Bill C-8

Madam Speaker, I am rising on a point of order. The interpretation stopped working during my colleague's speech.

The minister is moving papers around near the microphone and it is affecting the sound quality and making it hard for the interpreters to hear.

The minister has to be careful when moving his sheets of paper, because they are covering the mic. Apparently it interrupts the interpretation.

Interpretation is now working.

The hon. minister.

Madam Speaker, I thank my colleague.

Canada's critical infrastructure providers and enterprises are increasingly targeted. It is not just our government that is aware of these threats. The Canadian public is increasingly seeing these threats in headlines. They see that malicious cyber-actors are breaching our country's IT systems, accessing sensitive information and putting lives in danger. They see that cybercriminals are holding our businesses for ransom, and they see that hostile state actors are stealing information and gaining access to systems that are critical to our national security and public safety.

Unfortunately, these threats are spreading around the world.

The cyber centre's most recent national cyber-threat assessment found:

Canada is confronting an expanding and complex cyber threat landscape with a growing cast of malicious and unpredictable state and non-state cyber threat actors, from cybercriminals to hacktivists, that are targeting our critical infrastructure and endangering our national security.

It has also warned that Canada's oil and gas sector is a likely target for disruptions. At one point last year, the CSE said a cyber-actor “had the potential to cause physical damage” to a piece of critical infrastructure in Canada.

The threat is real.

In July 2025, Colabor Group, a Quebec-based food wholesaler, was affected by a cybersecurity incident that impacted its internal IT systems. Before this, Pembroke Regional Hospital, in Ontario, experienced service delays and had to cancel certain appointments and procedures because of a cybersecurity incident.

Earlier this year, a cyber-incident impacted WestJet, resulting in the theft of personal and travel-related data, though no credit or debit card information was compromised. As we will recall, last week, some airports in Europe were also disrupted because of cyber-threats.

In March 2024, the City of Hamilton in Ontario was hit with a ransomware attack that shut down many of its online services.

While Hamilton's critical services were not affected, cyber-incidents in municipal networks can lead to dangerous situations if an attack tampers with emergency water and waste-water systems. The high-value data held by these enterprises and governments, including sensitive personal information and financial data, makes them an attractive target for cybercriminals and state-sponsored actors or their proxies.

These incidents highlight the ongoing cybersecurity challenges faced by Canadian organizations across various sectors and jurisdictions. We need to act urgently to enhance our preparedness and improve the resilience of our critical infrastructure so that we can tackle these threats head-on before damage is done.

Bill C-8 is essential to achieving this.

Bill C-8 would help promote increased cybersecurity across four major sectors: finance, telecommunications, energy and transportation. Part 1 would amend the Telecommunications Act to enshrine security as a policy objective and bring the security framework regulating the sector in line with those of other critical infrastructure. The amendments to the Telecommunications Act would enable the Governor in Council and the Minister of Industry to direct telecommunications service providers to take specific actions to secure the Canadian telecommunications system.

This change would enable the government to act quickly in an industry where milliseconds make all the difference between security and risk.

When necessary, this means that Canadian telcos could be prohibited from using products or services from high-risk suppliers, which would prevent these risks from being passed on to users.

With these changes, the Governor in Council and the Minister of Industry would have the ability to take security-related measures, just as other federal regulators can do in their respective critical infrastructure sectors. These authorities do not just focus on cybersecurity but can equally address situations of human error or climate-based disruptions that can cause a risk of outages to these critical services.

Second, Bill C-8 would introduce the new critical cyber systems protection act, which would legally compel designated operators to protect their critical cyber systems. Currently, the list of vital services and systems is composed of the Canadian telecommunications services, banking systems and other federally regulated industries, such as energy and transportation. However, the Governor in Council may also add new vital services and systems if needed.

This part of the bill would provide the tools the government needs to take further action to address a range of vulnerabilities. To do so, designated operators of vital services and systems would be obligated to develop and implement cybersecurity programs, mitigate supply chain and third party risk, and comply with cybersecurity directions.

It would also increase the sharing of information on cyber-threats by requiring the reporting of cybersecurity incidents above a certain threshold. Currently, there are no such legal requirements for industry to share information on cyber-incidents and no legal mechanism for the government to compel action in the face of known threats or vulnerabilities.

That means that the government may not be aware of the threats and may not be able to respond to them.

When it comes to national security, we cannot rely on the goodwill of industry alone. We must enshrine a more robust cybersecurity framework into law.

We heard from witnesses during committee study of Bill C-26, which was introduced in the last session of Parliament and adopted in the House in June 2024, that mandatory reporting on cybersecurity incidents is essential to protecting our country's national security and critical infrastructure. Mandatory reporting provides the government with increased visibility into the cyber-threat landscape and allows for more accurate and targeted sharing of technical advice and guidance to combat the exploitation of vulnerabilities.

This section of Bill C-8 also aims to serve as a model for our provincial, territorial and municipal partners to protect critical cyber-infrastructure in sectors under their respective jurisdictions. It would support all sectors in the prevention of and recovery from a wide range of malicious cyber-activities, including cyber-incidents, cyber-espionage and ransomware.

Since the introduction of Bill C-26, our government has undertaken widespread consultations with a broad range of stakeholders. Among those consulted were provinces, territories and municipalities; critical infrastructure owners and operators; civil liberty organizations; and academia.

We listened carefully to the concerns raised during debates on Bill C-26, as well as those raised at committee discussions of the bill in both the House and the Senate. Among the concerns was a need for more oversight and transparency, as well as the need to ensure that privacy is protected.

Bill C-8 would further protect Canadians' fundamental rights under the Privacy Act.

While Canadians' privacy is already protected through a number of constitutional and legislative instruments, this legislation would provide greater certainty to Canadians that their privacy and personal information will be protected. It is also now clear that confidential information must continue to be treated as such when it is necessary for it to be shared, and its recipients must similarly be respectful of that confidentiality.

The bill provides assurances to Canadians that directions issued under both part 1 and part 2 of the legislation would not be used to engage in surveillance or to intercept private communications. This responds directly to the concerns we heard from civil liberty groups.

The act also includes provisions to increase the government's transparency and accountability while still balancing the need for confidentiality, quick action and the public's desire for transparency. The bill includes an obligation for the government to notify the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency within 90 days after an order or direction is made. Furthermore, annual reports to Parliament would need to include information such as the number of orders or directions that were issued and the number of impacted operators.

Civil liberties groups and industry experts also expressed concerns about the new broader powers granted to the government under former Bill C-26.

For example, stakeholders said there was a potential for orders or directions to be issued without the government consulting or considering relevant factors, such as whether reasonable alternatives exist to issuing the order or direction. As a result of these concerns, the bill includes a reasonableness standard and a non-exhaustive list of factors the Governor in Council must first consider before issuing an order or direction. When issuing, amending or revoking an order or direction, the Governor in Council would be able to consult governments and industry, recognizing the need to do so in an expedient manner given the urgency of the situation.

While the Governor in Council already has checks and balances on their powers, criteria qualifying the government's order-making and direction-making powers are expected to prevent their misuse and improve accountability. In fact, the addition of the reasonableness standard and relevant factors for consideration before issuing an order or direction, such as operational, financial and public safety impacts, would provide the Governor in Council with further clarity and fairness around the use of these new powers.

Bill C-8 would provide transparency and accountability to Canadians. It would also provide further reassurances to Canadians that their privacy and personal information will be protected.

I hope my fellow parliamentarians will agree that Bill C-8 would provide a strong foundation for securing Canada's critical infrastructure against the dynamic and sophisticated threats that are becoming increasingly common and dangerous.

In today's world, there is no shortage of bad actors who seek to exploit vulnerabilities in our cyber systems across all of our country and society. Whether it has to do with our financial systems, telecommunications, energy sector or other critical infrastructure, we now live in a world where cyber-threats are commonplace.

By using critical infrastructure, individuals, the government, businesses and owners are all experiencing this new reality every day.

Successful cyber-incidents have severe, lasting and alarming consequences for every entity impacted but most of all for the economic and mental well-being of individuals whose lives are disrupted and whose data is compromised. Nowadays, our cyber systems are understandably complex and increasingly interdependent with other critical infrastructure. This means the consequences of security breaches are far-reaching. This malicious threat activity has the potential to seriously compromise Canada's national security and public safety, and our economy.

Bill C-8 would bring us a much-needed, consistent, cross-sectoral approach to cybersecurity. It would allow our government and industry to do more to prepare for and prevent debilitating cyber-incidents when and if they occur. This is a crucial piece of legislation to make sure our defences meet the moment, in order to protect our national security and our economy. It would demonstrate that we are a capable and sovereign ally and position our country as a global leader in cybersecurity, ensuring that Canada remains secure, competitive and connected.

Our government knows that, more than ever, secure and reliable connectivity is a necessity for our daily lives and our collective safety and security. As lawmakers, we have the power, through the passage of Bill C-8, to ensure that Canadians and businesses continue to thrive in the digital economy and that their banks and telecommunications providers continue to provide them with reliable service.

Cybersecurity is national security. This legislation would protect Canadians, businesses and the cyber systems they depend on well into the future so they can continue to work and live their lives comfortably and securely, safe in the knowledge that their government is doing all it can to ensure we have reliable and secure services and systems.

Our government's top priority will always be to keep Canadians safe.

That is exactly what Bill C-8 would help us do.

Madam Speaker, it is always a pleasure to rise on behalf of the people of Kamloops—Thompson—Nicola.

My colleague gave a speech and spoke about increasing cybersecurity. It is no secret that everything has increased under the Liberals, whether it be the cost of living, the amount of tax we are paying or the cost of groceries, which the Prime Minister said we should judge him on. It has gone up. Right now, we have a cost of living crisis.

Small businesses are the engine of the Canadian economy. How will these regulatory burdens impact small businesses when it is death by a thousand cuts already as a result of Liberal inaction on so many different fronts?

Madam Speaker, I would argue that Bill C-8 would in fact help small businesses.

If members recall, this is about securing critical infrastructure, whether it is in telecommunications, transportation, finance or other critical infrastructure. For example, if the banking system were to be taken down or was off-line for several days or even hours, it could severely impact the ability of small businesses to do their job. The telecommunications infrastructure is an example. If someone were to try to pay through the Interac system, but it was down because of a cyber-attack, this bill would ensure small businesses are protected. This bill is meant to ensure that critical infrastructure, which is important for the operation of small businesses, is protected. This is what Bill C-8 would do.

I look forward to other questions from the member opposite.

Madam Speaker, I listened carefully to the minister. I also reviewed the bill and read the legislative summary from the Library of Parliament. As a side note, the work of the Library of Parliament's analysts and researchers is outstanding. They are really great.

Although the minister is trying to reassure us, the fact is that some doubt remains in terms of the protection of privacy in this bill. The bill will be supported by the Bloc Québécois, which will vote for it at second reading in order to refer it to a committee.

Is the minister open to the idea of further improving Bill C‑8 through amendments that the Bloc Québécois may introduce?

Madam Speaker, the predecessor bill to Bill C-8 was Bill C-26. A lot of work went into ensuring that it is the best bill we can bring forward. A number of changes were made. As members will recall, Bill C-26 was almost completed in the previous session.

Having said that, we are always open to ensuring the bill is strengthened. The privacy rights of Canadians are essential to the government. We are governed by the Charter of Rights and Freedoms. We will ensure that we work closely and in collaboration with opposition parties to strengthen and pass this bill.

Madam Speaker, I would like to thank the minister for tabling this bill, which we are now studying at second reading.

I sit on the Standing Committee on Access to Information, Privacy and Ethics. I would like the minister to tell us a bit more about the importance and impact of protecting privacy and personal data in Bill C‑8.

Madam Speaker, I want to thank my colleague, who has returned to Parliament. I am very excited to work with her again in her capacity as a member.

I want to highlight that there are a number of provisions in the bill that would ensure the security of privacy information in the course of this bill's implementation. For example, the personal, confidential information of individuals or businesses could not be shared. It would need to be shared in the context of ensuring the security and safety of critical infrastructure and for no other purpose.

We have done a fair bit of work to ensure that privacy rights are protected. Of course, in anything we do, we are still governed by the Charter of Rights and Freedoms, which protects Canadians against breaches where their individual information may be shared. This is a bill to ensure that businesses, such as the business my friend opposite used to run in her riding, could continue to work without disruptions in the banking or telecommunications sector, for example, or from loss of hydro. It is so that small businesses would not be impacted whatsoever at times when there may be incidents of cyber-attacks.

Madam Speaker, when this bill came forward in the last Parliament as Bill C-26, it went to the Senate. Senator Denise Batters was the critic for the file, and the Privacy Commissioner said that there was an amendment needed to address privacy. The senator has reviewed Bill C-8 and said that the amendment was not incorporated.

Why did the minister not take the advice of the Privacy Commissioner?

Madam Speaker, as this bill goes through the parliamentary process, whether here, at committee or in the other place, we will of course welcome the opportunity to discuss additional measures we need to take.

Bill C-8 was introduced in the form that was completed when Bill C-26 went through all the processes. This is just a continuation of that process. I believe that we have incorporated all the proposals from the previous version of this bill, but we look forward to having a robust discussion at committee.

Madam Speaker, the minister is correct. It is true that Bill C‑26 from the last Parliament and the current Bill C‑8 are almost identical. However, he is forgetting that the opposition parties proposed amendments in committee. Those amendments were rejected, but they will come up again because the Bloc Québécois feels that some of them are important.

The question I would like to ask the minister reflects the concerns shared by small and medium-sized businesses. There are no provisions to help them enhance their security measures to protect their systems.

Even though the standards are welcome and urgently needed, given the current difficult economic climate, are there not things that could be done to support SMEs in becoming cybersecure?

Madam Speaker, it is important to recognize that this bill would not impact or impose conditions on SMEs. It is much more for bigger telecommunications companies, transportation companies and critical infrastructure across Canada that are quite large enterprises. They are not small businesses per se. In fact, the work we do protecting and ensuring cybersecurity is to protect and support small businesses, at its core.

Madam Speaker, certainly Bill C-8 has a number of improvements based on the debates we had in this place before Bill C-26 died on the Order Paper and, as my hon. friend from Sarnia—Lambton—Bkejwanong just mentioned, on work done in the Senate as well. However, these persist.

As the minister knows, under part 2, proposed section 35, there remain very serious privacy concerns that this would open a back door to surveillance on Canadians, as would Bill C-2, which is not being debated today. There is a pattern here of reducing the threshold for Canadians' private information to be not just obtained by our government but also shared with other governments and actors.

Is the minister open to amendments to repair these flaws?