Public Safety Committee on Feb. 12th, 2024

Yes. In the situation where an individual or institution would seek to challenge the collection powers or orders under Bill C-26, there is a judicial review mechanism that's available. There are other complaint proceedings that are available in law outside of the scope of Bill C-26.

In this case, it contemplates secret evidence. In this case, there is some language that is included. Unlike the minister's discretion to keep secret the orders themselves—and that discretion doesn't appear to have any limits—there is some language in the bill at least with respect to the secret evidence proceedings. However, we've recommended that it be tightened and aligned with that which is set out in the Canada Evidence Act, because there's no justification for diluting that requirement or the court's ability to balance the public interest in disclosure in contrast to the government's interest in confidentiality. That's essential, in our view, with respect to the constitutionality of the scheme.

Similarly, I think it's subscriber account information, communication data, website visits, metadata, location data and financial data that may not be what is ultimately requested, but we want to make sure that the bill doesn't allow for it.

What we're recommending is that notion of necessity and proportionality that would bring that rigour to say, “You may need it, but also consider whether there are less privacy-intrusive means to achieve the goal.”

I think a lot would depend on the regulations, but as the committee will be well aware, there are a number of different expected outcomes associated with the legislation relating to identifying, managing, preventing, detecting and limiting damage associated with cyber-attacks. We're already quite active in a lot of those areas, and we have a lot of levers through our supervisory work to be able to try to encourage financial institutions to respond to those different expectations.

I think the difference here is that if this legislation were to be introduced and regulations were to be introduced, rather than having us rely on our supervisory oversight as a lever to try to encourage good practices, it would be the case that there are different expectations that would have the force of law, which would then be subject to regulatory enforcement.

In terms of the specifics around those different levers, I suspect others would be better placed to speak to them than I.

We have an incident-reporting protocol whereby we set out for financial institutions our expectations of when and how they report incidents to us. Now, in a sense, one could say they're voluntary, but I'll give you a bit of background, if you'll permit me.

As a prudential regulator, we have a general responsibility when it comes to overseeing financial institutions and making sure that they're engaging in sound risk management practices. What we do, then, instead of issuing regulations that have the force of law, is articulate for them our expectations of them, which we then supervise them against.

When we issue, for example, a reporting protocol, which we have in place, more often than not the case is that financial institutions comply with it, because if they don't, we may consider that as part of our ongoing supervisory oversight of them.

This legislation would be a bit different from what we currently have in place for reporting. Under our reporting protocol, banks report to us. If something happens, we have a mechanism for them to indicate to us within 24 hours that an incident has occurred.

Here, with this legislation, the reporting would be to a cybersecurity centre, so there would basically be dual reporting. We'd have to figure out, for example, how we effectively and efficiently facilitate that, because we have a form for reporting and there would undoubtedly be one under this particular regime as well. However, that's something we would be able to tackle with banks to make sure that the reporting expectations were clear to both coordinate parts of government.

There are a number of recommendations, including those identified in my comments of the last date as well as in today's proceedings, in addition to those identified by Commissioner Dufresne.

We have set out recommendations relating to the need for proportionality and reasonableness limits as an overarching framework that guides both the minister and the government in the implementation of the bill, but also the oversight mechanisms that should be attendant to the privacy interests and other interests that are at stake in this type of legislation.

We have recommended that there be a formalization through the legislation of the role for independent regulators in the assessment of the proportionality criterion when considering potential orders to be put in place under the act.

In light of the really sweeping nature of the types of privacy interests that are engaged by the institutions at issue, including telecommunication providers, we've recommended, being mindful of the constitutional obligations of the government in legislating, that judicial oversight be applicable to private information, de-identified information that has a reasonable expectation of privacy, which is absent from the legislation at this time.

Thank you for the question. My apologies for responding in English.

Our recommendations here intersect with the public policy implications of the legislation, as well as potential constitutional risks around the equity impacts or potential discrimination impacts of the legislation in the order-making power. In terms of the need for standards for telecommunication providers, to protect the security of individuals in Canada, it's absolutely necessary on a platform-neutral level. However, there are potential impacts for Canadians in certain regions, including in rural or indigenous communities, who may suffer from the adverse impacts of smaller, orbit-size providers being unable to maintain viability in implementing security measures.

We have noted that the CRTC has found recently that there have been successive years of decline in competition in Canada. This was particularly noted in Quebec and Ontario, where the declines have been most significant, so this is where we've identified the need for appropriate balance.

There are a number of models. I would have a hard time identifying one model as the best option.

For example, the European model sets out the key privacy expectations of necessity, proportionality and transparency. It gives a prominent role to privacy organizations. In addition, this model requires other countries to have a proper system in place. These countries are assessed. Canada has recently been granted the status of a country that ensures a proper level of protection. This model makes sure that these criteria are strictly enforced.

Other countries have reached agreements or signed treaties to this end. Quebec adopted Law 25. This legislation requires a privacy impact assessment if data is shared outside Quebec.

These are all examples of discipline and rigour. We must think about privacy from the outset, as soon as we come up with an initiative, as soon as we decide to use a tool.

Priority ones are basically high-impact incidents that cause disruption of service or leakage of data, so any that meet that definition would constitute priority one and be accordingly reported to us.