Honourable senators, I rise today to speak to second reading of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

This bill consists of two parts, the first of which amends the Telecommunications Act to add security as a policy objective and increase security in Canada’s telecommunications system. It would allow the government to prohibit telecommunication providers from using products or services from high-risk suppliers and to establish a system of penalties for infractions.

The second part establishes the critical cyber systems protection act, requiring designated operators in critical federally regulated systems — finance, telecommunications, energy and transportation — to protect Canada’s crucial cybersystems from threat. It further establishes reporting requirements for cybersecurity incidents.

This bill has been a long time coming. The Trudeau government first held public consultations on it back in 2016. That was so long ago, the government was still talking about sunny ways. It seems like a world away today. Is their Liberal caucus meeting done yet? I digress.

In 2018, the Trudeau government released a National Cyber Security Strategy, and it took another four years, until 2022, for them to draft and introduce this bill in Parliament. Why did it take the Trudeau government so long to draft this legislation? I’ll tell you what we do know about that time frame: For two of those years, Bill Blair was the Minister of Public Safety, and we know he doesn’t read crucial security briefings. We also know his chief of staff throughout those two years had a tendency for important documents to get lost on her desk.

Whatever the reason, once Bill C-26 was finally introduced, it took two more years for it to work its way through the House of Commons, and even after it passes the Senate, it will take another two years in the regulatory phase before much of the impact of this legislation even comes into effect. In fact, Bill C-26 has taken so long to work its way up to the Senate that some of its provisions are now outdated — and it hasn’t even passed yet.

In June we passed Bill C-70, An Act respecting countering foreign interference, which included provisions for secure administrative review proceedings. That will prevail instead of those provisions contained in Bill C-26. Even after taking eight years to produce Bill C-26 to this point, the Trudeau government still hasn’t produced a Gender-based Analysis Plus for it. Remember that promise, GBA Plus? It’s another of the Liberal government’s greatest hits. It was supposed to be mandatory for all bills they introduced in Parliament. When I inquired about whether there was a Gender-based Analysis Plus for Bill C-26, the government finally replied with only this: “If passed, a GBA Plus analysis will be conducted as part of the regulations development process.”

So, in the six years leading up to this bill appearing in the House of Commons, the government could not find time to write a GBA Plus analysis of it because — you know — priorities. They were also too busy over the past two years while this bill was sitting in the House of Commons because governing is hard. But they pinky-swear we’ll get one after the bill is passed. Funny, that doesn’t seem like an ideal time to consider the ramifications of legislation on minorities, but to this Trudeau government, it means avoiding those pesky parliamentary questions.

Even when GBA Plus documents are produced for a bill, they are often not posted online or circulated during parliamentary study of legislation. I can’t even count the number of times our Senate Legal Committee has had to ask for the GBA Plus analysis once bills reach the Senate committee stage, even after a bill has passed the House of Commons and the minister has appeared before our Senate committee. It is unacceptable. It is just one more broken Liberal promise on the path of their utter incompetence. It underscores the lack of seriousness with which this Trudeau government approaches governing.

Speaking of which, I will note that, once again, the leader of the Trudeau government in the Senate did not speak on this bill, nor did any members of this Trudeau government caucus. Therefore, once again, senators were denied the opportunity to ask questions of the government about this important and complex bill. The sponsor’s speech was relatively brief, and I had to wait more than three weeks for the government to provide answers to the questions I asked the sponsor that day.

It seems the Trudeau government takes this same cavalier attitude in addressing cybersecurity. Remember how long it took this federal government to finally join our allies in rejecting Huawei’s involvement in the 5G network? It was three years, a whole lot longer than it should have. During the almost 10 years it will have taken to implement Bill C-26, Canada’s critical infrastructure has been left at considerable risk of cyberattacks, and that vulnerability is alarming.

Caroline Xavier, the Chief of the Communications Security Establishment — the government agency that handles cybersecurity — called attacks on Canada’s critical infrastructure the “greatest strategic threat to Canada.”

She said:

. . . cybercrime is the most prevalent and most pervasive threat to Canadians and Canadian businesses. Cybercriminals trying to probe Canadian systems have been found in Russia, China and Iran, among others. These actors use various techniques, such as ransomware . . . .

According to the government’s own National Cyber Threat Assessment 2023-2024, ransomware is the most common and persistent cyber-threat facing Canadians and Canadian organizations. Yet, Bill C-26 is oddly silent on the matter, making no explicit reference to this cybercrime at all in this legislation. The consequences of cyberattacks can be not just financial but even existential. The worst-case scenario could be a threat against Canada’s critical energy infrastructure — pipelines, for example, or the electrical grid in the middle of a harsh Canadian winter.

As a small population spread across a vast land, Canadians are also vulnerable to threats disrupting telecommunications and transportation infrastructure so crucial not only to the economies in our big cities but also to survival in the rural and remote areas of our country.

Twenty-five percent of all businesses in Canada have endured a cyberattack. Caroline Xavier told the House of Commons Standing Committee on Public Safety and National Security that small- and medium-sized businesses comprise 98% of the Canadian economy, yet a stunning 44% of them are without protection from a cyberattack. That leaves the Canadian supply chain and our critical infrastructure systems vulnerable.

There is, then, definitely a need for legislation to address cybersecurity issues and inoculate Canada against the disruption of our society and economy that comes from such attacks. That is why it’s so crucial that we get it right.

This legislation has not only been a long time coming, but it also had to be significantly overhauled at the House of Commons committee stage.

Some of the amendments passed at the House of Commons committee stage have made this legislation more palatable, and thank goodness. But the fact remains: Why did the Trudeau government introduce this legislation with such significant flaws in the first place? Several of the amendments were proposed by the Liberal members of the committee who knew their legislation would otherwise have been in trouble. Even after the massive delay in introducing this cybersecurity bill, the Trudeau government still had to repair its own mess once the bill was before the House committee, as they so often had to do at Senate committees as well.

It’s shamefully bad governance.

One major problem with the bill is the wide-sweeping powers it grants to cabinet, the executive branch of government. As the sponsor, Senator McNair, stated in his second reading speech, Bill C-26 authorizes the Governor-in-Council — that is, the cabinet — to direct the telecommunications industry “. . . to do anything, or refrain from doing anything . . . .” if deemed necessary by the minister. That’s extremely broad power. While that language was cushioned at the House of Commons committee to require the minister to have “reasonable grounds” for the exercise of that power to be necessary, we must still remain vigilant against ministerial overreach — a favourite Trudeau government pastime.

Critics of this legislation have also complained that Bill C-26 provides only limited oversight. While amendments were passed at committee requiring the minister to notify Canada’s national security committees — the National Security and Intelligence Committee of Parliamentarians, or NSICOP, and the National Security and Intelligence Review Agency, or NSIRA — of confidential orders, the accountability and transparency afforded by those bodies is very limited. Both committees answer to the Prime Minister, the head of the executive branch of government. As I have said before, the Prime Minister appoints all the members who sit on these bodies. All senators who are currently members of NSICOP were appointed to the Senate by Prime Minister Trudeau, with significant Liberal and Trudeau Foundation ties. The work of both committees is conducted in secret, with only limited information available to parliamentarians or the Canadian public. As my Conservative MP colleague Raquel Dancho, the Public Safety critic, said about Bill C-26 in the House of Commons:

. . . “with great power must come great accountability.” There is great power in the bill, but the accountability side is lacking.

To try to bolster the accountability of the bill, the House of Commons Standing Committee on Public Safety and National Security passed amendments requiring the minister to table an annual report in both houses of Parliament. Further amendments detailed the type of information to be included in these reports.

I have many questions about the possible quasi-criminal offences in Bill C-26. I asked the Senate sponsor of the bill some questions about that after his speech in the Senate. Three weeks later, he provided the government’s answers to my queries, but I must say I found them unsatisfactory. These responses mostly focused on the penalties in the bill, rather than the potential quasi-criminal offences employed for this regime.

The critical cyber systems protection act provisions — Part 2 of Bill C-26 — establish several hybrid and summary offences for contraventions of the act. According to the government response:

These include the hybrid offences of contravening a cyber security direction, disclosing information about the existence or contents of a cyber security direction and disclosing confidential information in circumstances not permitted under the Act. These hybrid offences would be punishable by a fine and/or a maximum term of imprisonment of two years less a day on summary conviction and five years on indictment.

While there is an opportunity for judicial review, there are more significant limitations for a successful application than with an appeal process.

Part 1 of the bill — amendments to the Telecommunications Act — establishes an administrative monetary penalty scheme and a sentencing scheme for violations. According to the government response:

[T]he maximum penalty for individuals is $25,000, or $50,000 for subsequent violations. In any other case, the maximum penalty is $10,000,000, or $15,000,000 for subsequent violations. . . . For individuals, offences can be punishable by imprisonment (up to two years less a day) or a fine, or both, depending on the court’s decision.

Business groups, especially small- and medium-sized enterprises, have also raised concerns about Bill C-26. The limited time frame and the cost of implementing the measures necessary to comply may be especially onerous on smaller enterprises. MP Raquel Dancho raised with the minister whether any funding would be available or provided to small- and medium-sized businesses to assist with compliance, but she did not receive a response to her query. This government spends tens of millions of dollars on cybersecurity, but it is clearly not making smaller businesses a priority.

We all know that as the Trudeau government piles up regulations and obligations onto businesses and service providers — through Bill C-11, Bill C-18 and now Bill C-26 — the costs for businesses to comply mount. And that cost is ultimately paid by just one person: the end consumer. In the last week, we’ve seen the music streaming service Spotify announce that it is hiking its fees in Canada, partly in response to regulatory burdens from Bill C-11.

Another major area of concern in this bill is the privacy provisions or lack thereof. Several key subject-matter experts have raised these as inadequate in Bill C-26. The Privacy Commissioner said:

As drafted, these powers are broad. In order to ensure that personal information is protected and that privacy is treated as a fundamental right, I would recommend that the Committee consider making the thresholds for exercising these powers more stringent, and placing stricter limits on the use of those powers.

One way of doing so would be to require that any collection, use, or disclosure of personal information be both necessary and proportionate. This is a core principle for the handling of personal information that is recognized internationally.

The House of Commons Standing Committee on Public Safety and National Security did pass amendments explicitly defining personal and de-identified information as “confidential,” which helps. But there is certainly more to be done to address serious privacy concerns in this legislation.

The Canadian Civil Liberties Association, or CCLA, brief outlines one such needed improvement:

Legislative wording should also make clear that personal information includes de-identified information, because the definition of “personal information” carries important Privacy Act protections. Additionally, personal information, including de-identified information, should always be deemed to be confidential, rather than that decision being left to the entity providing it.

Civil liberties groups also want limitations to be placed on how long authorities can retain the data of Canadians. One such amendment did pass the House of Commons committee but was inexplicably removed from the bill without debate at report stage. Why? I have no idea. I wish I would have had the opportunity to ask Senator Gold that very question, but, unfortunately, he didn’t give us the chance.

I expect the Privacy Commissioner will be asked to provide further input on this bill while it is before the Senate. I look forward to hearing his advice on whether the amendments passed in the House of Commons sufficiently addressed the reservations he initially flagged with this legislation. Further, it may be worthwhile to consider some role for the Privacy Commissioner in reviewing how sensitive information is handled and released under this act.

Some organizations have noted the lack of transparency in the legislation. The Centre for International Governance Innovation, or CIGI, expressed concern about the government’s ability to give direct orders in secret under Bill C-26 while a legislative vacuum exists regarding the adequate protection of privacy rights.

As highlighted in a recent article by law professor Matt Malone, which was published by CIGI:

The scope of Bill C-26’s secretive powers is all the more concerning when we consider that the federal government has not yet enacted concrete legislation on privacy, data protection, or its use of artificial intelligence technologies. Instead, a proliferation of non-binding governmental “directives” and “guiding principles” have been to left to cover some of these areas when it comes to the government’s own conduct. But they are all without meaningful sanctions for non-compliance.

Professor Malone also said that the lack of transparency is in direct contrast to the legislation governing the creation of the Communications Security Establishment. Bill C-26 would do the following:

. . . permit nearly complete secrecy when issuing cybersecurity directions to certain businesses; once received, those directions would almost never be subject to public disclosure. And they would not be subject to prior authorization or review before they were issued.

This diverges markedly from the thrust of the CSE’s enabling legislation, which seeks to impose greater accountability over certain conduct through prior authorization and review obligations. For example, under that enabling legislation, when the CSE’s spying activities contravene federal law or interfere with the reasonable expectation of privacy of individuals in Canada, the agency must obtain approval from the Office of the Intelligence Commissioner. Last year, the Commissioner fully granted half of such requests (three out of six). The cybersecurity direction powers in Bill C-26 are subject to no similar kind of review.

Several different civil liberties organizations, including the Canadian Civil Liberties Association, wrote an open letter to the Minister of Public Safety in 2022 to raise their concerns about this bill. The secrecy provisions of this bill raised red flags in the eyes of these organizations, with their letter stating that “Secrecy undermines accountability and due process.” This submission also addressed the issue of secret evidence in courts under this bill:

Even if Security Orders are subjected to judicial review, Bill C-26 could restrict applicants’ access to evidence. The legislation does not include any consideration of security-cleared advocates to be appointed on applicants’ behalf, as happens in other national security cases. While such provisions are an imperfect solution for due process, they do provide at least a minimal level of protection for applicants’ rights. C-26 even empowers judges to make rulings based on secret evidence that is not provided, even in summary form, to applicants or their legal team. It also places the onus on the target of Security Orders to bring legal proceedings, with the associated cost burden.

The Trudeau government’s Charter statement that accompanies Bill C-26 states that “. . . the open court principle is not absolute and may be limited where there are pressing state objectives.”

Secret courts? With evidence not even provided to an applicant so that they can defend themselves? In Canada? That is potentially very scary stuff. I will be interested — through study of this bill at committee — to learn how the United States, with a tendency more towards openness in their courts, handles similar scenarios under its own legislative regime.

The fact that orders may be rendered in secret also creates uncertainty and confusion for companies that are trying to comply with the law as regulatory decisions are public while security orders are not. According to the Canadian Civil Liberties Association’s submission, this further “. . . threatens the integrity and accessibility of Canada’s regulatory frameworks, and renders the security-related rules currently in effect unknowable for members of the public.”

Civil liberties organizations are also concerned about the lack of accountability in Bill C-26, even though the bill was amended to now include notification of National Security and Intelligence Committee of Parliamentarians, or NSICOP, and National Security and Intelligence Review Agency, or NSIRA, in the event of confidential orders. An updated brief by the Canadian Civil Liberties Association, or CCLA, specifically highlights the Communications Security Establishment Canada’s repeated refusal in the past to comply with NSIRA directives. The CCLA writes:

[A]s presently drafted, C-26 risks continuing a situation where the CSE interprets its mandates — now supercharged with even more Canadians’ personal information — in manners that have been found non-compliant with the Privacy Act by their reviewer. The Senate has a role and obligation to prevent such a mishandling of Canadians’ often most sensitive information, especially given the CSE’s long track record of failing to cooperate with its review agencies.

Another concern about Part 2 of Bill C-26 is the fact that it allows the Communications Security Establishment to use data from the organizations that hold Canadians’ most sensitive personal information, including banks, telecom providers and transit agencies. CSE would not be limited to using this information only for the cybersecurity purposes of its mandate. Instead, the information could be shared with CSE’s international partners for signals intelligence or foreign intelligence purposes.

In the words of the CCLA, “While our alliances are important, Canadians’ personal information should not be the coin to maintain these relations.”

Furthermore, such use would receive oversight only after the fact, not when it occurs.

In conclusion, Bill C-26 is long overdue, but it still has far to go. Significant concerns remain around important issues such as the privacy rights of Canadians, financial implications for businesses and adherence to our democratic standards of open courts and fairness before the law. Protection of Canada’s critical cyber infrastructure is crucial, but so is safeguarding the civil liberties and rights of Canadians. I look forward to a thorough study of this bill at committee so that we can delve further into these complex issues and try to find an appropriate balance between these competing priorities. Thank you.