Thank you for the question.
As I mentioned in my opening remarks, CSIS is presently prohibited by its governing statute from sharing all but the most generalized information with the business community. This is because, for lack of a better word, the federal government is CSIS's exclusive client. Therefore, the private sector can't get access to information. Academic institutions can't get access to information, and neither can municipalities or indigenous governments.
The only exception to this general rule is once a national security threat materializes into an imminent national security event. At that point, if CSIS can satisfy some very stringent legal requirements, it can use its threat reduction mandate to alert a specific company about a specific threat.
This means of sharing information is very much a legislative workaround. These threat reduction powers were not designed for information sharing, so this process is deeply flawed. The main reason it's flawed is that, as I mentioned, there's a very strict legal requirement that must be met before information can be shared. That means these powers are rarely used.
Second of all, the regime is reactive in nature. Threat information can only be disclosed after a material and immediate threat has emerged. At that point, that information provides very little utility for a business, as its options to mediate or mitigate the threat are very few. Moreover, as I mentioned, the disclosure can only be made to a specific business that has been targeted.
If the goal is to strengthen the overall resiliency of the Canadian economy, the current set of tools is inadequate. That's why the Business Council has been very supportive of the adoption of subclause 34(3), which allows CSIS to proactively share threat intelligence with a broader set of stakeholders, including the business community.
You mentioned that the Business Council, as a part of advocating for these changes, has been very clear from the start that any new amendments must be reflective of the values that we share in our society, including the protection of individuals' rights and freedoms. Therefore, we were very pleased to see—and I can get into this more in another question—that there are a number of checks and balances to protect individuals' and corporations' privacy, as well as accountability mechanisms.
For instance, if there's a disclosure of personal information or corporate information that is otherwise prohibited, that information needs to be shared with NSIRA. There also needs to be ministerial authority granted, and the minister, in that case, must be of the view that the disclosure is essential to the public interest and that the benefit of the disclosure to Canada's national security clearly outweighs the privacy implications.