Bill C-26

This is a similar amendment, although the wording is slightly different. That tells me where my fellow members stand, but I will move it anyways.

The amendment would add the following provision:

(2) Any law of a province relating to cybersecurity that provides for more stringent rules than those prescribed by regulations made under subsection (1) is to prevail in that province.

Quebec, for instance, has a ministry of cybersecurity and digital technology. It's reasonable to think that Quebec's rules are pretty relevant, if not more stringent, as may be the case in other provinces. If so, the amendment would ensure that the rules of the province in question overrode the federal rules set out in Bill C-26.

Thank you very much, Mr. Chair.

This is regarding the issue of Bill C-26 and to ask whether it needs operators to immediately report a cybersecurity incident.

The reality is that we heard testimony from the Canadian Chamber of Commerce and other witnesses about a 72-hour reporting period, with “immediate” being defined as 72 hours.

It's important to note that in the U.S., the Cyber Incident Reporting for Critical Infrastructure Act also talks about a 72-hour reporting time frame.

Our witnesses said very clearly that “immediately” made it potentially difficult for them to resolve the issue and to respond to the cyber-attack, because they would be concerned about the impacts of not reporting in that immediate time frame. A 72-hour window would provide the ability to combat the cybersecurity incident and do the reporting in a very timely way.

I'd like to move what we heard from witnesses and move NDP-10 to essentially provide an amendment such that the designated operator must report the cybersecurity incident within 72 hours from the time the operator reasonably believes the incident occurred.

I call the meeting to order.

Welcome to meeting 101 of the House of Commons Standing Committee on Public Safety and National Security.

Today's meeting is taking place in a hybrid format, pursuant to the Standing Orders. Members are attending in person in the room and remotely by using the Zoom application.

I would like to make a few comments for the benefit of the witnesses and members.

Please wait until I recognize you by name before speaking. To prevent disruptive audio feedback incidents during our meeting, we kindly ask that all participants keep their earpieces away from any microphone. Audio feedback incidents can seriously injure interpreters and disrupt our proceedings. I will remind you that all comments should be addressed through the chair.

I will also quickly remind you of an informal meeting with the Norwegian delegation at 5:30 today, for those interested.

Pursuant to the order of reference of Monday, March 27, 2023, the committee is resuming its study of Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. Today the committee resumes its clause-by-clause consideration, beginning with clause 12.

I will now welcome the officials who are with us. They are available to answer questions regarding the bill, but will not deliver any opening statements.

From the Department of Industry, we have Andre Arbour, director general, strategy and innovation policy sector; from the Department of Public Safety and Emergency Preparedness, we welcome Colin MacSween, director general, national cybersecurity directorate, and William Hartley, acting manager; and from the Communications Security Establishment, we have Stephen Bolton, director general, strategic policy, and Richard Larose, senior technical adviser.

Thank you for joining us today. With that, we will begin—

Yes, Mr. Shipley, please go ahead.

Thank you, Mr. Chair.

This is another key decision point, and it's what we've repeatedly heard is the best route forward to improve Bill C-26. We heard from members of the coalition, and I'll remind you that the organizations involved include the Privacy and Access Council of Canada, OpenMedia, the National Council of Canadian Muslims, the Ligue des droits et libertés, the International Civil Liberties Monitoring Group and the Canadian Civil Liberties Association. All of them have said that an important component for ensuring that the public interest is protected is a provision for special advocates.

What this would do is add, after line 13 on page 8, the following:

(a.1) the judge must appoint a person from a list established by the Minister to act as a special advocate in the proceeding after hearing representations from the applicant and the Minister and after giving particular consideration and weight to the preferences of the applicant;

It would also add, after line 28 on page 8, the following:

(c.1) on the request of the Minister, the judge may exempt the Minister from the obligation to provide the special advocate with a copy of information if the judge is satisfied that the information does not enable the applicant to be reasonably informed of the case made by the Minister;

I won't read all of the amendment. I know that my colleagues around the table have had a chance to thoroughly review NDP-9, but the reality is that special advocates are top secret, security-cleared private practice lawyers, independent of government. We've already seen special advocates protecting the interests, for example, of permanent residents or foreign nationals subject to a security clearance certificate or other proceedings under the Immigration and Refugee Protection Act.

Currently, there is a list of special advocates who are cleared to defend individuals in matters like this, with the Immigration and Refugee Protection Act. There are apparently 10 special advocates available.

This is clear testimony we heard from numerous witnesses among the coalition members I mentioned. They are some of Canada's most reputable groups, and there is no doubt that having in place a special advocate would improve the legislation, so I want to move NDP-9.

I'll just follow up on that.

I know there are often exceptions for national security and whatnot. How can Canadians trust that, when an exception is laid out in Bill C-26...? This is larger than the conversation about this current proposed section. The minister is given discretion quite often to ensure they can use information if it's related to national security, etc. How can Canadians trust that the right balance is struck? This is a bigger conversation, but I think it will help speed up some of the forthcoming amendments.

Could you outline the processes in place to ensure that privacy is in fact protected and that, when an exemption is laid out in legislation, it's not opening it up for abuse?

Thanks very much, Chair.

My other committee is the access to information, privacy and ethics committee. While it notably prosecutes Liberal scandals, it also does a lot with privacy.

I would ask the officials if they could weigh in. I appreciate Ms. O'Connell's statement about it not being necessary, but I would ask if the officials could weigh in on the specific application of the privacy-related sphere in this and whether the amendments would make a notable difference compared to what is currently listed in the act versus what is in Bill C-26, as well as its applications of the myriad privacy rules that overlap here.

Thank you, Mr. Chair.

The Conservatives did agree to go through Bill C-26 without filibustering. I hope Mr. Kurek now has a copy of that memo because we really need to get through this bill.

Thank you, Chair.

G-3.2 is similar to G-1.2. We are concerned about being too prescriptive and limiting the ability to consult with required people as to threats. Obviously, when we look at administrative law, there's a zone of expertise that we allow the agencies to have.

I move to amend Bill C-26, in clause 2, by replacing line 28 on page 2 with the following, which is referring, I assume, to the Minister of Emergency Preparedness:

Emergency Preparedness and with the persons the Minister considers appropriate,

Thank you, Chair.

This is coordinating with G-1.1, which the committee agreed to. We're saying that Bill C-26, in clause 2, should be amended by replacing lines 25 and 26 on page 2 with the following:

tem against any threat, including that of interference, manipulation, disruption or degradation, the Minister may, by order and af-

Thank you.

Thank you, Mr. Chair.

I apologize to my Conservative colleagues in advance for CPC-4 not being able to be moved if we adopt NDP-3.

We had a persistent theme in testimony before the committee that we need to ensure transparency around Bill C-26. What NDP-3 would accomplish is ensuring that orders are published “in the Canada Gazette within 90 days after the day on which it is made”. This has been suggested by coalition members who appeared before the committee, and it would ensure more transparency in the bill.

I move the amendment, Mr. Chair.

As we know, Bill C‑26 enables the government to issue confidential orders applicable to telecommunications service providers. While confidentiality can certainly be justified in certain situations, it shouldn't be the default rule. A number of civil liberties organizations have told us as much.

These organizations recommend a mandatory Federal Court order as a check and balance against government overreach. This could be an effective way to ensure that the government isn't hiding disproportionately intrusive actions. It adds some checks and balances to the legislation.

I'll read amendment BQ‑2, which proposes an amendment by replacement:

(2) On application by the Minister, the Federal Court may, by order, prohibit any person from disclosing some or all of the order's contents if it is satisfied that there are reasonable grounds to believe that such disclosure could be injurious to international relations, national defence or national security or endanger the safety of any person.

I'm wondering about part of line 3 of the amendment. The wording is “disclosing some or all of the order's contents.” That sounds funny to me. Again, I think that the legislative clerks are the experts on how to write this. If it sounds good in the legislative language, so much the better. I just wanted to make sure.

I have a question for the officials before we move on with the discussion.

I want to make sure that adopting this amendment wouldn't add lengthy delays to the process. Would it?

Thank you, Chair.

This is related to NDP-1 but has alternative language in G-1.2. We're moving that Bill C-26, in clause 2, be amended by replacing line 17 on page 1 with the following:

cil may, by order and after consultation with the persons the Governor in Council considers appropriate,

That's the amending language. Again, this is alternative language to NDP-1.

(Amendment agreed to)

I actually thought you were talking about interpretation for a different language. It's okay. They speak English very well.

All right. Now we have our study on Bill C-26.

Pursuant to the order of reference of Monday, March 27, 2023, the committee resumes its study of Bill C-26, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other acts. Today, the committee commences clause-by-clause consideration.

I will now welcome the officials who are with us. They are available for questions regarding the bill but will not deliver any opening statements. From the Department of Industry, we have Andre Arbour, director general, strategy and innovation policy sector, and Wen Kwan, senior director, spectrum and telecommunications sector. From the Department of Public Safety and Emergency Preparedness, we have Colin MacSween, director general, national cyber security directorate, and Kelly-Anne Gibson, acting director, national cyber security directorate.

Thank you for joining us today.

We're going to move right into clause-by-clause.

The chair calls clause 1. Shall clause 1 carry?

Mr. Lloyd.