Bill C-26 (Historical)

Madam Speaker, I will be sharing my time with the member for Okanagan Lake West—South Kelowna.

Before I begin, I want to thank the people of Richmond Centre—Marpole for bestowing their trust in me and electing me as their member of Parliament. I am deeply honoured by their confidence, and I am committed to serving them faithfully, with their interests always my top priority. Every time I rise in the House, it is with their voices in mind.

We are debating Bill C-8, the government's latest attempt at a cybersecurity framework. To understand Bill C-8, we must remember where it comes from. This is essentially the reintroduction of Bill C-26, which the government first brought forward in 2022. Conservatives supported the principle of Bill C-26, the idea that Canada needs stronger protections for critical cyber systems. However, we also raised serious, legitimate concerns about how the bill was drafted.

We warned that Bill C-26 would concentrate too much unchecked power in the hands of the ministers. We warned that its secrecy provisions would undermine transparency and accountability. We warned that the cost of compliance would inevitably be passed down to ordinary Canadians through higher phone bills and banking fees. We warned that the legislation was focused on the wrong targets, federally regulated banks, pipelines and telecom companies, while leaving out the institutions Canadians actually see attacked most often: hospitals, municipalities and schools.

Those warnings were echoed not only by Conservatives but also by industry leaders, civil liberty groups and privacy experts. The Standing Committee on Public Safety and National Security heard those criticisms over many months. What happened? Bill C-26 stalled in committee and never passed. It died on the Order Paper because it could not overcome its flaws.

Now the government has come back with Bill C-8, and to be fair, there has been one improvement. The government removed the so-called secret evidence clause, the provision that would allow ministers to rely on confidential materials in court challenges without disclosure to affected parties. It was a step in the right direction, and Conservatives acknowledge that change.

However, let us be clear: Beyond that one tweak, almost everything else is the same. The sweeping ministerial powers are still there. The indefinite secrecy is still there. The lack of oversight is still there. The downloading of costs onto consumers is still there. Most importantly, the narrow scope of the bill, covering only federally regulated industries while excluding hospitals, municipalities and schools, is still there. Canadians deserve better than a reheated version of a flawed bill. A single fix does not change the reality that this legislation would fail in its core purpose, which is protecting Canadians where they are most vulnerable.

Let me bring this closer to home. Cyber-attacks are not theoretical, and they are not distant. They are happening right now, and they are hitting our communities hard. In British Columbia, the B.C. government itself was breached. State-sponsored actors infiltrated its email systems and accessed sensitive personal information. Vancouver Coastal Health, which cares for more than a million people, was hit with ransomware that disrupted hospital operations and delayed patient services. The City of Richmond, my own city, faced cyber-intrusions and compromised email systems, threatening the delivery of municipal services. Even the Richmond School District fell victim to a cyber-attack that exposed private and financial information of teachers, staff and families.

These are not hypotheticals. They are real attacks on real people. Not one of these institutions would be protected under Bill C-8.

That is the first fatal flaw. Bill C-8 offers Canadians a false promise of security. The government says it would protect vital systems, but the very systems Canadians interact with every day, their hospitals, their local governments, their children's schools, would be left outside the law's reach. A cybersecurity bill that does not secure hospitals, cities or schools is like locking the front door and leaving the back door wide open.

The second flaw is secrecy. Just like Bill C-26, Bill C-8 would grant sweeping powers to ministers and to cabinet. With the stroke of a pen, the government could order a company to block a service, rip out equipment or suspend operations, and those orders could be kept secret indefinitely. Companies could even be kept from telling Canadians that the government had interfered with their networks. Operational secrecy during an active attack may be justified, but secrecy without time limits or oversight is simply unacceptable. That is not transparency, that is not accountability, and it does not inspire public trust. Canadians deserve to know, after the fact, what actions were taken in their name.

The third flaw is cost. Bill C-8, like Bill C-26 before it, makes it explicit: There would be no compensation for companies forced to comply with government orders. If a telecom company was told to strip out hundreds or millions of dollars of equipment, Ottawa would not pay a cent. Those costs would land on Canadians, who would see higher phone bills, higher bank fees and slower upgrades to essential services. National security should be funded fairly, not through hidden taxes on consumers.

The fourth flaw is scope. The government may argue that by forcing telecom companies to strengthen their networks, hospitals and schools that rely on those networks are indirectly protected, but that argument does not hold up. The attacks we have seen in British Columbia did not come through telecom backbones; they came through local servers, outdated software and ransomware emails. Protecting the pipes does not protect the people.

The government may also claim that the bill would help stop foreign interference, but again, this is spin, not substance. Bill C-8 would deal with cyber-intrusions into networks. It would do nothing to address the broader reality of foreign interference, such as disinformation campaigns, covert political financing, intimidation of diaspora communities or manipulation of democratic institutions. Suggesting that Bill C-8 would stop foreign interference misleads Canadians and risks creating dangerous complacency.

What would Canadians really get with Bill C-8? They would get a law that still misses the real victims of cyber-attacks. They would get a law that still hides decisions from public view. They would get a law that still sticks consumers with the bill. They would get a law that still does almost nothing to address the broader threat of foreign interference.

That is not cyber-resilience. That is not leadership. That is smoke and mirrors. Conservatives believe in stronger cybersecurity, but we believe in getting it right. What Canada needs is legislation that actually works with provinces and municipalities to protect the services Canadians rely on most: hospitals, schools and local governments. We need legislation that provides oversight and accountability, not blank cheques for secrecy. We need legislation that shares the cost of national security fairly, instead of forcing families to pay through hidden charges. We need legislation that integrates—

Madam Speaker, yes, the bill, in the form of Bill C-26, has gone before Parliament. Some amendments were adopted, but having said that, I think more work needs to be done.

I raised a series of questions in my speech. I would like answers from the government. I would like to hear experts respond to those concerns, and then we can move forward with amendments to address, truly, a bill that would balance the need to enhance cybersecurity infrastructure for Canadians with protecting our rights.

Madam Speaker, I want to thank my colleague, the member for Bourassa, for splitting his time with me.

Cybersecurity is no longer a distant concern of experts in back rooms; it is a kitchen table issue. Canadians expect their lights to come on, their paycheque to be deposited, their medical records to be private and their phone to connect them to loved ones without interruption. They expect those things to be safe from hackers, hostile states, nefarious actors and, yes, overreach by their very own government. Cybersecurity is not an abstract concern; it is about whether families can trust their power grid to stay on, whether a rural clinic can keep its patient records safe and whether small businesses can keep their doors open without fear of being taken down by hackers.

Canadians deserve real protections against cyber-threats. They are a reality in today’s world, and we all recognize that. In that respect, I acknowledge that Bill C-8 reflects a pressing reality: Canada must strengthen the resilience of our critical infrastructure. However, in our rush to act, we must also ensure that we get the right balance. If we protect our systems but undermine our rights, if we secure our networks but destabilize our economy, then we will have built a fortress with the doors left open.

Bill C-8 as it stands raises several concerns. The Liberals tell us the bill is proof of their so-called innovation agenda, but when we look closely at the fine print, the reality is far more complicated. Bill C-8 is a near carbon copy of Bill C-26, a bill that died when Parliament was prorogued earlier this year, and while some minor improvements have been made, some fundamental flaws remain. This is where I would like to focus my remarks as I and my colleagues in the NDP consider the ramifications of the bill. Allow me to bring those questions forward with the hope of bringing some clarity and changes to the bill.

First is the scope of ministerial powers. Under the bill, the Minister of Industry could compel telecommunications providers to rip out equipment, ban entire suppliers or suspend agreements. Imagine that a company might have to pass the costs of that on to its customers or close its doors entirely.

While the minister explained that safeguards exist to prevent disproportionate orders from crippling providers and leaving rural Canadians disconnected, Bill C-8 would grant sweeping powers to cabinet and the Minister of Industry: powers to ban telecom companies from using certain equipment, to force its removal, to suspend services and to terminate contracts. These orders could be issued without prior judicial approval, without parliamentary review and without independent oversight. When we concentrate this much power in the hands of a single minister, we need checks and balances. Where are they in the bill?

Second are the risks to privacy and civil liberties. The bill would allow for mandatory information sharing between telecoms, regulators and federal agencies, and possibly onward to foreign governments. The standard for this disclosure is simply the minister’s own judgment of what is “necessary”. This is vague, subjective and wide open to abuse. Why are there no requirements in the bill for privacy impact assessments? Why are there no guarantees that collected data would not be repurposed for unrelated purposes?

Third is the absence of compensation or worker protection. If a company is ordered to rip out equipment or shut down services, there would be no compensation. For small Internet providers, that could mean bankruptcy. For their workers, it could mean layoffs. For rural and remote communities, it could mean disruptions in already fragile service. Where is the government’s plan to support the workers, providers and communities that would bear the costs of compliance?

Fourth are the penalties. Bill C-8 envisions fines of up to $15 million a day for corporations and up to $1 million a day for individual employees. Think about that: A frontline worker following orders from management could face personal ruin under the regime. Where are the safeguards to ensure fairness, due process and appeal rights?

Fifth is the one-size-fits-all approach. The bill would lump together banks, telecoms, nuclear facilities and energy co-operatives under a single compliance framework. All of them would face the same 90-day timeline to stand up cybersecurity programs, no matter their size or capacity. For large corporations, perhaps this is feasible, but for small operators or co-ops, it could be impossible. Should compliance obligations not be tailored to the realities of different sectors?

Sixth are international consequences. Canada’s adequacy status under the European Union’s GDPR is the foundation of much of our digital economy. It is what allows European data to flow into Canadian systems, supporting banks, airlines and cloud providers, but the European Commission reviews adequacy every four years. If it sees that Canada is granting unchecked surveillance powers, or if it sees data repurposed without necessity and proportionality, we risk losing that adequacy decision. We have already seen what happened to the United States under Schrems II. Does the government truly want to put Canada in the same position?

New Democrats agree that cybersecurity is essential, but cybersecurity must not come at the expense of democracy, accountability, privacy or fairness for workers and communities.

Here are the questions we are putting on the record for the Minister of Public Safety and the government to answer. Why has the government chosen to concentrate so much power in cabinet without requiring independent judicial and parliamentary review? Why would there be no independent oversight body to ensure that orders are proportionate and justified? Why would the bill not guarantee privacy impact assessments or limit onward disclosure of Canadians’ personal data to foreign governments? Why has the government not proposed compensation or transition supports for workers and small providers who would bear the financial burden? Why would penalties be so extreme that individual employees could be personally liable for millions of dollars, even when following management orders? Why would the same compliance framework be applied to banks, nuclear facilities and small ISPs alike? Has the government conducted and published a risk assessment of how Bill C-8 could affect Canada’s adequacy standing with the European Union?

The Liberals say the bill would modernize our telecom laws and defend Canada, but democracy must not be sacrificed in the process. Strong cybersecurity should also mean strong democracy. It should protect Canadians from foreign threats without opening the door to unchecked government overreach.

New Democrats will continue to push for changes, independent oversight, stronger privacy protections, fair treatment for workers and communities, proportional penalties and sector-specific flexibility. We can protect Canadians from cyber-threats without trampling on rights, without ignoring workers and without undermining our economy. Bill C-8 is an opportunity to strike the right balance, but right now it does not seem well equipped to do that.

Canadians want more answers, transparency and oversight from overreach, as we have seen the tendency of the new Prime Minister to move headlong toward centralization without considering the consequences for public policy and its effects on everyday Canadians.

Mr. Speaker, I have a question for my colleague, who did a good job explaining how Quebec is already doing a lot to ensure its security. Hydro-Québec is doing a lot in this area, because its infrastructure is massive and important to us. We want to protect it, because we care about it so much.

The federal government is proposing new standards and new ways of doing things that would create jurisdictional overlap and even force Quebec to do things differently, even though it already has the expertise and is capable of countering these threats. It is not really surprising to me that this is coming from the Liberals, given their penchant for centralizing everything in Ottawa.

Bill C-8 looks a lot like Bill C-26. Why were the reservations and concerns that the Bloc Québécois previously expressed not taken into account in Bill C‑8, given that the government already had the opportunity to hear these arguments? It also already had the opportunity to hear Quebec's concerns.

How did the Liberals respond to these concerns?

Madam Speaker, I cannot begin my speech without noting that next Tuesday, September 30, we will be observing National Truth and Reconciliation Day. We will therefore not be sitting on that day. I would like to stand with my colleagues from the Bloc Québécois who, like me, have the privilege of living near a reserve. I work with the Akwesasne reserve, so I would like to say hello to my friend Grand Chief Abram Benedict, for whom I have great respect. He is responsible for the Ontario portion of the Akwesasne reserve, which is divided into three sections, located in the United States, Quebec and Ontario. I also want to say hello to Grand Chief Lazore, who was elected just a year ago and for whom I also have great respect.

During a meeting, Grand Chief Abram Benedict shared his main complaints with me. Since I am the Bloc's public safety critic, we discussed Akwesasne's need for legislation to regulate all police forces on its territory. Policing is currently managed provincially, and the people of Akwesasne would like to have one police force covering their entire territory.

He also told me about travel issues. Sometimes, people have to cross the American border to access the Akwesasne reserve, which poses problems for people who live on the reserve.

We had some good discussions. I believe that honest and sincere discussion is imperative to walk the path of truth and reconciliation. That was a brief word of introduction to set the stage for a very special day coming this September 30.

This legislation is fairly technical. As mentioned by my colleague, the Conservative Party critic for public safety, I do not think that anyone here would claim to be an expert in cybersecurity, considering its complexities. However, we recognize the importance of implementing a legislative framework to protect sectors and systems of critical importance to Quebec, the provinces and Canada.

What is Bill C‑8 exactly? Allow me to read a few paragraphs from the bill to give members a quick idea.

The first part is quite simple. It amends the Telecommunications Act by adding a part on cybersecurity that empowers the government “to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.” Obviously, that is very important.

The bill also provides for a penalty scheme to promote compliance with orders and regulations made to secure the Canadian telecommunications system. This will allow the government to prohibit companies from using products and services from high-risk suppliers.

The second part of the bill would enact the critical cyber systems protection act to provide a framework for the protection of critical cyber-infrastructure or cyber-businesses in the federally regulated sector. Basically, the bill will authorize the government to designate any service or system as a vital service or system and to establish classes of operators for those services and systems. In the bill, the government says that this will serve as a model for provinces, territories and municipalities to secure critical infrastructure. The second part of the bill will apply more to operators in the telecommunications, energy, finance and transportation sectors, which are all critical sectors related to national security.

The legislation will make it possible to designate certain systems and services in the federally regulated sector as vital to national security or public safety.

The bill is very clear. It lists six vital services and vital systems in schedule 1. Let us look at them together. Obviously there are telecommunications services. Then we have interprovincial or international pipeline and power line systems, nuclear energy systems and federally regulated transportation systems, such as ports, trains, planes and airports. There are also banking systems, followed by clearing and settlement systems.

I would like to note, as all my colleagues have, that Bill C‑8 is practically a carbon copy of Bill C-26, with just a few exceptions.

I read the legislative summary when I was preparing this speech, and I would like to mention once again that the analysts at the Library of Parliament do extraordinary work. They help us better understand the bills, they provide us with the tools to improve bills and they raise concerns for us to clarify. I would like to thank them today because they are doing a truly extraordinary job of supporting us in our work every day, especially our legislative work.

I was saying that Bill C‑8 is almost a carbon copy of Bill C‑26. There are a few small changes. We know that Bill C‑26 died on the Order Paper. It had almost made it all the way through the legislative process in the House, but it died on the Order Paper in the Senate.

I want to point out that a lot of work was done in committee. The committee held eight meetings. My colleague at the time, Kristina Michaud, studied Bill C‑26 carefully with her assistant and the Bloc Québécois's research team and proposed some 26 amendments, most of which were considered, voted on and adopted. That just goes to show that the opposition's work, particularly in committee, also serves to improve government bills.

I am saying that because the Bloc Québécois is a party that is often praised for its diligence and professionalism. We are a party that works hard. We always look at bills from the same angle: Is the bill good for Quebec? Often, if a bill is good for Quebec, it is also good for the other provinces in Canada.

However, if it is not so good for Quebec, we are able to take advantage of the opportunity for debate to try to point out to our colleagues that there are some provisions that are not in Quebec's interest. That is really our mission here in the House of Commons, or part of it, at least. I would really like to thank Kristina Michaud, her assistant and the research team for doing such a great job throughout the study and for improving Bill C‑26 through amendments.

Of course, during this process, we submitted amendments that were not adopted. These amendments were rejected by the NDP, the Conservatives and the Liberals. The situation is different now, and we hope that we will be able to convince the government that the amendments we proposed to Bill C‑26 are relevant and should be incorporated into Bill C‑8.

That being said, I would like to reassure the government right away that the Bloc Québécois is in favour of the bill. It is true that Canada is lagging behind on the issue of cybersecurity for countering cyber-attacks and cyber-threats. However, the committee will still need to spend a few hours hearing from witnesses who have concerns, and it will also need to take into account the Bloc Québécois's amendments.

The amendments we proposed focused on government accountability. We wanted to include a reporting requirement and a requirement for greater transparency. I have to say that Bill C‑8 gives the minister a number of powers. We therefore felt it was important that the minister be required to table reports.

On the privacy issue, the amendments we proposed were adopted. However, I think that section of the bill warrants further analysis. It would be useful to hear from witnesses who specialize in the management of private information and in documentation. I think we will continue this work on privacy protection by consulting experienced witnesses in order to enrich our thinking.

Despite the work that was accomplished and the amendments we proposed, certain concerns remain, particularly regarding the businesses covered by the bill. Are the businesses willing to invest? Will they be able to quickly comply with the requirements set out in the bill? That is one of our concerns, because it seems that businesses will have a lot of work to do, and we are wondering whether better support would be needed.

It is clear to us that the government has been mindful of the lack of clarity surrounding the designation of classes of operators. In fact, research conducted by the Library of Parliament found that there is some ambiguity, a lack of legislative clarity, in the way operators are designated. We hope that the work done in committee will allow us to delve deeper into this issue and explore the possibility of clarifying the definition of “designated operator”.

We also have concerns about the unlimited power to make orders and collect information, particularly with respect to telecommunications service providers and designated operators of critical cyber systems. Legal experts have expressed reservations about the protection of personal and confidential information, including information covered by solicitor-client privilege. Protecting this type of information could be challenging, given the new search powers. More improvements are needed to ensure that Bill C-8 includes every measure necessary to protect privacy and personal information.

That brings me to the part that concerns us more, the part about Hydro-Québec. As we have said time and again in this House, the Bloc Québécois objects to federal government intrusion in Quebec's jurisdictions. As we know, Hydro-Québec owns all the transmission lines in our territory, and as far as we are concerned, this ownership is not up for discussion. It represents a pivotal gain dating back to the Quiet Revolution that enables us to produce green, affordable electricity for all Quebeckers. As we see it, the bill infringes on provincial jurisdiction over electricity.

Let me explain so that it is clearer, since we will have to discuss this in committee. The Canadian Energy Regulator Act states that provincial laws apply to parts of an international power line that are within a province. A province may therefore designate a regulatory agency to exercise its powers, rights, and privileges over those parts. For a line to fall under the jurisdiction of the federal government and the Canada Energy Regulator, the interprovincial line must be designated by order. In Quebec, no lines are under federal jurisdiction or subject to the Canadian Energy Regulator Act.

This poses a significant problem for us. This was already the case with Bill C-26 and it is still the case with Bill C-8. Bill C‑8 technically affects interprovincial lines. The Canadian Energy Regulator Act and Bill C‑8 are contradictory on the issue of jurisdiction. However, the Canadian Energy Regulator is designated as the regulator of vital systems in Bill C-8. In our opinion, this is a combination of inconsistency and interference.

Under the guise of cybersecurity, Bill C‑8 expands the jurisdiction of the Canadian Energy Regulator to cover the entirety of an international line, even the intraprovincial parts. In our view, the law should acknowledge the jurisdictions of the provincial regulatory agencies, like Hydro-Québec. We see Bill C‑8 as a blatant encroachment, and it certainly does not address the matter of overlapping jurisdictions or even duplication of responsibility.

At a time when the government is imposing budget cuts on Quebec and on Canada, we find it hard to understand why, through Bill C‑8, the federal government is imposing standards on Hydro-Québec and claiming supremacy, given that Hydro-Québec has its own cybersecurity protection systems.

The provinces even have the authority to impose penalties if reliability standards are violated. In our view, Bill C‑8 interferes in an area already covered by the critical infrastructure protection, or CIP, standards of the North American Electric Reliability Corporation. These standards apply to the critical infrastructure that the bill seeks to implement. As a result, an operator could be penalized twice for the same violation. Which would take precedence? These are some of the things we are wondering about. We think that the jurisdiction of Quebec and Hydro‑Québec should be respected.

The bill enabled the federal government to fine Hydro-Québec if Hydro-Québec did not comply with the federal standards. That is rather absurd because Quebec has been managing a hydroelectric system for a long time and Hydro-Québec, which experiences cyber-attacks nearly every day, has a rather robust system.

There could even be penalties of up to $15 million if the business is found to be non-compliant, which is considered to be a separate violation, when Hydro-Québec is already adhering to standards. That is my point.

Hydro-Québec already follows North American standards. Since we supply electricity to the United States, we must meet North American standards. It seems like Bill C‑8 ignores what is currently happening with Hydro-Québec's actual responsibilities and tries to encroach on its jurisdiction. I am not sure whether the Government of Quebec was consulted. I am not sure whether Hydro-Québec was consulted either.

Yes, the government needs to collaborate nationally with the provinces and territories on a bill, but it needs to reassure Hydro-Québec and Quebec that certain provisions of Bill C‑8 will be reviewed in order to respect the jurisdiction of Hydro-Québec and the provinces.

On that note, I invite my colleagues to ask me a few questions if they want to better understand our view, which is that Bill C‑8 is an important bill but needs to be amended to ensure that the federal government is not interfering in Quebec's affairs and jurisdictions.

Madam Speaker, my question is on Bill C-8, which we know is kind of a replacement, with some modifications, of Bill C-26. The member himself introduced a private member's bill just last week, talking about how it was reformative and about the many changes that would result as a direct response. That is programmed, so we know that after two hours of debate, it is going to committee.

This particular bill has already gone to committee, passed third reading, gone to the Senate and come back in a somewhat different form. I wonder whether the member would agree that there has been a lot of debate. He said he wants the bill ultimately to go to committee. Can he give us some sense of how long he believes the bill should stay in the House before it goes to committee?

Madam Speaker, it is always a pleasure to rise on behalf of the people from Kamloops—Thompson—Nicola, and it is an even greater pleasure to rise on behalf of the people from Kamloops—Thompson—Nicola as a critic for a bill. I have been fortunate to be a member sitting in this House, which is itself one of the greatest honours that a Canadian could ever have. Let us bear in mind that there are 38 million or 40 million Canadians, and only 343 of us get to sit in this chamber and to walk on this green carpet.

That in itself is an honour, but I am just so grateful to be a critic as well. It is a job I absolutely love, and I thank my leader and my party for that and for the support I receive, whether it be on this bill, Bill C-2, or on the private member's bill I just put forward on intimate partner violence last week. I am grateful for those around me and for this opportunity.

Before I begin, I want to recognize a life very well lived. It is my great sadness to say that a pillar of Kamloops—Thompson—Nicola, Chris Rose, recently passed away. Those in the community will know that Chris Rose was an exceptional humanitarian. In fact, the Chris Rose Therapy Centre for Autism is a centre on the north shore, about six blocks from where I grew up, that helps children with autism. It is a school that they can attend, with resources that it provides. Those who know me and my family well will know that autism is a cause that is close to my heart.

Chris passed away just this week, and I express my deepest condolences to Mr. Rose's family. I wish them all the best in this difficult time. May perpetual light shine upon Chris Rose.

At this point, I also want to highlight the life of Dana Evans. I was saddened to read this obituary. Ms. Evans was the mother of a friend of mine from high school, Derek Luce. I can recall staying over at Derek's house when we were about 15 or 16; Ms. Evans would make us pancakes in the morning and then send us on our way. I never forgot that hospitality. I know that her son Derek, whom I run into sometimes in the Kamloops area, has gone on to do wonderful things. He is certainly a reflection of her stewardship and the maternal influence that she had on his life. My deepest condolences go to her siblings, who are left to mourn her memory and their loss, and also to her sons, Derek and Louie.

I noticed that she went to Thorp high school, which is in a tiny community. I always used to make fun of Thorp and how small it was, because I had some friends who grew up in Thorp, and Derek's mom also went to high school there. I wish great condolences to the family, and may perpetual light shine upon her.

The minister, in his opening comments, talked about Orange Shirt Day and September 30, and that is something very important. For those who watch the news, Kamloops is a very important centre when it comes to the National Day for Truth and Reconciliation. In fact, I moved a unanimous consent motion a number of years ago that spoke about bringing the flag to half-staff on every September 30, so I appreciate the minister's highlighting that.

Last, before I really launch in, I would be remiss if I did not recognize that yesterday was my mom's birthday. I was not in the House at all yesterday, so I wish my mom a happy day-late belated birthday. Happy birthday, mom.

Let us get into the crux of this. My hon. colleague from the Bloc raised a critical point. I have actually got the Library of Parliament report right here. My Bloc colleague mentioned the exceptional work, and this is great work when we are dealing with a highly technical bill. I do not know how many people in this chamber out of the 343 of us can say, “I am an expert on cybersecurity.” We have a very technical bill. The work that was done and that was distilled into this report is incredibly helpful.

By way of background, Bill C-8 came before Parliament as a renewal of Bill C-26. It is virtually identical to Bill C-26, which made it to third reading but did not make it to royal assent. We are grateful to the Senate, because it found a glaring hole in the bill, which was ameliorated by the Senate's work. However, the bill died on the Order Paper. For history, Conservatives voted for the bill at second reading, and I anticipate we will do so again.

My position as critic is that, yes, the bill passed third reading, on division, here in the House, and then went to the Senate and passed there on third reading over the votes of the Conservative senators. However, at the end of the day, as my Bloc colleague pointed out, as the commentary in the Library of Parliament report stated and academic discourse has stated, we should not be content to just accept the bill, to take a bill that previously passed and not make it better.

The concerns remain alive. Obviously, the public safety minister has been quite embattled of late. However, as much as we can be told by the government that this is the be-all and end-all, that we should pass the bill quickly and that there are no concerns, we are part of His Majesty's loyal opposition; we should be scrutinizing the bill, especially a highly technical bill, with a fresh set of eyes. I have no problem saying that the bill, with the Conservative vote, will likely go to committee, but at committee we will be scrutinizing it closely, particularly as it relates to privacy concerns.

My colleague, the member for Sarnia—Lambton—Bkejwanong, just asked the hon. minister about privacy concerns and about the Privacy Commissioner. When I reviewed the proceedings, I found that the previous bill was at committee for about eight meetings, which is a fairly long time. This tells me that there was a fair amount of contention around many of the bill's provisions.

I really look forward to scrutinizing the bill. It addresses an area in which Canada lags behind. After 10 years of Liberal government, I can say that we lag behind our Five Eyes intelligence partners greatly. It feels as though there is an undertone when we hear from international media that Canada is no longer trusted, that Canadian intelligence is no longer well regarded. I remember Justin Trudeau saying, “Canada is back”. No, we are not, if we are not trusted by our allies or respected by our allies. The government had 10 years to bring this forward; we are now seeing it done, and we will scrutinize it.

As has been stated, the bill has two parts. The first part would amend the Telecommunications Act and aim to strengthen the resilience of Canada's critical infrastructure. There is no doubt that our critical infrastructure is vulnerable. Any expert, I am sure, would come to committee or to the House and tell us that. There is absolutely no doubt about it. The need for the bill is not disputed. I would never say, “Wow, why are we bringing the bill forward?” I would say that on a number of other bills, and the Online Streaming Act would be one of them, thinking, “Why is the government doing this other than to further an agenda that a number of Canadians disagree with?”

As I stated earlier, Bill C-8 is largely a reinvention of Bill C-26. The first part of the bill would amend the Telecommunications Act and bring about changes to ensure that we can counter cyber-threats, and the second part would enact the critical cyber systems protection act, imposing new cybersecurity measures on federally regulated entities operating in sectors that are considered vital to public and national safety.

I will not get into the response to a number of government reports, but when we look at the Telecommunications Act, one thing that was a really big issue, which I think the government took far too long on, was the issue of Huawei.

For context, I was elected in September 2021. When I first got here, there was this issue of Huawei. Unfortunately, the government dithered when we needed decisive action on whether to ban 5G. It took until May 2022, when the decision was finally made to ban Huawei and its 5G networks for national security reasons. Our Five Eyes allies, which are the United States, the U.K., Australia and Japan, had already acted on this. One has to wonder why we took so long. Australia, as well, acted on cybersecurity.

What does Bill C-8 really do? What are some of the issues?

The bill does not include some of the proposed amendments to the Canada Evidence Act. Bill C-8 makes the judicial review process more transparent by removing the government's ability to make confidential submissions to the court and refuse to disclose information.

For those people who are watching Bill C-2, it is a parallel piece of legislation. It is also a piece of legislation that has been sponsored and put forward by the public safety minister. I understand the notion of confidentiality. I worked as a lawyer for many years, and I know that confidentiality has to happen, but far too often what I see in the House is something that is a laudable cause, a cause that we should be embracing, going further.

Sometimes secret things have to remain secret. The problem is that, far too often in the House, what I see is the Liberal government going further. Yes, we have to keep some things secret, but it is just keeping everything secret. Yes, we have to do this in this regard, but we are going to go one step further. That puts the opposition in a really awful place; we might agree with the goal of the legislation, but we do not agree with the mechanism by which we get to the goal. That is when we have protracted debate and then sometimes go to committee for a committee meeting.

This results in vigorous debate, which is actually wonderful. We should have vigorous debate in this place, but at the end of the day, the government will often hear from stakeholders, as they did with Bill C-26 formerly, and then it is walked back. There were so many amendments. I believe all but one or two of the Conservative amendments that were put forward for Bill C-26 were adopted. I do not understand that.

I can see the same thing in Bill C-2 as I see here in Bill C-8, for example, with respect to the mail provisions in Bill C-2. The government can open a person's mail. Why is that? The whole purpose of Bill C-2 is to amend the Canada Post Corporation Act, as I believe it is called. This is because the government is worried about fentanyl being sent through the mail, which is a notable concern, a laudable concern. Anything under 500 grams cannot be opened, so let us make sure that letters under 500 grams can be opened so that 499 grams of fentanyl and fentanyl precursors cannot get through. That is the goal. Great. Now how do we go about achieving that goal? In Bill C-2, we go about achieving that goal by saying that if Canada Post, not a peace officer, has reasonable suspicion, then it can open a person's mail without a warrant.

Madam Speaker, certainly Bill C-8 has a number of improvements based on the debates we had in this place before Bill C-26 died on the Order Paper and, as my hon. friend from Sarnia—Lambton—Bkejwanong just mentioned, on work done in the Senate as well. However, these persist.

As the minister knows, under part 2, proposed section 35, there remain very serious privacy concerns that this would open a back door to surveillance on Canadians, as would Bill C-2, which is not being debated today. There is a pattern here of reducing the threshold for Canadians' private information to be not just obtained by our government but also shared with other governments and actors.

Is the minister open to amendments to repair these flaws?

Madam Speaker, the minister is correct. It is true that Bill C‑26 from the last Parliament and the current Bill C‑8 are almost identical. However, he is forgetting that the opposition parties proposed amendments in committee. Those amendments were rejected, but they will come up again because the Bloc Québécois feels that some of them are important.

The question I would like to ask the minister reflects the concerns shared by small and medium-sized businesses. There are no provisions to help them enhance their security measures to protect their systems.

Even though the standards are welcome and urgently needed, given the current difficult economic climate, are there not things that could be done to support SMEs in becoming cybersecure?

Madam Speaker, as this bill goes through the parliamentary process, whether here, at committee or in the other place, we will of course welcome the opportunity to discuss additional measures we need to take.

Bill C-8 was introduced in the form that was completed when Bill C-26 went through all the processes. This is just a continuation of that process. I believe that we have incorporated all the proposals from the previous version of this bill, but we look forward to having a robust discussion at committee.

Madam Speaker, when this bill came forward in the last Parliament as Bill C-26, it went to the Senate. Senator Denise Batters was the critic for the file, and the Privacy Commissioner said that there was an amendment needed to address privacy. The senator has reviewed Bill C-8 and said that the amendment was not incorporated.

Why did the minister not take the advice of the Privacy Commissioner?

Madam Speaker, the predecessor bill to Bill C-8 was Bill C-26. A lot of work went into ensuring that it is the best bill we can bring forward. A number of changes were made. As members will recall, Bill C-26 was almost completed in the previous session.

Having said that, we are always open to ensuring the bill is strengthened. The privacy rights of Canadians are essential to the government. We are governed by the Charter of Rights and Freedoms. We will ensure that we work closely and in collaboration with opposition parties to strengthen and pass this bill.

Madam Speaker, I thank my colleague.

Canada's critical infrastructure providers and enterprises are increasingly targeted. It is not just our government that is aware of these threats. The Canadian public is increasingly seeing these threats in headlines. They see that malicious cyber-actors are breaching our country's IT systems, accessing sensitive information and putting lives in danger. They see that cybercriminals are holding our businesses for ransom, and they see that hostile state actors are stealing information and gaining access to systems that are critical to our national security and public safety.

Unfortunately, these threats are spreading around the world.

The cyber centre's most recent national cyber-threat assessment found:

Canada is confronting an expanding and complex cyber threat landscape with a growing cast of malicious and unpredictable state and non-state cyber threat actors, from cybercriminals to hacktivists, that are targeting our critical infrastructure and endangering our national security.

It has also warned that Canada's oil and gas sector is a likely target for disruptions. At one point last year, the CSE said a cyber-actor “had the potential to cause physical damage” to a piece of critical infrastructure in Canada.

The threat is real.

In July 2025, Colabor Group, a Quebec-based food wholesaler, was affected by a cybersecurity incident that impacted its internal IT systems. Before this, Pembroke Regional Hospital, in Ontario, experienced service delays and had to cancel certain appointments and procedures because of a cybersecurity incident.

Earlier this year, a cyber-incident impacted WestJet, resulting in the theft of personal and travel-related data, though no credit or debit card information was compromised. As we will recall, last week, some airports in Europe were also disrupted because of cyber-threats.

In March 2024, the City of Hamilton in Ontario was hit with a ransomware attack that shut down many of its online services.

While Hamilton's critical services were not affected, cyber-incidents in municipal networks can lead to dangerous situations if an attack tampers with emergency water and waste-water systems. The high-value data held by these enterprises and governments, including sensitive personal information and financial data, makes them an attractive target for cybercriminals and state-sponsored actors or their proxies.

These incidents highlight the ongoing cybersecurity challenges faced by Canadian organizations across various sectors and jurisdictions. We need to act urgently to enhance our preparedness and improve the resilience of our critical infrastructure so that we can tackle these threats head-on before damage is done.

Bill C-8 is essential to achieving this.

Bill C-8 would help promote increased cybersecurity across four major sectors: finance, telecommunications, energy and transportation. Part 1 would amend the Telecommunications Act to enshrine security as a policy objective and bring the security framework regulating the sector in line with those of other critical infrastructure. The amendments to the Telecommunications Act would enable the Governor in Council and the Minister of Industry to direct telecommunications service providers to take specific actions to secure the Canadian telecommunications system.

This change would enable the government to act quickly in an industry where milliseconds make all the difference between security and risk.

When necessary, this means that Canadian telcos could be prohibited from using products or services from high-risk suppliers, which would prevent these risks from being passed on to users.

With these changes, the Governor in Council and the Minister of Industry would have the ability to take security-related measures, just as other federal regulators can do in their respective critical infrastructure sectors. These authorities do not just focus on cybersecurity but can equally address situations of human error or climate-based disruptions that can cause a risk of outages to these critical services.

Second, Bill C-8 would introduce the new critical cyber systems protection act, which would legally compel designated operators to protect their critical cyber systems. Currently, the list of vital services and systems is composed of the Canadian telecommunications services, banking systems and other federally regulated industries, such as energy and transportation. However, the Governor in Council may also add new vital services and systems if needed.

This part of the bill would provide the tools the government needs to take further action to address a range of vulnerabilities. To do so, designated operators of vital services and systems would be obligated to develop and implement cybersecurity programs, mitigate supply chain and third party risk, and comply with cybersecurity directions.

It would also increase the sharing of information on cyber-threats by requiring the reporting of cybersecurity incidents above a certain threshold. Currently, there are no such legal requirements for industry to share information on cyber-incidents and no legal mechanism for the government to compel action in the face of known threats or vulnerabilities.

That means that the government may not be aware of the threats and may not be able to respond to them.

When it comes to national security, we cannot rely on the goodwill of industry alone. We must enshrine a more robust cybersecurity framework into law.

We heard from witnesses during committee study of Bill C-26, which was introduced in the last session of Parliament and adopted in the House in June 2024, that mandatory reporting on cybersecurity incidents is essential to protecting our country's national security and critical infrastructure. Mandatory reporting provides the government with increased visibility into the cyber-threat landscape and allows for more accurate and targeted sharing of technical advice and guidance to combat the exploitation of vulnerabilities.

This section of Bill C-8 also aims to serve as a model for our provincial, territorial and municipal partners to protect critical cyber-infrastructure in sectors under their respective jurisdictions. It would support all sectors in the prevention of and recovery from a wide range of malicious cyber-activities, including cyber-incidents, cyber-espionage and ransomware.

Since the introduction of Bill C-26, our government has undertaken widespread consultations with a broad range of stakeholders. Among those consulted were provinces, territories and municipalities; critical infrastructure owners and operators; civil liberty organizations; and academia.

We listened carefully to the concerns raised during debates on Bill C-26, as well as those raised at committee discussions of the bill in both the House and the Senate. Among the concerns was a need for more oversight and transparency, as well as the need to ensure that privacy is protected.

Bill C-8 would further protect Canadians' fundamental rights under the Privacy Act.

While Canadians' privacy is already protected through a number of constitutional and legislative instruments, this legislation would provide greater certainty to Canadians that their privacy and personal information will be protected. It is also now clear that confidential information must continue to be treated as such when it is necessary for it to be shared, and its recipients must similarly be respectful of that confidentiality.

The bill provides assurances to Canadians that directions issued under both part 1 and part 2 of the legislation would not be used to engage in surveillance or to intercept private communications. This responds directly to the concerns we heard from civil liberty groups.

The act also includes provisions to increase the government's transparency and accountability while still balancing the need for confidentiality, quick action and the public's desire for transparency. The bill includes an obligation for the government to notify the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency within 90 days after an order or direction is made. Furthermore, annual reports to Parliament would need to include information such as the number of orders or directions that were issued and the number of impacted operators.

Civil liberties groups and industry experts also expressed concerns about the new broader powers granted to the government under former Bill C-26.

For example, stakeholders said there was a potential for orders or directions to be issued without the government consulting or considering relevant factors, such as whether reasonable alternatives exist to issuing the order or direction. As a result of these concerns, the bill includes a reasonableness standard and a non-exhaustive list of factors the Governor in Council must first consider before issuing an order or direction. When issuing, amending or revoking an order or direction, the Governor in Council would be able to consult governments and industry, recognizing the need to do so in an expedient manner given the urgency of the situation.

While the Governor in Council already has checks and balances on their powers, criteria qualifying the government's order-making and direction-making powers are expected to prevent their misuse and improve accountability. In fact, the addition of the reasonableness standard and relevant factors for consideration before issuing an order or direction, such as operational, financial and public safety impacts, would provide the Governor in Council with further clarity and fairness around the use of these new powers.

Bill C-8 would provide transparency and accountability to Canadians. It would also provide further reassurances to Canadians that their privacy and personal information will be protected.

I hope my fellow parliamentarians will agree that Bill C-8 would provide a strong foundation for securing Canada's critical infrastructure against the dynamic and sophisticated threats that are becoming increasingly common and dangerous.

In today's world, there is no shortage of bad actors who seek to exploit vulnerabilities in our cyber systems across all of our country and society. Whether it has to do with our financial systems, telecommunications, energy sector or other critical infrastructure, we now live in a world where cyber-threats are commonplace.

By using critical infrastructure, individuals, the government, businesses and owners are all experiencing this new reality every day.

Successful cyber-incidents have severe, lasting and alarming consequences for every entity impacted but most of all for the economic and mental well-being of individuals whose lives are disrupted and whose data is compromised. Nowadays, our cyber systems are understandably complex and increasingly interdependent with other critical infrastructure. This means the consequences of security breaches are far-reaching. This malicious threat activity has the potential to seriously compromise Canada's national security and public safety, and our economy.

Bill C-8 would bring us a much-needed, consistent, cross-sectoral approach to cybersecurity. It would allow our government and industry to do more to prepare for and prevent debilitating cyber-incidents when and if they occur. This is a crucial piece of legislation to make sure our defences meet the moment, in order to protect our national security and our economy. It would demonstrate that we are a capable and sovereign ally and position our country as a global leader in cybersecurity, ensuring that Canada remains secure, competitive and connected.

Our government knows that, more than ever, secure and reliable connectivity is a necessity for our daily lives and our collective safety and security. As lawmakers, we have the power, through the passage of Bill C-8, to ensure that Canadians and businesses continue to thrive in the digital economy and that their banks and telecommunications providers continue to provide them with reliable service.

Cybersecurity is national security. This legislation would protect Canadians, businesses and the cyber systems they depend on well into the future so they can continue to work and live their lives comfortably and securely, safe in the knowledge that their government is doing all it can to ensure we have reliable and secure services and systems.

Our government's top priority will always be to keep Canadians safe.

That is exactly what Bill C-8 would help us do.

Mr. Speaker, the member raises a very important issue about the Internet, and threats on the Internet, in a number of ways. He spent a great deal of his time focused on Bill C-27, and understandably so since that is what the motion is about. The government has taken a very holistic approach in dealing with all aspects of the Internet in the form of legislation and regulations.

Quite often in legislation, we see a framework that is absolutely essential to support healthy and strong regulations that, ultimately, protect the interests of Canadians. It has been somewhat frustrating, as the member was frustrated when talking about what is taking place in committees; on the floor of the House of Commons, it has also been frustrating. The member referred to Bill C-27 being held up in committee, but he tried to put the blame on the government.

One of the biggest differences between the government today and the government while Stephen Harper was prime minister is that we are very open to ideas, constructive criticism, and looking at ways we can improve legislation. That means we have been open to amendments and changes. There have been a number of recommendations, but there was also an extensive filibuster on Bill C-27. It was not just government members but opposition members, much like we see filibusters taking place now on other aspects of the safety of Canadians.

For seven or eight weeks now, there has been a Conservative filibuster on the floor of the House of Commons, and there are other pieces of legislation dealing with the Internet that the Conservatives continue to filibuster. I am referring to Bill C-63, which deals with things such as intimate images being spread on the Internet without consent and child exploitation. We are talking about serious issues facing Canadians, including Bill C-63, that we cannot even get to committee because the Conservative Party has made the decision to filibuster on the floor of the House of Commons.

When the member opposite talks about Bill C-27, I can assure the member that the government is very keen on the legislation. We do not see how Canadians would benefit by splitting the legislation because both aspects are really important to Canadians. We should look at where it can be improved and we are open to that. We have clearly demonstrated that, but we need a higher sense of co-operation, whether dealing with Bill C-63 in the chamber or Bill C-27 at committee. Bill C-26 deals with cybersecurity. As I said, the government is very aware of what is happening on the Internet and our responsibility as legislators to advance legislation that helps establish a framework that will protect the interests of Canadians.

Earlier, I referred to a trip I took to the Philippines in the last five days. One of the companies we visited was a Canadian company, Open Text, that employs 1,500-plus people. We sat in a room that had this huge monitor of the world, and Open Text talked about how threats to infrastructure and to individuals occur every second. We are talking about a trillion type of number when it comes to computer threats occurring on a monthly basis. Open Text can tell where they are coming from and where they are going. It was a very interesting presentation.

No government has invested more in issues around AI than this government has, recognizing the potential good but also the extreme harm out there. We can think about different types of data banks. There are government data banks, such as Canada Revenue at the national level and health care records at the provincial level. There are the Tim Hortons, the private companies, and the data they acquire in their applications. The amount of information about Canadian individuals on the Internet is incredible. Technology has changed the lives of each and every one of us, whether we know it or not.

We can take a look at the number of cameras on our public streets, in malls and so on. We can think of the number of interactions we have on a daily or weekly basis, whether that is banking, which contains very sensitive information, or medical reports—