Bill C-26

Madam Speaker, that was an excellent question. I wish I had written it myself, but apparently someone, or something, else already had.

Prior to question period, I was sitting with my colleague from Scarborough—Rouge Park. He wrote a speech for me, through ChatGPT, on my modern slavery bill. We just sat there, and after he had fed in a few words, an entire speech was spit out. Yet again, we have another challenge for us as legislators.

I sometimes think that we are so far behind that we do not even know how far behind we are. Cheney said that we do not even know what we do not know. Bill C-26 is an opportunity to bring ourselves into the game.

Mr. Speaker, in some respects, Bill C-26 is quite complicated, but it is also quite simple. It aspires to have the risks of cybersecurity systems identified, managed and addressed so we are at much less risk because of our cyber system.

In the last while, I have had the good fortune to be the chair of the public safety committee in the previous Parliament, and I am now the chair of the defence committee. As such, I have listened to literally hours of testimony from people who are quite well informed on this subject matter. My advice to colleagues here is this: It behooves us all to be quite humble and approach this subject with some humility because it is extremely complex.

The first area of complexity is with respect to the definitions.

For instance, cybersecurity is defined as “the protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information”. Cyber-threat is defined as “an activity intended to compromise the security of an information system”.

Cyber-defence, according to NATO, is defensive actions in the cyber domain. Cyberwarfare generally means damaging or disrupting another nation-state's computers. Cyber-attacks “exploit vulnerabilities in computer systems and networks of computer data”.

Therefore, with respect to the definitions, we can appreciate the complexity of inserting yet another bill and minister into this process.

Let me offer some suggested questions for the members who would be asked to sit on the committee to look at this bill if it passes out of the House. I do recommend that the bill pass out of the House and, if it does, that the committee charged with its review take the appropriate amount of time to inform itself on the complexities of this particular space.

The first question I would ask is this: Who is doing the coordination? There are a number of silos involved here. We have heard testimony after testimony about various entities operating in various silos.

For instance, the Department of Defence has its silo, which is to defend the military infrastructure. It also has some capability to launch cyber-attacks, but it is a silo.

Then there is the public safety silo, which is a very big silo, because it relies on the CSE, CSIS and the RCMP, and has the largest responsibility for the protection of civilian infrastructure.

While the CSE does not have the ability to launch cyber-attacks domestically, it has the ability to launch a cyber-attack in international cyberspace. It is a curious contradiction, and I would encourage members to ask potential witnesses to explain that contradiction, because the more this space expands, the more the distinctions between foreign attacks and domestic attacks become blurred.

The bill would charge the Minister of Innovation, Science and Industry with some responsibility with respect to cybersecurity.

I would ask my colleagues to ask questions about how these three entities, public safety, defence and now the Minister of Innovation, Science and Industry, are going to coordinate so that the silos are operating in a coordinated fashion and sharing information with each other so that Canada presents the best possible posture for the defence of our networks. Again, I offer that as a suggestion of a question to be asked. We cannot afford the luxury of one silo knowing something that the other silo does not know, and this is becoming a very significant issue.

CSIS, for instance, deals in information and intelligence. The RCMP deals in evidence. Most of the information that is coming through all of the cyber-infrastructure would never reach the level of evidence, whether the civil or criminal standard of evidence. This is largely information, largely intelligence, and sometimes it is extremely murky. Again, I am offering that as a question for members to ask of those who come before the committee as proponents of the bill.

The other area I would suggest is to question is how this particular bill would deal with the attributions of an attack. To add to all of the complications I have already put on the floor of the House, there is also a myriad of attackers. There are pure state attackers, hybrid state criminal attackers and flat-out criminals.

For the state attackers, one can basically name the big four: China, Russia, North Korea and Iran. However, there are themes and variations within that. Russia, for instance, frequently uses its rather extensive criminal network to act on behalf of the state. It basically funds itself by with proceeds of its criminal activities, and the Russians do not care. If one is going to cripple a hospital network or a pipeline or any infrastructure on can name, then they do not care whether it happens by pure criminal activity or hybrid activity or state activity. It is all an exercise in disruption and making things difficult for Canadians in particular. We see daily examples of this in Ukraine, where the Russians have used cyber-attacks to really make the lives of Ukrainians vulnerable and also miserable.

The next question I would ask, and if this is not enough, I have plenty more, is on the alphabet soup of various actors. We have NSICOP, CSE, CSIS and the RCMP. I do not know what the acronym for this bill will be, but I am sure that somebody will think of it. How does this particular initiative, which, as I say, is a worthy initiative to be supported here, fit into the overall architecture?

Finally, CAF and the defence department are now doing a review of our defence posture, our defence policy. Cyber is an ever-increasing part of our security environment and, again, I would be asking the question of how Bill C-26 and all of its various actors fit into that defence review.

Mr. Speaker, I am sure the hon. member across the way, having not had an opportunity to ask the Thursday question and not having been granted that opportunity, might be somewhat confused about the nature of the Thursday question or what it would be about, so of course we excuse him for that.

This afternoon, we are going to be concluding second reading debate of Bill C-26, concerning the critical cyber systems protection act. I would also like to thank all parties for their co-operation in helping to conclude that debate.

As all members are aware, and as I am sure you are aware of and quite excited for, Mr. Speaker, the House will be adjourned tomorrow for the address of the United States President, President Joe Biden.

On Monday, we will be dealing with the Senate amendments in relation to Bill C-11, the online streaming act.

Tuesday, we will continue the debate at second reading of Bill C-27, the digital charter implementation act, with the budget presentation taking place later that day, at 4 p.m.

Members will be pleased to know that days one and two of the budget debate, which I know members are anxiously awaiting, will be happening on Wednesday and Thursday, respectively.

On Friday, we will proceed to the second reading debate of Bill C-41, regarding humanitarian aid to vulnerable Afghans.

Mr. Speaker, as we know, technology is evolving at a frightening and unpredictable pace. It is exponential, according to all the experts.

I wonder if my colleague could comment on quantum computing, which is an extremely impressive technology that is evolving at an unbelievable pace.

I am wondering whether the contents of Bill C‑26 and the agility we write into legislation are sufficient to respond to any concerns we may have about evolving technologies, which often mean that governments become outdated.

I would like my colleague to comment on that.

Mr. Speaker, I am reading from the summary of Bill C-26, which would amend the Telecommunications Act to “authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure” our telecommunications security.

Although it is a laudable goal, those are very broad powers to give to a minister. Does my colleague feel it is necessary to give such broad and unfettered authority to one person?

Mr. Speaker, it is wonderful to have an opportunity to speak to Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts.

I think this is such an important topic, and it is something we need to be very aware of, especially in this increasingly digital era. We are seeing more and more attacks on cybersecurity happening here in Canada and around the world. I support the overall concept of the bill, and I want to see it go to committee so that we can have further study, as well as some amendments to alleviate some of the concerns that I, some of my colleagues and different stakeholders have brought forward. However, I have some questions I want to pose and put forward in the hope that the minister will have a plan to address some of them.

One big question I have is that the bill is pretty vague when it comes to the definition of “critical infrastructure”. Coming from northern Alberta, critical infrastructure can look very different from what it would look like in a larger centre in an area further south. One of the things I immediately thought of was whether a pipeline would count as critical infrastructure. Frankly, in northern Alberta, at the very minimum, pipelines not only export our oil but also bring up gasoline and natural gas, which are the ways we heat our homes. Most homes, at least in the Fort McMurray area, are heated with natural gas. In the wintertime, specifically and especially, if somehow a natural gas pipeline were to be the target of a cybersecurity threat, that could actually have devastating consequences and cause thousands of people to freeze.

I think this is the kind of question we have as to what exactly critical infrastructure is.

One of the other big pieces is that critical infrastructure seems to be defined in terms of what small and medium-sized businesses and not necessarily different government actors have. Different layers of government have different pieces of infrastructure that could also be attacked by cybersecurity threats. I think of provincial governments. Some of the big pieces for cybersecurity threats would probably be in hospitals, but it could go far beyond just a hospital, depending on the community. In the case of a specific emergency, like a fire, flood or some other natural disaster, the definition of critical infrastructure might be very different.

While I understand the idea of keeping it broad, a hacker or bad actor could specifically target an area in the case of an emergency or natural disaster because they know we are already in a weaker state. I think it is important to have some pieces in place so there can actually be plans to ensure that is not going to happen. That is something the legislation needs to define, and I would urge us to define it and specifically include pipelines as part of critical infrastructure. This is especially the case because we have gone into this space where so much is digitized.

There is digitization in just about every aspect of our world, so it becomes a question of actually having to define some of these pieces. We cannot just leave this all up to regulation. I think some baselines need to be set out in this piece of legislation in order to make sure we are actually talking about the same things. In this way, we can plan for future pieces of infrastructure we do not currently know are important and part of this plan.

While the legislation would give absolutely broad and sweeping powers to government, it does not seem to have any safeguards in place. I think the lack of safeguards is very concerning. I think back to the floods that were experienced in southern Alberta in 2012. Through the process of those floods, for a number of reasons that were not necessarily well defined, the RCMP decided to go into High River and seize guns. The RCMP made a decision not to seize guns in Calgary or other communities, but in High River, it decided to go in and seize guns.

This is a piece where we need to be very careful and make sure we have some safeguards in place. Then, in the case where there is government overreach in trying to prevent a security threat, there is recourse available that is defined in the legislation. It should not be left to regulation, where it could be changed at the whim of a minister. This is so important.

Another big, important piece that is scary to me is the fact that the government has all this work in place to make sure that small and medium-sized businesses, and other businesses, have security plans, which they must send to the government. However, what work is the government doing specifically to ensure that it is prevented from being part of a security threat? How many times has the federal government been hacked? In recent memory, it has been hacked a number of different times in different ways. This may be our email system or the House of Commons intranet. Some of these pieces are very much at risk. Is it a smart idea, from a security standpoint, to have everything housed in one place? What kinds of safeguards would we have such that information is not accessible should that aspect of the government be hacked? In turn, we want to make sure hackers do not find out all of our security plans so they can get around them or mess with things they identify as unprotected. That is one of the interesting pieces.

The bill also stipulates that businesses are to share with government but not that the government has to share with businesses. While I understand part of why the government would do that, I think having a two-way dialogue when it comes to this information is going to be important. We should be trying to work towards best practices whenever possible. An organization in one part of the country might be doing something that is innovative and substantially safer for all Canadians that prevents security threats compared with another part. Such information should be shared, not just held by government, so we can build on best practices in case there is an emergency at some point.

The other big question I have with respect to this bill is: What has the government done to work with municipalities, provinces and first nations governments to ensure that this is going to respond to their cybersecurity threats and cybersecurity needs? This is a piece where I do not want to let perfect be the enemy of good. Quite frankly, we are not going to know what the next big threat is; however, we need to make sure we are protected and must try to apply as many best practices as possible so that we do not open ourselves up to unintended risks.

This is about making sure we are taking care of all the little links in the chain. We can have a very robust system and an amazing plan in place, but if we have one weak link, it counts for nothing. That is why we need to send the bill to committee now. We need to have some very robust conversations with security experts from around this country and the world to make sure we do not have any weak links in the chain. All it will take is one weak link for this entire pyramid to collapse. It will crumble apart. This is something that, as Canadians, we all need to be prepared for and ready to address, as well as having meaningful and robust conversations around it.

With that, I am thankful for this opportunity.

Mr. Speaker, it is a pleasure to rise and join the debate this morning in the House of Commons. I will be sharing my time with the member for Fort McMurray—Cold Lake.

Bill C-26 is a bill that addresses an important and growing topic. Cybersecurity is very important, very timely. I am glad that, in calling this bill today, the government sees this as a priority. I struggle with trying to figure out the priorities of the government from time to time. There were other bills it had declared as absolute must-pass bills before Christmas that it is not calling. However, it is good to be talking about this instead of Bill C-21, Bill C-11 or some of the other bills that the Liberals have lots of problems with on their own benches.

Cybersecurity is something that affects all Canadians. It is, no doubt, an exceptionally important issue that the government needs to address. Cybersecurity, as the previous speaker said, is national security. It is critical to the safety and security of all of our infrastructure. It underpins every aspect of our lives. We have seen how infrastructure can be vulnerable to cyber-attacks. Throughout the world, we have seen how energy infrastructure is vulnerable, like cyber-attacks that affect the ability to operate pipelines. We have seen how cyber-attacks can jeopardize the functioning of an electrical grid.

At the local level, we have experienced how weather events that bring down power infrastructure can devastate a community and can actually endanger people's health and safety. One can only imagine what a nationwide or pervasive cyber-attack that managed to cripple a national electrical grid would do to people's ability to live their lives in safety and comfort.

Cyberwarfare is emerging as a critical component of every country's national defence system, both offensively and defensively. The battlefield success of any military force has always depended on communication. We know now just how dependent military forces are on the security of their cyber-communication. We see this unfolding in Ukraine, resulting from the horrific, criminal invasion of that country by Putin. We see the vital role that communication plays with respect to the ability of a country to defend itself from a foreign adversary, in terms of cybersecurity.

I might point out that there is a study on this going on at the national defence committee. We have heard expert testimony about how important cybersecurity is to the Canadian Armed Forces. We look forward to getting that report eventually put together and tabled, with recommendations to the government here in the House of Commons in Canada.

We know that critical sectors of the Canadian economy and our public services are highly vulnerable to cyber-attack. Organized crime and foreign governments do target information contained within health care systems and within our financial system. The potential for a ransom attack, large and small, is a threat to Canadians. Imagine a hostile regime or a criminal enterprise hacking a public health care system and holding an entire province or an entire country hostage with the threat to destroy or leak or hopelessly corrupt the health data of millions of citizens. Sadly, criminal organizations and hostile governments seek to do this and are busy creating the technology to enable them to do exactly this.

The Standing Committee on Access to Information, Privacy and Ethics conducted three different studies while I was chair of that committee that were tied to cybersecurity in various ways. We talked about and learned about the important ways in which cybersecurity and privacy protection intersect and sometimes conflict. We saw how this government contracted with the company Clearview AI, a company whose business is to scrape billions of images from the Internet, identify these images and sell the identified images back to governments and, in the case of Canada, to the RCMP.

We heard chilling testimony at that committee about the capabilities of sophisticated investigative tools, spyware, used by hostile regimes and by organized crime but also by our own government, which used sophisticated investigative tools to access Canadians' cellphones without their knowledge or consent. In Canada, this was limited. It was surprising to learn that this happened, but it happened under judicial warrant and in limited situations by the RCMP. However, the RCMP did not notify or consult the Privacy Commissioner, which is required under Treasury Board rules. This conflict between protecting Canadians by enforcing our laws and protecting Canadians' privacy is difficult for governments, and when government institutions like the RCMP disregard Treasury Board edicts or ignore the Privacy Commissioner or the Privacy Act, especially when they set aside or ignore a ruling from the Privacy Commissioner, it is quite concerning.

This bill is important. It is worthy of support, unlike the government's somewhat related bill, Bill C-27, the so-called digital charter. However, this bill, make no mistake, has significant new powers for the government. It amends the Telecommunications Act to give extraordinary powers to the minister over industry. It is part of a pattern we are seeing with this government, where it introduces bills that grant significant powers to the minister and to the bureaucrats who will ultimately create regulations.

Parliament is really not going to see this fleshed out unless there is significant work done at committee to improve transparency around this bill and to add more clarity around what this bill would actually do and how these powers will be granted. There have been many concerns raised in the business community about how this bill may chase investment, jobs and capital from Canada. The prospect of extraordinary fines, without this bill being fleshed out very well, creates enormous liability for companies, which may choose not to invest in Canada, not fully understanding the ramifications of this bill.

There is always the capture. We have seen this time and time again with the government. It seems to write up a bill for maybe three or four big companies or industries, only a small number of players in Canada, and yet the bill will capture other enterprises, small businesses that do not have armies of lobbyists to engage the government and get regulations that will give them loopholes, or lawyers to litigate a conflict that may arise as a result of it. I am always concerned about the small businesses and the way they may be captured, either deliberately or not, by a bill like this.

I will conclude by saying that I support the objective. I agree with the concern that the bill tries to address. I am very concerned about a number of areas that are ambiguous within the bill. I hope that it is studied vigorously at committee and that strong recommendations are brought back from committee and incorporated into whatever the bill might finally look like when it comes back for third reading.

Mr. Speaker, I rise today to speak to Bill C-26, an act about cybersecurity. In the 21st century, cybersecurity is national security, and it is our responsibility to protect Canadians from growing cyber-threats. We have to take the necessary steps to protect Canadians and our telecommunications infrastructure. Canadians must have confidence in the integrity, authenticity and security of the products and services they use every day.

This bill reflects the values of Canadians and is in line with our closest allies, including our Five Eyes partners. That is why we are investing in cybersecurity, ensuring respect for the privacy of Canadians and supporting responsible innovation. We will continue to protect Canadians from cyber-threats in an increasingly digital world. As said in our international cybersecurity overview, a free, open and secure cyberspace is critical to Canada’s economy, social activity, democracy and national security.

Canada faces cybersecurity risks from both state and non-state actors. Protecting Canada’s and Canadians’ cyber-infrastructure from malicious actors is a serious challenge and a never-ending task. Canada works with allies and partners to improve cybersecurity at home and to counter threats from abroad. This includes identifying cyber-threats or vulnerabilities and developing capabilities to respond to a range of cyber-incidents.

A few years back, we put forward the national cybersecurity strategy, a vision for security and prosperity in the digital age. As mentioned there, virtually everything Canadians do is touched by technology in some way. We are heavily interconnected and networked, a fact that not only enhances our quality of life but also creates vulnerabilities. From commercial supply chains to the critical infrastructure that underpins our economy and our society, the risks in the cyberworld have multiplied, accelerated and grown increasingly malicious.

Major corporations, industries and our international allies and partners are engaged in the global cyber-challenge, but many others are not and that represents a significant risk. The strategy's core goals were reflected in budget 2018, where $500 million was invested in cybersecurity. Part of the funding was for the new Canadian Centre for Cyber Security, which is Canada’s technical authority on cybersecurity. It is part of the Communications Security Establishment, and it is the single, unified source of expert advice, guidance, services and support on cybersecurity for Canadians and Canadian organizations.

It regularly publishes the “National Cyber Threat Assessment”, and I would like to quote from their latest one for 2023-24. It states:

Canadians use the Internet for financial transactions, to connect with friends and family, attend medical appointments and work. As Canadians spend more time and do more on the Internet, the opportunities grow for cyber threat activity to impact their daily lives. There’s been a rise in the amount of personal, business and financial data available online, making it a target for cyber threat actors. This trend towards connecting important systems to the Internet increases the threat of service disruption from cyber threat activity. Meanwhile, nation states and cybercriminals are continuing to develop their cyber capabilities. State-sponsored and financially motivated cyber threat activity is increasingly likely to affect Canadians.

In the latest assessment, they chose to focus on five cyber-threat narratives that they judge are the most dynamic and impactful.

First, ransomware is a persistent threat to Canadian organizations. Cybercrime continues to be the cyber-threat activity most likely to affect Canadians and Canadian organizations. Due to its impact on an organization’s ability to function, ransomware is almost certainly the most disruptive form of cybercrime facing Canadians. Cybercriminals deploying ransomware have evolved in a growing and sophisticated cybercrime ecosystem and will continue to adapt to maximize profits.

Second, critical infrastructure is increasingly at risk from cyber-threat activity. Cybercriminals exploit critical infrastructure because downtime can be harmful to industrial processes and the customers they serve. State-sponsored actors target critical infrastructure to collect information through espionage, to pre-position themselves in case of future hostilities and as a form of power projection and intimidation.

Third, state-sponsored cyber-threat activity is impacting Canadians. State-sponsored cyber-threat activity against Canada is a constant, ongoing threat that is often a subset of larger, global campaigns undertaken by these states. State actors can target diaspora populations and activists in Canada, Canadian organizations and their intellectual property for espionage, and even Canadian individuals and organizations for financial gain.

Fourth, cyber-threat actors are attempting to influence Canadians, degrading trust in online spaces. Cyber-threat actors' use of misinformation, disinformation and malinformation, collectively referred to as MDM, has evolved over the past two years. Machine learning-enabled technologies are making fake content easier to manufacture and harder to detect. Further, nation-states are increasingly willing and able to use MDM to advance their geopolitical interests.

Fifth, disruptive technologies bring new opportunities and new threats. Digital assets, such as cryptocurrencies and decentralized finance, are both targets and tools for cyber-threat actors to enable malicious cyber-threat activity. Machine learning has become commonplace in consumer services and data analysis, but cyber-threat actors can deceive and exploit this technology. Quantum computing has the potential to threaten our current systems of maintaining trust and confidentiality online. Encrypted information stolen by threat actors today can be held and decrypted when quantum computers become available.

Simply put, cyber-threats pose a growing risk to all Canadians and institutions. We are confronting this threat head-on. Our government regularly engages with domestic and international cybersecurity partners to protect Canada’s critical infrastructure and the systems that underpin essential services. We are working closely with critical infrastructure stakeholders and partners to ensure that they are better prepared to face cyber-based threats.

Our cybersecurity framework continues to detect, deter and disrupt state and non-state actors attempting to take advantage of the Canadian cyber-landscape. Our government is, and will always be, ready to respond to any malicious cyber-acts that threaten Canadian interests.

To conclude, the purpose of this act is to help protect critical cyber systems in order to support the continuity and security of vital services and vital systems by ensuring that, first, any cybersecurity risks with respect to critical cyber systems are identified and managed; second, critical cyber systems are protected from being compromised; third, any cybersecurity incidents affecting, or having the potential to affect, critical cyber systems are detected; and finally, the impacts of cybersecurity incidents affecting critical cyber systems are minimized.

Madam Speaker, it is a pleasure to rise to talk about the important issue of finances and the direction in which the government has been leading Canada in order to support Canadians in every region of the country.

Before I get into that, I want to quickly make reference once again to the Conservatives' bringing forward a concurrence motion in order to prevent government legislation from being debated. In fact, today, we were supposed to be debating Bill C-26, which is about cybersecurity, something important to Canadians. However, it is not the first time we have seen the Conservative Party show disrespect for important issues Canadians want us to deal with. In fact—

Thank you, Mr. Chair.

Thank you to the witnesses for being here. It's great to see Ms. Cianfarani here again.

I would follow up on what Ms. Mathyssen was just saying. You mentioned the difficulty in getting people the national security clearances and top secret clearances. When we have a shortage in the workforce, that becomes even more difficult. We're having discussions around Bill C-26 right now, and the Business Council of Canada is saying we're short 26,000 people in the cybersecurity industry as it is right now. There are that many unfilled positions.

Aside from trying to produce more people here through our education system, would it be appropriate to employ foreign nationals who are coming from Five Eyes nation partners and who have been approved through their processes?

Madam Speaker, that is why I was reflecting on Bill C-26. If we look at the debate that took place yesterday on cybersecurity, dealing with the digital world, at the end of the day, Conservative member after member was standing up saying that, yes, they were going to support the bill but that they had a lot of problems with the legislation, and that the principle of Bill C-26 is something that they support.

I kind of made a leap, and apparently the wrong leap, by seeing the Conservatives, in principle, support the privacy of Canadians and the legislation that will give an enhanced privacy legislation. I guess I should not have made that particular leap.

Inconsistency from the Conservative caucus is fairly well known. I will try my best not to make that sort of mistake going forward.

Madam Speaker, it is a pleasure to rise to speak to Bill C-27 today. As I put forward to my friend in the form of a question, when we think of Bill C-27, I like to think that the government is on the right track in continuing to protect the privacy of Canadians in many different ways. Yesterday we had a debate on Bill C-26 on cybersecurity.

If we take a holistic look at what the government has been able to accomplish through legislation and, ultimately, in certain areas in terms of developing the industry through budgetary measures, Canada is indeed in a very good position in comparison to our peer countries around the world. I do not say that lightly, because I know that all members are very concerned about the issue of privacy. That is in good part why we have the legislation today.

The last time these changes we are proposing happened was two decades ago. Let us reflect on that time of 20 years ago. We did not have iPhones, and Facebook did not exist. Going back a little further than that to when I was first elected, when one clicked into the Internet, the first thing one heard was a buzzing sound, the dial tone and then clicking. Then one was magically connected to the world. How far we have advanced in a relatively short period of time. Last week, I was on the Internet making a purchase that would be delivered. I never had to go to the store. It involved my doing a little bit of design work on the computer before making the purchase. I was told yesterday that it was delivered to my home.

The amount of information out there is absolutely incredible, and it is very hard to imagine the types of data and the risk factors out there. That is why it is so important that, as a government, we bring forward substantive legislation that is going to protect the privacy of Canadians, to ensure companies are held accountable and, in the context of yesterday's debate, to protect them from security threats that are very strong and very viable. It was interesting yesterday listening to the debate for a number of hours.

I get the sense that a wide spectrum of support is shaping up today. The NDP is supporting the legislation. My understanding is that the Conservatives are supporting the legislation. The Bloc, in principle, is supporting the legislation. The Province of Quebec has actually made some significant gains on this whole front, so I am not surprised that the Bloc or members from Quebec within the Liberal caucus are very strong about these issues, whether they are cybersecurity issues or the privacy issues of Bill C-27 that we are debating today.

I raise this because I believe that it does not matter what side of the House one happens to sit on, as this is legislation worth supporting. As I indicated, it has been 20 years since we have seen substantial changes to the legislation. The expectation is very high that we will not only introduce the legislation but that, with the cooperation of members opposite, we will see it pass through in a timely fashion.

Being an optimist, I would like to see the bill pass before the summer, and it is possible. I realize that it would require a great deal of co-operation from opposition parties, but I do believe it is doable, especially after the comments I heard this morning.

The legislation is not meant to address every matter that Canadians are having to face in the digital world. That is not what it is designed for. As I indicated, the legislation, whether this one or Bill C-26, goes a long way in establishing a solid base for a framework that would enable the government of the day, which is held accountable by the opposition, to have the opportunity to do a lot of work in an area where we need to see a higher sense of security and protection.

One member across the way asked about engagement. There has been a great deal of engagement. I can assure the member that, whether it is from a constituency perspective, a ministerial perspective or, I would even suggest, the member would have to take some credit in terms of an opposition perspective, there has been a great deal of dialogue. This is not a new issue. This issue has been in the making for years now.

There have been some factors that are beyond the government's control in terms of the manner in which it can bring forward legislation, for example the worldwide pandemic and the requirement for substantial legislation in order to support Canadians and have their backs. There were issues of that nature, along with numerous other pieces of legislation. I would not want to give a false impression that this is not an important issue for the Government of Canada.

At the end of the day, based on comments I have heard on both Bill C-26 and Bill C-27, I believe the legislation would establish a solid footing or framework, whatever terminology we might want to use, and, at the very least, we should see it go to committee. The principles of the legislation are in fact endorsed and supported by all sides of the House, from what I can tell, and please correct me if I am wrong. No doubt we will have other legislation that might be somewhat more controversial, where there is real opposition to the legislation, and this would enable more time for debate on that type of legislation.

If we could somehow recognize the value of this legislation, given that there is so much support for its principles, we would allow it to go to committee, where members of Parliament are afforded the opportunity to get into the nuts and bolts, the details, where there is representation from different stakeholders at committee to express their thoughts and opinions on the legislation, and where members can find out directly from the minister what kind of consultation has taken place. The member does not to have to take my word for it, but I can assure him that there has been a great deal of consultation. He would be able to hear that first-hand from departmental officials, the minister and so forth.

I believe the government has done its work in bringing the legislation to the point where it is today. We have seen ministers, in their opening remarks and in their response to questions, in co-operation with opposition members. The government has demonstrated very clearly in the past that it is open to amendments that can improve upon legislation for the benefit of Canadians, and if there are ways we can improve this legislation, we will accept those types of amendments. We will support those types of amendments. I believe this is one of the areas where the Prime Minister has been very good in sending that message. It could be because of years in opposition, when the opposition never had amendments accepted by former prime minister Stephen Harper.

At the end of the day, if there are ways to do it, we can improve upon this bill. I heard yesterday on Bill C-26, and already today on Bill C-27, that members have genuine concerns. I do not question those concerns, but I do believe that it would be helpful if they can look at those concerns. If they already have ideas that they believe will improve the legislation, nothing prevents members of the opposition or government members from being able to provide those amendments or thoughts in advance to the ministry, which would potentially allow for a deeper look into it to see if, in fact, something is doable.

The NDP talked, for example, about digital rights for Canadians. There is a great deal of concern that we need to ensure and recognize them, whether they are consumer rights or privacy rights. These are things we all hold very close to our hearts. We all want to make sure the interests of Canadians are being served.

When I took a look at the specifics of the legislation, I highlighted three parts I wanted to make reference to. CPPA would strengthen privacy enforcement and oversight in a manner that is similar to that of certain provinces and some of Canada's foreign trading partners. It is important that we do not just look internally. There are jurisdictions, whether nations or provincial entities, that have already done some fine work in this area. We do not have to reinvent the wheel, and working with or looking at other forms of legislation that are there is a very positive thing. In particular, the CPPA would do so by granting the Privacy Commissioner of Canada order-making powers that can compel organizations to stop certain improper activities or uses of personal information and order organizations to preserve information relevant to an OPC investigation.

This is significant. We need to think in terms of the technology that I make reference to. I can remember a number of years back when a pizza store was becoming computerized. As someone called in and made an order, they recorded the telephone number, the name and the address, personal information such as that. I remember talking to the franchise owner, whom I happen to know quite well, explaining how the collection of data, if used appropriately, can not only complement the business, but also complement the consumer, and this was maybe 20 years ago.

We can contrast that to an iPhone and looking at some of those applications we see. The one that comes to mind is a true Canadian application and a true Canadian franchise: Tim Hortons. My wife never followed hockey, but nowadays she does because of Tim Hortons. One can win free cups of coffee by picking who is going to score goals or get assists. I am not exactly sure how it works, but Tim Hortons comes up with a program that is actually collecting data from people. It is a program that allows it to send out all kinds of notifications. It could be sales of product. It could be something like NHL standings. It really engages the consumers. An incredible amount of data is actually being collected.

Tim Hortons is not alone. One can go to virtually all the major franchises and find the same thing. It is not just the private sector. Yesterday we were talking about cybersecurity, and one can easily understand and appreciate the sensitivity of collecting information, even if one is a Tim Hortons or a Home Depot, but also many government agencies. For example, there is the amount of personal information Manitoba Health has, which is all computerized. There are also doctors' offices. The digital world, in a very real and tangible way, has changed to such a degree that many, including myself, would argue that things like Internet access have become an absolute and essential service nowadays. It is something we all require.

The incredible growth of data banks, both in the private sector and in the government, and I would throw in the non-profits and the many other groups that collect data, has been substantive in the last 15 or 20 years. That is the reason why today we have the type of legislation we have before us. Bill C-27 would ensure that we have something in place to provide consequences for offences. To give members a sense of those consequences, the new law would enable administrative monetary penalties for serious contraventions of the law, subject to a maximum penalty of 3% or $10 million of an organization's global revenue, whichever is greater, and fines of up to 5% of revenues or $25 million, whichever is greater, for the most serious offences.

I said I wanted to highlight three things, so I will move on to the second point. The personal information and data protection tribunal act would establish a new tribunal, which would be responsible for determining whether to assign administrative monetary penalties that are recommended by the Privacy Commissioner following investigations, determining the amount of penalties and hearing appeals of the Privacy Commissioner's orders and decisions. The tribunal would provide for access to justice and contribute to further development of privacy expertise by providing expeditious reviews of the Privacy Commissioner's orders.

The third point is that the AIDA would impose a duty to act responsibly by requiring organizations designing, developing, deploying or operating high-impact artificial intelligence technologies to put in place measures to proactively mitigate risks of harm and bias in the development of these technologies.

I have less than a minute left to talk, and I have not even touched on the AI file. I made reference at the very beginning to the financial investments of this government in encouraging the growth of that industry in the different regions of our country. The Government of Canada is not only bringing in the type of securities that are absolutely important for Canadians from a privacy perspective, to encourage continual growth in the area and have these protections in place, but also doing so through budgetary measures to ensure that we continue to enhance the opportunities of Canadians. If we take a look at the digital world today, it is very hard to imagine where it is going to be tomorrow, at least for myself, in witnessing the growth of the digital world over the last 20 or 30 years and how far it has gone.

This legislation is a modernization. It is legislation we can all get behind and support. I would encourage members, no matter what party they are from, to support it. Let us see it go to committee, where the committee can do its fine work and see if we can even improve—