Evidence of meeting #10 for Public Safety and National Security in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Before the committee

Quaid  Executive Director, Canadian Cyber Threat Exchange
Stupak  Senior Director of Advocacy, ISC2, Inc.
Simon Noël  Intelligence Commissioner, Office of the Intelligence Commissioner
Dufresne  Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Dehaas  Counsel, Canadian Constitution Foundation
Shull  Managing Director and General Counsel, Centre for International Governance Innovation
Lefebvre  Chairman and Co-founder, Crypto Québec
Polsky  President, Privacy and Access Council of Canada

12:10 p.m.

Senior Director of Advocacy, ISC2, Inc.

Philip Stupak

Thank you for both of those questions. They're extremely pertinent.

On the workforce question, Canada has a very robust workforce. You have an impressive workforce that has the tools and capabilities to implement Bill C-8.

I will be honest. We all need more. We need more professionals within this space. We need more people who have certifications that indicate they have the necessary skills in order to do the work that needs to be done. This is important. Too often, we are focused on education and whether someone has the necessary degree, but what we're really looking for are the skills in order to do this work.

There are efforts under way under the NICE framework, for example, to define what those functions are that every role within cybersecurity should have, and then how you meet those functions. This is being developed. I think this is something that is not robust enough across borders, but the point is that you do have the capability to begin implementing. You are going to need to do more education. You are going to need to do more training. You're going to need to do more certification.

On the question of international frameworks, because you do take the sectoral approach and it is directed at a particular sector, I think you are very well aligned with the United States and how we have historically done this—by looking at each sector and what needs to be done within that sector. Not all sectors are equal. Bluntly, the water sector within my country is not at the same level as financial services. You do need to have that approach, because not everyone is ready to do the same thing at the same time.

I would compare this also to the NIS2 standards from within the European Union. That is not how I would recommend to do this. There, they take much more of an auditing perspective, and it's impossible to audit all critical infrastructure as frequently as you need to. Moreover, the compliance regime is simply not mature enough or robust enough yet to comply with NIS2.

I appreciate that this bill takes more of a sectoral approach, which is more like the United States and a little less like the European Union.

Sima Acan Liberal Oakville West, ON

Thank you.

Marianne Dandurand Liberal Compton—Stanstead, QC

Mr. Chair, I'd like to thank my colleague for sharing her time with me.

The commissioners' comments have been very informative.

Mr. Stupak and Ms. Quaid, what kind of information is shared usually?

What do the indicators of compromise look like, and how do they differ from the typical data?

12:15 p.m.

Executive Director, Canadian Cyber Threat Exchange

Jennifer Quaid

The information that is shared under this proposed legislation would be information that comes from a successful cyber-attack, a breach, if you will, where PII has been impacted or where other information has been leaked, taken, stolen or otherwise made inoperable. That's critically important for our government to be aware of, and it is critically important that it be reported, because unless we are reporting on cyber-attacks, we actually don't know the size and scale of the problem.

What I was referring to goes beyond that. I'm interested in the information that is perhaps not quite so successful an attack. That is the information where an organization is impacted by a cyber-attack, but it is not at the level of a breach. Their defences held, if you will. Maybe the outer defences failed and the inner defences held. That's the information that is important to share with the greater community.

Safe harbour legislation should never be restricted to sharing information with the same regulators and government officials that this bill represents. Safe harbour legislation needs to protect people and organizations when they share information with the broader community.

I'll give you a very quick example—

The Chair Liberal Jean-Yves Duclos

In just a few seconds, Madam Quaid, please.

12:15 p.m.

Executive Director, Canadian Cyber Threat Exchange

Jennifer Quaid

—in one second. We have one very large member that frequently tells me they are able to share cyber-information—TTPs and IOCs—with the FS-ISAC in the U.S., which is an information-sharing association for financial services, and that they cannot share in Canada because they're not protected. It's frustrating.

The Chair Liberal Jean-Yves Duclos

Thank you, Madam Quaid.

Marianne Dandurand Liberal Compton—Stanstead, QC

I would have liked to hear Mr. Stupak on that—

The Chair Liberal Jean-Yves Duclos

I'm sorry to interrupt, MP Dandurand.

We have two and a half minutes for Madam DeBellefeuille, and then it will unfortunately be the end.

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

Thank you very much, Mr. Chair.

Mr. Noël, the RCMP and the Canadian Security Intelligence Service, or CSIS, are putting a lot of pressure on lawmakers to make access to information—intelligence—easier. As we always say, there needs to be a balance between security, protective intervention and privacy protection.

I feel a lot of pressure to follow a path that is quite unsettling for us as elected officials. If our institutions no longer need or want to be accountable or would prefer to show as little transparency as possible, won't that break people's trust in those institutions? They say that too much transparency makes us vulnerable security-wise and opens the door to outside powers that don't necessarily want what's best for us.

Do you think the committee should be able to hear from the National Security and Intelligence Review Agency? They're charged with making sure agencies respect the law. If we give the ministers and superintendents more power without holding them to account, the agency won't be able to do its job. Everything will happen in secret.

What do you think of this pressure we feel to both increase and limit transparency?

12:15 p.m.

Intelligence Commissioner, Office of the Intelligence Commissioner

Simon Noël

I sympathize with what you're saying.

It is clear that we are living in a world in which cyber-attacks have become the new tools of war. When we look at malicious actors, whether it's a country or someone demanding a ransom, we see they have a tremendous capacity to pierce through our layers of protection and gain access to what they want.

If you want to adequately protect your constituents, you need to give the government and police the same tools, so they can combat those malicious actors.

That said, your challenge is to find measures that take into account your concerns as an MP: people's privacy, on one hand, and national security, on the other.

The Chair Liberal Jean-Yves Duclos

Sorry, Mr. Noël, but that's all the time we have.

12:20 p.m.

Intelligence Commissioner, Office of the Intelligence Commissioner

Simon Noël

I'll leave it there, but I think I've said what I wanted to say.

Thank you.

The Chair Liberal Jean-Yves Duclos

We are grateful for your time today, but especially for the work you did in preparation for today's meeting. Thank you and have a good rest of the day.

We are going to move on to our next panel, so I will suspend the meeting briefly. Please be quick if you are grabbing something to eat before the witnesses join us.

The Chair Liberal Jean-Yves Duclos

We are resuming the meeting since we have quorum.

Welcome to our four important witnesses.

With us are Josh Dehaas, counsel for the Canadian Constitution Foundation; Aaron Shull, managing director and general counsel for the Centre for International Governance Innovation; Luc Lefebvre, chairman and co-founder of Crypto Québec, who is joining us by video conference; and Sharon Polsky, president of the Privacy and Access Council of Canada.

Welcome to all four of you. You will each have five minutes for your presentation.

Please go ahead, Mr. Dehaas.

Josh Dehaas Counsel, Canadian Constitution Foundation

Thank you, Mr. Chair.

My name is Josh Dehaas. I'm counsel with the Canadian Constitution Foundation. The CCF is a non-partisan charity dedicated to defending Canadians' rights and freedoms through education, communications and litigation. The CCF is most famous for successfully challenging the invocation of the Emergencies Act in February 2022. The Federal Court found that the invocation was ultra vires the statute and violated the rights to freedom of expression as well as security against unreasonable searches and seizures.

The CCF has serious concerns about one particular aspect of Bill C-8. Proposed section 15.2 would allow unconstitutional limits on freedom of expression, peaceful assembly and association. Proposed subsection 15.2(1) would give the Minister of Industry a dangerous new power to order telecommunications service providers to cut individuals off of Internet or phone services based on “any threat” to the telecommunications system, which includes all of Canada's Internet, phone and radio infrastructure. This need not be a systemic or even a serious threat.

Proposed subsections 15.2(5) and (8) would allow the details of the minister's orders to remain secret under the threat of huge fines. While there may be circumstances where the minister requires the power to order malicious servers to be cut out of the system, it's dangerous to civil liberties to allow the minister the power to cut off individual Canadians without proper due process and to keep that secret.

Consider, for example, a protester whom the minister believes may engage in a distributed denial of service, or DDOS, attack, which is a common form of civil disobedience employed by political activists. Using proposed section 15.2, the minister could order that this dissident's Internet and phone services be cut off and require that the decision remain secret. That individual's only recourse would be to hire a lawyer at great expense to contest the minister's order. That order would remain in place unless and until a court hears the case and orders restoration of the services. The person affected may not even be aware that they're entitled to judicial review, because the statute does not require that they be informed of their right to challenge that order in court.

To be clear, DDOS attacks are genuine cybersecurity risks. They are a criminal offence. However, somebody merely suspected of planning to participate in such civil disobedience could be silenced. Without the Internet or phone, they would be effectively cut off from all online expression. They would be prevented from constitutionally protected political activities, including speaking out in opposition to policy or meeting with others online—violating expression, assembly and freedom of association.

While the statute appears to be a good-faith attempt to prevent and stem cyber-attacks, it does not include proper safeguards to prevent abuse. Statutes passed in good faith are often used to violate rights, particularly in periods of political and social unrest. For example, the federal government ordered financial institutions to freeze hundreds of accounts without due process during the invocation of the Emergencies Act. This left some protesters and their domestic partners unable to pay bills in the middle of a very cold winter and violated their rights under section 8 of the charter. The government also used the act to block protesters from simply standing on Parliament Hill with the Canadian flag or a placard opposing vaccine mandates, violating their right to expression.

In other words, we can't just trust governments with this sort of power. There must be better safeguards built into the bill.

The CCF has five proposed amendments that would reduce that civil liberties risk.

First, the CCF proposes that proposed subsection 15.2(1) be modified to clarify that the power to cut off services may only be used in cases of serious systemic risks.

Second, the CCF proposes that the statute make explicit that judicial review is available and that services may be restored immediately by a judge.

Third, the CCF proposes that the statute limit the secrecy of any order by requiring that it be published in the Canada Gazette within 90 days unless the minister obtains an order from the Federal Court prohibiting the disclosure of some or all of its contents.

Fourth, the CCF proposes that such orders may only be kept secret where a Federal Court judge is satisfied that there are reasonable grounds to believe that the disclosure of some or all of the order would be injurious to international relations, national defence or national security or endanger the safety of any person.

Finally, the CCF proposes that where the judge is of the opinion that it is necessary to protect the fairness of proceedings for an individual impacted by such a decision, they may appoint an amicus curiae to assist that individual.

Thank you for your time. I'd be happy to answer any questions.

The Chair Liberal Jean-Yves Duclos

Thank you, Mr. Dehaas.

Mr. Shull, the floor is yours for five minutes.

Aaron Shull Managing Director and General Counsel, Centre for International Governance Innovation

Thank you very much, Chair and members of the committee.

I'm going to do two things today. I will go to specific proposed sections of the legislation that I think warrant a further look and potential amendment. Then I will talk about a practical policy tool to encourage compliance. I'm going to propose a cybersecurity investment tax credit for Canadian businesses. We have a once-in-a-generation nation-building moment here, and I think a tax credit is the way to go.

My colleagues who preceded me did a good job, but I want to go through a couple of things.

Proposed subsection 15.1(3) and proposed subsection 15.2(5) are non-disclosure provisions that allow the Governor in Council or the minister to impose secrecy around orders without any guiding criteria. That's the point I want to come back to. Secrecy must be the exception, not the default. I think you should impose statutory criteria that need to be considered when determining whether or not to render an order secret.

I would propose the following if it were up to me: the degree to which disclosure could reasonably be expected to compromise the effectiveness of the order or jeopardize national security; the availability of less restrictive means, including partial or delayed publication to achieve the same objective; the impact of non-disclosure on the transparency and accountability of government decision-making; the necessity of non-disclosure in light of a threat's urgency, nature and duration; and any representations made by affected telecommunications service providers or regulators surrounding the need for confidentiality.

I'm okay with secrecy and understand the need for it here. I'm just saying that you need some criteria under which to make those determinations. The bill has criteria elsewhere for decision-making, just not around non-disclosure.

Next, I want to talk about proposed subsection 15.1(8) and proposed subsection 15.2(10), and I apologize for being so detailed. I'm a lawyer. It's an occupational hazard.

Here, the Crown would bear no financial responsibility arising out of an order. I think that's sound, but we would end up with a bit of a problem. Pairing the no-compensation rules with the non-disclosure rules would lead us to a situation where publicly traded companies could find themselves in breach of securities law. They could have a material change to their financial books. Suppose a telecommunications provider gets a rip-and-replace order, and it's $25 million. They couldn't disclose that to their shareholders if the order were secret. In that very moment, they would find themselves in breach of their fiduciary duty and the securities regulations. That's something we should consider.

There are ways you can deal with this. I propose that regulations could allow for cost recovery in discrete and exceptional circumstances. You should also create a secure disclosure channel for affected companies so they could make these disclosures to their security regulators and auditors under conditions that would satisfy the safeguards surrounding the classified information.

Somebody was talking about safe harbour earlier. I want to talk about a different safe harbour because, if this proceeds the way it's written, it could function as.... We need a limited form of legal protection for officers and directors of corporations who comply with Bill C-8 on a good-faith basis but who are then exposed to liability under their securities law. We need to make sure there's a safe way for them to do that without finding themselves on the horns of a very pronounced legal dilemma, where they cannot simultaneously comply with both obligations.

In proposed subsection 15.21(1) and proposed subsection 15.81(1), there is duplication of reporting. There are two proposed subsections that would require the minister to report to Parliament three months after the annual report. I think it's just a drafting error. You could easily clean that up. It's the same thing.

More pronounced, proposed section 15.4 would compel information. This would let the minister compel information from any person. This isn't important for compliance, but you're going to run into section 7 and section 11(c) challenges under the charter if the material is used for the purpose of prosecution down the road. Add an explicit immunity-use clause modelled after the Competition Act. This would make sure the information is only used for regulatory purposes, not criminal prosecution. That would preserve your confidentiality without weakening enforcement. That is present in the Competition Act.

Regarding proposed section 15.9 and judicial review, there's an issue there too. The judge would have to give back any irrelevant information the minister provided. There is a problem because, when a judge reviews something on a JR, they're looking at whether all the information the minister relied on is relevant. Judges could find themselves in an awkward spot, where they are not allowed to look at all the material they need to for the purpose of determining relevancy. That's something you will want to look at. It's a bit like putting a hockey player on the ice with one skate and no stick. You have to make sure the judge has all the information they need, and I think a simple amendment could solve that.

Moving to proposed section 142 under the CCSPA and proposed subsection 73(3.3) of the Telecommunications Act, I don't know if this was done on purpose, but under the Telecommunications Act the company is only liable if the employee who committed the offence was acting within the scope of their job or authority, while under the CCSPA that qualifier is missing. This means that two companies could face different standards of liability. I think that's worth a second look too.

Thank you very much.

The Chair Liberal Jean-Yves Duclos

Thank you, Mr. Shull.

We will now hear from Mr. Lefebvre for five minutes.

Luc Lefebvre Chairman and Co-founder, Crypto Québec

Mr. Chair, members of the committee, I am here today as the chairman and co-founder of Crypto Québec, a non-profit organization and social economy enterprise. Our mission is to shed light on information security, intelligence and geopolitical issues, while promoting best practices.

Thank you for having me as a witness as part of your study on Bill C‑8.

Part of Crypto Québec's work is to foster a digital environment where protecting fundamental rights is central to securing data and infrastructure, while taking into account Quebec's context, first and foremost, and industry practices around the world. To that end, Quebec has a strong body of privacy legislation—Bill 25, in particular—as well as relevant institutions—including the access to information commission, which actively monitors compliance and respect for individuals' rights. I would also point out that many information security practices, standards and certifications govern Quebec's critical infrastructure activities.

My comments today on Bill C‑8 are informed by that dual requirement of privacy and security. At a time when the enemies of democracy are clearly and publicly demonstrating their desire to make people doubt government institutions, we, too, must be more transparent in our response.

The bill gives the federal government the power to direct telecommunications service providers and vital system operators to do anything, or refrain from doing anything, and that direction may constitute a state secret. This ability raises two major issues. First of all, there are no clear guardrails, no parameters around the necessity, proportionality or duration of the order, or recourse. Those problems have been discussed extensively in the submissions to the committee. Second, because the confidentiality that applies to the orders is not limited in any way, the regime goes beyond the legitimate objective of security; it makes transparency and accountability difficult, if not impossible.

In Quebec, privacy protection is based on clear principles: a privacy impact assessment must be conducted; measures must be documented; disclosure is required when individuals' rights are affected; and lastly, consent must be obtained. The adoption of a less stringent federal regime must not weaken Quebec's system. For that reason, I recommend that any order made under Bill C‑8 be subject to the following requirements: a public summary, annual reporting to a committee or the Quebec National Assembly, and a proportionality test explicitly set out in the legislation.

Quebec has demonstrated its ability and authority to oversee privacy and digital security. Bill 25, along with laws such as Bill 5, which pertains to health information, sets out strict requirements for public and private organizations in relation to privacy impact assessments, consent, incident reporting, data localization and respect for the language and rights of Quebeckers.

Bill C‑8 could create a parallel system, or override Quebec's regime for Quebec-based entities or foreign industrial entities operating in vital sectors such as energy, telecommunications and transportation. This opens the door to a fragmented system with watered-down responsibilities, not to mention public confusion, which would only help our enemies. It is crucial that the federal framework explicitly recognize two things: one, that organizations operating in Quebec are subject to Bill 25; and two, that Quebec's standards provide at least as much protection as federal requirements. That is not a given at this point.

Unlike the rest of Canada, Quebec has a sophisticated governance regime for securing its information systems. To begin with, Quebec has a cybersecurity and digital technology ministry, which ensures that all the entities under its jurisdiction adhere to high security standards. Second, Quebec has an access to information commission, an independent body responsible for protecting personal information, and unlike its counterparts in the rest of the country, Quebec's commission has punitive powers to deal with violations or non-compliance. Bill C‑8 would infringe on the responsibilities of these two organizations, while failing to provide a similar or higher level of security. Bill C‑8 would in fact be a step backwards for Quebec.

Another major issue is that the bill does not explicitly prohibit the government from compelling providers to undermine encryption or install internal monitoring mechanisms. This directly affects user trust, the security of communications and resistance to digital threats. The approach Quebec has chosen does not achieve security at the expense of privacy; rather, security is achieved through stronger controls, encryption, governance mechanisms and auditing.

I recommend that Bill C‑8 include an explicit ban on the undermining of encryption, that it clearly distinguish between cybersecurity measures and monitoring measures, and that it require Quebec-based entities to report the collection or sharing of sensitive data to the appropriate Quebec authorities.

In conclusion, I urge you to protect critical infrastructure systems, while respecting individuals' rights, preserving Quebec's authority, and adopting a clear, consistent, credible, transparent and proportionate framework. Bill C‑8 is not only an opportunity, but also a challenge. We already have a strong track record in Quebec, so use that expertise to build a reliable Canadian model that people can trust. Quebec can play a central role in that effort.

Thank you for your time. I would be happy to answer your questions.

The Chair Liberal Jean-Yves Duclos

Thank you, Mr. Lefebvre.

Ms. Polsky, the floor is now yours for five minutes.

Sharon Polsky President, Privacy and Access Council of Canada

Thank you for inviting me to address the committee today.

I am Sharon Polsky. I'm the president of the Privacy and Access Council of Canada, an independent, non-profit, non-partisan organization that is not funded by government or industry.

Since launching 30-some years ago, the Internet has infiltrated our lives. I spent those years consulting to governments and to small, medium-sized and Fortune 100 businesses, seeing how they apply the law and policy and identifying practical risks invariably caused by human nature and, increasingly, the Internet itself.

MP Caputo asked for some specifics, and I hope to oblige. The preamble says that the bill is to protect telco providers and critical systems and provides the minister with great power to order them to do anything or to refrain from doing anything to protect the Canadian telco system. That's laudable, but it lacks adequate safeguards to prevent abuse or ideological attack. This new law to add the promotion of the security of the Canadian telecommunications system as a policy objective tells companies to plug the holes that were built into their systems, something they should have done long ago to comply with privacy and other laws.

Rephrasing the request isn't going to change much, even with AMPs. I'll speak more on that in a minute.

Under proposed section 7 of part 2, a class of operators can be declared and any person or organization declared a member of that class. The bill applies to enterprises within the legislative authority of Parliament, and proposed subsection 9(1) ensnares the rest, the businesses and people whose products or services are in support of federally regulated enterprises.

On accountability, the Auditor General noted that “Gaps in cyber security defences undermine the ability to protect critical information and manage cyber security risks.” Those gaps will remain even if this bill becomes law.

The standards, laws and frameworks already in place—the privacy, security and risk assessments now done or supposed to be done—cannot prevent outages like we saw last week that took down half the Internet and again yesterday that took down another half of the Internet, each time grinding services around the globe to a halt, thanks to a single technical problem. That's all it took, because accountability requirements are inadequate.

What accountability can there be when even the existence of orders can be ordered to be kept secret and when the Governor in Council can direct that orders not be published? Doing that leaves everybody in the dark and speaks to an undemocratic lack of transparency and a shield against accountability.

Proposed section 15.21 requires the minister to reveal how many times in the previous year secret orders were made and other details, but statistics are cold comfort, especially given the broad information collection and sharing powers in the bill.

Part 2 of Bill C-8 allows any service or system to be designated a vital service or system and requires designated operators to “mitigate supply-chain and third-party risks”. It doesn't, but it should, specify what risks are to be mitigated.

Proposed subsection 20(6) of the CCSPA prohibits a designated operator or class of operators from intercepting communications, but third parties that support critical services aren't included. That could easily be operationalized as encryption-busting back doors. This and other governments have worked mightily over the years to circumvent encryption. Bill C-8 needs clear language to ensure that its broad powers cannot be used in any way by anyone to undermine or circumvent encryption, a ban even more urgent considering that Bill C-2's vague language would grant sweeping ministerial powers to order changes in Canada's telecommunication networks.

The bill says AMPs are only intended to promote compliance and not intended to be punitive. They will benefit the largest providers that can recoup the cost from their broad customer base, further solidify their dominant position and still evade accountability. Meantime, others will be bankrupted.

Implementation must be monitored, measured and mandatory with Sarbanes-Oxley-like penalties imposed, including personal—not corporate—liability to make accountability inescapable so they do the right thing from the beginning.

How will a Canadian regulator be able to monitor compliance, I wonder, when Rogers just announced that it will be running its wireless network from India?

Orders may be made about any threat, including that of interference and manipulation. We know that elections have been swayed by social media content. AI for news often misrepresents the story. Will that be deemed manipulative or a threat and the platform subject to being silenced?

I wonder by what objective standard and by what calculation one measures the gravity of manipulation. The bill must be clear.

Finally, ordering that someone be denied Internet access because the minister considers something they’ve done or said to be a threat or to be manipulative will mean cutting them off from phone service, which is now Internet-based. Everyone in your house will be blocked from talking to friends, from calling adaptive transport, from phoning 911 or from applying to university. This is unjust and disproportionate, and this is what Bill C-8 allows.

Bill C-8 must be changed, or we will relive what my grandparents fled a hundred years ago, after the Russian revolution: people placed in isolation for their views and this being conflated with the stuff of good government.

The Chair Liberal Jean-Yves Duclos

Ms. Polsky, I'm sorry to interrupt, but that's all the time there is for this initial segment.

That allows us to turn to MP Lloyd for six minutes.

12:45 p.m.

Dane Lloyd Conservative Parkland, AB

Thank you.

Thank you to all of the witnesses here today.

I really appreciate when people come forward with amendment ideas. It makes our job easier. I know the analysts were typing away, and they're very pleased with all of the ideas that were put forward.

I'll start with you, Mr. Dehaas, on something you said. Do you believe that a denial of service attack is a free speech right?

12:50 p.m.

Counsel, Canadian Constitution Foundation

Josh Dehaas

Let me be very clear, Mr. Chair. I do not believe that a DDOS attack is protected free speech.

What I'm saying is that someone who might be suspected of participating in that type of attack could face very serious consequences through proposed section 15.2, without proper due process in place, very—