Bill C-8

Madam Speaker, let me begin by saying that I will be splitting my time with the member for Vancouver East.

I am very pleased to rise today to speak in support of Bill C‑8, an act respecting cyber security. This critical piece of legislation will strengthen Canada's resilience against public and private cyber-threats.

I believe that all of my parliamentary colleagues would agree that cyber-threats are now a major security concern in Canada. Bad actors are going to extreme lengths to disrupt our daily lives by carrying out cyber-threats against critical infrastructure. These disruptions have very serious consequences given our day-to-day reliance on technology. Whether for banking, communications or government services, cyber-incidents can affect every aspect of our lives. That is why it is imperative that we update our laws in order to mount an adequate and agile response to modern-day threats.

In June, our government introduced Bill C‑8, which represents an important step in combatting cybercrime and protecting our critical infrastructures from cyber-threats. The possibility that the critical infrastructures Canadians rely on for essential services could be hit by cyber-incidents poses a threat to our public safety, national security and economic prosperity.

Cyber-threats are becoming more and more frequent and sophisticated, and are increasingly sponsored or supported by states. Moreover, Canada's critical infrastructure is becoming increasingly digitized and interconnected, particularly with the emergence of new technologies such as 5G and 5G+. Any compromise in the telecommunications, energy, finance or transport sectors could jeopardize the security of Canadians or cause significant damage to the Canadian economy.

Passing this bill represents an important step in the government's ongoing work to combat cyber-threats, address vulnerabilities and ensure the security of Canadians and Canadian private, public and quasi-public businesses. This bill aims to strengthen national security, public safety and economic prosperity by better protecting Canada's telecommunications system against threats and enhancing the cybersecurity of federally regulated critical infrastructure.

Bill C‑8 will help strengthen our economic prosperity, as resilient infrastructure is precisely what global investors are looking for. Digital sovereignty is also a global objective. It is unrealistic to believe that investments or investors will come if we do not demonstrate a clear commitment to protecting our critical infrastructure.

To that end, this bill introduces security-related amendments to the Telecommunications Act and establishes a new cybersecurity framework aimed at strengthening the resilience of our country's critical cyber systems. The amendments to the Telecommunications Act are intended to ensure the security of Canada's telecommunications system. In particular, they are intended to protect it from threats posed by high-risk providers. These amendments will give the government clear and explicit legal authority to require telecommunications operators to take the necessary measures to protect their systems.

The bill also enacts the critical cyber systems protection act, which requires designated operators in the finance, telecommunications, energy, and transportation sectors to protect their critical cyber systems. This obligation includes implementing a cybersecurity program and reporting cybersecurity incidents to the Canadian Centre for Cyber Security.

Through cybersecurity incident reporting, our intelligence agencies will be better equipped to monitor trends and new methods used by bad actors. Let me say it again: Bad actors are much more agile and improve much faster. Unfortunately, they tend to find their way around systems. At times, this renders all government systems out-of-date.

The critical cyber systems protection act also provides the government with a new tool for taking action to fight cybersecurity threats or vulnerabilities as needed, and to protect Canadian cyber systems more effectively. This legislation will help our government fulfill its security mandate and meet its security priorities.

This government is committed to fighting modern threats like foreign interference, transnational repression and cybercrime. Because these crimes are often interconnected, this bill would play a key role in this fight by enabling the government to take action to promote the safety and security of Canada's critical infrastructure.

It is time to update our legislation so that it is able to address 21st-century threats and challenges. If this bill receives royal assent, the provisions of the critical cyber systems protection act will be implemented gradually, and the consultations under way between the government and industry stakeholders regarding the development of regulations will continue in order to minimize the potential impacts on the sectors affected.

By giving the government the capacity to take direct measures against cyber-threats or vulnerabilities, this bill will strengthen the cybersecurity of Canada's essential infrastructure through its regulatory framework, while enabling the Communications Security Establishment to be better informed of the cyber-threats facing that infrastructure. The new powers granted by the bill will help us to proactively monitor the ever-changing landscape of cyber-threats and take quick action to stop threats and address vulnerabilities.

It often seems that not a day goes by without us hearing about a cyber-incident that has occurred somewhere in the world or in Canada. Canadians hear about these incidents and are rightly concerned about the security of their personal information and the disruptions that could be caused to the systems they rely on every day, such as financial and banking systems. We need to respond to these concerns. As legislators, it is our duty to do all we can for them.

Cybersecurity is not a partisan issue. That is why I invite my hon. opposition colleagues to support us in our efforts to strengthen our collective security. We are monitoring developments in Canada and abroad, and we are taking appropriate action. The government will continue to consult stakeholders and interested parties throughout the regulatory process. While changes are definitely needed to strengthen our systems and infrastructure, we want to ensure that there is as little disruption as possible to industry, which will be a key partner in combatting cybercrime and in strengthening our resilience.

In closing, I once again invite all of my parliamentary colleagues to support this bill in order to protect Canada and Canadians from cyber-threats.

Madam Speaker, I am happy to see you in that chair.

I commend my colleague from Bourassa on his speech, which I enjoyed.

We all understand that cybersecurity is a 21st-century topic that does not just affect Quebec City, Quebec and Canada. The entire planet is subject to cyber-threats. Obviously, this bill presents approaches that are worth considering. However, if we want to keep people safe, we also have to protect their personal information. We believe that the bill should better define what constitutes personal information, since everything hinges on that. We all want to be protected from cyber-attacks, but we also want to be sure that our personal information is not being given out to everyone.

Could the member elaborate on that?

Madam Speaker, that is an excellent question.

There are two dimensions here. The first has to do with cyber-threats. We are talking about criminals and how to deal with them.

With regard to my speech, at one point I mentioned that service providers must be required to comply. That being said, it is my opinion and that of the government, that, to complement this bill, we need to establish digital sovereignty as a government and as a country, so that we have our own infrastructure and so that we are not dependent on international service providers.

In this case, once we have full control over our data, storage and clouds, we can really talk about securing the data of our fellow citizens.

Madam Speaker, the bill spells out in black and white that the federal government intends to collaborate on cybersecurity with the provinces and territories. This caught my attention, and I want to come back to the word “collaborate”.

Collaboration often means that Ottawa imposes its will and everyone else does as they are told.

I would like to know whether, this time, the word “collaborate” means true collaboration, where the government consults the other parties concerned, gathers their advice and ultimately reaches a joint decision. In other words, Ottawa does not impose a decision.

Since the government claims that it wants to collaborate on this bill, there should perhaps be some guarantee that Ottawa has held consultations with the Government of Quebec and Hydro-Québec, which will have to live with the consequences of this bill.

Madam Speaker, I want to reiterate what I said earlier and I will repeat it again, to make it very clear.

Collaboration involves all stakeholders, including provinces, territories, and, as I said earlier, all industries, whether public or quasi-public. Why? It is because we want to act quickly, because the threat is there. In the meantime, we do not want to cause any disruption to industry. That is very important.

Stakeholders will be consulted and gradual action will be taken. We will consult with all stakeholders, including the provinces and industries.

Far be it from our government to want to disrupt industry.

Madam Speaker, I listened carefully to my colleague's very thoughtful speech.

I wonder if my colleague sees what else this law can bring. Can we have tools in this bill that can help inform and educate our communities so that people understand how to protect themselves in cyberspace?

Of course, the bill focuses on institutions, but I wonder if we can bring in tools to teach and educate people who spend time in cyberspace.

Madam Speaker, I talked about cracking down on crime, but my colleague is absolutely right to mention education.

I am not just talking about public safety, but also about other sectors and other areas. Departments need to have communication strategies that educate users so that their data is as secure as possible.

Madam Speaker, I want to thank my colleague, the member for Bourassa, for splitting his time with me.

Cybersecurity is no longer a distant concern of experts in back rooms; it is a kitchen table issue. Canadians expect their lights to come on, their paycheque to be deposited, their medical records to be private and their phone to connect them to loved ones without interruption. They expect those things to be safe from hackers, hostile states, nefarious actors and, yes, overreach by their very own government. Cybersecurity is not an abstract concern; it is about whether families can trust their power grid to stay on, whether a rural clinic can keep its patient records safe and whether small businesses can keep their doors open without fear of being taken down by hackers.

Canadians deserve real protections against cyber-threats. They are a reality in today’s world, and we all recognize that. In that respect, I acknowledge that Bill C-8 reflects a pressing reality: Canada must strengthen the resilience of our critical infrastructure. However, in our rush to act, we must also ensure that we get the right balance. If we protect our systems but undermine our rights, if we secure our networks but destabilize our economy, then we will have built a fortress with the doors left open.

Bill C-8 as it stands raises several concerns. The Liberals tell us the bill is proof of their so-called innovation agenda, but when we look closely at the fine print, the reality is far more complicated. Bill C-8 is a near carbon copy of Bill C-26, a bill that died when Parliament was prorogued earlier this year, and while some minor improvements have been made, some fundamental flaws remain. This is where I would like to focus my remarks as I and my colleagues in the NDP consider the ramifications of the bill. Allow me to bring those questions forward with the hope of bringing some clarity and changes to the bill.

First is the scope of ministerial powers. Under the bill, the Minister of Industry could compel telecommunications providers to rip out equipment, ban entire suppliers or suspend agreements. Imagine that a company might have to pass the costs of that on to its customers or close its doors entirely.

While the minister explained that safeguards exist to prevent disproportionate orders from crippling providers and leaving rural Canadians disconnected, Bill C-8 would grant sweeping powers to cabinet and the Minister of Industry: powers to ban telecom companies from using certain equipment, to force its removal, to suspend services and to terminate contracts. These orders could be issued without prior judicial approval, without parliamentary review and without independent oversight. When we concentrate this much power in the hands of a single minister, we need checks and balances. Where are they in the bill?

Second are the risks to privacy and civil liberties. The bill would allow for mandatory information sharing between telecoms, regulators and federal agencies, and possibly onward to foreign governments. The standard for this disclosure is simply the minister’s own judgment of what is “necessary”. This is vague, subjective and wide open to abuse. Why are there no requirements in the bill for privacy impact assessments? Why are there no guarantees that collected data would not be repurposed for unrelated purposes?

Third is the absence of compensation or worker protection. If a company is ordered to rip out equipment or shut down services, there would be no compensation. For small Internet providers, that could mean bankruptcy. For their workers, it could mean layoffs. For rural and remote communities, it could mean disruptions in already fragile service. Where is the government’s plan to support the workers, providers and communities that would bear the costs of compliance?

Fourth are the penalties. Bill C-8 envisions fines of up to $15 million a day for corporations and up to $1 million a day for individual employees. Think about that: A frontline worker following orders from management could face personal ruin under the regime. Where are the safeguards to ensure fairness, due process and appeal rights?

Fifth is the one-size-fits-all approach. The bill would lump together banks, telecoms, nuclear facilities and energy co-operatives under a single compliance framework. All of them would face the same 90-day timeline to stand up cybersecurity programs, no matter their size or capacity. For large corporations, perhaps this is feasible, but for small operators or co-ops, it could be impossible. Should compliance obligations not be tailored to the realities of different sectors?

Sixth are international consequences. Canada’s adequacy status under the European Union’s GDPR is the foundation of much of our digital economy. It is what allows European data to flow into Canadian systems, supporting banks, airlines and cloud providers, but the European Commission reviews adequacy every four years. If it sees that Canada is granting unchecked surveillance powers, or if it sees data repurposed without necessity and proportionality, we risk losing that adequacy decision. We have already seen what happened to the United States under Schrems II. Does the government truly want to put Canada in the same position?

New Democrats agree that cybersecurity is essential, but cybersecurity must not come at the expense of democracy, accountability, privacy or fairness for workers and communities.

Here are the questions we are putting on the record for the Minister of Public Safety and the government to answer. Why has the government chosen to concentrate so much power in cabinet without requiring independent judicial and parliamentary review? Why would there be no independent oversight body to ensure that orders are proportionate and justified? Why would the bill not guarantee privacy impact assessments or limit onward disclosure of Canadians’ personal data to foreign governments? Why has the government not proposed compensation or transition supports for workers and small providers who would bear the financial burden? Why would penalties be so extreme that individual employees could be personally liable for millions of dollars, even when following management orders? Why would the same compliance framework be applied to banks, nuclear facilities and small ISPs alike? Has the government conducted and published a risk assessment of how Bill C-8 could affect Canada’s adequacy standing with the European Union?

The Liberals say the bill would modernize our telecom laws and defend Canada, but democracy must not be sacrificed in the process. Strong cybersecurity should also mean strong democracy. It should protect Canadians from foreign threats without opening the door to unchecked government overreach.

New Democrats will continue to push for changes, independent oversight, stronger privacy protections, fair treatment for workers and communities, proportional penalties and sector-specific flexibility. We can protect Canadians from cyber-threats without trampling on rights, without ignoring workers and without undermining our economy. Bill C-8 is an opportunity to strike the right balance, but right now it does not seem well equipped to do that.

Canadians want more answers, transparency and oversight from overreach, as we have seen the tendency of the new Prime Minister to move headlong toward centralization without considering the consequences for public policy and its effects on everyday Canadians.

Madam Speaker, the member talked a lot about the protective measures, but the bill is one that has been in the House before. I think she supported it in the past as well.

Are amendments to establish a regulatory framework to strengthen the baseline of cybersecurity something the member would like to bring to committee to discuss and support, going forward with the bill?

Madam Speaker, yes, the bill, in the form of Bill C-26, has gone before Parliament. Some amendments were adopted, but having said that, I think more work needs to be done.

I raised a series of questions in my speech. I would like answers from the government. I would like to hear experts respond to those concerns, and then we can move forward with amendments to address, truly, a bill that would balance the need to enhance cybersecurity infrastructure for Canadians with protecting our rights.

Madam Speaker, let me congratulate and express deep gratitude to the hon. member for that excellent speech. I too am terribly concerned by the civil liberties restrictions that this bill would impose. I note that when this bill was in the last Parliament, several civil society organizations, including the Canadian Civil Liberties Association and the David Asper Centre for Constitutional Rights, penned an open letter saying it tramples our civil liberties.

To the deputy House leader's point, I would just like to point out that this bill has already been to committee. It has already been criticized by these civil liberties organizations.

Why did the Liberals not make the amendments these civil society groups asked for?

Madam Speaker, I cannot really answer why the government is doing what it is doing. It is doing many things I do not agree with, such as what it is doing with Canada Post right now. I cannot answer for the government.

What I can do, though, is to raise these concerns again and to put them forward. I expect we will hear from expert witnesses at committee. I expect amendments will be put forward, and I hope they will be taken seriously. I hope we can work collaboratively, because cybersecurity for Canadians is really important, but so too are our rights and our democracy. We can strike the right balance.

I really urge the government to stop centralizing all the power and making decisions behind closed doors and giving ministers, in this instance the Minister of Industry, this expansive power without transparency.

Madam Speaker, I also congratulate my colleague on her speech. She raised a number of very relevant points, particularly regarding the centralization of power within cabinet, which has ultimately resulted in a law marked by numerous ambiguities.

Of course, the Bloc Québécois wants to ensure that we have the means to deal with cyber-attacks, but we are very concerned about Quebec's jurisdiction being respected.

Given the excessive centralization of authority within cabinet, is my colleague prepared to work with the Bloc Québécois to ensure that the jurisdictions of Quebec and the provinces are respected?

Madam Speaker, it is important to respect jurisdictional authority, and I am not sure if the government actually struck the right balance in this bill. I am not sure it has struck the right balance in ensuring that respect is in place, but more importantly, to respect the privacy rights and those measures the government put forward that meet the standard of transparency and accountability.

There is a lot of stuff in this bill that comes without independent oversight, as an example. That is not good for Canadians; that is not good for anyone. We will see what happens at committee. I expect amendments will be put forward. The NDP does not have a seat at the committee table, but we will be watching to see how things progress and we will make a determination of how we can enhance Bill C-8 for all Canadians.