Bill C-8

Madam Speaker, I am pleased to rise and speak to Bill C-8 today. For those watching at home, in the previous Parliament, Bill C-8 was Bill C-26.

I was pleased to sit on the public safety and national security committee, which went over that bill. I want to provide a quick overview, because part of the debate we are having in the House today is about why we are discussing the legislation again when it was discussed and advanced, pretty much to the finish line, in the last Parliament.

Bill C-26 went through committee. There were numerous amendments made by all parties. It came out and went to the Senate. The government asked the House of Commons to fast-track a different bill on foreign interference. In the government's own incompetence, it did not seem to realize that its foreign interference bill contained provisions that nullified the entire second part of Bill C-26. The Senate actually identified this problem. This caused such a delay to the bill that when the Liberal government decided to prorogue Parliament, despite the fact that it had not tested the confidence of the House, it actually resulted in the legislation being killed.

The government has been saying, “The dog ate my homework.” The fact is that the Liberal government was the one that killed the legislation in the last Parliament. That is the reason we are back here today.

Cybersecurity is an issue of critical importance. Cybersecurity has an impact on all aspects of our life. More and more of our daily life is being spent online, and we are becoming dependent on services and infrastructure that are vulnerable to cybersecurity threats. The threats posed by malicious actors are touching every aspect of society. They are touching industry, hospitals, pipelines and individual households.

As we know, with the government's implementation of soft-on-crime bail policies, criminals will always follow the path of least resistance. It is no different in the cybersecurity environment. When a country has poor cybersecurity legislation, it makes itself a target for these malicious actors and encourages that behaviour.

The Liberal government originally introduced Bill C-26 in June 2022, over three years ago. We only started to study the bill two years after it was introduced. We heard repeatedly from the Liberals that cybersecurity has been a high priority and that this is critically important legislation, but here we are, three years later, in an entirely new Parliament, going over the same legislation again.

These delays could have been prevented, but the Liberal government failed. It is unfortunate because we have heard repeatedly that Canada's cybersecurity has been neglected and remains a vulnerable and soft target.

The bill proposes to give sweeping powers to the government, and Conservatives believe that we cannot give the government a blank cheque. We need to study the legislation to ensure that we are creating effective mechanisms for combatting cybercrime without creating unnecessary red tape, bureaucracy or charter rights implications.

The bill has two key objectives. First, it seeks to amend the Telecommunications Act, to give the government the power to secure the telecommunications systems. Basically, the government would have the power to tell the telecommunications companies and others to do things or to not do things, such as removing equipment provided by a hostile foreign power that is being used in our telecommunications systems.

Second, it seeks to create the critical cyber systems protection act; in theory, this would allow the government to impose cybersecurity requirements on federally regulated industries. These industries could include the energy sector, pipelines, nuclear plants, the financial sector, banks, the health sector and other areas.

I believe there are some positive steps towards enhancing public safety in the bill. It is important for Conservatives to point out that there are some serious weaknesses that remain in Canada's cybersecurity posture. In fact, we are the last G7 country without a robust regulatory framework for cybersecurity.

Last summer, the Auditor General released a damning report on the government's capacity to combat cybercrime. I am going to quote her conclusions, because they were scathing:

...the Royal Canadian Mounted Police (RCMP), Communications Security Establishment Canada, and the Canadian Radio-television and Telecommunications Commission (CRTC) did not have the capacity and tools to effectively enforce laws intended to protect Canadians from cyberattacks and address the growing volume and sophistication of cybercrime. We found breakdowns in response, coordination, enforcement, tracking, and analysis between and across the organizations responsible for protecting Canadians from cybercrime.

This raises an important point. We can have all of the laws we want that say all the right things, and we do have some laws on cybersecurity, but it is clear from the Auditor General's report that the government has not invested in the capacity, the resources or the tools to implement the current cybersecurity laws that we have. We need to be assured that, by bringing the legislation forward, the government is not only planning to grant itself these powers but also giving law enforcement the capability to do something with these powers. That is something that it has not really done.

The trend continues to worsen. The Canadian Anti-Fraud Centre projects that losses from cybercrime will surpass over $1 billion annually by 2028. There are actual insurance products being created to protect people from cybercrime. That is not just money being lost to fraud. That is broken lives and ongoing mental health challenges that are devastating our citizens.

We know that coordinated and strategic attacks on our national infrastructure by criminals or foreign adversaries have wreaked havoc, and will continue to wreak havoc, on our society. A cyber-attack on our power grid in the middle of winter would be devastating to hospitals with vulnerable patients or to pipeline infrastructure. Canada has already faced concentrated cyber-attacks against its telecommunication companies since at least 2021, with the Communications Security Establishment saying that it is aware of malicious cyber-activities from People's Republic of China state-sponsored actors.

Canada and our allies have already been the target of cyber-attacks carried out by hostile state-sponsored or aligned groups. In fact, the RCMP, FINTRAC and Global Affairs Canada, just to mention a few, have all been previously breached by cyber-attackers. The seriousness posed by these attacks on our nation's most sensitive information cannot be understated. We need to know that the government is taking action to secure its own systems, not just telling the private sector that it has to secure its systems.

We know that the private sector is taking proactive measures to invest in cyber-defence. With hundreds of thousands of cyber-attacks, and that is not hyperbole, targeting Canada in the first six months of 2025, they have been forced to step up and the government has not.

I hear from constituents on a regular basis that they are concerned that the government's own cybersecurity measures are not up to snuff, particularly in regard to the Canada Revenue Agency. As malicious criminals become more sophisticated, Canadians need to know that their data is being stored in a safe and secure way. Therefore, it is common sense that the Liberal government should hold itself to the same standards that it is holding the private sector to in the legislation.

Bill C-26 was introduced way back in June 2022. This was in the wake of the government's decision to finally, after tremendous political pressure, ban ZTE and Huawei from the Canadian 5G networks. This was long after decisive action had already been taken by all of our Five Eyes partners.

I am pleased to say that I think Bill C-26 left committee in better condition than when it went in, but we have heard from many witnesses who are concerned about the over-centralization of powers that this is giving to cabinet ministers. There is also concern that the bill in its current form gives the government excess executive authority without full proper oversight and guardrails. In Bill C-8, the government has continued to take a “trust us” approach to legislating Canada's cybersecurity, which is alarming to the many Canadians who are concerned that the government may overreach.

Conservatives believe that trust needs to be earned. As a great Conservative politician once said, “Trust, but verify”. Considering the Liberal government's habit of limiting free speech in bills like Bill C-11 and Bill C-18 in the last Parliament, and the illegal use of the Emergencies Act, I believe that many of these concerns are valid and should be addressed. Conservatives need to be able to study the bill, so we can provide amendments and listen to further witness testimony to ensure that accountability and oversight mechanisms are effective and that they are improved.

Another area of concern that was flagged by witnesses was the absence of a special national security-cleared lawyer to act on an applicant's behalf during a judicial review. This is actually a standard practice in other areas of national security when sensitive information is brought forward. Therefore, we find this omission questionable.

Basically, to explain that, part of the provision of the bill is to allow the government to conduct court hearings in secret. When we are dealing with top secret or sensitive information, we can see that there is a justification for that. We need to ensure that anyone who is caught up in that is getting the appropriate legal representation. That is a critically important factor.

Conservatives want to ensure transparency and accountability. We need strong oversight measures, clear retention limits and restrictions on how data can be collected, used and shared, especially with our foreign intelligence partners. We need to define “personal information”. The bill clearly fails to define what personal information is, which leaves the privacy of Canadians vulnerable. We need to ensure that the government is not allowed to keep these orders secret indefinitely without just cause, and we need to ensure there is no overreach of the powers it is giving itself.

Conservatives want to ensure there are appropriate consultations with and involvement of the Privacy Commissioner, the Intelligence Commissioner and other stakeholders in civil society in improving this legislation. We need independent oversight to ensure strong judicial oversight in accessing personal information. We need strong privacy safeguards to ensure that incident reports involving personal information are shared with the Privacy Commissioner. We need limitations so this data is only used in cases of cybersecurity. We need transparency requirements to mandate the disclosure of the secret orders after a reasonable period and consequences for failing to table those reports.

In summary, given the growing geopolitical tensions around the world, we cannot afford to be naive on matters of cybersecurity. We have sensitive research being conducted at our universities. We need to assert our sovereignty in the Arctic. Canada is a target for hostile powers wanting to undermine our country's national interests and go after our citizens.

We know that hostile states like North Korea, China, Russia and Iran have demonstrated the ability to hack into our critical infrastructure and will continue to take hostile action unless we take decisive steps to improve our cyber-defences. While this bill would be a step in securing our telecommunications systems and other federally regulated industries, it is not all-encompassing and there are some gaps. As Canadian society moves increasingly into a digital space, the government needs to remain vigilant and take proactive steps to ensure we are keeping up, because this landscape is always changing.

In conclusion, our Conservative team is looking forward to seeing this bill come back to committee, where we can propose meaningful amendments and listen to key witnesses and the concerns of Canadians so that they are addressed.

While this legislation is important, we need to ensure that we are not giving the government a blank cheque. We need to ensure that the government is held accountable so the powers it would be giving itself would only be used in a justified and proportionate manner.

It being 2:30 p.m., the House stands adjourned until Wednesday, October 1, at 2 p.m. pursuant to Standing Orders 28(1) and 24(1).

(The House adjourned at 2:30 p.m.)

Mr. Speaker, first, I will be sharing my time with the member for Saint‑Hyacinthe—Bagot—Acton.

I am honoured today to have an opportunity to speak in support of the bill on cybersecurity. Now more than ever, it is crucial that we take action to protect our most important pieces of infrastructure against ever-changing security threats and cyber-threats. This is without a doubt a key piece of legislation, perhaps even a life-saving one for Canada.

As we all know, this bill is the result of extensive consultations carried out by the government with numerous stakeholders. We consulted with the provinces, territories, municipalities, critical infrastructure owners and operators, cybersecurity experts, civil liberties groups and the academic community. We listened closely to the concerns they raised about the bill, as well as those raised by stakeholders in committee. One of the stakeholders' key concerns is the need to increase oversight and transparency while strengthening privacy protections.

I want to assure all parliamentarians that the government has taken these concerns into account and has made significant changes to the bill to address them. Although a number of legislative and constitutional instruments already protect Canadians' privacy, Bill C‑8 provides greater certainty when it comes to protecting their privacy and personal information.

In addition, “for greater certainty” clauses have been added to reassure Canadians that orders and directions cannot and will not be used to conduct surveillance activities or intercept private communications. Rather, these powers are intended to be used in rare and serious circumstances where there is an urgent need to respond to a known threat or vulnerability. These amendments are a direct response to concerns expressed by civil liberties organizations.

Bill C‑8 also clarifies that confidential information must continue to be treated as such by anyone who receives it and must only be shared if it is absolutely necessary to do so.

Other amendments also seek to improve government transparency and accountability. When the previous bill was examined in committee, stakeholders expressed concerns about the lack of public reporting requirements for the orders set out in part 1 of the bill. As a result, an amendment was passed to balance respect for confidentiality with the public's need for transparency.

Another amendment now sets out the information that must be included in annual reports to Parliament, such as the number of orders and directions issued and the number of service providers affected. What is more, in response to stakeholders' concerns regarding accountability, the bill was amended to require the government to notify the National Security and Intelligence Review Agency and the National Security and Intelligence Committee of Parliamentarians within 90 days after an order or confidential direction is issued.

During review in committee, civil liberty groups and industry experts expressed concerns regarding the scope of the new powers granted to the government under this legislation. Some stakeholders pointed out that there was a risk that the government could issue orders or directions without consulting or considering relevant factors, such as the existence of reasonable alternatives.

Although the Governor in Council already has a mechanism in place to control its powers, Bill C‑8 addresses these concerns by introducing a reasonableness standard and a non-exhaustive list of factors that the Governor in Council must first consider before issuing an order or direction. When issuing, amending or revoking an order or direction, the Governor in Council may consult with governments and industry, recognizing the need to do so in an expedient manner given the urgency of the situation.

These amendments will ensure that any new powers granted to the government are accompanied by appropriate controls to prevent abuse and strengthen accountability.

They will provide the Governor in Council with greater clarity and fairness in the exercise of these new powers. In particular, the Governor in Council will have to take into account factors such as the operational and financial impacts on public safety before issuing any given order or direction.

Thanks to all these changes, Bill C‑8 has been strengthened and will provide greater transparency and accountability to Canadians. It also provides additional safeguards for Canadians with respect to the protection of their privacy and personal information.

Security threats and cyber-threats are becoming more frequent, complex, sophisticated, and politically motivated. The government is committed to defending Canada and its critical infrastructure. Cyber-threat programs sponsored or supported by states such as China, Russia, Iran, and North Korea represent the greatest strategic threats to Canada today. They are part of global campaigns of espionage, sabotage, and subversion carried out by these states. These malicious cyber-threat activities can seriously compromise Canada's national security, public safety, and economy.

This bill is therefore essential to protect Canadians. It will enable the government to act quickly to promote the security of Canada's telecommunications system by minimizing risks to users.

When we hear stakeholders express their concerns, we take them seriously. We work diligently in committee, guided by a spirit of collaboration and our commitment to the national interest. As several other hon. members have already pointed out, this bill is long overdue. Passing Bill C‑8 will mark an important stage in the government's ongoing efforts to counter security threats and cyber-threats. It will protect the safety of Canadians and Canadian businesses. I urge my hon. colleagues to support it without delay.

Mr. Speaker, the Privacy Commissioner highlighted several amendments that did not make it into the bill. We all know that cybersecurity threats are a very serious issue that we need to work diligently on, but privacy is paramount. Would the member agree that improvements should be made to the bill in the committee process?

Mr. Speaker, let me remind members that this bill was brought before the House in the last Parliament. Obviously, we would be more than willing to consider amendments on anything that has changed since that time. I think it would be rather tedious to have the parliamentary committee repeat the same work done during the previous Parliament.

In my view, the amendments we proposed are significant. They guarantee privacy. We are convinced that Canadians will view that as entirely reasonable.

Mr. Speaker, I want to thank my colleague for his speech. I have a question for him. Although we agree on the general objective of securing our infrastructure, we have concerns related to individual freedoms and the right to privacy.

What guarantees can my colleague give us that information collected by the federal government will not be used for purposes other than the purpose it was collected for?

Mr. Speaker, we had the same concerns as my colleague. We made sure to strengthen those safeguards in the bill. There is now a reasonableness standard that the Governor in Council will be required to consider before issuing a direction or order. I think those safeguards are entirely satisfactory at this stage.

Mr. Speaker, I thank my colleague, the Parliamentary Secretary to the Minister of Public Safety, for his excellent speech.

I am proud of our government, which has proven that it takes public safety seriously with Bill C‑2, the strong borders act, Bill C‑9, the combatting hate act, and our upcoming bail reform.

I would like to hear my colleague's thoughts on why it is so important, in the current context, to have a strong legislative framework for cybersecurity.

Mr. Speaker, the consequences of any breach in our telecommunications and cybersecurity would be catastrophic. It could paralyze the country. That is why we are taking action. We have a legislative model that will be the envy of all G7 and G20 countries. We are confident that we are fulfilling our obligations while respecting the privacy of all Canadians.

Mr. Speaker, in the NDP, we have highlighted that there would be risks to privacy and civil liberties, and the bill would allow for mandatory information sharing between telecom regulators and federal agencies, as well as possibly onward to foreign governments.

One of our questions is this: What is the standard for this disclosure? Simply having the minister's judgment on what is necessary as a standard is vague, subjective and wide open to abuse, so maybe my colleague can answer this: Why are there no requirements for privacy impact assessments in the bill?

Mr. Speaker, we already have a number of constitutional and legislative instruments guaranteeing privacy. Bill C‑8 is very clear on this. It simply allows information collection when faced with a risk that is serious and known. There will be no fishing expeditions. We have established the parameters that will guarantee Canadians' civil rights and liberties.

Mr. Speaker, I am pleased to rise in the House today to speak to this issue. In fact, I spoke to the previous version of the bill, Bill C‑26, in the last Parliament. It is easy to get lost in all these “C” bills.

Since the elements of Bill C‑8 are absolutely identical to those in the previous version, our hopes and fears are exactly the same as well. I could copy and paste what I said last time. Having said that, I am still going to make an attempt at originality today.

I think there is consensus in the House that the goal is so fundamental and that this issue of cybersecurity is so important that it goes without saying we need to give Bill C‑8 a chance at second reading.

The bill will then be studied in committee, where we will have the opportunity to examine it in greater depth. We all agree that this bill is filled with good intentions. However, the road to hell is paved with good intentions, so who knows what else we might find in there. That is often the case with this type of bill. There are issues, and the Privacy Commissioner of Canada has raised some concerns, as have we, while still agreeing with the bill's objective.

I want to start by talking about the objective of the bill. Everyone agrees that cybersecurity is a major issue, including for everyone here in Parliament. In a few days, on October 21, it will be six years since I became a member of Parliament here in the House. I have lost count of the number of emails I have received warning of cyber-attacks. We already know that cyberspace is at the heart of economic and geopolitical warfare in this increasingly dangerous world. Some would say that cyber-attacks are better than military attacks, but unfortunately, they are not mutually exclusive.

Let us look at several examples to show that this issue is not just theoretical. Let us remember that, in 2020, Parliament adopted a motion to force the government to make a decision regarding Huawei and Chinese interference in general. The federal government recently banned Huawei from the 5G network after years of dithering and warnings from intelligence services.

Let us briefly review what the 5G network is to help us understand why there is a clear need for legislation in this area. The 5G network is a new telecommunications technology with bandwidth that is 10 to 100 times greater than that of the current LTE networks. The technology stands out for more than just its speed. It stands out for its extremely low latency, which is the time it takes for one computer to communicate with another and receive a response. This opens the door to many possibilities in different areas, but to achieve such performance, 5G uses a multitude of pathways. To simplify, let us say that something that is sent from Montreal to a computer in Paris could have a portion pass through New York, another through London, another through Barcelona, and so forth. That is the interconnected world we live in today. This makes the technology particularly vulnerable because it becomes difficult to track the path that the data takes.

Huawei has already been implicated in a scandal involving China spying on the African Union headquarters. I do not know if anyone remembers that, but it is extremely worrying. In 2012, China gave the African Union a fully equipped ultramodern building. China told the African Union that it could get set up, that the networks, computers and telecommunications systems would be provided by Beijing. In 2017, after a few years of operation, African computer scientists realized that the servers were sending out huge amounts of data at night, when nobody was working in the building. It was odd. They wondered why that was happening.

They discovered that the data was going to servers in China that were being used to spy on political leaders and staff. As it turned out, Huawei was the main supplier of the network infrastructure. Microphones were discovered in the walls and tables.

In 2017, China adopted a new national intelligence law where all Chinese companies are obligated to contribute to Chinese intelligence work, be it military or civilian intelligence. A company could be told to spy on behalf of another Chinese company to give China an advantage on the world stage.

China has always denied that its companies had to engage in espionage in foreign countries. Western intelligence agencies, however, say otherwise, and also agree that Chinese laws apply abroad. In any case, we know that China's large companies have close ties to the Chinese Communist Party, the Chinese military and the Chinese government, and that all four have an extremely incestuous relationship with Beijing.

In any case, any company that shows the slightest defiance toward the Chinese Communist Party has no chance of prospering. China, of course, is not a market economy. It is a highly controlled and centralized economy even though, on paper, private companies have officially existed in areas known as special economic zones since the death of Mao Zedong, undergoing constant expansion ever since. For a while, it was thought that China would evolve into a market economy, but that has obviously not turned out to be the case.

For all of these reasons, experts are leery of using Chinese equipment in critical infrastructure such as telecommunications infrastructure. Digital technology played a key role in the so-called new silk roads strategy, launched by the Chinese regime in Beijing.

Once again, the British felt that the risk could be mitigated by not using Chinese equipment in certain specific areas, such as the military and embassies. These are such strategic areas that the British excluded them. However, they have since reconsidered their position and banned the company altogether in 2023.

The U.S. intelligence agency, the CIA, and the Canadian criminal intelligence agency, CSIS, believe that the threat is too great and that the company should be banned, just as the Canadian government recently banned Huawei's 5G technology. The United States has banned Huawei from developing 5G technology in the United States and is pushing for its NATO allies to follow suit, which Australia, New Zealand and now Britain have done.

It is important to note that Huawei was way ahead of the game in terms of developing 5G technology, which prompted many companies, including Canadian companies, to consider using Huawei equipment. Since then, many other companies, such as Nokia, Ericsson and Samsung, have caught up. This means there are more options on the market today, and the Canadian telecommunications industry has shifted away from Huawei services to develop 5G technology. Therefore, it is entirely possible. We are not that dependent on what China has to offer.

In addition, countries such as Australia and New Zealand have denied Chinese companies access to 5G technology development, even though these countries are much more dependent on China than Canada is. Justin Trudeau's government could not make up its mind for the longest time, but it finally woke up. Things started to move. The same is true when it comes to concerns about TikTok. The government is concerned that China could be using certain apps to steal information, and rightly so. As we have seen, China is the queen of data collection.

This bill obviously seeks to address a very real problem, to ward off these potential cyber-attacks, but we are concerned about interference from Ottawa. The Privacy Commissioner asked whether there was any evidence that this bill, which does not clearly rule out the possibility of tracking old emails or searches, would not infringe on the most fundamental aspects of people's privacy. The answer is in the question, in that we should likely clarify things and include more specifics to reassure people who may be concerned about their privacy. Right now, there is no evidence to show that the bill will not infringe on privacy, and we certainly do not have any guarantees that it will not.

That is why it is imperative that the committee conduct a thorough study, that we do the study right, that we hear from witnesses and experts. In any case, some of the work was done during the study of the previous version of the bill, Bill C‑26. Unfortunately, that study was not very reassuring. We need to amend the current bill to ensure that Ottawa is not able to infringe on people's privacy.

Mr. Speaker, I thank my hon. colleague for his presentation, which summed up the geopolitical issues and all the challenges posed by certain governments that are more autocratic than democratic.

This bill contains all the necessary parameters to protect people and data. I would also like my colleague to tell us what he thinks are the strengths of the institutions protecting us in Canada. There is no need for fearmongering. Canada does have robust institutions.

Is my colleague familiar enough with these concepts to explain them to Canadians?