SECD - Standing Committee

National Security, Defence and Veterans Affairs


THE STANDING SENATE COMMITTEE ON NATIONAL SECURITY, DEFENCE AND VETERANS AFFAIRS

EVIDENCE


OTTAWA, Monday, November 18, 2024

The Standing Senate Committee on National Security, Defence and Veterans Affairs met with videoconference this day at 4 p.m. [ET] to study Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts; and to examine and report on issues relating to national security and defence generally.

Senator Hassan Yussuff (Chair) in the chair.

[English]

The Chair: Good afternoon, senators. Before I begin, I would like to ask all senators and other persons in the room to consult the cards on the table for guidelines to prevent audio feedback incidents. You may see a little thing right beside you there, so if you can refer to that, it will be helpful.

Welcome to this meeting of the Standing Senate Committee on National Security, Defence and Veterans Affairs. I’m Hassan Yussuff. I’m from Ontario and the chair of the committee. I am joined today by my fellow committee members, who will introduce themselves starting on my right with our colleague and deputy chair.

[Translation]

Senator Dagenais: Jean-Guy Dagenais from Quebec.

[English]

Senator Richards: Dave Richards, New Brunswick.

Senator M. Deacon: Welcome. Marty Deacon, Ontario.

Senator McNair: John McNair, New Brunswick.

Senator Ross: Krista Ross, New Brunswick.

Senator Dasko: Donna Dasko from Ontario.

Senator LaBoucane-Benson: Welcome. Patti LaBoucane-Benson, Treaty 6 Territory, Alberta.

Senator Kutcher: Stan Kutcher, Nova Scotia.

Senator Cardozo: Andrew Cardozo from Ontario. Mr. Chair, I look forward to your first meeting as chair. Congratulations.

The Chair: Thank you. I have the gavel.

Today we continue our consideration of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

We will hear from these three panels of witnesses who will share their insight on this bill. In the first panel, I’m pleased to welcome in the room today with us, David Shipley, Chief Executive Officer and Co-Founder, Beauceron Security Inc.; Todd Warnell, Chief Information Security Officer, Bruce Power; and Sharon Polsky, President, Privacy and Access Council of Canada.

Thank you very much for joining us today. We invite you to provide opening remarks to be followed by questions from our members. I remind you that each of you will have five minutes to present. We’ll begin today’s presentation with Mr. David Shipley. Please proceed when you’re ready.

David Shipley, Chief Executive Officer and co-founder, Beauceron Security Inc.: Thank you so much. I appreciate the opportunity to be here today.

My name is David Shipley, and I am the chief executive officer and co-founder of Beauceron Security Inc. I am also a co-chair of the Canadian Chamber of Commerce’s cyber council.

Beauceron Security works with global banks, national telecommunications companies, provincial and municipal governments, higher education and more, helping educate and motivate individuals to make good decisions about technology so they can reduce their cyber risk and thrive in a digital world. We serve more than 1,090 clients, primarily in Canada but also in the United States, Europe and Africa.

I support the need for this legislation. We need this now more than ever. We’re far behind our allies, and we’re risking the safety and prosperity of Canadians every day that we delay.

I draw your attention to April 2023 when we learned through a U.S. intelligence leak that a Canadian pipeline provider was hacked by the Russian hacking group Zarya. Zarya’s intent was to cause economic damage, and its attack could also have risked human life. Here we are, a year and a half later, still working through the laws that we hope someday will reduce this risk.

I was recently informed there were other attacks on Canadian critical infrastructure that did not garner attention that could have posed safety risks.

I want to acknowledge that important changes I, my colleagues on the cyber council and others advocated during parliamentary hearings have been reflected. The deletion of clause 10 and subsequent restoration of the due diligence defence, the removal of the requirement for immediate reporting of cybersecurity incidents and the harmonization with existing obligations in North America were all needed changes.

I do believe there are more changes that could be made to this bill to ensure that it serves its purpose best, although I’m cautious that any amendment process could potentially jeopardize the bill passing in a timely fashion. However, it is worth noting that the proposed addition in Part 1, clause 6, no compensation, to the Telecommunications Act should be considered for an amendment to look at compensation for telecommunications service providers under the following circumstances. For example, if an order required a change of a technology vendor at immediate cost to the business without the ability of the organization to phase out the technology or service in a planned fashion in accordance with their technology life cycle plans or over a period of multiple years so that changes can be budgeted and accounted for so they can be entitled to some compensation, particularly when thinking of regional service providers who don’t have the wallets to do these kinds of changes at a moment’s notice.

The sections of the law that deal with individual liability remain hugely problematic. I can personally attest to several senior cybersecurity leaders, specifically chief information security officers, in critical infrastructure who have indicated they intend to quit their jobs if the law passes as it stands, which will only serve to make things more dangerous in our critical infrastructure sectors. The number of experienced cybersecurity leaders looking to leave the field due to stress and burnout is already at crisis levels, with nearly half looking to leave the role.

I believe individual liability, if it is to be maintained in the law, should solely be limited to directors of a corporation as this is the group charged with setting the risk appetite, ensuring governance structures and ensuring resources required to comply with the law.

The importance of two-way information sharing. As it stands, the legislation only contemplates one-way reporting, and it remains a huge missed opportunity.

I would be remiss if I didn’t take the opportunity to point out that while I strongly support the need for this legislation, it represents the bare minimum legislatively that the federal government can do to help protect Canadians.

By focusing Bill C-26 on federally regulated sectors in telecommunications, financial services, energy transmission and transportation, the government focused on federal responsibility over national security in the broadest sense. These sectors are already the best resourced and best defended in the country.

This law does nothing to protect our health care system, which has borne the brunt of repeated major disruptive attacks, such as what happened in Newfoundland and more recently in Ontario. These attacks go beyond terrible impacts on privacy, such as the leak of reproductive health choices or nude images of people battling various cancers, they can have life-threatening impacts as has been recently stated by the head of the World Health Organization and in recent U.S. research on health care ransomware attacks.

Our increasingly high-tech agricultural sector, which now has fully automated smart tractors that are vulnerable to severe disruption, remains without a proper strategy or focus.

Nor does this law help Canadian small businesses and everyday citizens who are suffering from an increasing plague of AI-powered cyber fraud.

These are but three glaring examples of the growing national threats due to cybersecurity at a time when the federal government has still yet to publicly announce its updated strategy from 2018.

I urge the Senate to publicly study the ransomware plague, the crisis in health care cybersecurity and the future national security implications of an increasingly hostile digital world.

I look forward to discussing Bill C-26 with you further and answering what questions you may have for me. Thank you.

The Chair: Thank you, Mr. Shipley.

Todd Warnell, Chief Information Security Officer, Bruce Power: Thank you, Mr. Chair and members of the committee. My name is Todd Warnell, and I am the chief information security officer at Bruce Power.

Established in 2001, Bruce Power is Canada’s only private sector nuclear generator, annually producing about one third of Ontario’s power and life-saving medical isotopes used globally to fight cancer around the world and sterilize medical equipment globally.

I am grateful for the invitation to participate in your review of Bill C-26. Today, I will focus my comments on the imperative need for proceeding with the implementation of this legislation, particularly Part 2 of the bill, namely the critical cyber systems protection act, or CCSPA.

Bill C-26 represents a pivotal first step in fortifying the resilience and security of Canada’s critical infrastructure to ensure the safety, reliability and integrity of essential services for all Canadians. This legislation is not merely a policy proposal but a commitment to safeguarding the backbone of our nation’s economy and security in an increasingly complex and evolving global cyber threat landscape.

Within Canada’s nuclear industry, we have demonstrated that through collaboration with government, regulators, industry, academia and individual Canadians, we can successfully establish and regulate cyber systems that are crucial to the safe and reliable operation of critical services.

Bill C-26 aims to secure essential systems, encourage proactive risk management and enable responsible government intervention in cases of significant cyber-threats. The critical cyber systems protection act will introduce a broad framework from which all critical sectors in collaboration with government and regulators can develop and implement risk-informed and performance-based regulations to enhance the reliability and resilience of critical services.

There are several key benefits to proceeding with Bill C-26. Namely, strengthening national security and safety. Bill C-26 is crucial for protecting national security by requiring both private and public organizations within critical infrastructure sectors to adopt robust cybersecurity practices. As cyber-threats evolve and become more sophisticated, securing critical infrastructure and services is paramount to maintaining national security and public safety.

Enhanced risk management. By enforcing mandatory risk management practices, the bill helps organizations move away from a reactive posture to a proactive approach that minimizes risks before they escalate into actual incidents.

Government authority in high-risk scenarios. The bill empowers government authorities to intervene in critical infrastructure during severe threats. This capability is crucial for responding swiftly to imminent attacks or breaches, preventing or minimizing potential damage to essential services, and maintaining public trust.

Alignment with global allies. Our allies are implementing or strengthening similar cybersecurity laws in their nations. Bill C-26 allows Canada to align with international partners and makes it easier for Canadian companies to operate globally within secure and trusted frameworks.

Finally, economic security. Cyberattacks on critical sectors can have far-reaching economic implications. By ensuring key industries and services are protected, Canada also safeguards its economic stability, helping prevent the cascading consequences that could arise from disrupted infrastructure.

In conclusion, Bill C-26 is a well-intentioned first step to address the pressing issue of cybersecurity in Canada’s critical infrastructure sectors. Thank you for the opportunity to address the committee, and I look forward to your questions today.

The Chair: Thank you, Mr. Warnell.

Sharon Polsky, President, Privacy and Access Council of Canada: Thank you so much for the invitation to address the committee today. I’m Sharon Polsky, president of the Privacy and Access Council of Canada, or PACC, an independent, non-profit, non-partisan organization that is not funded by government or industry.

Since its launch more than 30 years ago, the internet has become an integral part of our everyday lives. It enables research, commerce, communication and democratic freedoms. The internet also facilitates harmful conduct such as harassment, ransom demands, hostile activities by unfriendly states — all sorts of behaviours that existed long before the internet enabled such abhorrent activity to be carried out with great ease and broad reach.

Bill C-26 is one of several bills advanced by Canada’s government to protect Canadians from such harms, but it also illustrates how proposed cures can be worse than the disease itself. In the name of strengthening cybersecurity, the bill grants the government sweeping power to order telecommunication providers — the very same telecoms that are now the repositories of our most intimate, sensitive and health-related data — “. . . to do a specified thing or refrain from doing a specified thing . . . .” Similar powers, of course, apply to operators designated under Part 2 of the bill.

Bill C-26’s omission of vital democratic checks and balances to constrain such alarmingly broad powers rightfully sparked an avalanche of criticism, because this is not a zero-sum game. I think we can all agree on the need for cybersecurity, but not when it’s at the cost of our civil liberties. I do want to acknowledge the work of members in the other place in curbing some of this bill’s most egregious excesses, but even with that, Bill C-26 contains significant flaws that risk compromising civil liberties and cybersecurity. Let me give you a few practical examples.

First, Bill C-26 gives the government the power to order telecommunication providers to adopt standards that actually weaken encryption and privacy with it. This endangers the freedom of everyone in Canada, including political representatives, to safely engage in national and international commerce and communications and enjoy private communications.

Second, Bill C-26 allows the government to indefinitely keep secret any order made to telecoms and other designated operators. While secrecy might be warranted in some circumstances, it should not be the default or allowed to remain indefinitely. Such excessive secrecy shields accountability, undermines trust and precludes our members and, indeed, all Canadians from being able to understand how government uses its powers and hold it to account.

Third, Bill C-26 allows the minister to require telecoms and designated operators to disclose personal and de-identified information. Once collected, the information can be shared across “government 2.0” and with foreign entities, and easily re-identified in many cases. PACC members work hard every day to safeguard privacy. It is alarming to know that their work risks being undercut by the secret stroke of a minister’s pen.

Fourth, Bill C-26 dramatically expands the Canadian Security Establishment Canada’s, or CSE’s, ability to obtain personal information from telecoms, financial institutions and many other companies that Canadians now trust, but it lacks the safeguards needed to constrain how the CSE can use that information. Indeed, the testimony of CSE officials makes it clear that they fully intend to use the information that they gather for both offensive and defensive purposes, and share it with their Five Eyes partners.

In short, this legislation remains fundamentally flawed from a privacy perspective. That’s why we, along with other civil society organizations and experts across Canada, have submitted recommendations to address these flaws.

Let me be clear and echo my colleagues here on the panel. We want to fix this legislation, not kill it. We recognize that cybersecurity is a team sport and that public trust is critical for this to be a win. But a bill that fails the democratic legitimacy test will fail to strengthen cybersecurity and trust. I know there has been some discussion about not letting the perfect be the enemy of the good, but in its current form, with respect, Bill C-26 is far from good. It needs fixing, and it is fixable.

If adopted, our proposed amendments, which are balanced, practical and achievable, will result in a cybersecurity framework that all Canadians can trust. Given the Senate’s constitutional role, you have a critical part to play in ensuring that Bill C-26 delivers strong cybersecurity.

Senators, you have the ability to amend Bill C-26 to broaden oversight of its implementation and operation to ensure it protects privacy, delivers genuine accountability and upholds the rights of everyone in Canada. I look forward to your questions.

The Chair: Thank you, Ms. Polsky.

We will now proceed to questions. As usual, four minutes allotted to each question, including the answer. I ask that you keep your questions succinct in an effort to allow as many interventions as possible. I offer our first question to our deputy chair, Senator Dagenais.

[Translation]

Senator Dagenais: My question is for Mr. Shipley. Just last week, the government authorized its agencies to advertise on TikTok, yet it is telling us to proceed with caution if we use it. That’s surprising, especially considering the warnings issued by the former director of the Canadian Security Intelligence Service, David Vigneault.

Basically, government agencies can advertise on a platform they consider hazardous to Canadian citizens. Does this indicate that the government doesn’t always take cybersecurity issues affecting its citizens very seriously? I’d like your thoughts on that.

[English]

Mr. Shipley: Thank you so much for the opportunity to talk about this. I have spoken to the media about this particular issue. There is, obviously, an incongruity between what I think is a very significant national security threat — because it certainly takes a great deal of action to get a minister of the Crown to take the actions they have now proposed to take with TikTok to shut down business operation. If we take that on the surface as true and valid — there is a body of evidence to support that TikTok’s ownership structure ties back to the Chinese Communist Party and is bad for Canada — then it is foolish to spend money on advertisements there. As I pointed out to the reporter, first of all, if you’re saying you can’t trust this company, and you’re going to give them millions of dollars in ad money to run ads, how do you know they even ran the ads? You can’t trust them. It’s not the first time that we have seen national security and political interests on two different tracks. I think it would be great if we could have a consistent message.

Unfortunately, with the change in government expected in the United States, the TikTok expulsion is probably not going to happen now. I think the whole issue of social media ownership, beneficial ownership and manipulation requires a serious adult conversation in this country, and we’re not getting that leadership right now.

[Translation]

Senator Dagenais: You’ve already commented publicly on the theft of personal information in the health sector, for example. I’m talking about major pharmacy chains that have that kind of sensitive information on their computers. Are you satisfied that Bill C-26 does enough to address that? Does it reassure you in that regard? What risks are Canadian citizens exposed to in terms of their personal medical information?

[English]

Mr. Shipley: This bill does absolutely nothing to protect Canadian health care system privacy or the availability of health care in this country, purposely so because it was determined to limit to the federal scope.

My ardent support of getting this done is born out of hope that we can move on to much-needed other conversations. When we talk about this, in Newfoundland, an interviewer — and I encourage you to go back and see the CBC coverage of this — as the crisis unfolded, he asked if the information included people’s reason for being admitted to a hospital in Newfoundland, to which the answer was “yes.” That meant every person who went for an abortion in that province had that information potentially exposed.

Not just that, we think about privacy and we think of the horrible implications. Years ago, we had a LifeLabs breach that involved people’s sensitive blood tests. We also have five hospitals in Ontario that were crippled for a period of time. What we know from U.S. studies and the World Health Organization is that when hospitals go down, patient outcomes suffer. People die. I could not put it more plainly.

The inability of this country to get beyond a Constitution that was thought of in the 19th and 20th centuries to contend with 21st century problems is a big issue. I don’t care that health care is a province’s jurisdiction. If I can tie outcomes to hip surgery, I can tie cybersecurity to federal government funding. I don’t understand what it takes to get the government to care.

Senator Kutcher: Thank you very much for being here. I just want to follow up on Senator Dagenais’s issues around the health care issue. Any of you may please comment on this.

The reality is that health care is primarily a provincial and territorial responsibility, and it is fiercely guarded as such. The federal government does have primary authority for some parts of health care, such as the military, the RCMP and Indigenous populations.

Cybersecurity issues around health care — my way of thinking, and I could be wrong on this — cluster into two areas, one being personal health data — the privacy side — and the other being the health care infrastructure — the ability to run your hospital, make sure that the electricity doesn’t shut off the intensive care unit, or ICU, beds, et cetera.

Given those multiple challenges and given that this legislation is federal, do you have suggestions or thoughts as to how we can deal with this health care conundrum through this piece of legislation?

Ms. Polsky: I would love to offer a few comments.

One of the things that I have seen is that, yes, security is important, but we don’t have enough people who know what they are doing or are properly trained to actually make sure that systems are secure. There are vulnerabilities. Every system, even a key-lock system, has workarounds because whatever the technology is, the biometric is to let you into the office and I don’t happen to have that, whether it’s a fingerprint, an eye scan or whatever, there has to be a workaround. Otherwise, you might be considered to be discriminating against me for health reasons. So there is always a flaw.

That’s one side of it. That’s the operational side.

From a privacy side, when anybody goes onto a website — and this is regarding a vast majority of websites, including the Canadian Association for Mental Health. I did a quick scan of their website over a year ago, then a few months later and a few months later. Never mind the massive amount of cookies — like 58 of this type and 35 of that type — which are sending information to other websites. Before you even see the website, the fact that you are there requesting that website has been communicated secretly to Meta, which is Facebook. You fill in a form that says, “I want to contact you.” Why would I want to contact you? Incest, suicide, mental health — whatever — that information has been communicated.

If somebody gets a hold of that, it’s not just whether I went to a hospital and why; this is a completely different matter. This is around mental health issues. That makes somebody vulnerable if there is an interested party who wants to use that information.

That is a huge risk. Yes, it’s health information, but it’s federal because it falls under the Personal Information Protection and Electronic Documents Act, or PIPEDA, and — forgive me for straying — Bill C-27 won’t improve that situation.

Mr. Warnell: I’ll offer a perspective to your question, senator.

We define 10 critical infrastructure sectors in Canada. This bill expressly talks to four that the federal government has more direct control over. It is an important first step in driving the conversation around the requirements and the capabilities to ensure safe outcomes in those sectors, and it can set a trailblazing path toward informing and working through collaboration with the various levels of government, whether provincial or municipal, on the importance of this topic.

We could, as individual Canadians and in this body, talk about how we can make the bill more inclusive and cast its net wider, but at the same time, the threat landscape continues to evolve. Standing still in defence of “hey, we should go further into health or further into food or water systems,” I think, would be a disservice to the threat that is happening right now. The first step will be the most important step, and then we can continue to tackle and model what “good” looks like across other critical infrastructure sectors as well.

Mr. Shipley: There are things the government could do very quickly. They could actually form a centre of excellence in what ideal state health care cybersecurity at a provincial level should look like. They could get agreements with each of the provinces — because no province says no to more money — to say that, in exchange for this net new funding, here are the digital security standards we could get to. Health Canada could play a better role in making sure that medical devices are actually secure by design and updated. They could coordinate better with the provinces on that.

We could be forming better agreements with the provinces to respond and share lessons learned through a cybersecurity review board that, when a hospital gets hit, asks how it happened. We should be as transparent with a hospital ransomware incident as we are with a plane crash, because it causes harm and we need to learn everything we can from it.

Those are all things they could do now.

Senator M. Deacon: Thank you for being here today.

I would like to address my first question to Mr. Warnell, if you don’t mind. It concerns international cooperation.

Last year, the Bruce Power site took part in a blended cyber and physical mock attack with industry peers at the Los Alamos National Laboratory in New Mexico, something I understand that was a first-of-its-kind simulation. I am wondering how important peer-to-peer cooperation is for you. Is it easy enough to share this kind of information with trusted international peers in your industry? Also, does this bill in any way assist, enhance or hinder security cooperation?

Mr. Warnell: Thank you for your question.

The exercise we did complete through the Canadian national labs in conjunction with national labs down in the United States was, in fact, the first blended joint cyber-physical full-scale security exercise in the nuclear industry. It demonstrated a number of key elements. Cross-border allyship is important to driving lessons learned and expanding our body of knowledge around where we can enhance our defences and capabilities from a different point of view from what we had solely in the Canadian nuclear landscape.

We benefit within the nuclear industry of having both national and international networks of operational experience sharing what we have benefitted from, for decades. We draw upon that, whether it’s about getting better at work-management practice in the factory or power plant, or in a better supply chain practice or cybersecurity practice. That ability to share across borders and with trusted international partners is paramount to securing capabilities and driving maturity of what we do every single day. We’ve had that in place for many decades.

This particular legislation, as it becomes part of Canada’s landscape, sends a signal to our international partners that we are taking cybersecurity seriously, and it welcomes us to the table of those important conversations where those practices and learnings about the threat landscape — that could be changing or emerging — gets shared. It could be a preventative approach for the Canadian landscape versus being left on the outside.

I think it very much is an important element of international cooperation to ensure that we can be best informed to either prevent and/or respond to events as they unfold.

Senator M. Deacon: Thank you.

Mr. Shipley, in the past, you’ve appropriately expressed some concerns around the regulatory making process that will follow this bill, stating to the Canadian Chamber of Commerce earlier this year that the regulations, such as the Office of the Superintendent of Financial Institutions, or OSFI, are experienced, but others are being given this responsibility for cyber for the first time.

The minister, when he appeared, said there will be a very thorough consultation process in crafting the regulations. I’m wondering if that statement eases some of your concerns, heightens some of your concerns or what you might suggest to the government to lead them in the right direction?

Mr. Shipley: I am open to the regulatory review process and what that could unfold. I think my concern is going to be more about how things get executed at the departmental level, and I don’t think regulations are going to do that. It’s going to come down to who they have and the talent, the resourcing and experience that they’ll have.

Telecommunications is really important to us, and they previously had a very collaborative relationship through the Canadian Security Telecommunications Advisory Committee, or CSTAC, so industry and government working side by side. Now, you are going to have a regulator responsibility, and if we have people that don’t have the experience on the government side making a regulatory call, they could potentially cause more harm than good if they don’t have the experience. It’s going to take years for them to build that up.

We are expecting Innovation, Science and Economic Development Canada, or ISED, to arrive at the same specification that OSFI has had 30 years to build to. It’s in the execution of this that we will succeed or fail.

Senator Cardozo: My question is for Mr. Warnell.

I wonder if you could just tell us a little bit more about the cybersecurity threat that you face, without going into too much detail — this is a public meeting — and how you cooperate with the other partners across the country who are either producing or dealing with nuclear power in one way or another?

Mr. Warnell: Absolutely. Thank you for your question.

Given that this is a public forum, I’ll keep it to what has been publicly disclosed. What has been disclosed in the threat landscapes facing critical infrastructure in North America over the last two years has been unprecedented. The volume of unclassified information — you might have heard of threat actors known as Volt Typhoon and Salt Typhoon, for example. You will hear large disclosures through our joint partners in the Five Eyes around the threat these Chinese national state actors and aligned actors are prepositioning in critical infrastructure, including the electrical distribution network, in the event of a larger scale geopolitical challenge.

This would have been previously — I would say — very tightly held pieces of information. The threat is so imminent and so real that our intelligence communities have been able to work through the various channels to get that information declassified, to talk about the importance of it to the public and to us in areas of particular influence or power to make differences and to drive change. That’s to speak to the threat landscape.

Through that, we work — much like other critical infrastructure industries — with our industry peers to share operating experience or operating intelligence across our organizations to see if a particular threat of someone knocking at our door is impacting other infrastructure operators. As well, through the Energy Security Technical Advisory Committee, or E-STAC — which is the equivalent to CSTAC — has formed, coming out of the events last year at Suncor, where they suffered a major ransomware event and really pushed the energy providers outside of nuclear to come together and start to operate as one party in defence of our operations.

It’s been a really good change, over the last 18 months to 2 years. The threat is real. It has been publicly disclosed, and, again, it is why standing still is not an option for Canada or for any other allied nation.

Senator Cardozo: Thanks. If I have a little bit of time, just make this a quick response by Mr. Shipley and Ms. Polsky.

In terms of other sectors, is it possible that we get to this down the road when we deal with the sectors we’re covering here? Ms. Polsky, I think you’re saying that’s not the issue. There are just some issues around civil liberties that need to be fixed that cannot be fixed later.

Ms. Polsky: Issues around civil liberties need to be addressed now, but I also look at the practical side of implementing this legislation. Really, every organization in Canada, whether it’s federally regulated or not — health care — they all, long ago, were supposed to be doing all of the things that we’re talking about today: Securing their networks, training their people and having policies in place so they can comply with the privacy laws.

This is going to be another massive onus and huge obligation on organizations of all sorts. They’re already behind the eight ball.

Mr. Shipley: We need to get this done, because we can’t keep the lights on and the natural gas flowing. That’s a primal survival issue for us. We have to get moving, as Mr. Warnell said. Again, we almost had a pipeline explode in this country, so we must move. We can’t stop here, and if we wait another 10 years, there is so much Canadian suffering we are not going to prevent.

With respect to the privacy laws — which my colleague is more suited to — I’ll say this: Our laws are toothless. There are no consequences in this country. The reason people don’t spend money is because when organizations realize there is no consequence, they go to other risks.

Privacy and security are linked. If there are no consequences, they don’t invest in privacy, and when they don’t invest in privacy, they aren’t secure either.

[Translation]

Senator Carignan: My question is about how confident the government can be that it is in control of elements of cybersecurity. I’m talking about how the government handles attacks and its cybersecurity vulnerabilities.

When cybersecurity drills were done, also known as cybernetic simulations, only 25% of the departments did those simulations.

Is there a chance companies will lose confidence in the government, which isn’t even up to standard itself? Will people and businesses have so little confidence in the government that it will be difficult to enforce Bill C-26?

[English]

Mr. Shipley: I want to be very clear that I have a lot of faith in the civil servants in this country, the hard-working men and women in various departments that are doing everything they can to protect the Government of Canada. I have had the privilege of meeting a great deal of them, and we have some tremendous talent.

What we lack in this country is a political interest in this issue, and you can see that in that they have a strategy that they just can’t be bothered to decide how much they want to spend and release.

You can see that when Joe Biden got upset at what happened with the Colonial Pipeline in the United States and said, “We will respond to this threat with the whole of government,” which is the same as they respond to terrorism, and we’ve never had our Prime Minister hold a summit in this country about the crisis. Newfoundland, Ontario, London Drugs — on and on and on — and British Columbia fully compromised by a foreign nation state to the extent of years’ worth of damage, and we can’t get a meeting at the senior political level.

It is to the government’s credit that Jennifer O’Connell is now a parliamentary secretary, which is progress. She’s phenomenal, but we need prime ministerial attention because it matters when a prime minister gets up and says, “We’re not going to be your punching bag or ATM anymore for cybercrime; we’re getting serious.” Australia has done exactly that, and they’re not that different from us. We’re not getting out of bed, and in the world we’re walking into in 2025, that means it’s open season on the maple leaf, and it’s not going to be good for us.

Ms. Polsky: That’s putting it gently, but I also look at the other side. When there is a breach — never mind an exercise to earn the public’s trust — the Office of the Privacy Commissioner of Canada is notified, and that’s as far as it goes. The public has no way of knowing that there has been a breach. There is one place in the world that I have found where a breach notification is publicized: California. Other than that, nowhere.

We’re always told to make sure where your information is going. The onus is put on us individually, not the tech companies, not governments. How can you or I make that determination when it’s opaque? As Mr. Shipley said, it’s a matter of political will, which has not been evident for a very long time. We have fallen behind, and we’re scrambling to catch up. That’s never a good position to be in because reactive is in panic mode instead of being thoughtful, proportionate, reasonable and practical.

Senator Richards: You just answered my question, Ms. Polsky. In a way, this is an existential threat, and this bill is only — as has been said — a first step. Security measures might become more extreme and revamped as time passes. As a matter of fact, they’re going to have to be. How can we ever keep up with the ongoing threat? If we do that, how do we better coordinate privacy and national security?

Ms. Polsky: Having the obligation and the liability on the executive is a tremendous idea. Think back to Enron, if anyone remembers that. Again, as Mr. Shipley said, our laws are toothless. Jennifer Stoddart said as she was leaving office that the privacy law could use more teeth. There is no penalty. Organizations can now do as they wish. That’s the private sector and also the public sector, because if there is a fine it comes out of this taxpayer pocket of dollars and goes into that taxpayer pot. It’s all taxpayer dollars being shuffled like a shell game, but nothing has been changing — to our detriment individually and collectively.

Senator Richards: Mr. Shipley, can you say that this bill is good enough or that it will be revamped within a couple of years, and will we be able to keep up with the ongoing threat?

Mr. Shipley: This law started in 2022, and we’re still not even through the Royal Assent phase so that we can get to the regulatory work to have it implemented to even know when the phase-in date will be. As much as I wish that there were still changes to be made, I would sacrifice those changes at this point to at least get the ball moving farther and hopefully advance the political conversation and say, “Okay, we have our plan for the four sectors. What are we doing about health care? What are we doing about agriculture? What are we doing about personal car safety?”

It’s one thing to say that we’re going to ban Chinese electric vehicles because we’re worried about it, but I guarantee there are bigger problems across every car manufacturer that is connected to the internet right now.

We can’t have any of those conversations if we can’t even tie our shoes.

Senator Richards: At which stage would you say that national security is with this?

Mr. Shipley: We are at the whim of people who want to cause us harm. The only thing that keeps us safe right now is whether someone wants to take a swing at us. Our face is out there, and we’re going to take it on the nose.

Senator Richards: Thank you.

Senator Batters: First of all, I want to make a comment regarding this discussion in which we are saying, “Hurry up; get it done; it’s good enough; let’s get something done.” I agree that this is a very important topic, but the Senate has only had this bill for about two months, because we received it on the very last day we were sitting in June, and we started sitting again in September. Public consultations on this bill began as far back as 2016. It then took two years for this federal government to generate a national cybersecurity strategy, and then it took four years to introduce this bill and another two years to get to the Senate. It’s our job to make bills better than they are when we get them, so we should take a little bit of time to be able to do that properly.

In that regard, I’d like to ask Ms. Polsky from the Privacy and Access Council of Canada a question. When you referred to the proposed amendments to detail some of these very concerning issues — and I agree with you that some of them are very concerning — I’m assuming that that’s contained in here. I’d like to give you a bit of time to describe what you think are the two most important ones, if you had to narrow it down. I know it’s difficult to do, but if you have to do it, which ones would you focus on, and if you could describe for us and for Canadians how those could improve this bill.

Ms. Polsky: I’m sorry, I hate questions like that. We’ve narrowed it down to the top most important ones, and they are all important; it’s a short list. Following from the previous question is on the consultation side.

At this point, to earn the public’s trust to ensure that this piece of legislation actually does what it’s designed and intended to do is to have a much more open consultation process as opposed to saying, “We consulted Canadians.” Which ones?

We’re not entitled to find out. Our government doesn’t say these things. Allowing consultation, ensuring consultation with the requirement that the consultation results actually be considered and implemented as opposed to saying, “Thank you very much, we consulted; consultation ends today, and we’re putting it in tomorrow.” That’s what we’ve seen until now.

Accountability and transparency are absolutely vital. We haven’t had that until now. There’s so much in this piece of legislation that is opaque and secret, and people are going to wonder why. We can look to the United States with the Foreign Intelligence Surveillance Act, or FISA, court orders — the secret orders — where people weren’t allowed to contact a lawyer to say, “I received this order; what do I do?” because that was prohibited. We can’t allow that level of secrecy. Whatever happened to open courts, regular rule of law and democratic processes? We don’t know whom this shields, and that’s part of the problem. It creates a shield against accountability, which will engender mistrust.

Senator Batters: I agree with you, and the issue of potentially secret courts, orders that defendants can’t even know about or know what they might be facing, is something that I raised in my second reading speech about this bill. I’m the critic of the bill.

That’s something I’d like you to explain a bit more for us. How would your amendments on that issue help to improve this bill?

The Chair: Sorry, Ms. Polsky. I hate to cut you off, but Senator Batters is out of time. If we have a chance to come back, we’ll have an opportunity. If not, you might have to submit it in writing. I apologize.

Senator McNair: Thank you to the panellists for being here today and your testimony today in front of us. You’ve all made clear your views on whether the legislation should go forward or not.

Mr. Warnell’s comment was that this is a well-intentioned first step and that we’re taking cybersecurity seriously. Two of you have mentioned the fact that we’re not keeping up or we’re lagging behind our Five Eyes allies. What’s the impact of that? Do you see it getting to a point where they aren’t going to be sharing information with us anymore if this legislation isn’t passed as a first step?

Mr. Warnell: I’ll share a point of view on that, senator, without any insider knowledge or perspective. I would argue that when one party in a group is not pulling its weight, they usually get left behind. I would expect that a similar behaviour or outcome could be facing Canada if we do not create the right tool and capabilities in our national law to be able to stay at least aligned with our most important allies.

Ideally, I’d like to see us leading the pack. We have amazing capabilities, leaders and technologists in the organizations that do this on a day-to-day basis on behalf of the Government of Canada. We need to be able to help them do their best, not only in Canada but for nations around the world.

Mr. Shipley: I think we don’t necessarily risk the intelligence side, although I don’t have specific expertise on that. My greatest thing is if you’re the weakest kid in the group and someone wants to send a message, you’re the kid that’s going to get the beating. This is the risk that we run in terms of the schoolyard that are global affairs now and is going to be really brutal. I don’t want to be that.

If you want to see what it looks like to be the squeaky toy of the Russians, look at what they did to Ukraine before they invaded. They crippled their power grid twice to 200,000 people in the winter to send a message. We’re next if we don’t get serious.

Senator Dasko: Thank you, witnesses. I have a follow-up on your comments, Mr. Shipley, about the lack of political will. Would you say that the fact that there is a bill indicates that there is political will?

Mr. Shipley: No. I will raise the point raised by a senator earlier about the time it takes a bill to get there. You saw political will with Bill C-70 on foreign interference. You saw the speed at which we finally oriented to the threat that we were taking seriously.

This bill is here through probably a lot of blood, sweat and tears from the people working behind the scenes to protect this country. It’s here in spite of a largely political will, I feel, at this point. I would love to be wrong.

Senator Dasko: You spoke about the regulatory framework that’s behind this and that lays down the road. Of course, with some bills, a lot of the regulatory work has already been done.

What is your perception of how much of that work is done? It may be the case that as soon as the bill is passed, the regulatory framework could be close behind, if I can put it that way. That is the case in some situations. In other situations, there is a lot of work left to be done. What is your sense of the work that’s been done?

Mr. Shipley: From the conversations I have had with officials and others, I think our best-case scenario is within a year of Royal Assent that the regulation process could be done. I don’t think it will be any faster than that. That means we have at least another year after the law passes before the regulations are finalized, and then whatever coming into force period may come in. We’re still talking about two years from now, when there might be some accountability and additional tools to protect us. That is why my sense of urgency is so high, notwithstanding the flaws in the bill. We are still a year or two away from this actually meaning anything. That’s where my perspective is on the time frame.

Senator Dasko: Mr. Warnell, Bruce Power obviously has very sophisticated systems already. Is this bill going to do anything or change anything that your company is doing?

Mr. Warnell: In respect to this bill, I think the nuclear industry in Canada is an indication of what “good” could look like. In fact, we’ve already been working for the better part of two decades hand-in-hand with our regulator, the Canadian Nuclear Safety Commission, with nuclear operators, with the nuclear supply chain partners, and with academics both internationally and within Canada to develop performance-based standards. We’re fortunate that we are out-of-the-gate early, and we want to be there because it’s the right thing to do and it’s the safe thing to do.

This bill will have an impact on all industries. However, I think we are at a state of higher maturity to the ones that would be impacted the least from a degree of change. But we welcome the other industries that are both directly affected by this bill and those that we want to be effect through influence through the other critical infrastructure sectors to learn from what we’ve done, why we did it that way and why we believe it’s an effective way to work forward on a safer Canada.

Senator Dasko: Basically your work is almost entirely done already.

Mr. Warnell: I wish I could say that. The job we do is never done because the landscape and the threat is always changing.

Going back to one of the questions from a senator earlier, one of the primary critiques of this bill in its early stages is that it’s very broad and wide. That is purposeful. I would expect the intention is not to trample civil liberties but to be quick to respond to a very fast-changing landscape and the threat dynamics that are changing hourly, daily and constantly. I have trust in Canadians at all levels of government, regulators, et cetera, to drive the right outcomes, and the broadness of the bill is actually the purpose to be able to respond. If you tried to regulate and legislate every scenario, every moment, we’ll be talking about cybersecurity on Commodore 64s in 2032. It will take that long to get through the legislative process. The broadness is an important facet of enabling us to be a safer Canada.

Senator Ross: Mr. Shipley, you used the term “bare minimum” in your testimony. Mr. Warnell, you used the words “first steps.” Could each of you suggest additional safeguards that could or should have been included in Bill C-26? What would they be?

Mr. Warnell: I’m happy to reiterate what I said in my opening comment about embracing and driving performance-based standards and not prescriptive standards. It’s easy for someone to say that you should have a firewall in the regulations. If a firewall is no longer relevant two years from now, having that in the regulations because the law told us to do so is ineffective. Moving to performance-based, the organizations will take action to defend against this type of threat or that type of capability, and that will be changing over time. I would highly recommend that the language lean towards performance-based standards as it would serve Canadians well.

Senator Ross: Thank you.

Mr. Shipley: In terms of additional safeguards, I think Mr. Warnell said it very well. The breadth of this legislation enables the kind of flexible thinking we need to have. I wouldn’t add anything else to this bill.

I would like to have narrowed the scope of individual accountability. I’m not in favour, in general, of piercing the corporate veil. We started down this road with the Canadian anti-spam legislation because there were known bad actors using corporate structures. I understand having the stick to drive compliance, but I don’t necessarily believe it was warranted in this case or that it absolutely should be directed at people who are not directors of a company. I’m willing to let that one go and get dealt with in the future.

I still think it’s profoundly unfair to small Canadian telecommunications carriers that through no fault of their own are told they have to get rid of their gear and they’re stuck with the bill. I think there could have perhaps been a means-based approach or a fairness piece to that. But again, in the urgency — and I hear the senators’ frustration — six years, which is ridiculous, to get this done, but now we’re in a bad neighbourhood globally and we’d better get moving.

Senator Ross: Telecom companies here in Canada outsource a lot of their operations. It enables them to reduce some costs, but it also costs jobs in Canada. Can you speak to how this might threaten privacy protection, weaken telecommunications services or open ourselves up to cyber-threat?

Ms. Polsky: When your information is being accessed by someone in some other country and you have no recourse and no way of knowing even where it’s being accessed, there are no controls. I appreciate it’s to reduce costs, but at what cost? In this case, personal information. If that information is misappropriated and used for purposes that you really didn’t intend — I was on the phone with my telecommunications carrier a few years ago, and they’re in Singapore, and they said, don’t worry, we have to abide by corporate policies. That was their justification. They knew they were golden because of corporate policies. I know they are frontline people, I don’t expect them to know all of the laws, but they’re using our information somewhere else.

When it comes to artificial intelligence and your calls are being recorded for training. These snippets are going to some other country where they’re paid pennies to examine and help improve the AI. We have no control. When it comes to cybersecurity, that creates risk on an individual and, therefore, a national level. When we’re looking at this piece of legislation that says carriers and others can be told to break encryption, that is a huge risk. Maybe it will be reasonably stated in the regulations as to why, when and under what circumstances encryption can be ordered to be broken. Perhaps very narrow circumstances can be prescribed, but from what we have seen in recent years, I’m not holding my breath.

The Chair: Thank you. We will have a last question.

Senator Boehm: Are you giving me the full four minutes?

The Chair: If you can keep it short, I would appreciate it.

Senator Boehm: All right, fine. Thank you.

Thank you witnesses for being here. My first question is for Ms. Polsky.

You know this very well, but privacy arrangements and regulations vary across various countries. There is always the challenge of getting the right alignment among countries. Generally speaking, I think the European Union’s General Data Protection Regulation, or GDPR, is seen as the benchmark. In implementing regulations or just in the general implementation of Bill C-26, could there be a better alignment or continuous evergreen alignment with what other countries and organizations are doing?

Ms. Polsky: I think the provision is already there, whether it’s in the Telecommunications Act, the Aeronautics Act or the Income Tax Act. Many of our federal laws already have language saying that the government can share our personal information with foreign governments, entities and individuals without notice or consent. Once “government 2.0” collects our information, under a number of laws, they can already export it and share it. There are international free-trade agreements that require information to be shared internationally.

As individuals, we have no way of knowing with whom our information is being shared and where it goes. We have no direct relationship with the ultimate recipient. We’re helpless to do anything about it.

Regarding the GDPR, yes, when it was introduced in 2018, it quickly did become the global standard, but even with their form of consent and what we now have in Canadian legislation — which will be watered down if Bill C-27 passes — are all-or-nothing Faustian bargains. You consent to the collection, use and disclosure of your personal information with our partners and affiliates.

Who, where or for what? We don’t have the ability to say, “Yes, share it, collect it and use for this purpose but not for that.” That has to be strengthened and changed. Then, once encryption is protected in this and other laws and once the government is prohibited from operating in secret — years ago, Jean Chrétien said of Joe Clark that, “He should learn to do as I do and talk out of one side of his face.” It was a wonderful quote, and it has been stuck in my brain since then. We have a government now that is saying one thing and doing the other. That does not garner trust, it does not warrant trust and when it comes to national security and cybersecurity, it’s a false foundation.

Senator Boehm: Thank you. Do I still have time for one question for Mr. Warnell?

The Chair: We’re out of time. I would like you to ask your question, and we will have the panellist send their responses in writing so we’ll have it for the record.

Senator Boehm: That’s okay. I’ll yield. It was a complicated one.

The Chair: I apologize, colleagues. We’re out of time and we have to get to the next panel. I want to thank Ms. Polsky, Mr. Shipley and Mr. Warnell for taking the time to be with us here today. It’s been very enriching. Thank you so much for being here.

For this next hour, we have the pleasure to welcome the Canadian Union of Public Employees, Brian Leclerc, Interim Chairperson, Provincial Council of the Communications Sector and Nathalie Blais, Research Representative. We also welcome from Electricity Canada, Francis Bradley, President and Chief Executive Officer, and from OpenMedia, by video conference, Matthew Hatfield, Executive Director.

I now invite you to provide opening remarks to be followed by questions from senators. You each have five minutes. I would welcome Mr. Leclerc to please begin.

[Translation]

Brian Leclerc, Interim Chairperson, Provincial Council of the Communications Sector, Canadian Union of Public Employees: Thank you, Mr. Chair. Thank you for inviting me to talk about outsourcing and offshoring telecommunications work. My name is Brian Leclerc, and I’m the interim chairperson of the Provincial Council of the Communications Sector of the Canadian Union of Public Employees, or CUPE, which represents some 6,000 telecommunications workers at Cogeco, Telus and Videotron in Quebec. Two of those companies, Telus and Videotron, have relocated thousands of jobs outside of Canada. Most of these jobs are in call centres, in technical support and various engineering positions. At Telus, approximately 7,000 jobs have been lost over the past decade in Canada. Over that same period of time, the total number of Telus employees abroad has quintupled and expanded to 37 countries, including India and the Philippines. Unfortunately, this phenomenon is showing no signs of slowing. In early 2024, Telus cut 175 jobs at CUPE alone.

Videotron is outsourcing customer service work to Egypt, Morocco, Romania and Senegal, where wages are much lower than they are here. Relocating jobs abroad violates the Telecommunications Act, which is intended to develop a system that serves to safeguard, enrich and strengthen the social and economic fabric of Canada and its regions.

This is also a business model that we feel conflicts with other objectives set out in the bill, such as ensuring the safety of Canadian telecommunications networks and protecting privacy. Outsourcing telecommunications work may also pose a national security threat for several reasons. First, Canadians’ personal information gets out more. More people in a number of other countries have access to that information. Meanwhile, Canada has strained relationships with a growing number of states, including India, Russia and China. Even if we could be absolutely sure that client files are stored on servers located in Canada, personal information is still being made available outside the country, and that makes recourse in the case of a data breach complicated. Some Telus employees actually testified that their personal information was stolen in February 2023.

A few months later, the unions learned that our pay management system had been transferred to the Philippines, and we’re still waiting on the outcome of that investigation. In Egypt and Morocco, Telecom Egypt, an Egyptian-owned entity, operates the Xceed call centres, which are Videotron subcontractors. People make a big deal out of TikTok, which allowed the Chinese government to get its hands on our personal information through its app, but the situation in Egypt isn’t much different. However, it is less known and more worrisome because call centres have access to sensitive information that could enable the state to target devices, access protected systems or carry out massive attacks.

Skilled telecom jobs are also being outsourced. These are jobs in technology architecture, engineering and design. These jobs can provide access to very sensitive information, such as IP address blocks, the internal network architecture of commercial clients in Canada and the location of certain strategic components of Canadian telecommunications networks. All this information can be used by bad actors to harm Canada’s economy and democracy.

Relocating telecommunications jobs abroad can jeopardize national security. The government needs to make sure it has the legislative tools to put an end to that because it’s a weak link in Canada’s telecommunications system. We urge the committee to get out in front of this and amend Bill C-26 by adding an objective to the Telecommunications Act, whereby relocating and subcontracting our jobs abroad is forbidden. That would make it clear that the CRTC has the power to monitor jobs and require all personnel directly and indirectly involved in operating telecommunications networks to remain in Canada.

We also urge the committee to add a whistle-blower protection measure to Bill C-26 to enhance the ability to detect threats to Canadian telecommunications systems. Thank you for your attention.

[English]

The Chair: Thank you.

Francis Bradley, President and Chief Executive Officer, Electricity Canada: It’s a pleasure once again to have the honour to meet with this committee.

[Translation]

I am the president of Electricity Canada, the voice for Canadian electricity. Our members produce, transport and distribute electricity to every Canadian province and territory. Today, my remarks will focus on part 2 of the bill, the critical cyber systems protection act.

[English]

Before I proceed, I want to recognize the efforts made by the House of Commons Standing Committee on Public Safety and National Security who made several amendments in line with our recommendations. These include, one, adding the “consistency with regulatory regimes” clause, aiding alignment with existing frameworks and upcoming regulations; two, allowing the incident reporting period to be defined through regulations instead of fixed in the legislation, ensuring adequate flexibility; and three, enhancing transparency through additional ministerial reporting requirements to Parliament.

Now while these are positive steps, two critical recommendations were made.

First, the bill must align with existing regulatory frameworks. While the addition of the “consistency with regulatory regimes” clause is a step in the right direction, it is insufficient to address our sector’s specific concerns.

The electricity sector is unique in that it is regulated already under the North American Electric Reliability Corporation’s, or NERC’s critical infrastructure protection standards. These standards, which have been adopted, enforced and audited by provincial regulators, ensure robust measures to secure the grid. Introducing new requirements under Bill C-26 risks regulatory conflicts, compliance burdens and ambiguity, undermining the bill’s goal, the goal of enhancing system safety.

A risk-based approach is essential. By imposing fewer requirements on mature operators with strong cybersecurity programs, resources can be focused on incident prevention rather than additional compliance. Regulators in turn can prioritize high-risk operations or sectors.

Second, safe harbour provisions should be established to grant legal protections to operators who share information with government agencies. The electricity sector maintains a collaborative and strong relationship with Communications Security Establishment Canada, openly sharing information to enhance grid security. Mandatory reporting requirements under Bill C-26 could jeopardize this relationship unless safeguards are established.

The inclusion of safe harbour provisions encourages timely and open information sharing between industry and government without the risk of liability. Similar measures have been adopted in the United States with the passage of the Cyber Incident Reporting for Critical Infrastructure Act.

Imposing mandatory requirements may also create a chilling effect on the industry’s relationship with government departments and agencies. Without appropriate safeguards, operators will likely receive legal advice to share just enough information to comply with the act and nothing more.

This is counterproductive to the goals of the legislation, but there are a couple of things you can do to mitigate those risks. For a start, the legislation should explicitly clarify that information shared voluntarily with CSE outside of legislative or regulatory requirements imposed by Bill C-26 will not be shared with the regulator or enforcement agencies. Critical infrastructure operators currently enjoy a collaborative relationship with the CSE’s Centre for Cyber Security. This is grounded in the confidence that the Cyber Centre does not disclose operators’ information to regulators, enforcement agencies or other departments. Protecting the Cyber Centre from any additional information sharing obligations is crucial to maintaining this collaborative relationship.

A similar relationship exists between NERC and the Electricity Information Sharing and Analysis Centre, to which electricity operators voluntarily share information about cyber and physical incidents. While the E-ISAC is operated by NERC, it is organizationally isolated from its enforcement processes, ensuring confidentiality and fostering open information exchange with electricity operators.

[Translation]

Although many other aspects of the bill also deserve our attention, that’s all the time I have for today. I would encourage you to consult our brief, which contains more recommendations for improving the bill. Thank you.

[English]

The Chair: Thank you, Mr. Bradley. Our final witness for this panel is Matthew Hatfield from OpenMedia.

Matthew Hatfield, Executive Director, OpenMedia: Good evening, I’m Matt Hatfield, the executive director of OpenMedia, a non-partisan, grassroots community of over 250,000 people in Canada who work for an open, affordable and surveillance-free internet. I’m speaking to you from the unceded territory of the Sto:lo, Tsleil-Waututh, Squamish and Musqueam nations.

Bill C-26 is not yet fit for service, period. I am hoping you give yourselves the time it will take to fix it. For ordinary Canadians, cybersecurity is inseparable from privacy, whether you are a hockey dad, a business owner or a Canadian senator, none of us wants the details of our lives spied on, by hackers, a hostile state or our own government. We all want private lives to stay private. That’s a cornerstone of democracy and a fundamental human need.

That is why since its inception, Bill C-26 has caused alarm for folks in OpenMedia’s community. We absolutely need stronger cybersecurity, but nobody is going to trust a cybersecurity framework that threatens our personal privacy. Cybersecurity and privacy must go hand-in-hand.

Regular Canadians do want and value cybersecurity. Cyber-threats that touch our lives are growing daily, with many emanating from hostile states no friend to democracies. Canada has not been defending ourselves adequately from these threats, and that has to change. Bill C-26’s goal is commendable, but the means by which it is currently seeking to achieve this goal, through granting the government sweeping new powers to obtain our private information without careful checks and balances, is not.

Here is where I have to be blunt: People do not trust the government when it says it only wants our private information to protect us. Rightly so. People do not want the government to have inspection powers at will to access our private lives. People want our private lives kept private, and that means kept private from both hostile states and our own government. This is not about whether we trust Justin Trudeau or Pierre Poilievre or the NDP or the Bloc Quebecois. This is about who we are as Canadians, and the kind of society we want to live in.

As things stand, people cannot trust Bill C-26. Yes, it was improved by MPs in its journey through the House of Commons, but it contains several ticking time bombs that may severely hurt Canadians in the future if you don’t fix them.

Time bomb number one is that Bill C-26 allows the government to keep its orders to telecoms entirely secret and indefinitely. We all understand the need to, at times, act quickly and conceal parts of decisions from Canada’s adversaries, but permanent secrecy without mandated disclosure is extremely dangerous. If this section is not fixed, we are laying the foundation for a vast and growing secret governance and surveillance architecture created by these orders that do not belong in additional democracy.

Time bomb number two is that Bill C-26 gives the government far too free a hand to order telecoms, banks and other designated institutions to hand over our private, personal information and use and share that information as it chooses, including with foreign entities. Canadians should have confidence that information collected for cybersecurity is used for that purpose alone, and not to trawl for signs of protest activity or to be given freely to law enforcement. Right now, that confidence simply isn’t there.

Time bomb number three is that Bill C-26 continues to give the government the power to install the devices on networks that break encryption. Forbidding the minister from directly demanding our private messages without additional safeguards is like saying Bill C-26 doesn’t require that we report our conversations directly to the government, only that we keep a government phone in the room and off the hook everywhere we go.

Alongside many other civil society organizations and experts, OpenMedia has delivered a brief to you with common sense, straightforward amendments that would forbid the government from ordering the compromising of encryption, ensure government orders cannot stay secret indefinitely without judicial oversight, and ensure our personal information gathered under Bill C-26 is used only for cybersecurity purposes.

As many experts both here and in the House of Commons have testified, cybersecurity needs to be a team sport. Everyone needs to be on board for it to work, yet we’re living in a period of fracturing social trust. If we allow Bill C-26 to pass riddled with clear privacy and secrecy problems, we will be contributing to that decline in trust and undermining privacy, security and Canadian democracy.

Nearly 14,000 messages were sent by OpenMedia to the House of Commons asking them to fix Bill C-26. Today, their eyes are on you to finish the job. As senators, you have a vital constitutional duty to fix Bill C-26 and make it legislation all Canadians can have confidence in. Thank you, and I look forward to your questions.

The Chair: Thank you, Mr. Hatfield. We will now proceed to questions. As usual, four minutes will be allocated to each question, including the answer. I ask that you keep your questions succinct in an effort to allow as many interventions as possible. The first question goes to the deputy chair, Senator Dagenais.

[Translation]

Senator Dagenais: My first question is for Mr. Leclerc. I’m astounded that telecommunications companies are unable to set up firewalls to control access to personal information. If that’s true, I find that very worrisome. Can you give us examples of the risks that employees based in other countries pose to customers of telecommunications companies? How can that happen?

Mr. Leclerc: It happens in a number of different ways. When I was hired by my employer, I had to go through a criminal record check. Do they do that in other countries? Who knows? They have access to all the information in our accounts, in the network infrastructure. I mentioned that in my opening remarks. If some entity or a disgruntled, underpaid employee who is seeking revenge or wants to send a message gets their hands on IP addresses, that introduces a lot of vulnerability.

The previous panel of witnesses made that clear, too. We’re very vulnerable to all kinds of attacks.

Senator Dagenais: Thank you. Mr. Bradley, my next question is for you. I’m looking at the members of your organization, such as Hydro One, Hydro-Québec, major provincial corporations and cities, including smaller ones, that have their own electric utility for their residents. Not all those entities have the same revenue and the same resources.

Considering those differences, do you think all these corporations have sufficiently reassuring capacity to fight cyberattacks? If not, are some of them — not naming names — more vulnerable to attack?

[English]

Mr. Bradley: That is an excellent question, and one that is often asked of the sector. As you point out, there is a significant difference in terms of the size of the largest of our companies to the smallest companies. Our focus — and it is also the focus of the North American Electric Reliability Corporation — tends to be, principally those companies that are a part of the bulk power system. Any company that is interconnected and is interconnected at a kind of transmission level where the impacts of a breach would potentially cascade.

We work with our smallest members to help them with everything from cyber-hygiene to best practices and information sharing. But the principal focus of the association and the North American effort in this space has always been to ensure that everyone who is involved in the bulk electric power system in North America is at a security level that is more than sufficient.

Our concern for a number of years, long before this legislation ever became drafted — and I’ve been part of these discussions for almost 20 years in terms of what the legislative frameworks will be — our concern has always been that we have an electricity sector that we think is quite mature in terms of its approach, but my biggest concern is all the interdependencies. My concern is not necessarily with my smaller members; my concern is with the other sectors which we depend on whether it’s telecommunications, finance, water or transportation.

While we have very robust cybersecurity standards that the sector must maintain, we are looking at this legislation to be able to set a bar for all of the sectors, including those sectors we depend upon as well.

Senator Boehm: Thank you, witnesses, for being with us. My questions are related to our labour representatives here.

Obviously, workers and unionized workers are the ones who are at the forefront of implementing cybersecurity policies. Do you have concerns about training and how that will fit in, assuming the bill is passed and implemented?

Mr. Leclerc: Absolutely. Thank you for the question.

The company I work for, which shall remain nameless, refuses to allocate budgets to train people onshore because they’d rather package off the staff here in Canada and hire in India or the Philippines at pennies on the dollar. So it is a huge concern.

Senator Boehm: How are you addressing it? Are you speaking with management regularly about this? Are you looking at examples from other countries?

Mr. Leclerc: Absolutely. We try to negotiate in the collective bargaining process to have budgets allocated toward training and maintaining certifications for different equipment and hardware. Some clients use Cisco, some use Avaya and some use Fujitsu. You have technicians and programmers who are certified to work on that equipment, and they need to maintain certifications just to stay employable.

When you’re dealing with an employer that refuses to allocate the funds to train people to maintain their certifications, you’re creating vulnerabilities for your client base. You’re not investing in your workforce. That’s a huge concern.

Senator Boehm: Are you in touch with other labour representatives in other countries about this?

Mr. Leclerc: Absolutely.

Not in other countries but here in Canada.

Senator Boehm: And everyone has a similar concern?

Mr. Leclerc: We all have similar concerns.

[Translation]

Nathalie Blais, Research Representative, Canadian Union of Public Employees: I’d like to add that something we’re seeing more often is that unionized employees are being kept away from what would be considered the technical core. Subcontractors in other countries have access to our telecommunications networks while our employees do not. That’s a concern. It creates an additional entry point into the networks.

Senator Boehm: Thank you very much.

[English]

Mr. Bradley, do you have a comment on this issue?

Mr. Bradley: Training is certainly critical. We’re not facing the same kind of challenge with respect to the offshoring of our core activities. There is a clear delineation in the electricity sector between information technologies and operating technologies. Operating technologies are not offshored or sent elsewhere.

Senator Boehm: Are you in touch with other countries and jurisdictions in terms of how there would be an application?

Mr. Bradley: Absolutely. We are very active on the North American basis through a variety of means, such as the North American Electric Reliability Corporation, but we also have an international electricity summit. That is literally across the globe. It tends to be at the CEO level, but it’s also an opportunity at those meetings to have these kinds of conversations because the challenges are the same, regardless of where you happen to be, whether you’re in the United States, Japan, Australia, the U.K. or Canada.

Senator Boehm: Thank you very much.

[Translation]

Senator Carignan: I’m trying to understand how an external call centre works. I’m trying to get a sense of the risks. From what I understand of the system, data centres must be located in Canada. When people call, they communicate with external staff who have limited access in order to provide service. If I call Videotron, I’m calling Chicoutimi — I recognize the accent — but if I call Bell, I know I’ve reached someone in some part of Morocco. There hasn’t been an incident. At least, we haven’t heard about any incidents. Is this a real risk? It would be terrible for companies if it happened. I imagine they’re all taking this very seriously and making sure they minimize the risk. Unless you have whistle-blowers, like the Canada Revenue Agency?

Mr. Leclerc: Thank you for the question. There are examples of Videotron outsourcing to Egypt. At one point, there was a mutiny because the value of the Egyptian currency plummeted. Workers in North African countries ended up working for nothing, basically. That creates a risk when a worker is starving and can’t pay the rent—

Senator Carignan: I can see the risk of someone getting mad and taking drastic action.

Mr. Leclerc: Not just taking drastic action, but downloading a customer’s data onto a USB key and taking off with it.

Senator Carignan: Can someone do that, technically?

Mr. Leclerc: Absolutely. Look at what happened at Desjardins not that long ago.

Senator Carignan: Yes, but they can’t do it anymore. It was an issue at Desjardins, but they put security keys in place to prevent it from happening again.

Mr. Leclerc: Yes, but—

Senator Carignan: I imagine they have security keys over there, too. I’m playing devil’s advocate. I’m trying to understand your concern.

Ms. Blais: I think the main risk is associated with providing our information over the phone. If I call Videotron, I end up in Egypt and they ask me questions. What is my mother’s maiden name, my driver’s licence number and so on? I myself was a victim of partial identity theft involving a telecommunications company. Debt collectors contacted me at home. What saved the day and saved me from having to pay was that not quite all the information was correct. Because of that incorrect information, I was able to prove to the company that I was not the one who had made those purchases with the vendor.

I was off the hook, but when I give that information over the phone and it leaves the country, there’s nothing preventing someone from taking notes for a period of time and getting that information. I understand what you’re trying to say. Yes, companies have security measures. It’s not perfect in Canada, but at least in Canada it stays in Canada and I have recourse against the company. When that information leaves the country, I have recourse against the company, which has a contract with a subcontractor. I don’t know what’s in that contract. Does it protect personal information?

Senator Carignan: When it comes to protecting personal information, I do have recourse against a Canadian company in Canada, regardless of where the security breach happened.

Ms. Blais: Yes, but once the privacy genie is out of the bottle, it rarely goes back in again. Once things get out in other countries, it’s even worse.

Senator Carignan: I understand, but I’m more concerned about aspects related to electricity, which could fall prey to cyberattacks that crash the system. I’m not underestimating the importance of breaches that affect individuals, but do they have tools or access to technical information that could enable them to crash the system or demand a ransom, kind of like the essential nature of electricity?

Mr. Leclerc: The answer is yes, and it happens on a daily basis. Our union office was the victim of a ransomware attack less than a year ago.

Ms. Blais: The other thing you need to know is that, when technical jobs, such as design jobs in Algeria and India, are subcontracted, people abroad have access to our telecom system plans.

Senator Carignan: CAE has engineers in India, and it’s no less secure for airplanes. I’m trying to be objective about your risk.

Ms. Blais: I can’t comment further on that because that’s beyond my technical skills, but my understanding is that there really is information in Egypt, where the subcontracting company is owned by the Egyptian government, which is an authoritarian government and not necessarily a friend to Canada. I don’t know if they have the technical means to get their hands on that information or not.

[English]

Senator Cardozo: My question is for Mr. Hatfield.

You have raised the issue of trust in the system, which is really important. The purpose of this bill is to secure the Canadian telecommunications system against a range of threats. My question to you is: Does it do it in some ways, and is it your feeling that it’s overkill and that it allows the government to gather too much information about people?

Mr. Hatfield: I want to be quite specific about what we’re asking for here, because we heard in the last panel that people are saying there needs to be some broadness so the bill can be flexible to different technologies as they emerge.

We agree with that. We’re not asking for the bill to be made incredibly specific and narrow across the board. What we want to do is make sure that as the bill evolves — as it is in place for decades, potentially — there are some clear guiding principles and limits on it. Things like an indefinite secret order architecture, where they can make a secret order and then, well, gosh, you can’t talk about the secret order, so we need another secret order to build on that, and over a few decades, you can wind up with a whole system of governance set up, none of which is visible to the Canadian public.

That’s a huge concern for us here. We want to see the bill done, but we want to see a few more safeguards put in place to both protect us from that secrecy and also ensure that our data is treated appropriately.

Senator Cardozo: I haven’t thought this through completely, but there are other acts where certain warrants are issued by the RCMP, for example, with the approval of a judge, even though that takes place in secret. Would something like this be of assurance to you?

Mr. Hatfield: I think that’s helpful when it’s appropriate. The pushback that we’ve had on that is that sometimes we have to act quickly and something must be done immediately. What we’re trying to allow for is that, yes, sometimes something has to be done immediately, and the minister, perhaps, makes an urgent secret order, but at some phase, there is some kind of public accounting for what’s happened. There is some report where they say, “We had to do this,” but a month or six months later — whenever it is — they come back and say, “This thing happened, and this is what we can tell you about it.” There is some transparency to the system.

Senator Cardozo: Thank you.

A quick question to Mr. Leclerc. Mr. Bradley talked about some types of information such as the internal administration of an electricity company, that this information is not available to foreign workers — I think maybe some of the things around billing. Maybe I’m paraphrasing it wrong, but is the information you’re talking about divisible in terms of what foreign workers would see and what they would not see?

Mr. Leclerc: Thank you for the question. The foreign workers have access to not just your billing information, but now they have our accounts payable, they have our payroll and they have dispatching capabilities.

As time goes on, the companies become more inclined to outsource and offshore more and more tasks to save more money. It’s just a matter of corporate greed.

Senator Cardozo: But the operation of the telecom, do the people who work on that, are they strictly on Canadian soil?

Mr. Leclerc: No. I said it in my introduction that design engineers to programmers — programming network infrastructure is done in India more and more.

There is a certain percentage of the clientele that stays onshore. If you’re a Fortune 500 company, for example, or different levels of government, that stays onshore, but if you’re not fortunate enough to be on that list of customers that has to be processed onshore, good luck.

Senator Kutcher: Thank you to our witnesses.

My question is to our labour representatives. Thank you for raising the concern of offshoring work with the telecoms.

Recently, Canada’s three largest telecoms — Telus, Bell and Rogers — have moved into the health care space big time. In the past, my understanding was that we had remote reporting of diagnostic imaging, which was concerning enough, but now some of the telecoms will actually provide direct health care services, and other telecoms will provide the infrastructural and communications support for independent private service health care providers.

The provinces don’t capture that data. It’s not in provincial databases. It’s a private company providing the services, and these services are provided across all provinces, not just within one province.

As far as I know, the federal government — I could be wrong — doesn’t have jurisdiction in this particular part. This seems like a bit of a grey area, and if some of the work offshoring of diagnostic work or therapeutic work occurs outside of the country, can this bill address any of those things? Should it address those things? How can we address those things?

Mr. Leclerc: Personally, I can’t speak to this because these companies work in silos. Your telecom business is under federal jurisdiction; it’s one silo. The health care side of the house, telemedicine and other products and services in that realm, that’s another silo, and they don’t communicate very well.

Obviously, they exchange services with each other, because the telecom business provides data connectivity to the health care side of the house, but are there risks? Absolutely.

[Translation]

Ms. Blais: I’ll add that there is another reason to worry. Technological advances such as 5G for cellphones combined with artificial intelligence with its scanners and sensors have led to self-driving cars and the internet of things. Now we’re talking about remote operations. This is all the more reason to make sure that Canadian telecom networks are truly secure in Canada. There is also the whole data protection aspect, which is covered by federal law because telecoms are federally regulated businesses.

The fact remains that there are gaps. Your data could end up overseas. If my driver’s licence number ends up in Egypt, I have no control over what happens afterward. In 2020, we launched a public awareness campaign about the situation and conducted a survey. Four out of five Quebecers were very worried when we told them their personal information was processed offshore. That was something really important to them.

[English]

Senator Batters: My question is to Mr. Hatfield from OpenMedia. At the House of Commons committee on Bill C-26, you stated this in your testimony:

. . . privacy rights must be entrenched. Personal information must be clearly defined as confidential and forbidden from being shared with foreign states, which are not subject to Bill C-26’s checks and balances.

I know Canadians will find this to be very alarming. You noted it in your opening remarks today, but please tell us more about how that schism in Bill C-26 could be fixed?

Mr. Hatfield: Yes. One of the most important remaining issues here is that there is a very high chance that some personal information is going to be caught up in the operation of Bill C-26. It’s going to enter the hands of Canadian law enforcement agencies, which are doing appropriate work relating to cybersecurity, but currently there is no safeguard to make sure they don’t use that information for other purposes and may even end up sharing it with some of our Five Eyes intelligence partners, who can do whatever they want with that data.

Many of them have intelligence acts that don’t apply to noncitizens, so once that data is out of Canadian hands, it’s open season. We don’t want to see that happening under Bill C-26. That’s very alarming, especially knowing that the world is changing, democracy is under threat and some governments are doing more invasive things to their citizens. We worry about data originally collected for appropriate purposes by the Canadian government eventually being misused against Canadians.

Senator Batters: Thanks for setting those out as time bombs of this bill, because I agree that there are some very concerning things. You also said at the House of Commons committee:

. . . when the use of those powers is challenged in court, there must be no secret evidence. Special advocates should be appointed to ensure all evidence is duly tested.

Can you tell us more about that, and how you propose to amend Bill C-26 to fix that?

Mr. Hatfield: It’s a huge issue, and we would still like to see Bill C-26 include that special advocate. People have referred to the situation regarding TikTok that we have right now. I can’t tell you what’s going on there. The government won’t tell us. They’re saying, “There is a big problem with TikTok. We had to do something and we’ve done it.” Was it a well-founded reason or not? I don’t know, and there is no special advocate in that system to say, “This person looked at it, and it was appropriate.” Under Bill C-26, we have no person to perform that kind of judgment currently.

Senator Batters: Speaking about this is something akin to the Office of the Intelligence Commissioner like with other types of national security-related cases, right?

Mr. Hatfield: Yes, special advocates exist in several other cases and serve a useful function there.

Senator LaBoucane-Benson: My question is also for Mr. Hatfield. The Civil Society brief that you signed onto — thank you for submitting that; it’s in-depth and very interesting — says that Bill C-26 allows the government to disclose confidential information “to anyone.” That’s on page 11. The concerns you have raised are definitely legitimate. I just want to ensure we’re not engaging in hyperbole. Under the Privacy Act, government institutions may only use personal information for the purpose for which it was collected. Do you agree that Bill C-26 — like all acts of Parliament — will be subject to the Privacy Act’s requirements?

Mr. Hatfield: Certainly subject, but information can be passed from some hands to others nominally for cybersecurity purposes, which in effect are actually used for a much broader set of purposes, particularly if the data is eventually handed outside of Canada. There is no application of the Privacy Act whatsoever in that case.

Senator M. Deacon: Thank you all for joining us today. My first question is for Mr. Bradley. You may have heard me touch on this in the first round with Bruce Power. It concerns international cooperation. Our power grids cross borders, and I want to get a sense from you about how our American partners view us when it comes to keeping our grids safe from cyberattacks and what they think of this legislation. Will it do much to build trust in our ability to protect ourselves in a North American grid?

Mr. Bradley: Thank you. That’s an excellent question. Of course, it is top of mind for us, and it has been for the last couple of weeks as to whether or not the political changes taking place in the United States will have any impact on us.

However, we are in a sector, where for more than 100 years, our systems have been tightly and closely integrated. We have a North American approach to security and cybersecurity, but we’ve had a regime for critical infrastructure protection cyber-standards through the North American Electric Reliability Corporation, now for close to 20 years. So it is now kind of in the DNA of the sector to operate and to think about this from a North American standpoint.

That doesn’t, however, touch on the potential political risk, and that would be my concern at this stage. From an operating standpoint, we don’t anticipate any change in terms of how we work together to ensure the security of the grid. Whether or not there will be political pressure that impacts us, I certainly hope not, but it could be possible.

It’s almost like what I was mentioning before about the difference between our information technologies and our operating technologies. The operating technologies are the ones that deal specifically with generating, transmitting and distributing electricity to customers. They are completely separate from the IT technologies. I’m hoping we can keep our operating technologies and how we operate our grids separate from political interference.

Senator M. Deacon: Thank you for that. You brought up, through your colleague, safe harbour laws. I’m trying to understand what this would look like in practice better. I was surprised when it came up at earlier committees that a company that warns of imminent or ongoing attack could face litigation for doing so. It seems we want reporting on it after the fact once the damage is done and not being penalized. I wonder what your thoughts are on that.

Mr. Bradley: The sharing of information and the continued sharing of information, which is the background to specifically the issue with respect to safe harbour. If we look at critical information writ large, less than 15% of it is actually owned and operated by the government. Eighty-five per cent of critical infrastructure is industry, so 85% of the information and intelligence about what’s happening in cyber-systems is not with the government. It is actually with industry. We’ve developed good working relationships and information exchanges over the last several years with the CSE and the Cyber Centre, where our information is protected; it is not released. Essentially, we have a virtual safe harbour right now in terms of how our critical information is treated by the Cyber Centre and is treated by the CSE.

We want to make sure that those kinds of protections for critical information will be built into how we implement this legislation. Otherwise, I fear we’ll have a chilling effect on that exchange of information and the ability and willingness of critical infrastructure owner operators to share information with the government.

Senator M. Deacon: Thank you for that.

Senator Batters: Mr. Hatfield, since we have a limited time at this committee, I wanted to give you a bit more time to describe how you would try to fix some of the time bombs you referred to with recommendations contained in that joint submission.

Mr. Hatfield: It’s about making the bill fit for purpose, and focused on its purpose. We are not in disagreement with the folks who want some version of this bill to happen somewhat quickly, but as you mention the Senate needs to take due time to fill its role of sober second thought and to consider adding a few safeguards.

We would like it to be made very clear that there can be no handover of data gathered under Bill C-26 — certainly not outside of Canada — but ideally not in the regular course of business within the Canadian government as well. There should be cybersecurity information that is used for cybersecurity purposes.

We would also like to see some kind of regime set up that will ensure that, after some period of time, any secret order that’s issued to telecoms be disclosed at some level, indicating roughly what’s happened so that Canadians can follow the progress of Bill C-26 and judge whether it’s growing well beyond what it ought to.

The Chair: This brings us to the end of our time for this panel. I extend my sincere thanks to Mr. Leclerc, Ms. Blais, Mr. Bradley and Mr. Hatfield.

Thank you for your participation. We appreciate your helpful consideration for this bill.

Our final panel for this evening, I welcome Philippe Dufresne, Privacy Commissioner of Canada from the Office of the Privacy Commissioner of Canada; The Honourable Simon Noël, K.C., Intelligence Commissioner from the Office of the Intelligence Commissioner, it’s good to see you again; and Tolga Yalkin, Assistant Superintendent, Regulatory Response Sector, Office of the Superintendent of Financial Institutions. Thank you so much. You each have five minutes and, of course, Mr. Dufresne you’re first.

[Translation]

Philippe Dufresne, Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada: Thank you to the chair and members of the committee for this invitation to appear as part of your study of Bill C-26.

Your study is very important because individuals, businesses and all levels of government in Canada remain vulnerable to a range of serious cyber-threats from a variety of cyber-threat actors.

In its National Cyber Threat Assessment 2025–2026, which was released in October, the Canadian Centre for Cyber Security underscores “an expanding and complex cyber threat landscape,” including a growing risk posed by “state and non-state threat actors” that are targeting Canada’s critical infrastructure. The Cyber Centre warns that such incidents could immobilize critical services, disrupt operations, destroy or damage important business data, and reveal sensitive information.

[English]

Bill C-26 recognizes that Canada’s critical infrastructure must be protected against such threats as they continue to evolve in sophistication and complexity. In addition to potential impacts on the health, safety, security and economic well-being of Canadians, cyber incidents can have significant privacy implications when they result in the unauthorized access to or disclosure of personal information.

Today, the protection of personal information increasingly relies on the security of the digital systems and infrastructure that house and transmit it. Stronger cybersecurity protections can therefore promote privacy interests by reducing the likelihood and impact of data breaches. At the same time, we must ensure that efforts to secure these systems and networks also protect and respect Canadians’ fundamental right to privacy.

[Translation]

This is not a zero-sum game, and privacy and the public interest are not only compatible — they build on and strengthen one another.

I strongly support the objectives of Bill C-26, and I was pleased to see that several amendments to the bill have been adopted in the spirit of protecting privacy. I was also pleased to see new references to the Privacy Act in the amended text of the bill, which confirms its applicability.

[English]

Requiring that any collection, use or disclosure of personal information be both necessary and proportionate is an important privacy principle. While the bill establishes a necessity and reasonableness threshold in certain cases, I would continue to recommend that the committee consider establishing a consistent threshold of necessity and proportionality in Bill C-26 that applies whenever personal information is involved. The adoption of a uniform standard that any collection, use or disclosure of personal information be both necessary in the circumstances to achieve the stated purpose and proportionate to the benefits to be gained would help address potential privacy implications.

In the alternative, should the standard remain unchanged, I would recommend that the committee reintroduce the requirement that information be retained only for as long as necessary. This was added by the SECU committee in the other place but deleted by the House at third reading. Requiring government institutions to conduct privacy impact assessments and to consult my office on new programs or initiatives created under the authorities contained in Bill C-26 would also strengthen privacy protections while supporting the public interest and generating trust.

[Translation]

Requiring privacy impact assessments, or PIAs — which are currently a policy requirement under the Treasury Board Secretariat’s Directive on Privacy Practices, but not a legally binding requirement under privacy legislation — are an important tool for identifying, analyzing and addressing or mitigating privacy issues before initiatives are put in place. PIAs can help to reduce inadvertent harms to privacy as initiatives roll out. That is why I have recommended that the preparation of PIAs should be made a legal obligation for the government under the Privacy Act.

[English]

The bill recognizes the importance of collaboration between domestic and international counterparts to ensure that critical infrastructure is protected against a variety of threats. In order to further enhance this collaboration, my office should also be notified about cyber incidents that may result in a material breach. This could include being notified by the Communications Security Establishment Canada whenever it receives a report of a cyber incident that may pose a real risk of significant harm to an individual.

[Translation]

International information-sharing agreements should also provide for minimum privacy safeguards in order to strengthen governance and accountability, and ensure a consistent standard of privacy protection.

Thank you for your work on ensuring stronger protections for Canada’s cyber infrastructure while protecting Canadians’ fundamental right to privacy. I would now be happy to answer any questions. Thank you.

[English]

The Chair: Thank you, commissioner.

[Translation]

The Honourable Simon Noël, K.C., Intelligence Commissioner, Office of the Intelligence Commissioner: Thank you, Mr. Chair and senators.

[English]

My comments today are informed by my legal and judicial background, including my time as designated judge of the Federal Court, and by my experience as Intelligence Commissioner. In one sentence, my mandate, as I see it, is to approve, or not, certain national security activities planned by CSE and CSIS and authorized by their respective ministers.

In that sense, the Intelligence Commissioner fulfills an oversight role, as opposed to a review role. My approval is required before the activities can be conducted. The Intelligence Commissioner’s approval is necessary because the activities the minister authorizes may be contrary to the law or breach the reasonable expectation of privacy of Canadians. My job is to ensure that the minister has struck an appropriate balance between the national security objectives, on the one hand, and the Charter and important privacy rights on the other.

[Translation]

I support the objectives of the bill. In my work, I see the usefulness and advantages of a national approach to effective governance of cybersecurity activities. However, I have a few comments to share with you. My duties as commissioner include approving ministerial security authorizations aimed at non-federal entities deemed important by the federal government. Some examples are the health care and energy sectors.

A non-federal institution can ask for help or support with cybersecurity from the Communications Security Establishment Canada. If the cybersecurity activities the CSE wants to undertake in support of the non-federal entity could violate the law or lead to information gathering that infringes on Canadians’ lives, the minister needs to authorize the activities. If necessary, I then need to approve the authorization.

[English]

When I review ministerial cybersecurity authorizations, my primary concern is that the breach of privacy rights is justified, which means that it is necessary and proportionate, and that there are equal measures in place to limit the impact on the privacy of Canadians. The CSE does not target the collection of personal information of Canadians when it comes to cybersecurity; however, there can nevertheless be a reasonable expectation of privacy even in technical information, as confirmed by the Supreme Court last March.

In my experience as the Intelligence Commissioner, when the CSE conducts cybersecurity activities, there will be a collection of information in which there is a reasonable expectation of privacy. This means there is effectively a seizure of private information. If I approve the ministerial authorization, it is because the correct balance has been struck.

Certain elements of Bill C-26 highlight how the treatment of ministerial orders is different than in the context of the Communications Security Establishment Act. In Bill C-26, there is no pre-approval of activities where those activities may be contrary to the law. In particular, there are two areas I want to highlight for your consideration. First, the proposed clause 15.4 of the Telecommunications Act allows the minister to essentially compel the production of any information in support of orders. This information could include personal information which, under broad exceptions, could then be widely disclosed. Second, as you have heard other witnesses say, Part 2, clause 32, allows for the regulators to carry out the equivalent of unwarranted searches where, again, personal information could be collected.

[Translation]

The glaring absentee in this bill is the Canadian public. The information that is collected is Canadians’ personal information.

Whether under Part 1 or Part 2, the CSE will play a crucial role and possess information, technical or otherwise, for which there is a reasonable expectation of privacy.

[English]

In light of the invasive nature of the bill, it is important that meaningful safeguards be part of it so that Canadians have confidence in their cybersecurity system.

[Translation]

I will be happy to answer any questions you may have.

[English]

The Chair: Thank you, commissioner. Next, we’ll hear from Mr. Yalkin.

[Translation]

Tolga Yalkin, Assistant Superintendent, Regulatory Response Sector, Office of the Superintendent of Financial Institutions: Good afternoon, Mr. Chair, ladies and gentlemen of the committee.

It’s a privilege to speak with you today about Bill C-26 and its implications for cybersecurity.

Cyber risks are an urgent and growing challenge. Attacks are increasing in both frequency and complexity. They target institutions’ operations, compromise sensitive data and, if unchecked, could undermine public trust in Canada’s financial system.

[English]

At the Office of the Superintendent of Financial Institutions, or OSFI, we are tasked with ensuring the institutions we oversee can withstand threats to their integrity and security. Cyber risks are a key area of focus because they not only disrupt individual organizations but can also ripple across sectors, affecting financial stability.

OSFI has taken a number of significant steps to address cyber risks over the years. First, on risk identification, cyber risk has been a priority in our annual risk outlook that we’ve published for the last few years. We regularly highlight the growing impact of ransomware, data breaches, and third-party vulnerabilities.

Second, on policy development, we have issued two relevant guidelines for financial institutions: first, guideline B-13 on technology and cyber risk management, which outlines how institutions should manage risks like data breaches and technology outages; and second, on guideline B-10, which covers third-party risk management and which addresses risks from third-party service providers, a growing area of concern as institutions increasingly rely on external technology.

Third, regarding incident reporting and self-assessment tools, we require financial institutions to report cyber incidents and offer tools like our cybersecurity self-assessment to help them gauge and improve their preparedness.

These measures have helped create a baseline. However, they are not enough on their own. Cyber-threats evolve too rapidly, and gaps remain in the broader ecosystem. A legislative framework like Bill C-26 offers a critical opportunity to strengthen Canada’s defences across vital services and sectors.

While OSFI has focused on the financial system, a coordinated national approach is needed to address systemic risks and prevent silos in regulation. We believe this framework can build on existing guidelines to reduce regulatory overlap and address gaps; drive collaboration among regulators, industries and third parties; and foster a culture of resilience, not just prevention, across the system.

Despite these efforts, cybersecurity remains a moving target. Prevention is essential, but institutions must also focus on resilience, on being able to recover swiftly from attacks and maintain critical operations. The question we face is not if incidents will occur but how well we are prepared to respond and recover. This requires ongoing vigilance, innovation and coordination across sectors.

[Translation]

In summary, OSFI is committed to doing its part to build a resilient financial system. But the scale and complexity of cyber-threats demand a collective effort. Bill C-26 represents a step forward in aligning Canada’s response to these challenges.

I look forward to your questions and to discussing how we can advance this important work together. Thank you.

[English]

The Chair: Thank you, Mr. Yalkin.

We will proceed to questions. As usual, four minutes will be allotted to each question, including the answer. I ask that you keep your questions succinct in an effort to allow as many interventions as possible.

Our first question is from our deputy chair, Senator Dagenais.

[Translation]

Senator Dagenais: My question is for Mr. Noël and Mr. Dufresne. When Canadian companies like Pratt & Whitney are awarded American military contracts, their employees are subjected to highly stringent security checks. However, they are done by Americans, not Canadians.

I agree that they are our allies, but for years now, we have been forced to let a foreign power into our systems if we want to get contracts.

Some witnesses have raised concerns before the committee about the personal information sharing that could be authorized if Bill C-26 is passed. What do you think of the safeguards put in place to allow both investigations and privacy protection, especially if one of our allies requests information based on unverified suspicions?

Mr. Dufresne: That question has been given a great deal of thought internationally.

The Organisation for Economic Co-operation and Development produced a report on government use of personal data held by the private sector in relation to cross-border data flows. That is an aspect we are dealing with in the G7 in terms of data sharing based on trust. Basically, that requires us to have information-sharing protocols with our international counterparts. I signed a protocol with the U.S. Federal Communications Commission, or FCC, on joint investigations and information sharing.

We need to be disciplined when it comes to privacy, which should be treated as a fundamental right. I would also make a few recommendations, such as recognizing that collecting and using information must be necessary and proportional, stating that we won’t keep the information longer than necessary and, when sharing information internationally, signing strict information-sharing agreements and putting safeguards in place. Yes, some sharing may be necessary, but privacy needs to be treated as a fundamental right.

Senator Dagenais: Do you have any comments, Mr. Noël?

Mr. Noël: That is a very relevant question. In the current system, under the act that governs it, the CSE needs to comply with very serious internal policies. Let me explain.

In a cyberdefence operation, if information gathering impacts Canadians’ privacy, the information may be kept for a maximum of one year, unless it is deemed essential for the purposes of the cyberdefence operation.

As you have seen, personal information can be disclosed under the bill. The exception is very broad and has no parameters for now. The regulations on the way could cover that aspect, but I know that an act is powerful enough to override any regulation. I currently don’t see any provision in the bill that ensures the protection of the information of all Canadians, including employees of Pratt & Whitney.

Senator Dagenais: My next question is for Mr. Yalkin. We’ve just outlined the risks of offshore contracting by large Canadian telecoms.

Speaking of which, do financial institutions and insurance companies subcontract part of their activities to companies offshore? If so, do they require security checks on third-party employees with access to sensitive customer service information?

Mr. Yalkin: Thank you for the question.

[English]

Yes, indeed. We actually have a new guideline on this, which is our integrity and security guideline, which we published last year. It specifically provides for the appropriate background and security checks to be provided on third-party service providers and their employees in circumstances where the risk warrants it.

We operate in a risk-based system, so whether and what is required depends on the circumstances, the nature of the information that is being treated and the access that might be provided to those employees, and based on that, there is a proportional approach to determining what the different security and clearances and background checks are that financial institutions need to ensure are undertaken in order to protect that information.

Much depends on the circumstance that the third-party service provider is being contracted for. I will say that the simple, sheer fact that, indeed, those services are being provided by a third-party service contractor does not absolve the financial institution from ensuring that the appropriate checks are being conducted.

[Translation]

Senator Carignan: Thank you. This question is for the head of OSFI. In Canada, there are also service centres, many of them in Montreal, that deal with American institutions. Is Canada more or less strict than other countries, such as France or the U.S., in terms of holding information?

[English]

Mr. Yalkin: It’s a very good question. It’s difficult for me to answer that question, because in the interests of full disclosure, I’m not an expert on all of the information and protection requirements that Canadian companies are subject to.

What I can tell you is that when it comes to financial institutions in Canada, whether they’re operating in Canada or in other jurisdictions, we have expectations on them when it comes to the protection and the integrity of the data that they collect and hold.

In fact, this is also something that was covered in our recent integrity and security guideline. We outline our expectations for financial institutions on a consolidated basis. Consolidated basis means that their operations, both in Canada and abroad, that they took appropriate precautions to ensure that the integrity of the data that they collect — personal or otherwise — is protected.

[Translation]

Senator Carignan: This question is for Mr. Dufresne. I know that you’re investigating a relatively large data breach at the Canada Revenue Agency. Isn’t it a little utopian to think that the government is in a position to issue directions and properly manage that aspect of cybersecurity when it is clearly incapable of doing so for itself?

Mr. Dufresne: I think what we’re finding is that we need a legal framework where the government is dealt with as stringently as the private sector. Under the act as it stands, the private sector has an obligation to report privacy breaches to my office and to individuals. The public sector is not covered under the act.

Senator Carignan: That’s unbelievable.

Mr. Dufresne: That’s in the Treasury Board directive. There are incidents where the privacy breach is reported later. Bill C-26 includes a 72-hour deadline, but the government has an internal policy. One of the recommendations is to make it mandatory. We need to update the Privacy Act for the public sector. The act is 40 years old, so it’s a priority. That’s a prime example.

Senator Carignan: Thank you.

[English]

Senator M. Deacon: Thank you for being here today with us.

I’m going to also ask a question for Mr. Dufresne. Looking through this bill, clauses 26 through 29, it addresses the disclosure and use of information collected under the critical cyber systems protection act, or CCSPA.

While the CCSPA prohibits knowingly disclosing or allowing the disclosure of confidential information, it also creates a list of exceptions, including the disclosure under the Security of Canada Information Disclosure Act, which allows for the disclosure of information among 17 federal departments and agencies.

That’s a lot of eyes — maybe ears too — but a lot of eyes that could come across sensitive information. Are you confident our public servants will receive appropriate guidance on how to handle this information, and will you be involved in crafting the regulations or guidelines around them?

Mr. Dufresne: Thank you for the question.

Well, I would expect the federal government to consult my office in terms of drafting regulations that have a privacy aspect for Canadians, but at the same time, as was indicated by the Intelligence Commissioner, Mr. Noël, if something is in a regulation, it’s not the same thing as if it’s in the statute itself.

The recommendation is to ensure that the sharing of information is restricted to the minimum requirement — the necessity and proportionality — that they have ISAs — information sharing agreements — that set out very specifically those requirements and also that the retention be limited. This was something that was introduced at committee in the House. It was not kept after third reading, and so that is a shortcoming.

Now, that said, the Privacy Act will apply to the government departments, but the other element of my recommendation is that my office may not be aware of an issue that’s going on if there’s confidentiality or if there is a breach. Hence, the recommendation that I included, that if there is a breach that’s reported to the CSE, then CSE should be reporting this to my office, and that strengthens our collaboration.

Senator M. Deacon: Thank you very much.

Senator Dasko: Actually, my question is a bit of an extension of Senator Deacon’s question, just to focus a little bit more on the principles that Mr. Dufresne articulated, necessity and proportionality.

You spoke about privacy assessments and notification. How should these be dealt with? Should they actually be in this bill? I’m trying to understand that a little bit more. Are you saying that they are principles that are already part of this ecosystem, shall we say, that are already carried out in some way?

How do we make sure that these principles apply? Do they already apply? Should they be put into the bill? Do they come in regulations? How do we deal with the issues that you raised?

Mr. Dufresne: Thank you. Overall, my recommendation is that it should be in the legislation, to put it in the legislation.

Senator Dasko: These principles?

Mr. Dufresne: For instance, necessity and proportionality are not in the legislation.

Now, that said, the House did adopt some amendments, and it included a requirement that the order should be reasonable to the gravity of the threat of interference, manipulation and disruption. That goes some way. That’s something, for sure.

Necessity and proportionality is a known test. It’s the standard that we apply in the privacy world. It ensures that you’re focusing, similar to what we do in terms of other fundamental rights, the necessity of the objective and the link to that objective. Is it minimally impairing? Is it contextual? Is it proportionate?

We’ve applied these frameworks to the pandemic measures. This is a contextual tool. It works. It was highlighted. I think the proportionality concept was mentioned by all three of us so far in the discussion. That should be in the act instead of the one that is there.

Information sharing agreements, you could do that by regulation, but if there is a requirement in the act, it is stronger. Privacy impact assessment needs to be in the law. Right now, it is in a directive of the Treasury Board of Canada, and we see that it’s not always complied with.

Senator Dasko: It needs to be put in.

I want to go back to the topic that came up earlier about third-party offshore contractors. This came up in previous sessions and panels today.

Do you have a concern about that and the privacy issues involved?

Mr. Noël: Yes. Just to add one point to Bill C-59, the bill that looks at the CSE has this necessity and proportionality. It is in the law. It’s not in a regulation.

Senator Dasko: My question is about third party, offshore contractors and concerns that were raised in previous panels about potential breaches of confidentiality and privacy. Do you have concerns about those?

Mr. Dufresne: It’s a principle of privacy law that if we’re sharing information with third parties outside of borders, we need to make sure we’re putting in place equivalent types of protection. That goes to security. That goes to measures of transfer, the purposes, and so on. So it’s important there be rigorous frameworks around that. Another principle is if the government is contracting with the private sector, the government needs to make sure that the private sector that it’s using is itself complying with its legal obligations.

Senator McNair: My question is for the Office of the Superintendent of Financial Institutions. Listening to what you’re talking about in your opening remarks, I’m trying to understand. Could you speak a little bit about how the bill will affect the way you currently operate and how you support financial institutions? Does it give you any tools that you don’t already have?

Mr. Yalkin: Yes. Thank you for the question. Much remains to be seen because we do know the general framework of the law, but much will turn obviously on the regulation and its implementation.

Our general approach to prudential supervision is that we have a broad jurisdiction to supervise financial institutions according to what we think makes sense from our perspective when it comes to ensuring their safety and stability. On that broad grant of authority, we then develop guidelines, including B-13, that I referred to on cyber and tech risk, which set out our expectations for financial institutions and what they should do in order to manage these risks appropriately.

The difference that this bill will bring in for us is this: Rather than that being a prudential supervisory approach, it will actually be a regulatory-enforcement approach that will augment the already robust approach that we have to make sure that these risks are being managed appropriately.

In some sense, it could be helpful because it will bring into sharp contrast to financial institutions what those expectations are for them and what the consequences are for failing to comply with them too. I see opportunity for the regulations — however they are developed — to be integrated in a harmonious way with our existing guidelines and approach to prudential supervision.

Senator McNair: Mr. Dufresne, I hear what you’re saying, and you both are saying that regulation is not as strong as having it in the legislation, but if this is passed as is, the work will begin during the regulatory process to have safeguards put into place, eventually hoping to get it in the legislation itself or the act, I assume. This legislation is not going to be stagnant or static at any time. As soon as it becomes law, there’s a process to ensure that it keeps up with all the risks that are forthcoming. Would you comment on that?

Mr. Dufresne: My comment would be that, of course, it’s up to Parliament to determine what amendments to put in place or not. You have recommendations, but, yes, the regulatory-making process is also a tool that can be used to bring more precision to the legislation. My recommendation would be to make sure that my office is consulted in that process and that it is seen to be consulted. It’s important that Canadians understand the safeguards and the guardrails and that the precision be broad in terms of information-sharing agreement, in terms of bringing precision to those principles. Certainly, my team and I will stand ready to assist in whatever way we can.

Senator McNair: Have you had any discussions at this point with different departments on your expectations?

Mr. Dufresne: My expectation, which has been repeated regularly to the government, is that we should be consulted early on new initiatives, including bills. Cabinet confidences have to be managed, of course, but the earlier we are consulted, the better we are able to provide input at the front end.

Senator McNair: Thank you.

Senator Batters: Mr. Dufresne, right on that point, then, when did the government consult you on Bill C-26?

Mr. Dufresne: I don’t believe we were consulted in the drafting part of that bill.

Senator Batters: Not at all?

Mr. Dufresne: We made recommendations at the House stage, and a number of them were reflected.

Senator Batters: At committee. Thank you, wow, that is a little shocking.

Dealing with some important issues here, your office is able to initiate investigations and to review compliance with the Privacy Act, and there are certain sections in Bill C-26 that allow your office to initiate investigations at your discretion, but as you were saying in your opening remarks, you’re recommending that your office should be notified about cybersecurity incidents where a real risk of a privacy breach occurs, because as we’ve heard about this bill, there could be situations where you never know about it. Unless that recommendation is actually put into effect in the bill, how would you know that you need to initiate an investigation? Is that your concern about this?

Mr. Dufresne: Well, it is. To be clear, we have great working relationships with the Communications Security Establishment Canada, but when you’re talking about confidential information or breach reports, there is going to be reluctance to sharing that unless you have legal authority to do so. I would be reluctant to do the same. That’s why in this instance it would be important that the bill be amended to provide this clear authority to our colleagues at the CSE because privacy and cybersecurity have this in common: They’re both built on the principle of safeguarding the information that you have commensurate to the risk and commensurate to the context. So we have a lot to learn from each other. We work very well together, but in this instance, my worry is that we’re not going to know, and CSE is not going to be able to tell us. That is a loss for Canadians because they can’t have this privacy prism on that.

Senator Batters: Absolutely. My next question is to the Intelligence Commissioner. Thank you very much for being here. In my second reading critic speech I was quoting from Professor Malone, who was talking about the legislation for the CSE, and his quote was saying that Bill C-26’s provisions diverge markedly from the thrust of the CSE’s enabling legislation, because under that legislation, where CSE’s spying activities contravene federal law or interfere with the reasonable expectation of privacy for individuals in Canada, the agency must obtain approval from your office, the Office of the Intelligence Commissioner. Last year, the commissioner — he said — fully granted half of such requests: three out of six. The cybersecurity direction powers in Bill C-26 are subject to no similar kind of review.

As you were saying earlier, that is an after-the-fact thing. Unlike what has existed with the CSE situation, they would have to obtain your approval before it happens. If you could speak a little bit more about how your office is involved in those types of situations, and how it differs from what would potentially be the case under Bill C-26 if it wasn’t amended at all.

Mr. Noël: Thank you, senator. We are involved right from the beginning. We review the minister’s decision. We review the chief of CSE’s application. We comment on it. We agree sometimes, and sometimes we disagree. You should also know that there is a document that establishes parameters within the CSE. For instance, it will do so on disclosure. It will do so on what is Canadian information, to what extent you should keep that information and how long you’re going to keep it. The provisions are such, senator, now that the data received from the cyber-suppliers is looked at carefully.

How do we become involved? We ensure the law is followed. Do you have the jurisdiction to do this — yes or no? We came to the conclusion in a few cases that they were outside their jurisdiction. So that was taken out.

When it comes to private information, we establish some guidelines with these policies, we make remarks, and we have an ongoing communication with the chief of CSE.

Without disclosing anything, it is important to realize that CSE is doing its best, but it’s not perfect. When I say this, I think the chief of CSE knows what I’m talking about. I think the fact that we’re involved at that stage — we’re a bit like the person looking above the shoulder of the decision maker — un chien de garde like we say in French — and we then make sure they comply. If they don’t, they report back to us, and we ensure that there are proper steps to be followed. That’s the type of relationship that we’re adding.

Senator Batters: And just to be clear, none of that is required under Bill C-26.

Mr. Noël: None of that.

Senator Batters: None of that. Thank you.

Senator LaBoucane-Benson: My question is for Commissioner Noël. Thank you so much for your testimony.

Perhaps you can help me understand how Bill C-26 operates in a broader legal context. For example, under Bill C-26, Charter protection against unreasonable search and seizure still applies, right? Also Criminal Code prohibition of interception of private communication still applies, right? Can you speak to that, please?

Mr. Noël: The Charter still applies, as does section 8 regarding seizures among other things. In all cases I’ve known, you need a warrant. You can obtain it from the justice of the peace, you can obtain it from the Federal Court, and you can obtain it from a quasi-judicial officer. In the present bill, there is no such warrant requirement — except for dwellings or maison d’habitation. They make that exception. Everything else, when they go into the office of one of the regulators, the regulator will be able to go in and get what he wants. Normally, that would go against the Charter.

I’ve read the Charter Statement by the minister, and I haven’t seen anything in that statement that would give a justification under section 1 of the Charter. I haven’t seen anything. It’s a first in Canada where anyone can go and search. And the Supreme Court of Canada is very private about this information. In this case, it’s totally absent.

[Translation]

Senator Dagenais: Mr. Dufresne, I’ll go back to information sharing with other countries. Have all the countries in the Five Eyes alliance, meaning our closest allies, agreed in writing to the principle you’re talking about? If not, which are not yet part of the privacy agreement? Are there any that are not part of it?

Mr. Dufresne: The example I’ll give you is the U.K.’s approach, which recommends the idea of proportionality. It can be used as an example for cybersecurity-related information and information sharing with the authorities: It has to be relevant, necessary and proportional. I think that’s an example we should follow.

Our European counterparts, because of their obligations, require that the authorities in charge of data protection be notified whenever there is a cybersecurity breach. The data protection authority in Canada is my office, hence my recommendation that we should follow that stricter example. In the U.S., there are obligations to publish mandatory orders for dealing with privacy and civil rights and freedoms. Once again, that could be reinforced at the regulatory level. This whole matter of holding information…. As I said, we recently signed an agreement with the FCC, in the U.S., a memorandum of understanding. We worked closely with them. I would say that the principles we are advocating are generally accepted when it comes to privacy.

Senator Dagenais: Thank you.

[English]

Senator Batters: Back to the Privacy Commissioner, Mr. Dufresne. At the House of Commons committee, you testified this:

“As drafted, these powers are broad. In order to ensure that personal information is protected and that privacy is treated as a fundamental right, I would recommend that the Committee consider making the thresholds for exercising these powers more stringent, and placing stricter limits on the use of those powers.

“One way of doing so would be to require that any collection, use, or disclosure of personal information be both necessary and proportionate. This is a core principle for the handling of personal information that is recognized internationally.”

You’ve talked about this today as well.

Now, the House of Commons committee did pass amendments which explicitly defined personal and de-identified information as confidential, which helps, but there is certainly more to be done to address the serious privacy concerns in this legislation. Please tell us why you don’t think the House of Commons amendments go far enough.

Mr. Dufresne: Thank you, senator. Indeed, there have been some improvements with the amendments made at the House. You mentioned some with the notion of defining personal information and de-identified information as confidential information for the Telecommunications Act part of Bill C-26. That wasn’t done for the other part in terms of confidential information, so there could be clarifications there.

There have been improvements in terms of the discretion to the minister and Governor-in-Council. The first version was much more “in the opinion of” and now there has been strengthened language about reasonableness, “reasonable to the gravity of the threat.” Nonetheless, I continue to recommend the gold standard of necessity and proportionality be the one used.

I think that when you have a standard that is known, that is understood, it’s better to continue to use it rather than create a new one. There is a risk that if there is a choice to use different language, people will ask why the legislator did that. Is it to have a less stringent standard?

So the recommendation is that we should stick with those principles. Privacy is a fundamental right. It is not an obstacle to public interest, but Canadians will be reassured by seeing this twin notion of necessity and proportionality overall for personal information.

Senator Batters: Thank you. Also with respect to that amendment that was passed by the House of Commons committee but then pulled out at third reading stage in the House of Commons, can you please tell us a little bit more about that, why it actually is important to have that amendment in there and maybe why it would have been pulled out? That’s kind of an unusual situation.

Mr. Dufresne: Yes. Thank you. This was an amendment that would provide that information shared with departments be kept no longer than necessary for the purpose, to the investigation and so on. This was a privacy protective principle of retention, and it was deleted at third reading.

My understanding is it may have been an understanding that there is a retention principle under the Privacy Act so you could deal with it under the Privacy Act. Currently, the Privacy Act regulations don’t provide a maximum retention period. It provides a minimum retention period of two years. There remains a gap, and in this instance, the amendment put at second reading, in my view, was a good one, especially if the necessity and proportionate will not be the framework.

Senator Batters: Right, because as you were saying the Privacy Act would not cover that. Perhaps they were thinking it did, but you’re confirming today that the Privacy Act does not cover that.

Mr. Dufresne: It would not cover it. You may include it by amending regulations and providing some further detail there. There may be some possibilities, but, again, in this instance, you have the legislation that is providing for these powers and bringing this clarity. There is an opportunity to do this now. I don’t want to presume when the Privacy Act will be amended so you have the opportunity to.

Senator Batters: When was the last time the Privacy Act was amended? Was that Bill C-15?

Mr. Dufresne: It’s 40 years old. There may have been some small amendments during this period, but, certainly, it’s overdue.

Senator Batters: Thank you.

The Chair: Colleagues, there are no other senators on the list, so I have a question for Mr. Noël.

You have an important role as the chief Intelligence Commissioner. Given your responsibility of being a guardian of some fundamental principles and values in our democracy when the state should intervene and what the balance is — every time you’ve been here you have spoken about that balance very eloquently. In this situation, in this bill, your role and responsibility has diminished in how you get to play or continue to play that role. Can you explain to me why that is?

Mr. Noël: I have no reason why the conceptualizers of this bill have decided to — I haven’t been consulted. I haven’t been briefed on it. Although, just a few days ago they made an offer, which I declined, because I’m an independent officer. I don’t know why they have decided to put this oversight apart.

The Chair: Given the extremely important responsibility of cybersecurity for the whole nation, not just for individuals, there is always going to be a balance that needs to be struck in the interest of the country, protecting Canadians and institutions in many places, but wouldn’t it be fair for Canadians to want to understand whenever there is a need to find some way to deal with the gravity of the situation, we would have somebody providing oversight, which you have done for quite some time on our behalf, because you have the ability to make the determination if it’s reasonable or not.

Mr. Noël: As with the Privacy Commissioner’s job, the Intelligence Commissioner’s job is there to insert into the population a degree of confidence. That’s why we’re there. I feel like a goaltender, and it is my information. When I look at what CSE is doing, I have a view of it as if it’s mine. I want to make sure that if they have to keep it, they have good reasons to do so. I want to make sure, secondly, that if they have to keep it, how long they are going to keep it. It’s so important for me when I look at that type of information.

Cyberattacks are as the war of the present time. Canada is open to state attacks like it is to ransom attacks. We have to give our governments the tools to respond. You can’t give them a little shotgun, they have to have the same kinds of resources.

At the same time — the balancing that you’re talking about — there has to be an oversight, including a review process with the National Security and Intelligence Review Agency, or NSIRA, and the National Security and Intelligence Committee of Parliamentarians, or NSICOP in order to make sure that these important tools are properly used and that the privacy of Canadians at the end is protected. That’s why we’re there. That’s why the Privacy Commissioner is there.

In this case, they decided to leave aside the oversight and they made a big point about having the review, but they forgot that an oversight, like the Intelligence Commissioner, is a different one. It’s not the same as the review process, because the review process comes after the fact.

The Privacy Commissioner has an investigation power like NSIRA. At my stage, I deal directly with the operators. To that effect, it appears to me — and history has shown that up until now, that this job has evolved and things cannot be known now, but one day it will come out that it has been extremely useful.

The Chair: Thank you very much.

Colleagues, this brings us to the end of this panel. I want to thank the three witnesses who are before us today. Each one of them in their own capacity provides an important service to the country, and it is invaluable what you do on behalf of Canadians. Thank you for your service to the country. We very much appreciate the experience you bring and the insight you provide to the committee in regard to the questions we asked.

Senators, this brings us to the end of this part of today’s agenda. We have one issue for the committee to consider, which is a budget for us to travel for the study of military procurement.

You should have received a copy of the proposed budget report and communication plan for travel in relation to the committee’s study on military procurement and Canadian defence industry. This budget proposes funds for a one-day fact-finding mission to western Quebec in the area of Mirabel, where the committee members would meet with a small group of companies specializing in the production of defence capable assets.

Would members like to proceed in camera to discuss the budget? Agreed?

Hon. Senators: Agreed.

(The committee continued in camera.)

(The committee resumed in public.)

The Chair: It is agreed that the budget application for travel to western Quebec for a fact-finding mission for the fiscal year ending March 31, 2025, be approved for submission to the Standing Senate Committee on Internal Economy, Budgets and Administration.

All those in favour?

Hon. Senators: Agreed.

The Chair: Agreed. Thank you, senators.

This budget will now be submitted to the Standing Senate Committee on Internal Economy, Budgets and Administration to be reviewed by the Subcommittee on Senate Estimates and Committee Budgets, or SEBS, at the earliest opportunity.

This concludes today’s agenda. Our next meeting will take place Monday, November the 25, at 4 o’clock Eastern Time. We will proceed to clause-by-clause consideration of Bill C-26. Members are encouraged to contact the Office of the Law Clerk or parliamentary counsel should they wish to bring forward amendments and to share amendments with the clerk as soon as possible. If you would like your amendments to be distributed in advance of the meeting, please share them with the clerk by Friday morning, November 22, at the latest. Otherwise, please bring sufficient copies of your amendments to the meeting. With that, I wish everybody a good night.

(The committee adjourned.)
