Public Safety Committee on Dec. 4th, 2025

Agreed.

Good morning. Thank you.

My name is Kate Robertson. I'm a lawyer and currently a researcher at the University of Toronto's Citizen Lab.

My comments draw on Citizen Lab's research on cybersecurity and telecommunications, as well as constitutional law analysis that I submitted in a brief to this committee.

Parts two and three of my brief set out amendments to address constitutional deficits and cybersecurity risks in the bill. Out of those recommended changes, the introduction of the brief identifies two priorities.

The first is to explicitly protect encryption technology in Canada's telecommunications networks. At present, the broad powers in the bill could have the effect of compromising encryption standards for lawful access purposes.

For example, under proposed section 15.2 of part I of the bill, the minister could require that a telecom operator implement “specified standards”. The minister could prohibit a telecom operator “from using any specified product or service”. The minister could also “impose conditions on [the]...use of any product or service”. These are just some examples.

While officials have stipulated that this law is not a surveillance bill and that these provisions don't authorize the compromise of encryption, there is no explicit clause to ensure this. Future governments could interpret proposed section 15.2 very differently, arguing that heightened surveillance capabilities would promote Canada's security interests. An interpretive clause is essential to protect encryption, which is an essential form of cybersecurity.

I note in my brief that even the recently tabled Bill C-2, which also proposes very broad powers to order changes in telecom networks, has a specific clause that the government has pointed to as a proposed means of ensuring that orders won't compromise encryption. In contrast, there is still nothing comparable in Bill C-8.

Recommendation eight of my brief suggests that language should be added to stipulate that orders cannot be used to compromise the confidentiality, availability or integrity of a telecommunications service. This phrasing is a widely recognized term to describe the three essential elements of strong cybersecurity. It is a term that is used by federal agencies in Canada.

I can also answer questions about alternative language that would also be workable. I can submit those suggestions in writing after this hearing, if it's helpful.

Ultimately, since the intent of the legislation, as we’ve been told, is not surveillance or encryption-breaking, this should not be a controversial improvement to the bill.

As a second priority, the law's broad and warrantless collection power under proposed section 15.4 is a significant constitutional deficiency. As we know, telecom providers are conveyors of the most private information known to our legal system. I must respectfully disagree with the view that this law would only apply to technical information. The actual text of the legislation—which is what matters—creates a broad and warrantless power to collect personal and de-identified information from telecommunications companies.

I share the view of the intelligence commissioner of Canada—who has previously testified—that the warrantless search and seizure powers are a constitutional flaw in the bill with no apparent justification. I agree with Mr. Noël’s recommendation that when it comes to the CSE specifically, an important change would be to require that the CSE’s use of information be subject to annual ministerial authorization and, ultimately, approval by the intelligence commissioner. This would be a very notable improvement, but as he noted, there still would remain a warrantless collection flaw in Bill C-8 generally, which he testified is a problem that he would leave for others to address.

Recommendation three in my brief addresses this larger gap by proposing Federal Court authorization for the collection of personal and de-identified information. This is critical in order to place Bill C-8 on much stronger constitutional footing.

Given my time, I would invite a follow-up question from this committee on why the current safeguards in the bill, which are for the most part inapplicable to the collection power under section 15.4, are inadequate to remedying this constitutional deficit.

Thank you for your attention. I defer to my brief for my remaining recommendations.

Thank you, Madam Chair.

When Canadians get into their cars, they trust that the safety-critical systems inside will work flawlessly. When industrial automation systems keep our energy grids running, we trust that they will perform as intended. That trust is what BlackBerry delivers every day.

Our QNX operating system is embedded in over 255 million vehicles on the road today. It powers industrial control systems, nuclear power stations and autonomous systems in mission-critical environments where safety, reliability and performance are non-negotiable. QNX is trusted to ensure that these systems are secure and reliable, because failure is not an option. Our responsibility does not stop there.

We protect the communications that keep leaders connected during a crisis and the systems that coordinate emergency response when every second counts. When a cyber-attack threatens a power grid and disrupts transportation networks or when a national security incident demands immediate action, BlackBerry ensures that sensitive information remains secure and that decision-makers can communicate without fear of interception or compromise.

Our mission is simple: safeguard the integrity of critical operations so governments and essential services can respond quickly and confidently. In these moments, trust isn't optional; it's everything. This is why banks, energy providers, telcos and transportation agencies rely on BlackBerry. We were built with security in mind from the ground up.

BlackBerry strongly supports Bill C-8, particularly part 2. Critical infrastructure is increasingly digital, making it a prime target for cybercriminals and state-sponsored actors.

The stakes are high. These systems deliver essential services and house sensitive data. A single breach can cascade across borders and sectors. Canada is the only G7 country without mandatory cyber-incident reporting for critical infrastructure. It's time we align and strengthen our cyber-defences.

Bill C-8 is a major step forward. It will enhance situational awareness and collective response, strengthen organizational learning to identify systemic risks and inform cyber-practices and improve corporate governance by elevating cybersecurity to the board level.

Global experience shows that these laws work. The United States' 2022 Cyber Incident Reporting for Critical Infrastructure Act has led to faster resource deployment, trend analysis and information sharing. Officials say it helps “spot adversary campaigns earlier, and take coordinated action”. Europe's NIS2 Directive and Australia's Security of Critical Infrastructure Act show similar benefits.

Success depends on three factors. The first is speed. Rapid reporting enables rapid response. Second are clear definitions of what constitutes a reportable incident. Third is access to secure and certified incident reporting and critical event management tools that enable stakeholders to communicate in times of crises.

Canada needs this speed and clarity. The October 2025 Auditor General's report found that Canada's response to a major cyber-attack was delayed by seven days due to incomplete protocols and the lack of a tool for secure information sharing. That delay gave attackers more time to access sensitive information. Mandatory reporting must be paired with tools and procedures for seamless communication.

To make this law effective, we recommend five things. First, define “reportable incident” clearly and consistently. Second, mandate timely reporting with a tiered approach and initial notification within 72 hours followed by detailed reports. Third, provide access to secure tools for real-time communication and coordination. Fourth, guarantee liability protections for good-faith reporting. Fifth, include business continuity as a baseline requirement, ensuring entities can communicate, mobilize and restore services quickly.

In closing, Bill C-8 moves Canada from a patchwork of voluntary guidelines to a mandatory framework aligned with global best practices.

Thank you.

Good morning.

I'm Matt Hatfield, and I'm the executive director of OpenMedia, a grassroots community of 230,000 people in Canada who work together for an open, accessible and surveillance-free Internet. I'm joining you from the unceded land of the Tsawout on Salt Spring Island in British Columbia.

Loopholes matter. A bad loophole you pass in this legislation does not just weaken the law; it will prove far more important than the law's intended purpose. Right now, Bill C-8 contains several serious loopholes that you must fix.

Bill C-8 is built on and very closely resembles Bill C-26, the cybersecurity legislation this committee's predecessor passed last year. Both bills give future industry ministers the power to permanently and secretly disconnect Canadian citizens from the Internet without notifying them or explaining the decision; to issue orders to telecom companies to do or not do anything the minister says is necessary to protect our telecom infrastructure; and to keep you, our elected representatives, entirely in the dark about what these orders say. That is simply too much unchecked power. Canada does need cybersecurity legislation, but you should not pass this legislation as worded today.

In proposed subsection 15.2(2), the minister is given the power to order telecom providers to do anything or not do anything they believe is necessary to secure the Canadian telecommunications system. Constructively, Bill C-8 now states that the minister's use of these powers should be reasonable and within the act's purpose.

Who will decide if that standard is met? It's not the public; we're only informed of the existence of these orders in a yearly report. It's not your colleagues at NSICOP. The minister has to tell you only why they think what they're doing is reasonable, not show you that it is. That is not transparency and accountability; it is accountability theatre. The minister is required to think hard about whether their decisions are reasonable and proportionate and to promise you in writing that they are, but there's no oversight to check. This is much like a law that requires me to give you a very good explanation for why I think my hands should be in the cookie jar, but doesn't let you check what I'm actually doing in there.

Our democratic allies don't write legislation like this. In the U.K., the government cannot issue this kind of order without consulting Ofcom, the independent regulator. Different uses of order-making powers require the approval of an independent technical board, a reviewing judge or both. In Bill C-8, the minister alone decides.

In Australia, if a telecom company believes that an order would compromise the privacy or security of their network, they can demand a technical review by an independent judge and a technical expert. In Canada, the minister alone decides. Not coincidentally, these baked-in expert reviews also protect the government from accidentally creating technical disasters by issuing orders with consequences they don't understand that break rather than protect telecom infrastructure.

Canada's approach, Chair, is not a system of democratic checks and balances. It is a blank cheque to future government ministers to build a growing system of permanent secret orders whose reasonableness and proportionality is entirely in their hands, and the necessary fixes are really much like they were at the last stages of Bill C-26.

First, the government's new powers must be constrained by actual independent review. The minister's opinion that they are necessary and proportionate is not good enough. A judge and technical expert should have full access to these orders either before they are issued or, in emergency circumstances, within 30 days, and they should have the ability to overturn orders that go too far.

Second, Bill C-8's legitimate purpose is systemic infrastructure protection, not being misused to surveil Canadians. That means the bill must explicitly prohibit orders that have the effect of creating a systemic weakness or backdoor encryption, language already used by our allies in Australia. If the door is open for the minister, it is open for hackers too.

Further, personal information must be clearly defined as confidential and, if any is incidentally collected in the process of carrying out Bill C-8, it should be rapidly destroyed. In all circumstances, Bill C-8 must forbid personal information collected under it from being shared with foreign intelligence agencies that are not subject to our laws.

Third, the government must not be allowed to keep how it is using these new powers permanently secret, not from you and not from the public. Outside of immediate emergency situations, the standard of disclosure of what is happening under Bill C-8 should be one level higher than is currently required. That means that the public should be informed not just of how many orders are being made but of the minister's description of what they are accomplishing and why they are necessary. NSICOP should be provided with a full description of the orders so MPs can judge if the minister's public report is telling Canadians the truth.

More than 10,000 Canadians have written to our government to demand this cybersecurity legislation pass only once it includes robust rights protection. That's your job to do. We urge you to listen to these voters and to adopt the amendments that civil society has placed before you to get this legislation to where it needs to be.

Thank you, and I look forward to your questions.

I would defer it to my colleague, Kate, for a lawyer's view on this.

This is a public advocacy perspective for me.

If someone eventually has a decision overturned, it could be months or years before it's changed. Many people in Canada, of course, wouldn't have the resources or understanding to challenge these orders. I don't think it's nearly as good as having a built-in process the government is forced to go through to seek a later process.

Under the Constitution, the courts will look for a meaningful system of accountability. If you have an absence of transparency, a notice to individuals, including potentially the need for strict gag orders that would prevent individuals from knowing that their privacy, or other interests, have been impacted, then that thwarts their ability to meaningfully access review mechanisms. In that regard, the judicial review is inadequate from a constitutional perspective.

I'd also note that there is a reasonable best standard, and there's deference applied, which is why I recommended that we have a specific clause clarifying that this is essentially not for surveillance purposes but is about cybersecurity, because that as well would be, in the absence of such an interpretive clause, assessed on a different standard in the judicial review process.

That's the case, but if they aren't themselves within the cone of the gag order, then they wouldn't know of the existence of government orders or subsequent action by telecom providers.

That's not the case, and it really depends on the specific nature of the order itself. There are many ways that this bill suggests that from the minister's perspective in introducing this legislation, they see this as a matter between telecom providers and the government. In many ways the public at large is, I have to say, treated as not part of the equation. If there is an order that's specific to an individual, that would be a different matter, but for many cases, the intent of the legislation and how it's been discussed appears to be really looking at orders to telecom providers, and in that way individuals would not receive notice.

It certainly could.

I would commend the 2017 CBC investigation that showed that in the case of a member of Parliament, once an investigative journalist gave a security researcher that member of Parliament's phone number, the security researcher—in this case consensually, but it will illustrate the problem—was able to intercept that member of Parliament's locations, text messages and communications. That really shows the systemic vulnerabilities that are inherent in the world's mobile communication networks, and that's what we hope 5G and 6G technology will help us with, including through the introduction of robust security features including encryption.

From a BlackBerry perspective, I think the notion of reasonableness is very important and the notion of judicial review, but we are no longer in the telecommunications business.

Our focus is more around cybersecurity.

We do deal with encryption.