government is doing it. It has taken it eight years, but it is finally here trying to deal with this issue. What it has to do is make sure that every voice on this is heard, whether it is industry saying it needs some information back, or whether it is others saying the threshold for some of these things is too low or asking what guardrails are put in place on some of the things.

The government has a lot of work to do and I hope it is willing to do it at committee.

Madam Speaker, I think everybody in the House agrees that we need to up our game in this country to protect Canadians and our society from cyber-attacks.

My specific question has to do with certain specific vulnerable groups. I am thinking of young people, particularly teenagers between the ages, say, of 13 and 19. Even more particularly I am thinking of young girls and women who may be subject to all sorts of cyber-bullying and other offences, as well as seniors who can be victims of cyber-fraud.

I am wondering if my hon. colleague has any thoughts as to how Bill C-26 might impact those particularly vulnerable groups and what suggestions he may have legislatively to help protect them.

Madam Speaker, that is a pretty tough question to answer in about two minutes.

As the father of a 16-year-old daughter, I am constantly worried about what is going on in the cybersphere for her, whether or not there is an instance of bullying going on. There have certainly been episodes of bullying in her real life. I know that at one point she was eating her lunch in the bathroom because she was being bullied by some folks. Online harassment and bullying are serious problems. I do not know enough about this particular piece of legislation to know if it would actually deal with that, but if not, I really hope that it would.

We have a lot of work do for seniors who are vulnerable to these things. This is something the government has to take on. Whether or not it is just waking up to it now as part of this bill, we need to educate seniors. I host events like this with seniors, where we let them know about the threats of cybersecurity and other things. The government needs to pick up the ball on that a little more as well.