Public Safety Committee on April 8th, 2024

Evidence of meeting #101 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.

A recording is available from Parliament.

On the agenda

An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts
Committee Business

MPs speaking

Heath MacDonald
Doug Shipley
Jennifer O'Connell
Peter Julian
Ron McKinnon
Pam Damoff
Kristina Michaud
Glen Motz
Larry Brock

Also speaking

Andre Arbour  Director General, Strategy and Innovation Policy Sector, Department of Industry
Colin MacSween  Director General, National Cyber Security Directorate, Department of Public Safety and Emergency Preparedness
Stephen Bolton  Director General, Strategic Policy, Communications Security Establishment
Richard Larose  Senior Technical Advisor, Communications Security Establishment
Clerk of the Committee  Mr. Jean-François Pagé

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

For the purposes of this particular clause, we need to ensure there's not information floating out there needlessly, but if it's too broad to have “for as long as is necessary”, how do you define it so that the officials and private operators whose information we want to protect is comfortable? What's a reasonable term? I can't think of reasonable language, other than a set date.

Generally, there are a set number of days, months or years that you can retain information, and then it has to be destroyed.

4:50 p.m.

Liberal

The Chair Liberal Heath MacDonald

Go ahead, Monsieur Larose.

4:50 p.m.

Richard Larose Senior Technical Advisor, Communications Security Establishment

Thank you, Mr. Chair.

For data that are not particularly useful, the retention period is a maximum of one year. That is for sure. Furthermore, when working with organizations that report incidents, we have agreements with them on how long we can retain their information.

If a product is created by a cybersecurity incident, we have to retain the information from that product as long as it's useful. As I said, if the product is useful, we retain the data. If the analysis is complete or the incident is over, we stop and destroy all the data related to the incident.

4:50 p.m.

Liberal

The Chair Liberal Heath MacDonald

Is there any further discussion?

I believe we'll vote on this amendment. It's BQ-17, just so we're all clear. We're voting on this amendment.

(Amendment agreed to [See Minutes of Proceedings])

We're on BQ-18. If BQ-18 is moved, CPC-25 cannot be moved, as they are identical.

Is there any discussion?

4:50 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

Thank you, Mr. Chair.

BQ‑18 is also pretty straightforward.

It would add the following provision:

(2) A person or entity that collects or receives information under subsection (1) must not use it for any purpose other than that set out in section 5.

That was recommended by one of the organizations the committee heard from, the Canadian Internet Registration Authority.

4:50 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Ms. Michaud.

Is there any discussion?

4:50 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

I'm sorry, Mr. Chair, but I'm just catching up.

4:50 p.m.

Liberal

The Chair Liberal Heath MacDonald

Ms. O'Connell, go ahead, please.

4:50 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Thank you.

I have concerns about the exchange of information. I feel that this is a little bit redundant, since we, in our earlier amendment, dealt with the issues around confidentiality and that any of that information must not....

This amendment reads, “must not use it for any purpose other than that set out in section 5”. I think it's a little redundant, in the sense that we've already clarified that the confidentiality continues. We've also clarified that the collection of data is specifically for its use; it's not expanding powers.

The intention is fine. I just think we've already addressed it in other amendments.

4:50 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Ms. O'Connell.

Are there any further comments?

Shall we vote on this?

(Amendment negatived [See Minutes of Proceedings])

We're on CPC-26. Go ahead, Mr. Shipley.

4:55 p.m.

Conservative

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Thank you, Mr. Chair.

I would actually like to ask for unanimous consent to try to speed things up a little bit today. We might be able to get through this.

With unanimous consent from the committee, we would like to withdraw CPC-26 right through to CPC-50.

Oh, it seems we don't need unanimous consent. We'll just do it, then.

4:55 p.m.

Liberal

The Chair Liberal Heath MacDonald

Okay, we're on BQ-19.

Go ahead, Ms. Michaud.

4:55 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

I won't be moving BQ‑19 or BQ‑20, Mr. Chair.

4:55 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you. Then we're on BQ-21.

4:55 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

The purpose of BQ‑21 is merely to add definitions for the terms “de‑identify” and “personal information”.

Since the bill contains other definitions, I thought it was appropriate that these two be added.

4:55 p.m.

Liberal

The Chair Liberal Heath MacDonald

Is there any further discussion?

4:55 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Mr. MacSween, what would the implications of this amendment be? My concern would be that it removes the ability of disclosure from an operator. Am I reading that incorrectly? It's if an order is actually issued.

I'm sorry. I'm reading, thinking and speaking at the same time. However, my understanding is that this would be a little contrary to, I think, the intentions of the act.

4:55 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Ms. O'Connell.

4:55 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Wait. I'm sorry. I had a question for Mr. MacSween.

4:55 p.m.

Liberal

The Chair Liberal Heath MacDonald

Go ahead, Mr. MacSween.

4:55 p.m.

Director General, National Cyber Security Directorate, Department of Public Safety and Emergency Preparedness

Colin MacSween

The disclosure and use provisions of the CCSPA only include protections for confidential information right now. That's partially because, again, the act was constructed in such a way that it only contemplated the collection of technical information, information related to commercial interests, and that type of thing.

Similar to what I explained earlier, the way the law is set up is that because it only intends to collect that type of information, it defers responsibility for, say, personal information to existing statutes—for example, the charter and the Privacy Act and the requirements therein. Then, as well, for any of the statutory requirements that may be found in the acts of the agencies that are involved in the administration of the act, there are many safeguards built in there.

One of the challenges here is that it introduces two new concepts to part 2: the de-identified information and the personal information that the government would need to consider when disclosing this. Taken together, the consequences of accepting this amendment could be that information regarding the protection of critical cyber-systems is not shared because it does apparently raise the statutory requirement to share that information.

4:55 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

What does that mean in the real world? Can you give me an example of information that could be shared but isn't shared and of how that looks—if that's what I'm understanding—or are you saying that this limits even the information that can be shared?

4:55 p.m.

Director General, National Cyber Security Directorate, Department of Public Safety and Emergency Preparedness

Colin MacSween

It could potentially limit the information that could be shared. It is a bit difficult to say, because it does introduce, as I said, these two new concepts.

There are two concerns. One is that depending on who is doing the disclosing, they would now need to consider these requirements above and beyond whatever safeguards are already in place. I think the other key component is just simply that it does seemingly raise the overall threshold beyond, say, what is currently in the Privacy Act.

5 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Okay. I think one of my concerns here is that it's confusing in that what is being added is above and beyond disclosure. Why would we want to limit disclosure? If there is an ability to disclose something, notwithstanding some of the challenges, why would we limit that even further? That's why I have issues with that idea.

Unless colleagues can make a more compelling or stronger argument, I don't see why we would want to limit where we can disclose any of that information.

5 p.m.

Liberal

The Chair Liberal Heath MacDonald

Is there any further discussion?

(Amendment negatived [See Minutes of Proceedings])

We are on G-16.

Ms. O'Connell, go ahead, please.