Public Safety Committee on Feb. 12th, 2024

Thank you, Mr. Chair.

Members of the committee, I am pleased to be here to assist the committee in its study of Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts.

Cybersecurity is an area of significant importance, in Canada and globally. Digital services that are delivered through cyber-systems and telecommunications networks are central to the ways that we live, work and interact, and impact large volumes of personal information and data. That is why it is critical to protect Canada’s cyber-infrastructure from potential threats.

At the same time, we must ensure that efforts to secure these systems and networks also protect and respect Canadians' fundamental right to privacy. This is not a zero-sum game. Privacy and the public interest are not only compatible; they build on and strengthen each other. I strongly support the objectives of Bill C-26 and believe that it's imperative that we as a society have the necessary tools and the ability to address this important public interest goal.

In my testimony today, I will share ways in which the bill could be strengthened in order to further protect the fundamental right to privacy and address potential privacy implications while achieving its important objectives.

Under Bill C-26, specified persons or entities would be able to collect and analyze a wide range of information, including sensitive personal information that is held by banks, telecommunications operators and energy services providers. The bill would also allow for the sharing of that information with organizations such as intelligence agencies, provincial and foreign governments and organizations established by foreign states.

As drafted, these powers are broad. In order to ensure that personal information is protected and that privacy is treated as a fundamental right, I would recommend that the committee consider making the thresholds for exercising these powers more stringent, and placing stricter limits on the use of those powers. One way of doing so would be to require that any collection, use or disclosure of personal information be both necessary and proportionate. This is a core principle for the handling of personal information that is recognized internationally.

Requiring government institutions to conduct privacy impact assessments, or PIAs, and to consult my office on new programs or initiatives created under the authorities in Bill C-26 would also strengthen privacy protections while supporting the public interest and generating trust. PIAs, which are currently a policy requirement under the Treasury Board Secretariat's directive on PIAs but not a legally binding requirement under privacy legislation, are an important tool for identifying, analyzing, addressing or mitigating privacy issues before initiatives are put in place. They can help reduce inadvertent harms to privacy as initiatives roll out. This is why I've recommended that the preparation of PIAs should be made a legal obligation for the government under the Privacy Act.

Bill C-26 would also allow the Minister of Innovation, Science and Industry to prohibit public disclosures of certain orders and directions made under the proposed act. It's important that any such confidentiality provisions that have the effect of reducing public scrutiny regarding the bill's implementation, including the collection, use and disclosure of personal information, be accompanied by appropriate transparency measures. These could include requiring the government to report to Parliament and/or to my office regularly on the number, nature and purpose of such orders and directions, especially when they involve sensitive personal information. This would reassure Canadians that their privacy is protected at all times.

I would also recommend that the bill be amended to include stronger accountability measures to ensure the protection of personal information that is shared outside Canada. These could include additional oversight mechanisms and established criteria that must be included in information-sharing agreements with foreign jurisdictions, such as restrictions on any onward transfers of the personal information, establishing safeguards that must be applied, and penalties for non-compliance.

Finally, should Bill C-26 be adopted, it will be important that my office have the necessary flexibility to coordinate, as appropriate, with other regulatory and oversight bodies that are involved in responses to cybersecurity incidents in cases that may involve a breach of personal information.

I would be happy to take your questions.

Thank you so much.

Good afternoon, Mr. Chair, and ladies and gentlemen of the committee.

The mandate of the Office of the Superintendent of Financial Institutions, or OSFI, contributes to public confidence in the Canadian financial system by regulating and supervising approximately 400 federally regulated financial institutions. In this role, we ensure that these institutions maintain sound financial conditions, continually assess risks and industry trends, and safeguard against threats to their integrity and security, including cyber-threats.

There’s no question that financial institutions are vulnerable to cyber-attacks. In fact, OSFI has highlighted cyber-risk as a key risk to Canada’s financial stability in our annual risk outlook, which is available online.

Given this, it won't surprise you that we have been, for some time, active as a regulator in expecting our financial institutions to adopt appropriate risk management practices in the face of cyber risks. More specifically, we've taken pains to clarify in our guidelines our expectations for how financial institutions should manage technology and cyber risks to prevent things like outages and data breaches and to improve overall technology and cyber resilience.

This also includes an expectation that financial institutions respond to tech and cybersecurity incidents quickly and effectively and, more importantly, notify us whenever an incident happens. That reporting really helps us to identify areas where individual institutions—or the industry more broadly—need to take steps to prevent issues from arising.

We also provide tools to financial institutions. A good example of this would be our cybersecurity self-assessment, which helps them evaluate their current level of cyber-preparedness and develop effective cybersecurity practices. There is also our I-CRT—that stands for intelligence-led cyber resilience testing—framework, which provides instructions to financial institutions on how to implement a sophisticated approach to what is known as red teaming.

These efforts, and others, are critical, in my opinion, as there's little question that cyber-attacks will continue to increase in frequency and sophistication. Moreover, this is a risk environment that, in our experience, changes rapidly, and failure to protect against it can have serious consequences. A successful cyber-attack could impact the confidentiality, integrity, and availability of data and systems, which in turn could result in loss of public trust, reputational damage and financial loss.

That’s why OSFI is so focused on promoting the sound management of cyber-risks and technology risks generally at all federally regulated financial institutions.

As an identified regulator within a critical sector, OSFI is standing by and ready to support committee members in their reflection around Bill C-26. We want to help to improve the resiliency of Canada’s financial system.

I would be pleased to answer the committee members' questions.

Thank you, Mr. Chair.

Thank you, Mr. Chair and members of the committee. As you know, I attended this committee last week in relation to this bill.

I'm a senior researcher at the Citizen Lab, which is based at the Munk School of Global Affairs and Public Policy at U of T. I have submitted a written brief to this committee along with a colleague, Lina Li of McGill Law, which builds upon the research and analysis of my former colleague at the Citizen Lab, Dr. Christopher Parsons.

Today I will readopt my comments from last week and supplement them as follows.

First, several concerns have been raised throughout these hearings focusing on malicious targeting by, for example, ransomware of aspects of the economy that are outside federal responsibility, such as hospitals. The need for protection in other areas is important, but this committee can also be mindful of the proper scope of its responsibility in its work on Bill C-26.

I also appreciate other committee witnesses raising threats facing Canadian society today. However, it is never a good idea to legislate out of fear. This is an important issue that requires careful due diligence and reflection as to what goes into any amendments. I would suggest the committee carefully look at what it is doing. Making the right decision now could improve the security, safety, privacy and charter rights of all people in Canada for decades going forward. It's incredibly important that lawmakers are thoughtful, nuanced and reflective of the kinds of amendments they propose for the legislation.

Second, our brief sets out recommendation 12—including recommendations 12A through 12C—pertaining to judicial review proceedings under Bill C-26. This includes the recommended appointment of special advocates in judicial review proceedings, and the need to align Bill C-26 with analogous provisions under the Canada Evidence Act applicable to secret evidence. These amendments are not only important but also fair, simple and common-sense enhancements.

Lastly, I also wish to address our recommendation that government entities empowered with new information collection and sharing powers be required to limit the use of that information to cybersecurity and information assurance.

The collection or use of information by national security intelligence agencies like the CSE about Canadians or persons in Canada is a core matter of public and constitutional concern. The concern that the CSE may repurpose information it receives through Bill C-26 into its other intelligence activities is not a speculative one. Recent reporting from the National Security and Intelligence Review Agency, or NSIRA, documents that, at this time, the CSE does not consider itself prohibited under its home statute from repurposing information about Canadians across its mandates.

However, only a few years ago, in Bill C-59, an important equilibrium was struck by Parliament concerning the need for important limits, given the prohibition against intelligence agencies directing their activities towards people in Canada. Bill C-26 could destabilize this important equilibrium. It currently contemplates broad and even secretive government collection and sharing powers about information concerning people in Canada. While the Department of Justice's charter statement on this bill referred to the government's potential use of only technical information and not sensitive personal information, there are no caveats or safeguards to stipulate this in the legislation. Clarity is needed.

Telecommunications providers, for example, are quite literally conveyors of the most private information known to our legal system. I agree with witnesses from CIRA and OpenMedia that this is a core matter of public trust. The public should not have to be asking itself whether the government's cybersecurity bill is actually a spy bill under a different name.

As noted by Mr. Hatfield last week, NSIRA has reported a chronic problem in reviewing the lawfulness of the CSE's activities since its inception. Lawmakers here should be very cautious when considering whether extending additional new powers is appropriate or necessary under Bill C-26, and what corresponding judicial oversight mechanisms are necessary and fit for purpose to protect the privacy of all people in Canada.

Thank you. I'm happy to answer any questions you may have.

Well, we do so at any appropriate time. Ideally, we would hope to be consulted prior to the bill being tabled, but the regular way is for my office and me to be called to committee to give a recommendation on a bill. We can also do the same for regulations and consultations with the government.

I hope so. We're certainly prepared for that. We expect that and we would call on the government to involve us in that.

Certainly in terms of data crossing national boundaries and being shared with other institutions, my recommendation is to make sure we have specific requirements for these information-sharing agreements so that the purpose, the retention and the safeguards regarding that information by our international partners—all of these—are set out and are strict, and there's a dispute resolution mechanism just so we bring in more rigour and guardrails to those exchanges of information. The concepts of necessity and proportionality should also be included when it is being determined whether to share the information in the first place.

The legislation currently doesn't provide a role for my office. The role would be specified under the Privacy Act. We have jurisdiction over the government's handling of information and we have jurisdiction over the private sector's handling of information.

One of our recommendations is to have more transparency mechanisms so that we can know what is happening and so that we can know what type of information is being collected, disclosed and used so that we can exercise our powers in that regard.

With regard to those reports, there's a provision in the bill for an annual report by the minister overall. We're recommending that this be more specific and that there be more details about what is happening.

We would also potentially have a role in working with the regulators in cases of cyber-breaches and cyber-incidents. One of my recommendations is that we be given the ability to collaborate with those regulators and, as needed, exchange information and work collaboratively when cyber-incidents involve personal information. We know that's a big area of concern for Canadians.