An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Sponsor

Marco Mendicino  Liberal

Status

At consideration in the House of Commons of amendments made by the Senate, as of Dec. 5, 2024

Summary

This is from the published bill. The Library of Parliament has also written a full legislative summary of the bill.

Part 1 amends the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system. It also establishes an administrative monetary penalty scheme to promote compliance with orders and regulations made by the Governor in Council and the Minister of Industry to secure the Canadian telecommunications system as well as rules for judicial review of those orders and regulations.
This Part also makes a consequential amendment to the Canada Evidence Act.
Part 2 enacts the Critical Cyber Systems Protection Act to provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are delivered or operated as part of a work, undertaking or business that is within the legislative authority of Parliament. It also, among other things,
(a) authorizes the Governor in Council to designate any service or system as a vital service or vital system;
(b) authorizes the Governor in Council to establish classes of operators in respect of a vital service or vital system;
(c) requires designated operators to, among other things, establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions;
(d) provides for the exchange of information between relevant parties; and
(e) authorizes the enforcement of the obligations under the Act and imposes consequences for non-compliance.
This Part also makes consequential amendments to certain Acts.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

March 27, 2023 Passed 2nd reading of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Peter Schiefke Liberal Vaudreuil—Soulanges, QC

Thank you, Mr. Yalkin.

I'll turn my questions over now to Ms. Robertson. Thanks for being with us today.

I'm very interested in hearing more about some of the oversight mechanisms you would like to see put in place. You mentioned them earlier in the line of questioning. Can you expand on those and perhaps comment a bit on how Bill C-26 intersects with the Privacy Act?

Is there anything in there that you see as problematic? How can that be mitigated here in committee? What can we do?

February 12th, 2024 / 4:45 p.m.


Senior Research Associate, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Kate Robertson

Yes. In the situation where an individual or institution would seek to challenge the collection powers or orders under Bill C-26, there is a judicial review mechanism that's available. There are other complaint proceedings that are available in law outside of the scope of Bill C-26.

In this case, it contemplates secret evidence. In this case, there is some language that is included. Unlike the minister's discretion to keep secret the orders themselves—and that discretion doesn't appear to have any limits—there is some language in the bill at least with respect to the secret evidence proceedings. However, we've recommended that it be tightened and aligned with that which is set out in the Canada Evidence Act, because there's no justification for diluting that requirement or the court's ability to balance the public interest in disclosure in contrast to the government's interest in confidentiality. That's essential, in our view, with respect to the constitutionality of the scheme.

February 12th, 2024 / 4:45 p.m.


Senior Research Associate, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Kate Robertson

Yes, that's a function of the absence of publicity requirements with respect to the orders themselves, as well as the absence of any notice obligation set out under Bill C-26.

We've recommended in our brief that the constraints on secrecy must be defined and strictly curtailed to what is absolutely necessary. Language exists in the bill to support that amendment, as well as the need for notice obligations, which is an essential function for review mechanisms that would be necessary for this level of collection and sharing power, of course.

Peter Julian NDP New Westminster—Burnaby, BC

Thank you.

I'd like to go to you, Mr. Yalkin.

You raised some important issues through OSFI. I have two questions for you.

First off, have you been consulted at all on Bill C-26? Was the banking sector consulted before the legislation was tabled, or afterwards?

Second, how many cyber-attack incidents have we had in the financial institutions covered by OSFI's mandate? How many cyber-attacks were there in 2023? Is that number increasing, decreasing or staying stable?

February 12th, 2024 / 4:40 p.m.


Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

As it stands, Bill C-26 does not include a requirement to conduct privacy impact assessments. The Treasury Board does, however, have a policy with such a requirement. We consult with departments regularly. We have a government advisory directorate, and we provide advice to departments.

In some cases, the assessments are done after the fact, once the tool has already been used. In fact, I recently appeared before the Standing Committee on Access to Information, Privacy and Ethics on the subject.

It undermines trust when Canadians find out that the government is using a tool or developing a program without conducting a privacy impact assessment first. That's why privacy impact assessments should be conducted at the outset.

In addition, people should know that our office has been consulted. That way, when the information becomes public, they know that we were consulted, that discussions were held and that advice was given.

That is what I'd like to see in Bill C-26, given the potential impact of those powers.

Peter Julian NDP New Westminster—Burnaby, BC

Thank you, Mr. Chair.

Thank you, Mr. Dufresne, for your service as law clerk and parliamentary counsel of the House of Commons, as well as your work in your current role as the Privacy Commissioner of Canada.

Thank you to all the witnesses for the information they have shared with the committee.

Commissioner, I have two questions for you.

You mentioned the importance of having Bill C-26 require government organizations to conduct privacy impact assessments.

First, have government or non-government organizations ever consulted your office? The bill was introduced in June 2022, so certainly, there will be an impact.

Second, has an organization consulted your office to learn how to conduct the assessments? What impact will Bill C-26 have?

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

Thank you, Mr. Chair.

Thank you to the witnesses for being with us.

In your opening remarks, Mr. Dufresne, you raised your concerns with respect to privacy. Most of the witnesses we've heard from actually share your concerns.

What you're recommending—that your office be consulted—differs from what most of the other witnesses have proposed. The mandate of the Office of the Privacy Commissioner is to oversee “compliance with the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act”.

You are recommending that, should Bill C-26 be passed, the Department of Public Safety or the minister responsible consult your office.

In the case of other bills, do departments or ministers consult your office on privacy considerations? If so, can you provide an example? It would give us a sense of how things would work.

Iqwinder Gaheer Liberal Mississauga—Malton, ON

We know that during the course of the committee's study on Bill C-26 so far we've heard a lot of stakeholder reaction around privacy rights and information sharing. You touched a bit on this in your opening testimony as well. Do you have any suggestions for how these concerns can be mitigated through regulations, especially when the data is crossing national boundaries?

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Thank you, Chair.

I would just like to point out that if it weren't for Conservative filibusters, we would have been finished with Bill C-26 and we would be on auto theft right now.

If this were such a serious issue, they wouldn't have brought up Emergencies Act motions—at least six of the same thing, just changing how many meetings—and they would have gotten to the point. I believe that, just at the last meeting, it was the first time a Conservative member actually asked witnesses a question on Bill C-26. If it were such a concern, we would have already been studying auto theft—which was Ms. Michaud's motion to begin with, which we all agreed with.

I think it's crucially important that we finish Bill C-26 and move forward with auto theft, and we can do that. We still have to submit amendments and things like that and then get to clause-by-clause, but we can go to auto theft in the meantime.

I will just confirm that the ministers, both Minister LeBlanc and Minister Champagne, are scheduled on Bill C-26 for February 15, and Minister LeBlanc is also confirmed for his appearance for the week when we're sitting in March. He's there on his mandate, and that's been confirmed to the clerk. Those are both scheduled.

I would like to point out that the minister was available sooner, but we were in a different study, and it was decided to invite other witnesses to come before that. I recognize the frustration in terms of scheduling the minister. I have been taking that back, but if it weren't for all of the continuous filibusters, we would have been in a very different place as a committee.

We need to finish Bill C-26. We have only two meetings left after this. We have the ministers and then one more, I believe, and then we can move forward, but if we continue to get filibustering motions from the Conservatives and they're not serious about talking about Bill C-26, then we're not going to be able to get to auto theft. It's a shame that they've done that, since it's really important.

I would very much hope that we can finish this study and move to auto theft, which was always the plan. Again, we would have been there if it weren't for Conservatives wasting committee time and taxpayer money talking about motions that they actually never even wanted to vote on.

Peter Julian NDP New Westminster—Burnaby, BC

Thank you, Mr. Chair.

I want to welcome the students from Saint‑Hyacinthe high school and thank them for joining us today.

The motion covers a number of elements, and my preference in those cases is always to have the steering committee discuss the matter. I'm all for inviting the minister, but I think it's unlikely that he'll be able to make time in his schedule on Thursday.

While I think it's important to get started on Ms. Michaud's study, which we all support, as soon as possible, doing so would delay our study of Bill C-26. For the past month, we've had a number of challenges in holding discussions and meeting with witnesses. I think we need to improve Bill C-26 right away. Then, we could move on to the auto theft study, which I think is important.

For that reason, I will be voting against the motion, but I will raise it with the steering committee. I think the committee should meet as soon as possible.

That said, I think we need to work out a schedule and invite the minister again. Mr. Shipley rightly pointed out that the minister has hardly been here, and that needs to change. We can discuss the auto theft issue as soon as we wrap up the study on Bill C-26.

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

Thank you, Mr. Chair.

I'd like to comment on the motion, if I may.

It's been a while since we've had a chance to discuss a motion. I just want to say that it is true that the minister still hasn't been here to talk about his mandate generally, even though that should happen at the very beginning of the year—and even in the middle of 2023, after he was appointed. I therefore agree with that part of the motion.

Since I proposed the auto theft study, I'm certainly not opposed to moving it up. I do want to say, however, that my intention is not to hold up the study on Bill C-26 either. I think it would be reasonable to do both at the same time.

I'm not sure whether the plan was to vote on this motion today, but I would support the motion.

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Thank you, Chair.

Thank you to the witnesses for being here today.

Bill C-26 is a very important issue. I'm going to ask for a little time on this. I have no intention of infringing on anybody else's time today, Chair, but I would like to quickly move a motion that's on notice, and hopefully get back to Bill C-26 quickly. It's a short motion.

I move:

That the committee acknowledge that auto theft is a pressing issue facing Canadians and pursuant to the motion agreed upon regarding auto thefts on October 23, 2023, the committee commence this study on Monday, February 26, 2024 and dedicate the following six Monday meetings to this study, while reserving the committee’s Thursday meetings for the study of Bill C-26. Additionally, pursuant to the motion agreed upon regarding the Rights of Victims of Crime, Reclassification, and Transfer of Federal Offenders on Monday, October 23, 2023, that the committee extend its meeting on Thursday, February 15, 2024 for an additional hour and the Minister be invited to appear for the full three hours in order to discuss all matters related to his mandate.

Chair, I feel this is a reasonable approach and motion to prioritize a serious issue. I think all of us around this table agree that auto theft is a serious issue.

The reason we added trying to get a little extra time with the minister is that we have not had a minister report to this committee since May 30, 2023. The last time a minister came for estimates was May 19, 2022. We all passed a motion on October 23, 2023, “that the committee invite immediately the Minister of Public Safety and department officials to appear for two hours to discuss his mandate.” I was hoping to consolidate some of those meetings together and make our time work a little better. Perhaps the minister, if he can fit it in his schedule, could find the time to talk to us about many pressing issues that are going on here right now.

With that, I will cede the floor, Chair.

Kate Robertson Senior Research Associate, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Thank you, Mr. Chair and members of the committee. As you know, I attended this committee last week in relation to this bill.

I'm a senior researcher at the Citizen Lab, which is based at the Munk School of Global Affairs and Public Policy at U of T. I have submitted a written brief to this committee along with a colleague, Lina Li of McGill Law, which builds upon the research and analysis of my former colleague at the Citizen Lab, Dr. Christopher Parsons.

Today I will readopt my comments from last week and supplement them as follows.

First, several concerns have been raised throughout these hearings focusing on malicious targeting by, for example, ransomware of aspects of the economy that are outside federal responsibility, such as hospitals. The need for protection in other areas is important, but this committee can also be mindful of the proper scope of its responsibility in its work on Bill C-26.

I also appreciate other committee witnesses raising threats facing Canadian society today. However, it is never a good idea to legislate out of fear. This is an important issue that requires careful due diligence and reflection as to what goes into any amendments. I would suggest the committee carefully look at what it is doing. Making the right decision now could improve the security, safety, privacy and charter rights of all people in Canada for decades going forward. It's incredibly important that lawmakers are thoughtful, nuanced and reflective of the kinds of amendments they propose for the legislation.

Second, our brief sets out recommendation 12—including recommendations 12A through 12C—pertaining to judicial review proceedings under Bill C-26. This includes the recommended appointment of special advocates in judicial review proceedings, and the need to align Bill C-26 with analogous provisions under the Canada Evidence Act applicable to secret evidence. These amendments are not only important but also fair, simple and common-sense enhancements.

Lastly, I also wish to address our recommendation that government entities empowered with new information collection and sharing powers be required to limit the use of that information to cybersecurity and information assurance.

The collection or use of information by national security intelligence agencies like the CSE about Canadians or persons in Canada is a core matter of public and constitutional concern. The concern that the CSE may repurpose information it receives through Bill C-26 into its other intelligence activities is not a speculative one. Recent reporting from the National Security and Intelligence Review Agency, or NSIRA, documents that, at this time, the CSE does not consider itself prohibited under its home statute from repurposing information about Canadians across its mandates.

However, only a few years ago, in Bill C-59, an important equilibrium was struck by Parliament concerning the need for important limits, given the prohibition against intelligence agencies directing their activities towards people in Canada. Bill C-26 could destabilize this important equilibrium. It currently contemplates broad and even secretive government collection and sharing powers about information concerning people in Canada. While the Department of Justice's charter statement on this bill referred to the government's potential use of only technical information and not sensitive personal information, there are no caveats or safeguards to stipulate this in the legislation. Clarity is needed.

Telecommunications providers, for example, are quite literally conveyors of the most private information known to our legal system. I agree with witnesses from CIRA and OpenMedia that this is a core matter of public trust. The public should not have to be asking itself whether the government's cybersecurity bill is actually a spy bill under a different name.

As noted by Mr. Hatfield last week, NSIRA has reported a chronic problem in reviewing the lawfulness of the CSE's activities since its inception. Lawmakers here should be very cautious when considering whether extending additional new powers is appropriate or necessary under Bill C-26, and what corresponding judicial oversight mechanisms are necessary and fit for purpose to protect the privacy of all people in Canada.

Thank you. I'm happy to answer any questions you may have.

Tolga Yalkin Assistant Superintendent, Regulatory Response Sector, Office of the Superintendent of Financial Institutions

Thank you so much.

Good afternoon, Mr. Chair, and ladies and gentlemen of the committee.

The mandate of the Office of the Superintendent of Financial Institutions, or OSFI, contributes to public confidence in the Canadian financial system by regulating and supervising approximately 400 federally regulated financial institutions. In this role, we ensure that these institutions maintain sound financial conditions, continually assess risks and industry trends, and safeguard against threats to their integrity and security, including cyber-threats.

There’s no question that financial institutions are vulnerable to cyber-attacks. In fact, OSFI has highlighted cyber-risk as a key risk to Canada’s financial stability in our annual risk outlook, which is available online.

Given this, it won't surprise you that we have been, for some time, active as a regulator in expecting our financial institutions to adopt appropriate risk management practices in the face of cyber risks. More specifically, we've taken pains to clarify in our guidelines our expectations for how financial institutions should manage technology and cyber risks to prevent things like outages and data breaches and to improve overall technology and cyber resilience.

This also includes an expectation that financial institutions respond to tech and cybersecurity incidents quickly and effectively and, more importantly, notify us whenever an incident happens. That reporting really helps us to identify areas where individual institutions—or the industry more broadly—need to take steps to prevent issues from arising.

We also provide tools to financial institutions. A good example of this would be our cybersecurity self-assessment, which helps them evaluate their current level of cyber-preparedness and develop effective cybersecurity practices. There is also our I-CRT—that stands for intelligence-led cyber resilience testing—framework, which provides instructions to financial institutions on how to implement a sophisticated approach to what is known as red teaming.

These efforts, and others, are critical, in my opinion, as there's little question that cyber-attacks will continue to increase in frequency and sophistication. Moreover, this is a risk environment that, in our experience, changes rapidly, and failure to protect against it can have serious consequences. A successful cyber-attack could impact the confidentiality, integrity, and availability of data and systems, which in turn could result in loss of public trust, reputational damage and financial loss.

That’s why OSFI is so focused on promoting the sound management of cyber-risks and technology risks generally at all federally regulated financial institutions.

As an identified regulator within a critical sector, OSFI is standing by and ready to support committee members in their reflection around Bill C-26. We want to help to improve the resiliency of Canada’s financial system.

I would be pleased to answer the committee members' questions.

Thank you, Mr. Chair.

Philippe Dufresne Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you, Mr. Chair.

Members of the committee, I am pleased to be here to assist the committee in its study of Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts.

Cybersecurity is an area of significant importance, in Canada and globally. Digital services that are delivered through cyber-systems and telecommunications networks are central to the ways that we live, work and interact, and impact large volumes of personal information and data. That is why it is critical to protect Canada’s cyber-infrastructure from potential threats.

At the same time, we must ensure that efforts to secure these systems and networks also protect and respect Canadians' fundamental right to privacy. This is not a zero-sum game. Privacy and the public interest are not only compatible; they build on and strengthen each other. I strongly support the objectives of Bill C-26 and believe that it's imperative that we as a society have the necessary tools and the ability to address this important public interest goal.

In my testimony today, I will share ways in which the bill could be strengthened in order to further protect the fundamental right to privacy and address potential privacy implications while achieving its important objectives.

Under Bill C-26, specified persons or entities would be able to collect and analyze a wide range of information, including sensitive personal information that is held by banks, telecommunications operators and energy services providers. The bill would also allow for the sharing of that information with organizations such as intelligence agencies, provincial and foreign governments and organizations established by foreign states.

As drafted, these powers are broad. In order to ensure that personal information is protected and that privacy is treated as a fundamental right, I would recommend that the committee consider making the thresholds for exercising these powers more stringent, and placing stricter limits on the use of those powers. One way of doing so would be to require that any collection, use or disclosure of personal information be both necessary and proportionate. This is a core principle for the handling of personal information that is recognized internationally.

Requiring government institutions to conduct privacy impact assessments, or PIAs, and to consult my office on new programs or initiatives created under the authorities in Bill C-26 would also strengthen privacy protections while supporting the public interest and generating trust. PIAs, which are currently a policy requirement under the Treasury Board Secretariat's directive on PIAs but not a legally binding requirement under privacy legislation, are an important tool for identifying, analyzing, addressing or mitigating privacy issues before initiatives are put in place. They can help reduce inadvertent harms to privacy as initiatives roll out. This is why I've recommended that the preparation of PIAs should be made a legal obligation for the government under the Privacy Act.

Bill C-26 would also allow the Minister of Innovation, Science and Industry to prohibit public disclosures of certain orders and directions made under the proposed act. It's important that any such confidentiality provisions that have the effect of reducing public scrutiny regarding the bill's implementation, including the collection, use and disclosure of personal information, be accompanied by appropriate transparency measures. These could include requiring the government to report to Parliament and/or to my office regularly on the number, nature and purpose of such orders and directions, especially when they involve sensitive personal information. This would reassure Canadians that their privacy is protected at all times.

I would also recommend that the bill be amended to include stronger accountability measures to ensure the protection of personal information that is shared outside Canada. These could include additional oversight mechanisms and established criteria that must be included in information-sharing agreements with foreign jurisdictions, such as restrictions on any onward transfers of the personal information, establishing safeguards that must be applied, and penalties for non-compliance.

Finally, should Bill C-26 be adopted, it will be important that my office have the necessary flexibility to coordinate, as appropriate, with other regulatory and oversight bodies that are involved in responses to cybersecurity incidents in cases that may involve a breach of personal information.

I would be happy to take your questions.