Madam Speaker, I want to thank my colleague, the member for Bourassa, for splitting his time with me.
Cybersecurity is no longer a distant concern of experts in back rooms; it is a kitchen table issue. Canadians expect their lights to come on, their paycheque to be deposited, their medical records to be private and their phone to connect them to loved ones without interruption. They expect those things to be safe from hackers, hostile states, nefarious actors and, yes, overreach by their very own government. Cybersecurity is not an abstract concern; it is about whether families can trust their power grid to stay on, whether a rural clinic can keep its patient records safe and whether small businesses can keep their doors open without fear of being taken down by hackers.
Canadians deserve real protections against cyber-threats. They are a reality in today’s world, and we all recognize that. In that respect, I acknowledge that Bill C-8 reflects a pressing reality: Canada must strengthen the resilience of our critical infrastructure. However, in our rush to act, we must also ensure that we get the right balance. If we protect our systems but undermine our rights, if we secure our networks but destabilize our economy, then we will have built a fortress with the doors left open.
Bill C-8 as it stands raises several concerns. The Liberals tell us the bill is proof of their so-called innovation agenda, but when we look closely at the fine print, the reality is far more complicated. Bill C-8 is a near carbon copy of Bill C-26, a bill that died when Parliament was prorogued earlier this year, and while some minor improvements have been made, some fundamental flaws remain. This is where I would like to focus my remarks as I and my colleagues in the NDP consider the ramifications of the bill. Allow me to bring those questions forward with the hope of bringing some clarity and changes to the bill.
First is the scope of ministerial powers. Under the bill, the Minister of Industry could compel telecommunications providers to rip out equipment, ban entire suppliers or suspend agreements. Imagine that a company might have to pass the costs of that on to its customers or close its doors entirely.
While the minister explained that safeguards exist to prevent disproportionate orders from crippling providers and leaving rural Canadians disconnected, Bill C-8 would grant sweeping powers to cabinet and the Minister of Industry: powers to ban telecom companies from using certain equipment, to force its removal, to suspend services and to terminate contracts. These orders could be issued without prior judicial approval, without parliamentary review and without independent oversight. When we concentrate this much power in the hands of a single minister, we need checks and balances. Where are they in the bill?
Second are the risks to privacy and civil liberties. The bill would allow for mandatory information sharing between telecoms, regulators and federal agencies, and possibly onward to foreign governments. The standard for this disclosure is simply the minister’s own judgment of what is “necessary”. This is vague, subjective and wide open to abuse. Why are there no requirements in the bill for privacy impact assessments? Why are there no guarantees that collected data would not be repurposed for unrelated purposes?
Third is the absence of compensation or worker protection. If a company is ordered to rip out equipment or shut down services, there would be no compensation. For small Internet providers, that could mean bankruptcy. For their workers, it could mean layoffs. For rural and remote communities, it could mean disruptions in already fragile service. Where is the government’s plan to support the workers, providers and communities that would bear the costs of compliance?
Fourth are the penalties. Bill C-8 envisions fines of up to $15 million a day for corporations and up to $1 million a day for individual employees. Think about that: A frontline worker following orders from management could face personal ruin under the regime. Where are the safeguards to ensure fairness, due process and appeal rights?
Fifth is the one-size-fits-all approach. The bill would lump together banks, telecoms, nuclear facilities and energy co-operatives under a single compliance framework. All of them would face the same 90-day timeline to stand up cybersecurity programs, no matter their size or capacity. For large corporations, perhaps this is feasible, but for small operators or co-ops, it could be impossible. Should compliance obligations not be tailored to the realities of different sectors?
Sixth are international consequences. Canada’s adequacy status under the European Union’s GDPR is the foundation of much of our digital economy. It is what allows European data to flow into Canadian systems, supporting banks, airlines and cloud providers, but the European Commission reviews adequacy every four years. If it sees that Canada is granting unchecked surveillance powers, or if it sees data repurposed without necessity and proportionality, we risk losing that adequacy decision. We have already seen what happened to the United States under Schrems II. Does the government truly want to put Canada in the same position?
New Democrats agree that cybersecurity is essential, but cybersecurity must not come at the expense of democracy, accountability, privacy or fairness for workers and communities.
Here are the questions we are putting on the record for the Minister of Public Safety and the government to answer. Why has the government chosen to concentrate so much power in cabinet without requiring independent judicial and parliamentary review? Why would there be no independent oversight body to ensure that orders are proportionate and justified? Why would the bill not guarantee privacy impact assessments or limit onward disclosure of Canadians’ personal data to foreign governments? Why has the government not proposed compensation or transition supports for workers and small providers who would bear the financial burden? Why would penalties be so extreme that individual employees could be personally liable for millions of dollars, even when following management orders? Why would the same compliance framework be applied to banks, nuclear facilities and small ISPs alike? Has the government conducted and published a risk assessment of how Bill C-8 could affect Canada’s adequacy standing with the European Union?
The Liberals say the bill would modernize our telecom laws and defend Canada, but democracy must not be sacrificed in the process. Strong cybersecurity should also mean strong democracy. It should protect Canadians from foreign threats without opening the door to unchecked government overreach.
New Democrats will continue to push for changes, independent oversight, stronger privacy protections, fair treatment for workers and communities, proportional penalties and sector-specific flexibility. We can protect Canadians from cyber-threats without trampling on rights, without ignoring workers and without undermining our economy. Bill C-8 is an opportunity to strike the right balance, but right now it does not seem well equipped to do that.
Canadians want more answers, transparency and oversight from overreach, as we have seen the tendency of the new Prime Minister to move headlong toward centralization without considering the consequences for public policy and its effects on everyday Canadians.