Evidence of meeting #20 for Public Safety and National Security in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was c-8.
A video is available from Parliament.
Director General, Telecommunications and Internet Policy Branch, Department of Industry
Right now, the bill is a mechanism to implement the rules. In part 1, there is no specific obligation, but rather powers related to the implementation of the rules.
At ISED, Innovation, Science and Economic Development Canada, we're quite used to working with small players and with many obligations around the issue of spectrum management, for instance. Given the level of consultation, we are able to strike a balance among certain obligations.
Bloc
Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC
Will that be done in the regulatory part?
Director General, Telecommunications and Internet Policy Branch, Department of Industry
Yes. In this kind of context, it's really about the fine details. The obligation is relative to the size of the participant in question. For smaller companies, the rules are less detailed or they don't exist, as they're not very important for a small provider with hundreds of customers. In that context, the obligations are simpler and they correspond to the capacity of a small provider without a government relations office.
Bloc
Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC
I'm quite curious. The intelligence commissioner approves or doesn't approve national security and intelligence activities planned by the Communications Security Establishment Canada and the Canadian Security Intelligence Service, which are authorized by their ministers. How would Bill C‑8 become more complex if an independent body approved an intervention or not?
The minister said that it was a matter of responding quickly. After all, it was the intelligence commissioner who recommended to add an independent resource.
Director General, Telecommunications and Internet Policy Branch, Department of Industry
In the context of part 1 and telecommunications issues, the Communications Security Establishment Canada, or CSE, does not play a role in the implementation of those powers. It's a matter of the private sector's obligations in the management of its infrastructure.
Liberal
The Chair Liberal Jean-Yves Duclos
Unfortunately, I have to interrupt you, as we are well over time.
Ms. Kirkland, the floor is yours for five minutes.
Conservative
Rhonda Kirkland Conservative Oshawa, ON
Thank you, Chair.
I appreciate that you're here now. I have some questions that may be repeating slightly questions that I asked the minister, so we can hear the department's perspective on that.
On October 30, we heard a lot of testimony from different departments, including the Centre for International Governance Innovation, raising concerns about proposed sections 15.1 and 15.2, which give the Governor in Council and the minister broad authority, quite broad, to impose secrecy around certain orders and decrees. They recommended that clear guidelines be included to govern the use of these extraordinary non-disclosure powers.
From your perspective, can you give any insight into why the government chose not to include guiding criteria? Is there a reason for not including guiding criteria in terms of safety? Shouldn't we limit when and how the secrecy powers can be used?
I'd be interested in your perspective.
Director General, Telecommunications and Internet Policy Branch, Department of Industry
I'll start with just underscoring the minister's response that, absolutely, there is openness to consider amendments, including along the lines of the CIGI recommendation for criteria there.
In terms of the history of how we got to where we are today, with the existing provisions, first of all, it's not practical to have confidential orders on telecom operators, of which there are hundreds, as a matter of course. There's already a fair bit of.... We have no choice but to work in open consultation with many partners, so it's open by default.
Then, protections were added in the context of Bill C-26 to add some guardrails on the use of these authorities. The first was a requirement that if a confidential order is being made, there is a notification to NSIRA and NSICOP, so they can validate that the power is being used appropriately. Second, there are more detailed requirements in terms of an annual report to Parliament. We are required to report on our activities, including on the making of confidential orders. We can't get into the level of detail of what was in the order, but we have to describe at a high level what was done and why.
Conservative
Rhonda Kirkland Conservative Oshawa, ON
In that same meeting, the Privacy Commissioner acknowledged improvements. I mean, there are some marked improvements in Bill C-8 with respect to its predecessor, Bill C-26.
Several ongoing privacy concerns, though, include lower thresholds for the exercise of certain powers that may have privacy implications, and a lack of mechanisms to ensure that the Office of the Privacy Commissioner is informed of material cybersecurity breaches that have an impact.
Do you have any insight into why the bill does not provide a formal mechanism to notify the Office of the Privacy Commissioner when a cyber-incident involves protected information?
Director General, Telecommunications and Internet Policy Branch, Department of Industry
I'll start with part 1 and then speak briefly on part 2.
In terms of the authorities around the information collection, I know there was some question about what explains the different wording in proposed section 15.4 versus proposed sections 15.1 and 15.2.
First, the information collection authority is already within the scope of.... It can only be exercised pursuant to proposed sections 15.1 and 15.2. You can only engage in an order-making activity if it's reasonably necessary to do so. We can only collect information if it's related to an order-making authority.
Conservative
Rhonda Kirkland Conservative Oshawa, ON
Correct me if I'm wrong, but that's not checked until after the fact.
Director General, Telecommunications and Internet Policy Branch, Department of Industry
Those are the criteria that are in the bill already, in terms of scoping our ability to use the authority up front. It's an ex ante consideration. There are other protections around the use of that authority. For instance, the reasonableness criterion is an established threshold that's used in law, and proportionality is an aspect of reasonableness there.
To your question about CSE notification, this gets more into part 2 for my colleagues from Public Safety. It's not obvious to CSE when a privacy breach has happened, when they receive an incident report. They get an incident report that includes some technical information. Whether there are privacy implications.... There are already reporting requirements, though, under PIPEDA, so the private sector still has to report to the Privacy Commissioner under PIPEDA.
Liberal
The Chair Liberal Jean-Yves Duclos
Thank you very much for that.
Mr. Lavoie, go ahead for five minutes.
Liberal
Steeve Lavoie Liberal Beauport—Limoilou, QC
Thank you, Mr. Chair.
I thank the witnesses for being here today. I'm very happy to see them.
I'll ask you a secondary question first.
My colleague talked about small players in communications. We often talk about the big players, such as Bell, Telus and so on.
What does a “small provider” mean to you in terms of size? Where does it begin and end?
Director General, Telecommunications and Internet Policy Branch, Department of Industry
I thank the member for his question.
There is a very wide variety of types of players. There's a small provider in northern Manitoba whose business is truly family-owned, with a few hundred customers. There are medium-sized companies that have a few hundred thousand customers or a million customers, such as Cogeco and Xplore.
Liberal
Steeve Lavoie Liberal Beauport—Limoilou, QC
At what point is a provider no longer considered a small provider, but a larger one? Is it based on the number of customers?
Director General, Telecommunications and Internet Policy Branch, Department of Industry
There are no specific criteria in this context. It depends on the context and the aspect of the market in question.
In terms of developing the rules, in each context, consultations are held to determine where size is most relevant and how the impacts on the private sector can be managed. In some contexts, the rule is simple and necessary, and application is universal. In some other contexts, it's not worth it, or you have to consider the impact on the small players in question. So the context of the activities should be taken into consideration.
Liberal
Steeve Lavoie Liberal Beauport—Limoilou, QC
Okay.
As far as I understand, there are still rules to be established. It's not just a matter of size; it's also a matter of geography, and so on.
What I'm also interested in is the impact on smaller businesses. We often talk about the bigger players. We're talking about telecommunications, but there are also private companies. In fact, in Quebec alone, 72% of businesses have 10 or fewer employees.
Still in the interest of efficiency, I want to understand what the immediate impact will be for small private businesses. They often don't have the resources that large companies have to comply with regulations. That's when the situation becomes problematic. You talked about “powers” versus “obligations”. I would also like to hear what you have to say about that later on.
How will the government apply this new legislation, while thinking about small businesses, most of which are SMEs and don't really have the same staff, the same financial means, and so on?
Will they receive support? Will there be direct and indirect costs?
I'd like to hear more from you about SMEs, which basically make up the vast majority of our businesses in Quebec and Canada.
Director General, Telecommunications and Internet Policy Branch, Department of Industry
Thank you for your question.
The government has an interest in supporting small businesses because they are a source of competition for the big players. A number of mechanisms exist to support them.
Application of the rules must be taken into account. Some of those rules only apply to larger players. Basically, there's an exemption. There are mechanisms related to support resources, including discussions with us to explain the application of the rules. Some measures, such as information requirements, may be simpler to apply to a provider with a small number of customers than to Bell or Telus.
Liberal
The Chair Liberal Jean-Yves Duclos
Thank you very much, Mr. Lavoie.
Next is MP Gill for five minutes.
That will be the last intervention.
January 27th, 2026 / 5:30 p.m.
Conservative
Sukhman Gill Conservative Abbotsford—South Langley, BC
Thank you very much for being here today.
I wanted to start off by saying thank you. Then I will be asking a couple of questions that might be a repeat from before, but these are concerns that my community members and I have, and I want to make sure I get the best response I can. I would appreciate it if you could answer to the best of your ability, please.
First, can the officials please tell us whether the department has assessed the extent to which major providers or contractors are outsourcing network-related telecom outside of Canada? What analysis has been conducted on the economic and employment impacts of this outsourcing, as well as its implications for the overall security objectives of Bill C-8?
Director General, Telecommunications and Internet Policy Branch, Department of Industry
I'll start, and then my colleague Wen may supplement.
First, in terms of telecommunications equipment and services, that is a global market. When we're talking about the equipment that's used in their network and supporting services, there's a relatively small number of global players. They may have substantial investments in R and D within Canada, but if we're talking about Ericsson or Samsung or Nokia or those types of places, we are dealing with a global supply chain with global standards. We operate in a global market rather than having a purely Canadian context.
In terms of our ongoing engagement with carriers within CSTAC, we have posed questions along these lines to better understand their operations. In terms of their operations, they are dealing with best-in-the-world companies that are providing mission-critical services to large Canadian companies but also, say, AT&T, Orange in France or that type of thing. They are providing best-in-class services to support that.
Wen Kwan Director General, Spectrum and Telecommunications Sector, Department of Industry
Thank you for the question.
I would add that in the context of maintaining a telecom network, it is in the context of global equipment manufacturers. There are efficiencies to be gained. I'm not suggesting that this is the reason jobs are being offshored, but that's a consideration for the telecom companies to decide. What we are interested in is the security of the infrastructure.
As some members mentioned earlier, if there are already standards they are following, and they're strong, we do not have any objection, because the objectives of the Telecommunications Act are being met. We leave that decision to them. What we're interested in is the collaboration of the telecom service providers with intel agencies and security agencies, to ensure that we have the best protection and reliability of the network in Canada.
Director General, Telecommunications and Internet Policy Branch, Department of Industry
I apologize. I would add one last thing. Should a risk be identified in this type of context, Bill C-8 would give the authority to remedy that risk, but there would need to be a clear risk and we would need to be taking action that's reasonable in relation to that risk.