Thank you, Mr. Chair.
I also want to thank the members for inviting me.
I'm joined today by Justin Dubois, executive director and general counsel at the Office of the Intelligence Commissioner.
To place my comments on this bill into context, it's useful to briefly explain what my role as the intelligence commissioner is all about.
My role is to approve or not approve certain national security and intelligence activities proposed by the Communications Security Establishment, or CSE, and Canadian Security Intelligence Service. These activities are authorized respectively by the Minister of National Defence and the Minister of Public Safety.
My independent approval is necessary because the activities the ministers authorize may be contrary to the law or breach the reasonable expectation of privacy of Canadians. Only with my approval can activities proceed.
The commissioner position that I hold was created in 2019. The mandate given to the commissioner by Parliament at that time is of particular relevance to the study of this bill. It includes enabling CSE to effectively respond to cyber incidents that affect federal systems and systems designated as important to the Government of Canada. One of my specific duties is to review ministerial authorizations that allow CSE to conduct cybersecurity activities on those systems.
My approval is also necessary because the cybersecurity activities conducted by the CSE lead to the collection of vast amounts of information, including information for which Canadians have a reasonable expectation of privacy. To be effective in conducting cybersecurity, the CSE needs to collect this information.
I only approve ministerial authorization when I'm satisfied that the minister has struck a reasonable balance between the security of Canada and the privacy of Canadians. This includes ensuring that appropriate measures are in place to protect the privacy interests of Canadians.
I noted that through my work as Information Commissioner, I see the tremendous value of a national approach to cybersecurity. Canada must have the necessary tools to protect our critical electronic systems. However, these tools must be accompanied by the appropriate safeguards and independent oversight.
In my view, there are elements of this bill where independent oversight would improve the protection of these privacy interests. I will raise one that relates closely to my role as IC. This bill aims to protect our critical cyber-systems. The CSE is our national expert on cybersecurity and will, through this bill, receive information on cyber-incidents.
In my experience as IC—with over three years and 45 decisions rendered—for the CSE to analyze and understand a cyber-incident, it must have access to information about the incident. There may be situations where this information is only technical in nature and sharing it with the CSE raises no privacy concerns, as you were told when you met with other witnesses. However, to fully understand the cyber-incident, other situations may require the CSE to have access to information, including technical information, for which Canadians have a reasonable expectation of privacy. I've seen it.
Technology and cyber-threats evolve faster than legislation. The bill should provide the flexibility to adapt accordingly and allow for the sharing of this information with appropriate oversight.
In the current system, prior to collecting this information, CSE is required to obtain a ministerial authorization and approval from the Information Commissioner. Parliament chose to implement this process in 2019, but not in 2025.
The mechanism proposed consists of adopting a regulation setting out what information about cyber-incidents is to be shared with the CSE and how it is to be shared. As you know, there is no independent oversight of the regulation. One possible simple and effective oversight measure would be to annually require ministerial authorization establishing a framework for how the CSE uses and shares the information, which would then be subject to review and approval by the intelligence commissioner.
Effective cybersecurity is essential for Canadians. CSE must have access to the information it needs to conduct its excellent work—with the necessary oversight to allow for that access.
I support the bill's intent but believe that targeted, additional safeguards that do not impose a heavy administrative burden on our agencies would increase Canadians' confidence that these measures intended to protect them do not themselves unnecessarily intrude on their privacy.