Bill Respecting Cyber Security, Amending the Telecommunications Act and Making Consequential Amendments to Other Acts

Honourable senators, I rise today as the official opposition critic to speak at third reading of Bill C-8, the critical cyber systems protection act.

This legislation is twofold. Part 1 amends the Telecommunications Act to include the policy objective of security and allow the government to impose security measures on telecommunications service providers. Part 2 of the bill enacts the critical cyber systems protection act, making cybersecurity mandatory in four federally regulated critical sectors: finance, energy, telecommunications and transportation.

Bill C-8 requires cybersecurity programs, the mitigation of supply chain risks and the mandatory reporting of certain cyber incidents. It also establishes a compliance regime of administrative monetary penalties and criminal offences.

As many of you will know, this legislation has been a long time coming. The Trudeau government first consulted on it back in 2016. The predecessor cybersecurity bill in the last Parliament, then numbered as Bill C-26, had several fatal flaws, largely based in privacy protection concerns.

Late in the Senate committee study of the bill, a serious error was discovered. As a result of a numbering mistake that conflicted with Bill C-70, foreign interference legislation earlier passed in that Parliament, the operative part of Bill C-26 would have been completely nullified. The bill was therefore amended and sent back to the House of Commons with a few weeks left to pass it in December 2024. The government decided not to. Instead, the bill died on the Order Paper when then-Prime Minister Trudeau prorogued Parliament in January 2025.

The government introduced Bill C-8, the bill before us today, in June that same year. It was almost identical to its predecessor, Bill C-26. The government had not used the intervening months to consider amendments that had been raised during Senate committee study. It did not take the opportunity to consult the Privacy Commissioner or the Intelligence Commissioner regarding their thoughtful suggestions on ways to improve privacy protections for Canadians.

The Carney government reintroduced practically the same deeply flawed bill. I questioned Public Safety Minister Gary Anandasangaree at committee about why the government chose not to include significant changes to Bill C-26, when they had a six-month lag before introducing Bill C-8. He gave me no real answer, referring only to the fact that the government had accepted some of the Conservative House of Commons Bill C-8 amendments. The long story short? The government had the opportunity to introduce Bill C-8 as a better bill initially, but it failed, yet again.

It is largely thanks to my Conservative colleagues in the House of Commons that the version of the bill we see before us today has been greatly improved. During House of Commons Public Safety and National Security Committee, Conservative members made amendments that specified the threshold for action under the bill’s compliance regime to be relevant, necessary and proportional.

Other amendments required alignment with existing international regulatory standards, tighter rules on data handling and retention, increased transparency and accountability, and some additional safeguards around the capture of confidential and personal information.

Regrettably, three very important amendments brought by the Conservatives were ruled “out of scope” by the Speaker of the House of Commons. They pertained to the very important matter of judicial authorization. This continues to concern privacy experts. The government should be open to strengthening its legislation. They choose not to, and they hide behind this technicality.

We know that this Carney Liberal government has no qualms about introducing government amendments to its own bills. It has become almost expected of them by this point, particularly in later stages in the Senate. But, rather than amend these provisions and bring them into order, the government allowed technical objections to thwart these critical safeguards for Canadians. It speaks volumes about their priorities.

The Carney Liberal government is again trying to whistle legislation through the Senate in a quick fashion. This is bad governance. There is no time to let parliamentary debate properly play out before the government-imposed deadlines here in the Senate must be met. There is no time to let the appropriate ministers come to committee. Again, there are no second or third reading speeches on the bill from the Senate government leader. This results in much less accountability.

Under this expedited schedule, mistakes are more likely to occur. We certainly don’t need a repeat of the Bill C-26 and Bill C-70 debacle I mentioned earlier. Even though I questioned the departmental officials at my critic’s briefing, the bill sponsor after his second reading speech and the minister at committee for Bill C-8, I still have no additional clarity as to what, if any, processes the Liberal government has put into place to ensure that kind of significant error never happens again. It sounds as if they haven’t done a thing, because if they had, why wouldn’t they trumpet it?

Instead, the Carney Liberal government seemingly hasn’t learned any lessons at all. After a fall when they passed almost no legislation, they are now trying to force through many government bills in the next few weeks. They’re even sending bills to less appropriate Senate committees, as with Bill C-9, to force them through more quickly and with less scrutiny.

This is not a good way to govern.

Honourable senators, we need to stop using a rubber stamp so readily here in the Senate. Time and again, this Liberal government continues to try to use fear to ram through the many Liberal bills that take away Canadians’ rights and freedoms, including Bill C-8. They use that fear to urge parliamentarians to curtail study and debate just to get a bill passed more quickly. This government has zero interest in actual sober second thought. It’s foolish.

Just remember that if we had just let Bill C-26 pass as quickly as the Liberal government had wanted it to 18 months ago, we’d now have a deeply flawed bill as law without all the many good Bill C-8 amendments from Conservative MPs.

When Bill C-26 — Bill C-8’s predecessor bill — was referred to committee in the last parliamentary session, both the Minister of Public Safety and the Minister of Industry attended. That is why I found it so curious that for Bill C-8, Mélanie Joly, the Minister of Industry, attended only the House of Commons committee and not the Senate committee. Minister Joly didn’t come, even though she had been invited to attend the day that the Public Safety Minister came. Minister Joly was apparently too busy to appear; yet at different points that day, she was in the House of Commons just down the street, where she answered for the government in general during Question Period and attended a House of Commons committee.

When Minister Anandasangaree appeared, he proactively said that Minister Joly would be appearing later in the hearings. Minister Joly’s Innovation, Science and Economic Development Canada officials appeared on their own that same day.

Of course, since the committee members anticipated Minister Joly would appear in the future, it changed the questions we asked those officials. We did not find out until after their appearance that Minister Joly would not, in fact, be appearing at all. The committee decided to have only one other meeting with witnesses before going to clause by clause. Once again, the Minister of Industry’s failure to appear curtailed our ability as senators to get answers from the actual government.

Therefore, with no speeches from the Government Representative in the Senate on this bill and less ministerial accountability at committee, this doesn’t say much for scrutiny by the independent Senate.

Several witnesses appearing at the Senate Defence Committee indicated many areas of Bill C-8 that they would still like to see amended. Matthew Hatfield, the Executive Director of OpenMedia, said:

. . . the other house’s amendment work got a lot right on this bill. When civil society and the Privacy Commissioner came to the House with very severe concerns about the previous version of Bill C-8, many were heard, and real improvements were made . . .

He suggested four “. . . narrow amendments . . . .” to further improve Bill C-8. His recommendations, in addition to wanting to reinstate the House’s judicial authorization amendments, were:

. . . that data taken for one purpose is used for that purpose; that orders are proportional, not just reasonable; that our rights are defended by appointed judges, not a private corporation’s decision to fight an order; and that no secret order stays secret forever.

Researcher Kate Robertson of CitizenLab outlined five problem areas in Bill C-8 that would need to be addressed in order to, in her considered view, ensure constitutional compliance. They would include judicial authorization for the government to obtain personal or de-identified information from a telecommunications provider; excluding the interception of metadata under section 15.2; amending section 15.2 to clarify it cannot be used to adopt intercept capabilities; specifying the purpose for which personal and de-identified information can be used — as only for cybersecurity and information assurance activities; and clarification to protect encryption and technical safeguards in telecom networks generally, not just specific encryption that is attached to private communications.

Ms. Robertson warned us:

If a non-amended Bill C-8 passes, all telecom providers in Canada would be compellable through secret orders to install backdoors inside Canada’s networks by weakening encryption or network equipment . . .

She continued, saying:

Creating powers to drill holes in telecom encryption standards would only entrench or worsen cybersecurity threats into Canada’s networks. . . .

Obviously, this is very concerning, honourable senators, and something to consider as we face pressure from the government to pass this bill quickly and unamended.

The government’s insistence on just pushing this through has also meant inadequate consultations. The Privacy Commissioner and Intelligence Commissioner were not meaningfully consulted at all during the creation of Bill C-26, and, even though several months passed between the time Bill C-26 died on the Order Paper and when Bill C-8 was introduced, neither of them was consulted before the new legislation was introduced. This was later confirmed by officials, but no reasons were given by the government. I asked the bill sponsor, Senator McNair, about this again yesterday after his third reading speech. There was no justification given, only an attempted assurance that the government will consult with them in the future.

The Intelligence Commissioner testified at the Senate committee that he is “completely absent” from the machinery of Bill C-8. This is clearly not appropriate. While the government now promises to consult the Privacy Commissioner and Intelligence Commissioner in the creation of regulations, it is truly too little, too late.

Both commissioners had serious concerns about Bill C-26, namely regarding a lack of oversight. Under Bill C-26, it was possible that private information could be breached without the Privacy Commissioner even becoming aware. I proposed an amendment at committee that had been originally suggested by the Privacy Commissioner. It would have ensured that any material cybersecurity breach would have to be reported to the Privacy Commissioner. Unfortunately, my Senate colleagues defeated this reasoned amendment, and this hole remains in Bill C-8.

When Minister Anandasangaree appeared on Bill C-8, Senator McNair asked him to explain why my amendment had not been included in Bill C-8. The minister’s response was that it was “already covered by PIPEDA,” the Personal Information Protection and Electronic Documents Act. But wouldn’t the Privacy Commissioner know that if true? This is definitely within his ambit.

Many witnesses testified that Bill C-8 needs additional oversight, particularly through the addition of judicial authorization. As I mentioned, amendments to this effect were passed at the House of Commons Public Safety and National Security Committee but were ultimately ruled technically out of order by the Speaker of the House of Commons.

I asked Public Safety Minister Anandasangaree about the need to increase oversight in the legislation. He pointed to the National Security and Intelligence Committee of Parliamentarians, or NSICOP; and the National Security and Intelligence Review Agency, or NSIRA — both entities that review incidents after they occur — as “safeguards.” Of course, both of those bodies are also populated by people appointed by the Prime Minister and who report to the Prime Minister, all under a great veil of secrecy. That doesn’t seem like a very effective “safeguard.”

Several expert witnesses indicated to the Senate Defence Committee that the lack of oversight in Bill C-8 remains problematic, and, while proponents of the bill point to post-order review by NSICOP and NSIRA as proper oversight, experts still maintain this is entirely insufficient.

Professor Matt Malone points to the lack of oversight ex ante — before the fact — as a significant problem with Bill C-8. By the time NSICOP and NSIRA review a case, the horse is already well out of the barn. Furthermore, both organizations are appointed by and answer to the Prime Minister. As Professor Malone points out, NSICOP has been muzzled from releasing its findings publicly in the past, and NSIRA has stated very clearly that they are not doing some of the real review work they otherwise might because of a lack of resources. Furthermore, as Intelligence Commissioner Simon Noël told the Senate Defence Committee, there would likely be significant delays in findings. He said NSIRA could be reviewing an incident as much as three years after it occurs.

Some witnesses suggested the creation of an annual ministerial authorization that would build a framework for how the Communications Security Establishment uses and shares information about cyber incidents and that the Intelligence Commissioner should review and approve it. Kate Robertson suggested that this was one way to improve oversight that would not be considered out of scope, as with the original judicial authorization amendments.

The Intelligence Commissioner explained to our committee the way that his review function generally works. He said:

I’ve been doing this for the past four years. I can tell you that my experience is such that two or three times I decided that some of the activities that the minister wanted to grant were not to be. Why did I do that? I had viewed the jurisdiction as it was granted, Senator Batters, and came to the conclusion that what the agency wanted to do was not in conformity with the jurisdiction. Therefore, this activity did not occur. . . .

. . . If you want to impact the personal information of Canadians, you must justify doing so. It compels the decision maker or the agency to really ask, “Can we do this? Are we doing it in accordance with the law?”

In response to a question from Senator Yussuff, Intelligence Commissioner Noël said:

The fact that the Intelligence Commissioner is not part of the system means that, at the beginning of any decision, there will not be any involvement of a third party that will look into the situation and make sure that it’s in accordance with their legislation.

Second, when they do collect information on Canadians, they do it in accordance with their own internal policies. They will be left on their own, except after the fact.

Then NSIRA, the civilian review agency, will have an opportunity. It’s been shown that 50 decisions of our office have produced on the part of the agencies an attitude of being very meticulous and very concerned about information on Canadians and with ensuring that they don’t go overboard when they have to deal with it for the purposes of solving, for instance, a cybersecurity incident.

Commissioner Noël stated he still has concerns about warrantless searches under Bill C-8, as he did with Bill C-26. He wrote to the committee:

The concern with searches that are not pre-approved by an independent officer relates to the nature, use and retention of information that could be seized. This concern would increase if the use of the information moves away from compliance.

Several times at committee, we heard witnesses argue that we should pass Bill C-8 as it is, warts and all, and expect outstanding issues to be dealt with via regulation. When I asked whether that regulatory process would most likely be a two-year process, government officials initially denied it, but then, when pressed by me, they admitted it could still take up to 18 months. Yesterday, Senator McNair said the minister’s letter to the committee admits it could take up to 24 months.

Honourable senators, we know that judges, including the justices of the Supreme Court, look to the Senate on occasion when deciding Parliament’s intent for statutory interpretation. If we pass this bill unamended and proclaim it good enough, I submit we leave glaring holes that will misrepresent our actual intent.

Witness Kate Robertson expressed that leaving details to regulation is wholly inadequate. She said:

I actually think it would be quite a problem if they were left for regulation because they are a matter of statutory interpretation. If I could just use one example, right now, the bill references the lack of authority in clause 15.2 to order the intercept of private communication.

I recommended that should be inclusive of intercepting metadata as well. As a matter of statutory interpretation, Parliament’s intent will be divined from the clause that right now, as it stands, does not include metadata. There will be inferences drawn as to whether Parliament very much intended to enable the interception of metadata.

Other witnesses suggested issues not addressed directly in Bill C-8 could come to light in the five-year review mandated in the legislation. But, colleagues, as we all know, these reviews don’t happen often, if at all. And as a long-standing member of the Senate Legal Committee, I can vouch for that. Given all the government legislation and senators’ public bills we always have stacked on our committee agenda, especially in the last several years, five-year reviews don’t get the priority for study they probably deserve. So to say we will deal with outstanding issues in Bill C-8 with a legislative review is unlikely, to say the least.

As I said earlier, this cybersecurity legislation has been long in the making, and now we are being pressed to just pass this legislation because something is better than nothing. We are the last of the G7 countries to have cybersecurity legislation in place. Our critical systems are currently vulnerable to attack and it is better to have at least that basic protection in place.

I have some sympathy for that argument. It is a dangerous, fast-paced world, and global cyber-threats seem to only be accelerating at breakneck speed, particularly with the advent of artificial intelligence. We don’t want to fall behind or make our citizens — our country — vulnerable to attack.

But the problem is this: It is the constitutional privacy rights of Canadians that are sacrificed by proceeding with this unamended legislation. The significance of that cannot be diminished. The right to privacy is really one of the most fundamental constitutional rights Canadians have — the ability to choose what thoughts and beliefs in our minds and hearts we share with the external world. And there can be very grave, life-altering consequences if one’s privacy is sacrificed. Cybersecurity experts and privacy officials have warned us repeatedly that this remains a risk if we pass this legislation before us as it is.

Sharon Polsky, the President of the Privacy and Access Council of Canada, expressed concerns about the lack of restrictions on the sharing of data collected under Bill C-8, which can be shared with foreign governments, institutions and organizations. She said:

How can Canadians have trust? We’re told to trust. I’d rather have reason to trust, and this bill doesn’t quite give enough assurances to provide a reason to trust. It’s still too broad, non-specific and open to interpretation. . . . I think the consensus in our organization and with our members is that it’s not good enough to pass a piece of legislation that has so many flaws that so many people recognize while still saying, “Just pass it. It’s better than nothing. It’s better than what we have.”

Ms. Polsky continued:

“Good enough” isn’t a good enough reason to pass the legislation as it is. It really could benefit from some minor tweaks that would make a huge difference and improve Canadians’ trust. Give them a reason to trust.

Professor Matt Malone addressed the length of time it has taken to get Bill C-8 to this final stage in the Senate and warned:

. . . As much as there is an urgency to pass the law, which I recognize, the reality is that once we have the legislation, it is likely to be there for a long time.

That’s why Parliament needs to get it right.

Matthew Hatfield agreed. Rushing to pass this legislation prematurely could be a mistake that lasts for quite a while. He said:

Laws sometimes last a very long time. Small imperfections passed in a law today can turn out to be very impactful and could kick around for many years. . . .

So, yes, pass a version of this bill eventually, but there is no reason to get this done so urgently that you can’t take a few more weeks to make necessary improvements.

Honourable senators, it has already been 10 years. Yes, this legislation is long overdue. We have taken a few runs at this. The House of Commons committee made quite a few amendments that greatly improved this bill, but there are still several legislative holes that are concerning from a privacy perspective.

This government has had ample opportunity to improve this legislation to adequately protect Canadians’ fundamental privacy rights, and they have abrogated their duty to do so. If the bill were to wait a few more weeks to get fixed properly, it would be the government’s fault, not ours.

With that said, I would have liked to propose amendments to Bill C-8 to try to honour the recommendations of some of the most thoughtful expert witnesses who came before the Senate committee with the protection of the rights of Canadians as their foremost concern. But it is very evident to me that members of the Senate National Security and Defence Committee and members in this Senate Chamber will not accept amendments; they want this bill to pass unamended.

I proposed a reasonable, well-supported amendment to try to improve Bill C-26. It was rejected by a wide margin. Bill C-26 passed this chamber of supposed sober second thought, even though that bill had gaping security and privacy concerns detailed by the vast majority of our committee’s witnesses. And now, the Senate National Security and Defence Committee has passed Bill C-8 after a 90-second clause-by-clause consideration, with no amendments and no observations.

I know exactly where this is headed, honourable senators, and I ask you to consider the potential consequences of our haste. A decade of work should produce a virtually perfect piece of legislation, but it certainly hasn’t. We need to carefully consider what the implications will be for the privacy rights of Canadians if we pass this flawed bill.

Thank you.

Yes.

I think what I said was that he appoints them and they report to him. They are members from different committees — different senators — but the fact remains that they are appointed by the Prime Minister, they report to him and the vast majority of their work has to remain secret.

There can only be so much actual accountability resulting from that, and it’s always after the fact and not before the fact. The vast majority of my speech talked about how Bill C-8 really suffers from a lack of oversight prior to a decision rather than years after the fact, as often happens with the National Security and Intelligence Review Agency, or NSIRA, and the National Security and Intelligence Committee of Parliamentarians, or NSICOP.

In his capacity on NSICOP, yes, he does. That committee reports to the Prime Minister, not Senator Claude Carignan himself. NSICOP as a body does, yes.

Are senators ready for the question?

Is it your pleasure, honourable senators, to adopt the motion?

Some Hon. Senators: Agreed.

An Hon. Senator: On division.

(Motion agreed to and bill read third time and passed, on division.)