
SECU Committee Meeting








Standing Committee on Public Safety and National Security


NUMBER 010 | 1st SESSION | 45th PARLIAMENT

EVIDENCE

Thursday, October 30, 2025

[Recorded by Electronic Apparatus]

(1105)

[Translation]

    I call this meeting to order.
    Good morning, everyone. Welcome to meeting number 10 of the House of Commons Standing Committee on Public Safety and National Security.
    Before introducing our distinguished guests and giving them the opportunity to speak about the important topic of this meeting, I would like to invite Mr. Ramsay, following our final discussion last Tuesday, to clarify the work on Bill C‑12.
    Thank you, Mr. Chair.
    Following the informal discussions that we've had since Tuesday, I would like to amend the motion on Bill C‑12 to read as follows:
Notwithstanding the motion adopted by the committee on Tuesday, October 28, 2025, in relation to consideration of the Bill C‑12, An Act respecting certain measures relating to the security of Canada's borders and the integrity of the Canadian immigration system and respecting other related security measures;

That the committee conduct clause‑by‑clause consideration of the Bill after the conclusion of witness testimony on the fourth meeting; and

That the committee do not adjourn until clause‑by‑clause is completed.
    I see that Mrs. DeBellefeuille would like to speak. Mr. Caputo will speak next.
    Mrs. DeBellefeuille, we're listening.
    I have a point of order.
    We aren't discussing committee business. We're here to study Bill C‑8.
     We have a motion regarding the consideration of Bill C‑12. We debated, amended and passed this motion last Tuesday. As a result, I don't think that it's proper procedure for us to—this morning, in front of our witnesses and in public—reconsider a decision made on Tuesday.
    Mr. Chair, remember that we spent half an hour on Tuesday planning the work on the consideration of Bill C‑12, and we came to an agreement. I find it unacceptable to continue the discussion this morning.
    I'm raising a point of order because this is off topic. We're studying Bill C‑8, which has nothing to do with Bill C‑12.
    The chair has in fact decided to resolve this issue because the clerk and the parliamentary analysts urgently need an idea of what lies ahead. For the sake of efficiency, I would like the committee to clear up any confusion that arose on Tuesday, given that we didn't take enough time for this discussion on Tuesday.
    Mr. Chair, I find it difficult to accept your explanation. After debating the motion for half an hour, we came to an agreement. You now want us to quickly agree on something that was debated for 30 minutes.
    Mr. Chair, I gather that there have been discussions, that the Conservatives probably agree with your proposal and that you feel comfortable not complying with the Standing Orders. Personally, if I may say so, I think that this is a poor way to run the committee.
    I'm not holding this against you personally. You're stuck in a bit of a bind. You decided to leave it off the committee's agenda so that we would have time to come to an agreement. However, this morning, because a negotiation took place between the Liberals and the Conservatives, you can't suddenly ask me to meekly accept this change in three or four minutes without speaking up.
    This is out of order and off topic. I challenge your ruling.
    Mrs. DeBellefeuille, you have every right to express your opinion on this matter. All these discussions are the result of conversations held outside this committee. However, they also take into account all the committee business, including business that matters even more to you.
    I know that conversations took place. We may soon get to Bill C‑8 and the border study, which we would like to complete shortly.
    We must take all these factors into consideration to make the committee's work as effective as possible. I personally believe that, in order to help the clerk, the analysts and the members do their jobs properly, it would be useful to clear up this confusion now.
     I'm simply telling you that I find this unacceptable.
    I think that we reached a good consensus at the last meeting. The Conservatives are prepared to support the amendment. I take that for granted. The Liberals feel comfortable revisiting an issue resolved at the last meeting. This is basically a test of confidence.
    The Bloc Québécois has no intention of blocking Bill C‑12. We told you this, and we even facilitated the debate. We don't intend to filibuster or to move a bundle of amendments. Everyone agrees on this. I have the impression that the same applies to the Conservatives.
    I'm arguing on principle. If you proceed as you intend to do today, it will set a precedent.
    You're in charge of maintaining order and following procedure. I expect you to refrain from participating in informal partisan discussions. You must remain neutral.
(1110)
    You're absolutely right.
    Mrs. DeBellefeuille, rest assured that I'm not involved in these discussions. I receive the conclusions and instructions from all committee members. My job is to help you and us, as members of Parliament, do the best job possible. We must strike a certain balance and sometimes make compromises.
    If we want to proceed with the study of Bill C‑12 and Bill C‑8 and complete the critical study on border management, the analysts and the clerk must be able to do their job effectively. This is why I'm providing this opportunity this morning.
    Mr. Caputo has the floor.
    Thank you, Mrs. DeBellefeuille. I understand your position.

[English]

     I need, hopefully, one minute to very clearly, I hope, lay out the Conservative position.
    Conservatives will agree to this motion on Bill C-12—this is where we get into Bill C-8—as long as it is clear that the minister appears on Bill C-12 and Bill C-8 separately. I have assurance from my colleagues, as I understand it, that the minister will appear for one meeting on Bill C-12 and one meeting on Bill C-8. If that's the case, we can agree to both.

[Translation]

    Mr. Ramsay has the floor.

[English]

    Mr. Caputo, we understood that it would be two hours overall, one hour for Bill C-12 and one hour for Bill C-8. Maybe you could simply let the committee know why you want it to be at two separate times.
    To my understanding, this was an agreement with the House leaders, so that's why. I'm just trying to give effect to the agreement.
    The usual procedure of committee business is to have ministers appear for one hour on a particular bill or on a particular study, which he will do. When that will happen is yet to be determined, but he will be here for one hour for Bill C-8. He has also committed to be here for one hour for Bill C-12.
    Mr. Ramsay.
    We will agree with Mr. Caputo. If that's what the Conservatives want, we'll have the minister appearing on two separate occasions.
    Okay. That's not only what the Conservatives want; it's also normal procedure. Sometimes it may not be possible to abide by it, but that's what the expectation would be, in most cases.

[Translation]

    That said, I can proceed to the vote on the motion moved on Bill C‑12.
    Who agrees with this motion on Bill C‑12?
    Who disagrees with this motion on Bill C‑12?
    Mr. Ramsay, would you like to speak about Bill C‑8, which is on today's agenda for discussion?
    Yes, since Mr. Caputo brought up the topic.
    We also have a motion regarding Bill C‑8, which was sent to the Conservatives and the Bloc Québécois. It reads as follows:
That, in relation to the study of Bill C‑8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, the committee dedicate four meetings to the hearing of witnesses, including the Minister of Public Safety;

That the committee dedicate no more than two meetings to clause‑by‑clause consideration; and

That the committee complete the remaining one meeting of the Canada‑United States border management study, and provide drafting instructions to the analysts, in accordance with the motion adopted on Thursday, September 18, 2025, before resuming the study of Bill C‑8.
     Thank you, Mr. Ramsay.
    Is there any unanimous agreement on this motion?
(1115)
    Is the Minister of Industry expected to appear? Bill C‑8 gives her considerable power. If not, I'll move an amendment.
    The motion read by Mr. Ramsay doesn't seem to mention anything about this.
    In the motion that I have and that was given to you, I hope—
    That isn't what was given to me.
    The motion states “that the committee dedicate four meetings to the hearing of witnesses, including the Minister of Public Safety” and “that the committee dedicate no more than two meetings to clause‑by‑clause consideration”.
    The Minister of Industry isn't included.
    Exactly.
    Since I see that the Minister of Industry isn't included in the motion, I would like to move an amendment.
    I believe that Bill C‑8 grants considerable power to the Minister of Industry, who manages telecommunications. I think that it would be reasonable for her to appear before the committee to answer our questions for an hour.
    I would like to move an amendment to the motion in order for the minister to appear.
    As we know, the committee doesn't have the power to compel a minister to appear.
    The legislation referred to in the bill concerns her department.
    Yes, but we agree that we can't compel a minister to appear. However, we can invite a minister to come. To do so, we need to amend the motion.
    Mr. Chair, sorry, but I would like you to follow the committee procedures. I just drafted an amendment. Normally, we should debate it and make a decision.
    Yes.
    I formally move the following: “That the motion be amended by adding after the words “Minister of Public Safety” the following: “and the Minister of Industry”.”
    I want this added to the motion. I don't think that it will cause any issues.
    Mr. Chair, could you please open the floor for discussion so that the committee can decide on this matter?
    Okay.
    There are two things. First, we clarified the fact that the current motion doesn't include an invitation for the Minister of Industry. Second, Mrs. DeBellefeuille is moving an amendment to this motion to invite the Minister of Industry, in addition to inviting the Minister of Public Safety.
    This amendment is ruled in order.
     Mr. Ramsay or Mr. Caputo, do you have any comments on this?

[English]

     Can we see the written version, please?
    Yes. Translation and interpretation obviously make it more complicated in some cases, so let me try to summarize that in English. The motion stays the same—

[Translation]

    The interpreters are telling me that they haven't received the text of the motion. This is a basic requirement. If they could have the text, it would be easier to interpret.
    Can someone from the Liberal team—
    A voice: I move that we suspend the meeting.
    Okay.
    We'll take a short break to make sure that the interpreters have a copy of the motion.
(1120)
    We're moving along, but not as fast as some people thought we would.
    I would like to inform the various team members that the parties haven't reached a clear agreement on the motion regarding Bill C‑8. This means that we must postpone the discussion until a bit later, since we have important witnesses to hear from.
    That's what will happen.
(1125)

[English]

    This brings me to perhaps something a bit more timely, which is the fact that we're now going to greet four important witnesses.

[Translation]

    I'll start by welcoming all our witnesses.
    From Canadian Cyber Threat Exchange, we're joined by Jennifer Quaid, executive director.
    From ISC2, Inc., we're joined by Philip Stupak, senior director of advocacy.
    From the Office of the Intelligence Commissioner, we're joined by the Honourable Simon Noël, Intelligence Commissioner, and Justin Dubois, executive director and general counsel.
    Lastly, from the Office of the Privacy Commissioner of Canada, we're joined by Philippe Dufresne, Privacy Commissioner of Canada, and Marc Chénier, deputy commissioner and senior general counsel.
    You have five minutes for your remarks.
    Ms. Quaid, the floor is yours.

[English]

     Thank you very much, Mr. Chair, and good morning.
    Let me start by saying that Bill C-8 represents a major step in modernizing Canada's cybersecurity framework by addressing weaknesses in our cyber-defence strategy. It advances both organizational accountability and national resilience, and it puts Canada in line with other nations.
    It's my privilege to be here today representing the Canadian Cyber Threat Exchange, an organization created by Canadian companies for the sole purpose of building cyber-resilience through collaboration. With more than 200 members representing 15 sectors and more than 1.5 million employees, many of our members represent the critical infrastructure sectors impacted by this legislation, while—

[Translation]

    Ms. Quaid, unfortunately there's a technical issue with the sound.
    We'll suspend the meeting for a few minutes so that we can resolve the issue as quickly as possible.
    Okay. It seems to have been sorted out.
    Ms. Quaid, you have the floor.

[English]

    With more than 200 members representing 15 sectors and more than 1.5 million employees, many of our members represent the critical infrastructure sectors impacted by this legislation, while others make up their supply chain—large and small businesses alike. Members join the CCTX because they want to actively share cyber-threat information to help build awareness and resilience in others, to get ahead of the threat and to prevent breaches and the corresponding need to report, which this bill governs. However, they are limited in what they can share.
    As Canada advances its national cybersecurity posture, one policy concept merits greater attention: safe harbour legislation. While overlooked in the current proposed legislation, it plays a critical role in fostering transparency, co-operation and resilience across our digital ecosystem. When we talk about cybersecurity, we often focus on technology—firewalls, encryption and artificial intelligence—yet one of the most powerful tools we have to strengthen our defences isn't technological at all. It's collaboration. It's the sharing of cyber-threat information to enable others to better protect themselves and to prevent a breach from happening.
    This requires protection by legislation. Safe harbour protection is about creating a climate of trust. We need to ensure that organizations that are trying to do the right thing by sharing useful information about cyber-attackers and their techniques are not punished. Safe harbour protection helps others to not be the victim of a breach.
    Mandatory reporting is done after the fact. We are interested in prevention. Without safe harbour protections, too many organizations hesitate to talk about breaches or vulnerabilities that fall below the threshold of reporting to regulators. They fear lawsuits, reputational damage or regulatory penalties. As a result, critical information stays hidden. The same attacks can then impact others across sectors and borders. Attackers will keep using the same techniques over and over again. We have seen this numerous times in the last year. Safe harbour changes that. It empowers companies to share threat intelligence with government and with each other, knowing they're protected when acting responsibly and without fear of legal consequence.
    It's not about excusing negligence or shielding bad actors. It's about enabling responsible behaviour, which creates the legal certainty needed for transparency and co-operation to flourish. Ultimately, safe harbour protection strengthens our collective resilience. It allows us to learn from each other and collaborate across sectors to build the trust needed to defend Canadians and Canadian organizations. If we embed safe harbour legislation in our cybersecurity policies and legislative frameworks, we can build a culture where reporting, learning and collaboration are seen not as risks but as responsibilities. That is how we move from reactive cybersecurity to a truly resilient digital Canada.
    In cybersecurity, silence is the real threat. Safe harbour ensures that speaking up is safe and that doing the right thing protects us all.
    Thank you.
(1130)

[Translation]

     Ms. Dandurand, you have the floor.
    Thank you, Mr. Chair.
    I'm watching the time go by. I find this panel quite compelling. However, we've taken up a great deal of the witnesses' time with our previous discussions.
    Would it be possible to split the remaining time between the two panels of witnesses to give them 45 minutes each, so that we have more of a chance to hear from the witnesses on the first panel? Otherwise, I don't think that we can hear from everyone.

[English]

     The idea, just so that people can anticipate what's coming, is to split the remaining one hour and a half into two pieces. There would be 45 minutes for this panel and 45 minutes for the other panel. I suppose there would be no objection to that.
     With that, thank you, Madam Quaid.
    Mr. Stupak, you have five minutes.
    Good morning, Mr. Chair and honourable members of the committee. My name is Philip Stupak. I serve as the senior director of advocacy at ISC2, the professional member association for cybersecurity professionals. Prior to joining ISC2, I had the privilege of serving in the Biden-Harris administration as the assistant national cyber director at the White House.
    ISC2 is the world's largest association dedicated to cybersecurity professionals, representing more than 265,000 members and associates globally. Our second-largest membership base is right here in Canada, with over 14,000 members. We offer nine professional certifications, the most recognized of which is the certified information systems security professional, or CISSP, widely regarded by employers as the gold standard for cybersecurity expertise.
    I appear today on behalf of our global membership to express the cybersecurity profession's strong support for Bill C‑8, an act respecting cybersecurity. We live in a period of extraordinary uncertainty. For much of our shared history, Canada and the United States benefited from geography as a natural deterrent. The vastness of the Atlantic and Pacific oceans provided a measure of protection our adversaries could not easily overcome. That era is over.
    The 2010 Stuxnet cyber-attack against Iranian centrifuges demonstrated, for the first time, that the boundary between the digital and physical worlds can be breached with tangible, real-world consequences. Today, 15 nations possess blue-water navies capable of projecting power across oceans. Eight possess nuclear weapons, and 170 nations have cyber-capabilities. We have already seen the effects of cyber-attacks here in Canada. Patients in hospitals across southwestern Ontario were forced to reschedule surgeries and appointments, costing millions of dollars and delaying care. While 516,000 patients had their private health information compromised, we know that cyber-attacks can cause even greater damage at a broader scale.
    It may take a navy a week to cross the Pacific or minutes for a missile to reach its target, but a cyber-attack could return hospital systems to the age of torchlight and hacksaws, and communication to horseback dispatches, without warning and without attribution. This is not speculation. This is preparation.
    Our adversaries are actively working to undermine critical infrastructure. Even a minor activation of pre-positioned digital weapons or malware across essential sectors could result in service disruptions, communication collapse, power outages, water shortages and transportation paralysis at a time and place of an adversarial actor's choosing. In the worst case, it could return modern societies to conditions resembling the pre-industrial era.
    However, I want to be clear: Our adversaries are not invincible. With foresight, coordination and policy action, we can and must defend ourselves. Bill C‑8 is an essential step toward ensuring that those defences are in place before they are needed. The amendments to the Telecommunications Act are particularly significant. By prohibiting high-risk suppliers, removing compromised equipment and requiring pre-approval for certain technologies, the bill strengthens the sector that underpins every other sector. Vulnerabilities in telecommunications are vulnerabilities everywhere.
    The creation of the critical cyber systems protection act is likewise prudent. It establishes minimum cybersecurity baselines across Canada's most essential sectors. I would respectfully encourage the committee to consider adding federally regulated water systems to that list, given their foundational importance to national health and safety. I likewise encourage the federal government to work with provincial, territorial and municipal partners to ensure that critical infrastructure under their jurisdictions achieves the same level of cyber-protection envisioned by Bill C‑8. A qualified workforce is essential to executing the functions of this act. Every day, ISC2 is training and certifying the government and critical infrastructure professionals who will be needed to implement Bill C‑8.
    We cannot afford to assume that threats to the Canadian way of life are distant or hypothetical. They are real, they are present and they demand decisive action. The responsibility for defending against these threats rests in part with this committee. Bill C‑8 represents a thoughtful, measured and necessary step toward that defence.
    Thank you.
(1135)

[Translation]

    Mr. Noël, you have the floor.
    I also want to thank the members for inviting me.
    I'm joined today by Justin Dubois, executive director and general counsel at the Office of the Intelligence Commissioner.

[English]

     To place my comments on this bill into context, it's useful to briefly explain what my role as the intelligence commissioner is all about.

[Translation]

    My role is to approve or not approve certain national security and intelligence activities proposed by the Communications Security Establishment, or CSE, and Canadian Security Intelligence Service. These activities are authorized respectively by the Minister of National Defence and the Minister of Public Safety.

[English]

     My independent approval is necessary because the activities the ministers authorize may be contrary to the law or breach the reasonable expectation of privacy of Canadians. Only with my approval can activities proceed.
(1140)

[Translation]

    The commissioner position that I hold was created in 2019. The mandate given to the commissioner by Parliament at that time is of particular relevance to the study of this bill. It includes enabling CSE to effectively respond to cyber incidents that affect federal systems and systems designated as important to the Government of Canada. One of my specific duties is to review ministerial authorizations that allow CSE to conduct cybersecurity activities on those systems.

[English]

     My approval is also necessary because the cybersecurity activities conducted by the CSE lead to the collection of vast amounts of information, including information for which Canadians have a reasonable expectation of privacy. To be effective in conducting cybersecurity, the CSE needs to collect this information.
    I only approve ministerial authorization when I'm satisfied that the minister has struck a reasonable balance between the security of Canada and the privacy of Canadians. This includes ensuring that appropriate measures are in place to protect the privacy interests of Canadians.

[Translation]

    I noted that through my work as Information Commissioner, I see the tremendous value of a national approach to cybersecurity. Canada must have the necessary tools to protect our critical electronic systems. However, these tools must be accompanied by the appropriate safeguards and independent oversight.

[English]

     In my view, there are elements of this bill where independent oversight would improve the protection of these privacy interests. I will raise one that relates closely to my role as IC. This bill aims to protect our critical cyber-systems. The CSE is our national expert on cybersecurity and will, through this bill, receive information on cyber-incidents.
    In my experience as IC—with over three years and 45 decisions rendered—for the CSE to analyze and understand a cyber-incident, it must have access to information about the incident. There may be situations where this information is only technical in nature and sharing it with the CSE raises no privacy concerns, as you were told when you met with other witnesses. However, to fully understand the cyber-incident, other situations may require the CSE to have access to information, including technical information, for which Canadians have a reasonable expectation of privacy. I've seen it.
     Technology and cyber-threats evolve faster than legislation. The bill should provide the flexibility to adapt accordingly and allow for the sharing of this information with appropriate oversight.

[Translation]

    In the current system, prior to collecting this information, CSE is required to obtain a ministerial authorization and approval from the Information Commissioner. Parliament chose to implement this process in 2019, but not in 2025.

[English]

     The mechanism proposed consists of adopting a regulation setting out what information about cyber-incidents is to be shared with the CSE and how it is to be shared. As you know, there is no independent oversight of the regulation. One possible simple and effective oversight measure would be to annually require ministerial authorization establishing a framework for how the CSE uses and shares the information, which would then be subject to review and approval by the intelligence commissioner.

[Translation]

    Effective cybersecurity is essential for Canadians. CSE must have access to the information it needs to conduct its excellent work—with the necessary oversight to allow for that access.

[English]

     I support the bill's intent but believe that targeted, additional safeguards that do not impose a heavy administrative burden on our agencies would increase Canadians' confidence that these measures intended to protect them do not themselves unnecessarily intrude on their privacy.

[Translation]

    Mr. Noël, you have only a few seconds left.
    Thank you.
    I'm sorry to cut you off so abruptly. Thank you for those remarks.
    Mr. Dufresne, you have the floor.
    Thank you for the invitation to appear before you today to offer my views on the implications of Bill C‑8, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other acts.
    I am accompanied by Marc Chénier, deputy commissioner and senior general counsel.
    There is no doubt that we continue to face a challenging cyber-threat landscape in which the consequences of cyber-incidents are increasingly disruptive and widespread.

[English]

    Breaches of critical infrastructure, such as the one that affected Nova Scotia Power in May of this year, are particularly concerning as they can compromise systems and services that are essential to the health, safety, security and economic prosperity of Canadians. Such incidents may result in unauthorized access to or disclosure of personal information, potentially leading to major privacy implications and a real risk of significant harm to affected individuals.
    It is for these reasons that I support the objective of Bill C-8 to protect systems and services that are vital to national security or public safety from cybersecurity threats and vulnerabilities.
    Like its predecessor Bill C-26, Bill C-8 recognizes that steps must be taken to protect critical infrastructure against cyber-threats, which are continuing to evolve in sophistication and complexity. This is necessary from a security standpoint and from a privacy standpoint.

[Translation]

    While stronger cybersecurity protections can help to reduce the likelihood and impact of privacy breaches, it is also essential to ensure that new powers that are created to improve cybersecurity contain the necessary limits and that they do not have unintended impacts on privacy.
    I am pleased to see that Bill C‑8 incorporates a number of improvements compared to its predecessor, Bill C‑26, including additional guardrails on the proposed order-making powers, and new notification and reporting obligations.
(1145)

[English]

    These will help to achieve a better balance between the bill's cybersecurity objectives and privacy rights and interests.
    However, some privacy risks remain, including lower thresholds for the exercise of certain powers and authorities with potential privacy implications, the absence of a mechanism to ensure that my office is notified of major cybersecurity breaches that impact the privacy of Canadians, and insufficient minimum privacy requirements for the sharing of information with foreign governments.
    To address these risks and achieve the necessary balance between security and privacy, I would recommend, first, that the legislation impose a uniform standard requiring that any collection, use or disclosure of personal information be both necessary in the circumstances to achieve the stated purpose and proportional to the benefits to be gained.
    Second, I would recommend that information-sharing agreements entered into under the legislation provide for minimum privacy safeguards in order to strengthen governance and accountability and to ensure a consistent standard of privacy protection when information is exchanged outside of Canada.
    Third, I would recommend that the relevant government institutions, including the Communications Security Establishment, CSE, be required to notify my office when they're made aware of cybersecurity incidents involving a material privacy breach so that we can together collaborate and coordinate our efforts in protecting Canadians’ privacy.

[Translation]

    While this is not specific to Bill C‑8, I would also reiterate my overarching recommendation that government institutions be legally required to conduct privacy impact assessments and to consult my office when developing any new programs or initiatives with privacy implications for Canadians.
    Thank you for the opportunity to present my views on this bill. I would now be pleased to answer your questions.
    Thank you, Mr. Dufresne.
    We will now give the floor to committee members. Mr. Caputo, you have the floor for six minutes.

[English]

     Thank you very much to all the witnesses.
    Where do I start? I'd like to start with Monsieur Noël and Monsieur Dufresne.
    You both spoke a lot about what's not in this bill.
    I'm sorry. I'm going to take a step back before I forget. We only have you for a few minutes today, unfortunately. What I would ask, if you are comfortable with it, is that, whatever we don't get to, especially.... You have given us comprehensive areas where the legislation is silent. Really, we're talking about two things here: the problematic aspects of the legislation—what's written and what's wrong with what's written—and what's not present.
    Perhaps this already exists, but it would be exceptionally helpful to me if you were to enumerate those things. Otherwise, we're going through transcripts. I'm not sure if your office has the capability. I think it would be very helpful if you were able to say, “In our view, the legislation needs to include this, this and this.” That would help us tremendously at the clause-by-clause and amendment phase.
    I'll leave that with you.
    I'm going to focus on what's in the bill. I will give you both two minutes. Please point out specific provisions, if you can, because you've spoken in generalities thus far. If there is a specific section, can you point to it and say, “In my view, this section is a problem because...”? Am I clear?
    Mr. Dufresne, do you want to have the first couple of minutes? Then we'll move on to Monsieur Noël.
    Sure. Thank you, Mr. Caputo.
    I highlighted three themes for recommendations: necessity and proportionality; information-sharing agreements and the minimum content there; and sharing authorities.
    For necessity and proportionality, I'll start with the positive. There have been amendments to the minister's order-making power in the Telecommunications Act section. If we look at proposed subsection 15.1(2), we see this mentioned:
The provisions of the order must, in scope and substance, be reasonable in relation to the gravity of the threat, including that of interference, manipulation, disruption or degradation.
     That doesn't use the words “necessity and proportionality”, but it achieves that purpose because you are talking about what you are trying to achieve and whether it would be proportional to that.
    By contrast, if we look at the powers given to the Minister of Industry under proposed section 15.4, they would have the ability to require any person to provide to the Minister or any person designated “subject to any conditions that the Minister may specify, any information that the Minister believes on reasonable grounds is relevant”. That's not a necessity and proportionality test. That's a relevance test, so it's different.
    Later in the bill, we have exchanges of information with foreign governments based on necessity. In the cybersecurity section of the legislation, we have the ability to issue some directions for cybersecurity. There, we have either necessity alone or an absence of necessity and proportionality.
    My overarching point is this: In those sections, there is a precedent for a good necessity and proportionality clause. It's the proposed section that I cited. What's interesting is that, even in the cybersecurity bill, in proposed subsection 147(1), there is an annual report that would have to be prepared. In there, the legislation says, at proposed paragraph 147(2)(f), that the report would have to include “an explanation of the necessity, proportionality, reasonableness and utility of the directions.” I think that's an example of why this proportionality is necessary. There's already a recognition that it should be in the report, but it should also be in the power.
    In terms of information-sharing agreements, then, we should specify the types of restrictions for sharing with other countries.
(1150)
    Thank you very much. If you have anything else, please let us know in writing. The more specific and concrete the better.
    Monsieur Noël.
     Yes. I'll be precise.
    My knowledge is on the CSE. I know the information that is being transferred to the CSE in order for it to be able to do its cyber-activities.
    Where's the framework? Look at proposed section 17 in part 2 of the bill. It doesn't stipulate anything. It says there will be regulations eventually.
    At the present time, under my legislation with the CSE, when a cyber-activity incident occurs, the minister gets involved and renders a decision. You go into action and then I get the decision. I approve it, amend it and change it, and then the results come out.
    The other point I want to tell you is this. I heard the bureaucrats tell you earlier this week that it's technical information. I agree that it's technical information, but I also know that if you want a positive result on an incident of such importance, they need to go into the content. I've seen it in every cyber-operation I've been involved in.
    You're asking me if there are other types. I'm not talking about it—I'm limiting myself to this—but it's clear that warrantless search and seizure creates a problem. I'll let others deal with that.

[Translation]

    Thank you, Mr. Noël.

[English]

    Thank you.
    I also have problems with the personal information.
    If we don't get to them, please write to the committee on those points. I would really appreciate that.
    Thank you.
    That's a good comment, MP Caputo.
    Let me turn now to MP Ramsay.
    Mr. Stupak, this is great. I'd like to know if Bill C-8 is a Canadian version of a similar bill elsewhere. In terms of benchmarking, what is in Bill C-8 that is not elsewhere, and what is elsewhere that is not in Bill C-8?
    Can you elaborate on this, especially with the view of our main partners?
    When I think about benchmarking, one of the first things Bill C-8 would do, which I think is quite wise, is consolidate some powers in the minister. This is important.
    Right now, many countries have a distributed system of defining cybersecurity policy and reacting to the cybersecurity incident. By having this invested in the minister, you have one person who is ultimately responsible. When we created the national cyber director role within the United States, it was at the behest of our senate. Senator Angus King from Maine famously said he was doing this because he needed “one throat to choke.”
    One of the important elements in Bill C-8 is that you are creating this uniformity within one minister. Obviously, there are other ministers and other ministries that will participate in implementing those actions, but having that one person to look over all of it is important.
    What is a bit different—at least from the United States' system, which is what I can talk about—is the ability to direct industry to do certain actions. I wish I'd had that ability. That was something I was certainly lacking during my tenure at the White House. I could not direct industry to take specific actions. I think that is beneficial, especially when you're dealing with a cyber-incident where time matters. That's something that is not within our system, but you do have it here, and I think it is beneficial.
(1155)
    I absolutely agree with what Mr. Stupak said.
    What is not in this, as I've said, is the safe harbour legislation, which is in the U.S. version. That has been critical because it has enabled organizations to share information—and this is not breach information. That goes to the regulator and the authorities guided by this legislation, where it belongs. This is the information about activity that falls below the level of a breach but is still an attack. Information like that can help other organizations defend against exactly the same attack.
    Think about Scattered Spider for a minute. We've all heard about it in the news. It has been so successful because we're not sharing the information on how it gets in and what it does when it's in a system. If we could do that, we would help strengthen all the defences.
     I would like for Mr. Stupak to comment on the assertion from the Hon. Simon Noël that normally, when there's a technical cyber-attack, you need to go into content. What is your appreciation of that comment?
    I do not believe that I would necessarily agree with that statement. I think you can often deal with cyber-attacks, when you are dealing with how you are stopping it, usually at the more technical level.
    There are adequate protections we have put in place so that you do not have that privacy component you're looking into. Of course—and I say this very respectfully—I do think that occasionally content can be or needs to be looked at. However, that is not something I would suggest is always the case. We are frequently sharing TTPs for an attack, which do not go into content.
    In my experience, in a very short answer, on at least 12 cyber-incidents in Canada, there was, at the end, intrusion into content to the point that these intrusions into content were reported to the appropriate bodies. I'll limit myself to that.
     That is my own experience, as a Canadian being in a very special position. I'm not saying that it's with all the technical information, but I'm saying, on an exceptional basis, content is shown.

[Translation]

    While we're on the subject, Mr. Noël, did the attacks you're referring to come from outside the country and were they perpetrated by other countries?
    Yes.
    Thank you, Mr. Ramsay.
    Mrs. DeBellefeuille, you have the floor for six minutes.
    Thank you very much, Mr. Chair.
    Mr. Dufresne, you talked a lot about section 15. You said there's a provision regarding reports, but that it might be better to limit the minister's powers and ensure a correlation between powers. I'd like to talk about section 34 of the proposed critical cyber systems protection act, which has the word “order” in its title. Let's put aside section 15. Section 34 gives the superintendent a lot of power. They may, in writing, order what they want from an operator. You haven't talked about this section, but I worry about it.
    Elsewhere in the bill, there's mention of a transparency process, but I'll give you an extreme example of what section 34 could allow. A superintendent could ask a supplier to reduce their encryption. The superintendent would then have access to conversations between clients and suppliers without any accountability or authorization. No one would know.
    Am I right in saying that a lot of power is being given without any accountability requirement, and that a citizen has no way of knowing that authorities have access to their conversation?
(1200)
    That section refers specifically to the superintendent's powers. Other sections apply to the Bank of Canada and the industry minister. We're talking about a regulatory audit, a records audit. Audit authorities get that type of power through statutory instruments. That's not why I'm here today, and it's not one of my main concerns.
    That said, I would point out that my third recommendation would require that these organizations share information and notify my office when cyber-attacks are committed and when they are made aware of incidents that could lead to privacy breaches for Canadians. I don't think the audits you're referring to concern this type of information. However, if they do, we need to be notified.
    I'd like to follow up on the previous discussion about whether this includes personal information. In a way, I think the bill recognizes that it's possible, because it refers to personal information. Personal information is part of confidential information.
    Regarding whether there are comparable provisions in other countries, in Europe, institutions have to notify data protection authorities. We don't have such provisions, so I think we could do better.
    Would Microsoft, for example, be considered a company providing critical services to the Canadian government? I mean, they manage our entire Internet system. Could the superintendent of financial institutions give Microsoft an order under Bill C‑8, and would the company have to comply?
    The vital systems are listed in schedule 1 of the bill. They are telecommunications services, pipeline systems, nuclear energy systems, transportation systems, banking systems and clearing systems. That's the list that would have to be used. Given the nature of Microsoft's operations, would they fall under telecommunications services? The operations in question would have to be looked at. When a company falls under that class of operators, it could be subject to orders to ensure cybersecurity.
    I think this criterion should be tightened to ensure proportionality when it comes to personal information and require that my office be notified. My opinion is more or less in line with that of Judge Noël. An independent audit would increase Canadians' trust in the institutions.
    The bill also allows for the sharing of information with other countries, so it's a good thing that it requires a written agreement. It's an improvement, but it could go further. Bill C‑12 has a boilerplate provision that allows for more requirements to be included in international agreements. There are minimum requirements regarding the scope of what can be accomplished.
    Adding those elements would increase Canadians' trust in the institutions.
    Thank you.
    Mr. Dufresne, I would like to come back to what you and Mr. Caputo were talking about earlier.
    Your remarks were very relevant, especially since you made a connection with Bill C‑12, which the committee will be studying.
    You could give us examples of provisions we could improve in the bill to protect privacy. I think democracy is based on privacy protection, and the American model doesn't inspire confidence. We value this protection. Again, I think we have an opportunity to improve on Bill C‑26, and modernize this one even more to better protect the personal information of Quebeckers and Canadians.
    I often read the reports of the agency that examines whether organizations are respecting the requirements related to the use of personal information, and I've realized that they are often in violation of those requirements. Given that, Bill C‑8 needs to be nearly perfect.
    That's why we'll use your recommendations to bring tangible improvements to the bill through amendments.
(1205)
    I'll be happy to make recommendations.
    On an international level, I'd like to mention the United Kingdom, one of the Five Eyes countries. For the British, necessity, relevance and proportionality have to be taken into account. They created a precedent in that regard.
    Thank you.
    Thank you very much for that discussion.
    Mr. Lloyd, you have the floor for five minutes.

[English]

     Thank you.
    I'll start with Mr. Dufresne.
    Will you be providing recommended amendments to committee to address the concerns you have laid out today?
    It's been requested in the exchanges, so we'll follow up with specifics.
    Thank you.
    You were the Parliamentary law clerk and counsel for a number of years. Is that correct?
    Yes.
    You also served on the Human Rights Commission as legal counsel?
    I did.
    That was for many years, so it's fair to say that you have a lot of experience in this.
    We've had a chance to ask the department about the powers that have been provided to the minister in proposed section 15, specifically about the authority to compel the telecoms to remove services for a specified person. They gave assurances that the scope of the legislation doesn't pertain to free speech or content that otherwise poses no threat to the integrity of the telecommunications system.
    Do you believe that the scope and the reasonableness requirement that has been outlined in this legislation is clear enough to restrict the potential abuses of these legislative powers?
    In terms of the section that you're referring to as it relates to the order-making power under the Telecommunications Act in proposed subsection 15.2(3), there has been an addition to require that it must, “in scope and substance, be reasonable in relation to the gravity of the threat, including that of interference, manipulation, disruption or degradation.”
    I think this doesn't use the words “necessity and proportionality”, but there is that sense of balance, so I would find that achieves my goal of making sure that you have security and privacy. It's a balance and we don't want to have a zero-sum game, where you go too far in limiting the agency's power to protect Canadians, or you go too far in harming Canadians' privacy. I am comfortable with that clause.
    It's the other clauses, in terms of some of the other powers, where we're talking only about necessity or about relevance, that I would want to see strengthened to bring in this key concept of proportionality.
     Can you elaborate further on what you just spoke about—where we would want to see further strengthening?
    When we look at necessity and proportionality at my office, it's a little bit of the same test as under the Charter of Rights and Freedoms. It balances the fundamental rights with the important public interest imperative. You need to ask yourself these things: What is your goal? What is your objective? Is it important enough? What is your measure? Is your measure effective?
    Can you be specific about these measures in the bill that you're talking about?
    In that context, we have the power to ask an organization not to use a certain provider. There may be a national security concern with a specific company linked with a specific country. Looking at that, then you're going to look at the measures that you're putting in place. Are you overreaching? Are you doing something that just goes too far, relevant to the threat?
    If you have a major threat, you're going to be able to have a higher measure. If the threat is smaller, more contained, you need to make sure that you're not doing collateral damage.
    You don't think that this proportionality has been included.
    I think it has been incorporated in the section on the order-making power. I don't think it's been incorporated elsewhere in terms of information requirements or on the cyber side.
    Okay. Thank you.
    I'm going to move on to the intelligence commissioner.
    You raised some really interesting concerns about warrantless search and seizure, and you talked about content. I know the department took pains to assure us that they're not really concerned about the content that's going through the pipes; it's about whether or not an action is a threat to the pipes themselves.
    Can you elaborate on your concerns about warrantless search and seizure and about content? Could you give us some more clarity on that?
    With regard to the warrantless search and seizure, it really triggers section 8 of the charter. It's evident for any judge. It stands out, more so when there are penalties provided for that in the act. That triggers more—and that's the Supreme Court saying that.
    If you look at what you have in this bill now, you don't have anything.
(1210)
    Can you provide an example of when that section 8 right could be triggered by this legislation? Can you provide a specific example?
    In any search and seizure, if they go into an office and open up, without a warrant, and start searching, it's evident that there's an intrusion being done.
    There are two ways to go into an office. One is that you go in and say, “Would you mind giving the following documents?” The other way is that—
    You don't believe that those protections are—
     —we're going in because we want to go and get that document. Usually, the police force needs—
    Don't they have other legislative tools in Canada to do that anyway?
    Under the Criminal Code, there are certainly some provisions on that, but if you look at the Criminal Code, you will see that a warrant will be required.

[Translation]

    Thank you, Mr. Noël and Mr. Lloyd.
    Ms. Acan, you have the floor.
    Thank you, Mr. Chair.
    I will be sharing my time with Ms. Dandurand, if there's any left.

[English]

    Thank you for coming today.
    My question will be for Mr. Stupak.
    Thank you for your testimony and for speaking on the importance of this bill.
    I echo your point on the implications of a cyber-attack on our infrastructure from monetary and security perspectives. Under Bill C-8, designated operators will be required to adopt comprehensive cyber programs and report incidents essential for baseline protections.
    You have expressed strong support for Bill C-8. Given your experience and extensive knowledge on similar laws in Europe or the Five Eyes, particularly in the U.S., when it comes to federal policy and workplace development, you have experienced what worked and what didn't work.
    With two questions, I would like to focus on implementation capacity and professional standards. First, how prepared is Canada's current cybersecurity workforce to meet the compliance and technical demands that Bill C-8 introduces?
    Second, from your international perspective, how does Bill C-8 align with similar frameworks in allied jurisdictions, and where should Canada prioritize harmonization to reduce compliance challenges for global firms?
     Thank you for both of those questions. They're extremely pertinent.
    On the workforce question, Canada has a very robust workforce. You have an impressive workforce that has the tools and capabilities to implement Bill C-8.
     I will be honest. We all need more. We need more professionals within this space. We need more people who have certifications that indicate they have the necessary skills in order to do the work that needs to be done. This is important. Too often, we are focused on education and whether someone has the necessary degree, but what we're really looking for are the skills in order to do this work.
    There are efforts under way under the NICE framework, for example, to define what those functions are that every role within cybersecurity should have, and then how you meet those functions. This is being developed. I think this is something that is not robust enough across borders, but the point is that you do have the capability to begin implementing. You are going to need to do more education. You are going to need to do more training. You're going to need to do more certification.
    On the question of international frameworks, because you do take the sectoral approach and it is directed at a particular sector, I think you are very well aligned with the United States and how we have historically done this—by looking at each sector and what needs to be done within that sector. Not all sectors are equal. Bluntly, the water sector within my country is not at the same level as financial services. You do need to have that approach, because not everyone is ready to do the same thing at the same time.
    I would compare this also to the NIS2 standards from within the European Union. That is not how I would recommend to do this. There, they take much more of an auditing perspective, and it's impossible to audit all critical infrastructure as frequently as you need to. Moreover, the compliance regime is simply not mature enough or robust enough yet to comply with NIS2.
    I appreciate that this bill takes more of a sectoral approach, which is more like the United States and a little less like the European Union.
    Thank you.

[Translation]

    Mr. Chair, I'd like to thank my colleague for sharing her time with me.
    The commissioners' comments have been very informative.
    Mr. Stupak and Ms. Quaid, what kind of information is shared usually?
    What do the indicators of compromise look like, and how do they differ from the typical data?
(1215)

[English]

    The information that is shared under this proposed legislation would be information that comes from a successful cyber-attack, a breach, if you will, where PII has been impacted or where other information has been leaked, taken, stolen or otherwise made inoperable. That's critically important for our government to be aware of, and it is critically important that it be reported, because unless we are reporting on cyber-attacks, we actually don't know the size and scale of the problem.
    What I was referring to goes beyond that. I'm interested in the information that is perhaps not quite so successful an attack. That is the information where an organization is impacted by a cyber-attack, but it is not at the level of a breach. Their defences held, if you will. Maybe the outer defences failed and the inner defences held. That's the information that is important to share with the greater community.
    Safe harbour legislation should never be restricted to sharing information with the same regulators and government officials that this bill represents. Safe harbour legislation needs to protect people and organizations when they share information with the broader community.
     I'll give you a very quick example—
    In just a few seconds, Madam Quaid, please.
    —in one second. We have one very large member that frequently tells me they are able to share cyber-information—TTPs and IOCs—with the FS-ISAC in the U.S., which is an information-sharing association for financial services, and that they cannot share in Canada because they're not protected. It's frustrating.
    Thank you, Madam Quaid.
    I would have liked to hear Mr. Stupak on that—
    I'm sorry to interrupt, MP Dandurand.
    We have two and a half minutes for Madam DeBellefeuille, and then it will unfortunately be the end.

[Translation]

    Thank you very much, Mr. Chair.
    Mr. Noël, the RCMP and the Canadian Security Intelligence Service, or CSIS, are putting a lot of pressure on lawmakers to make access to information—intelligence—easier. As we always say, there needs to be a balance between security, protective intervention and privacy protection.
    I feel a lot of pressure to follow a path that is quite unsettling for us as elected officials. If our institutions no longer need or want to be accountable or would prefer to show as little transparency as possible, won't that break people's trust in those institutions? They say that too much transparency makes us vulnerable security-wise and opens the door to outside powers that don't necessarily want what's best for us.
    Do you think the committee should be able to hear from the National Security and Intelligence Review Agency? They're charged with making sure agencies respect the law. If we give the ministers and superintendents more power without holding them to account, the agency won't be able to do its job. Everything will happen in secret.
    What do you think of this pressure we feel to both increase and limit transparency?
    I sympathize with what you're saying.
    It is clear that we are living in a world in which cyber-attacks have become the new tools of war. When we look at malicious actors, whether it's a country or someone demanding a ransom, we see they have a tremendous capacity to pierce through our layers of protection and gain access to what they want.
     If you want to adequately protect your constituents, you need to give the government and police the same tools, so they can combat those malicious actors.
    That said, your challenge is to find measures that take into account your concerns as an MP: people's privacy, on one hand, and national security, on the other.
(1220)
    Sorry, Mr. Noël, but that's all the time we have.
    I'll leave it there, but I think I've said what I wanted to say.
     Thank you.
    We are grateful for your time today, but especially for the work you did in preparation for today's meeting. Thank you and have a good rest of the day.
     We are going to move on to our next panel, so I will suspend the meeting briefly. Please be quick if you are grabbing something to eat before the witnesses join us.
(1220)

(1225)
    We are resuming the meeting since we have quorum.
     Welcome to our four important witnesses.
     With us are Josh Dehaas, counsel for the Canadian Constitution Foundation; Aaron Shull, managing director and general counsel for the Centre for International Governance Innovation; Luc Lefebvre, chairman and co-founder of Crypto Québec, who is joining us by video conference; and Sharon Polsky, president of the Privacy and Access Council of Canada.
     Welcome to all four of you. You will each have five minutes for your presentation.
    Please go ahead, Mr. Dehaas.

[English]

    My name is Josh Dehaas. I'm counsel with the Canadian Constitution Foundation. The CCF is a non-partisan charity dedicated to defending Canadians' rights and freedoms through education, communications and litigation. The CCF is most famous for successfully challenging the invocation of the Emergencies Act in February 2022. The Federal Court found that the invocation was ultra vires the statute and violated the rights to freedom of expression as well as security against unreasonable searches and seizures.
    The CCF has serious concerns about one particular aspect of Bill C-8. Proposed section 15.2 would allow unconstitutional limits on freedom of expression, peaceful assembly and association. Proposed subsection 15.2(1) would give the Minister of Industry a dangerous new power to order telecommunications service providers to cut individuals off of Internet or phone services based on “any threat” to the telecommunications system, which includes all of Canada's Internet, phone and radio infrastructure. This need not be a systemic or even a serious threat.
    Proposed subsections 15.2(5) and (8) would allow the details of the minister's orders to remain secret under the threat of huge fines. While there may be circumstances where the minister requires the power to order malicious servers to be cut out of the system, it's dangerous to civil liberties to allow the minister the power to cut off individual Canadians without proper due process and to keep that secret.
    Consider, for example, a protester whom the minister believes may engage in a distributed denial of service, or DDoS, attack, which is a common form of civil disobedience employed by political activists. Using proposed section 15.2, the minister could order that this dissident's Internet and phone services be cut off and require that the decision remain secret. That individual's only recourse would be to hire a lawyer at great expense to contest the minister's order. That order would remain in place unless and until a court hears the case and orders restoration of the services. The person affected may not even be aware that they're entitled to judicial review, because the statute does not require that they be informed of their right to challenge that order in court.
    To be clear, DDoS attacks are genuine cybersecurity risks. They are a criminal offence. However, somebody merely suspected of planning to participate in such civil disobedience could be silenced. Without the Internet or phone, they would be effectively cut off from all online expression. They would be prevented from constitutionally protected political activities, including speaking out in opposition to policy or meeting with others online—violating expression, assembly and freedom of association.
    While the statute appears to be a good-faith attempt to prevent and stem cyber-attacks, it does not include proper safeguards to prevent abuse. Statutes passed in good faith are often used to violate rights, particularly in periods of political and social unrest. For example, the federal government ordered financial institutions to freeze hundreds of accounts without due process during the invocation of the Emergencies Act. This left some protesters and their domestic partners unable to pay bills in the middle of a very cold winter and violated their rights under section 8 of the charter. The government also used the act to block protesters from simply standing on Parliament Hill with the Canadian flag or a placard opposing vaccine mandates, violating their right to expression.
    In other words, we can't just trust governments with this sort of power. There must be better safeguards built into the bill.
    The CCF has five proposed amendments that would reduce that civil liberties risk.
    First, the CCF proposes that proposed subsection 15.2(1) be modified to clarify that the power to cut off services may only be used in cases of serious systemic risks.
    Second, the CCF proposes that the statute make explicit that judicial review is available and that services may be restored immediately by a judge.
    Third, the CCF proposes that the statute limit the secrecy of any order by requiring that it be published in the Canada Gazette within 90 days unless the minister obtains an order from the Federal Court prohibiting the disclosure of some or all of its contents.
    Fourth, the CCF proposes that such orders may only be kept secret where a Federal Court judge is satisfied that there are reasonable grounds to believe that the disclosure of some or all of the order would be injurious to international relations, national defence or national security or endanger the safety of any person.
    Finally, the CCF proposes that where the judge is of the opinion that it is necessary to protect the fairness of proceedings for an individual impacted by such a decision, they may appoint an amicus curiae to assist that individual.
(1230)
     Thank you for your time. I'd be happy to answer any questions.

[Translation]

    Thank you, Mr. Dehaas.
     Mr. Shull, the floor is yours for five minutes.

[English]

     Thank you very much, Chair and members of the committee.
    I'm going to do two things today. I will go to specific proposed sections of the legislation that I think warrant a further look and potential amendment. Then I will talk about a practical policy tool to encourage compliance. I'm going to propose a cybersecurity investment tax credit for Canadian businesses. We have a once-in-a-generation nation-building moment here, and I think a tax credit is the way to go.
    My colleagues who preceded me did a good job, but I want to go through a couple of things.
    Proposed subsection 15.1(3) and proposed subsection 15.2(5) are non-disclosure provisions that allow the Governor in Council or the minister to impose secrecy around orders without any guiding criteria. That's the point I want to come back to. Secrecy must be the exception, not the default. I think you should impose statutory criteria that need to be considered when determining whether or not to render an order secret.
    I would propose the following if it were up to me: the degree to which disclosure could reasonably be expected to compromise the effectiveness of the order or jeopardize national security; the availability of less restrictive means, including partial or delayed publication to achieve the same objective; the impact of non-disclosure on the transparency and accountability of government decision-making; the necessity of non-disclosure in light of a threat's urgency, nature and duration; and any representations made by affected telecommunications service providers or regulators surrounding the need for confidentiality.
    I'm okay with secrecy and understand the need for it here. I'm just saying that you need some criteria under which to make those determinations. The bill has criteria elsewhere for decision-making, just not around non-disclosure.
    Next, I want to talk about proposed subsection 15.1(8) and proposed subsection 15.2(10), and I apologize for being so detailed. I'm a lawyer. It's an occupational hazard.
    Here, the Crown would bear no financial responsibility arising out of an order. I think that's sound, but we would end up with a bit of a problem. Pairing the no-compensation rules with the non-disclosure rules would lead us to a situation where publicly traded companies could find themselves in breach of securities law. They could have a material change to their financial books. Suppose a telecommunications provider gets a rip-and-replace order, and it's $25 million. They couldn't disclose that to their shareholders if the order were secret. In that very moment, they would find themselves in breach of their fiduciary duty and the securities regulations. That's something we should consider.
    There are ways you can deal with this. I propose that regulations could allow for cost recovery in discrete and exceptional circumstances. You should also create a secure disclosure channel for affected companies so they could make these disclosures to their security regulators and auditors under conditions that would satisfy the safeguards surrounding the classified information.
    Somebody was talking about safe harbour earlier. I want to talk about a different safe harbour because, if this proceeds the way it's written, it could function as.... We need a limited form of legal protection for officers and directors of corporations who comply with Bill C-8 on a good-faith basis but who are then exposed to liability under their securities law. We need to make sure there's a safe way for them to do that without finding themselves on the horns of a very pronounced legal dilemma, where they cannot simultaneously comply with both obligations.
    In proposed subsection 15.21(1) and proposed subsection 15.81(1), there is duplication of reporting. There are two proposed subsections that would require the minister to report to Parliament three months after the annual report. I think it's just a drafting error. You could easily clean that up. It's the same thing.
    More pronounced, proposed section 15.4 would compel information. This would let the minister compel information from any person. This isn't important for compliance, but you're going to run into section 7 and section 11(c) challenges under the charter if the material is used for the purpose of prosecution down the road. Add an explicit immunity-use clause modelled after the Competition Act. This would make sure the information is only used for regulatory purposes, not criminal prosecution. That would preserve your confidentiality without weakening enforcement. That is present in the Competition Act.
    Regarding proposed section 15.9 and judicial review, there's an issue there too. The judge would have to give back any irrelevant information the minister provided. There is a problem because, when a judge reviews something on a JR, they're looking at whether all the information the minister relied on is relevant. Judges could find themselves in an awkward spot, where they are not allowed to look at all the material they need to for the purpose of determining relevancy. That's something you will want to look at. It's a bit like putting a hockey player on the ice with one skate and no stick. You have to make sure the judge has all the information they need, and I think a simple amendment could solve that.
(1235)
     Moving to proposed section 142 under the CCSPA and proposed subsection 73(3.3) of the Telecommunications Act, I don't know if this was done on purpose, but under the Telecommunications Act the company is only liable if the employee who committed the offence was acting within the scope of their job or authority, while under the CCSPA that qualifier is missing. This means that two companies could face different standards of liability. I think that's worth a second look too.
    Thank you very much.

[Translation]

    Thank you, Mr. Shull.
     We will now hear from Mr. Lefebvre for five minutes.
    Mr. Chair, members of the committee, I am here today as the chairman and co-founder of Crypto Québec, a non-profit organization and social economy enterprise. Our mission is to shed light on information security, intelligence and geopolitical issues, while promoting best practices.
    Thank you for having me as a witness as part of your study on Bill C‑8.
     Part of Crypto Québec's work is to foster a digital environment where protecting fundamental rights is central to securing data and infrastructure, while taking into account Quebec's context, first and foremost, and industry practices around the world. To that end, Quebec has a strong body of privacy legislation—Bill 25, in particular—as well as relevant institutions—including the access to information commission, which actively monitors compliance and respect for individuals' rights. I would also point out that many information security practices, standards and certifications govern Quebec's critical infrastructure activities.
    My comments today on Bill C‑8 are informed by that dual requirement of privacy and security. At a time when the enemies of democracy are clearly and publicly demonstrating their desire to make people doubt government institutions, we, too, must be more transparent in our response.
    The bill gives the federal government the power to direct telecommunications service providers and vital system operators to do anything, or refrain from doing anything, and that direction may constitute a state secret. This ability raises two major issues. First of all, there are no clear guardrails, no parameters around the necessity, proportionality or duration of the order, or recourse. Those problems have been discussed extensively in the submissions to the committee. Second, because the confidentiality that applies to the orders is not limited in any way, the regime goes beyond the legitimate objective of security; it makes transparency and accountability difficult, if not impossible.
     In Quebec, privacy protection is based on clear principles: a privacy impact assessment must be conducted; measures must be documented; disclosure is required when individuals' rights are affected; and lastly, consent must be obtained. The adoption of a less stringent federal regime must not weaken Quebec's system. For that reason, I recommend that any order made under Bill C‑8 be subject to the following requirements: a public summary, annual reporting to a committee or the Quebec National Assembly, and a proportionality test explicitly set out in the legislation.
     Quebec has demonstrated its ability and authority to oversee privacy and digital security. Bill 25, along with laws such as Bill 5, which pertains to health information, sets out strict requirements for public and private organizations in relation to privacy impact assessments, consent, incident reporting, data localization and respect for the language and rights of Quebeckers.
    Bill C‑8 could create a parallel system, or override Quebec's regime for Quebec-based entities or foreign industrial entities operating in vital sectors such as energy, telecommunications and transportation. This opens the door to a fragmented system with watered-down responsibilities, not to mention public confusion, which would only help our enemies. It is crucial that the federal framework explicitly recognize two things: one, that organizations operating in Quebec are subject to Bill 25; and two, that Quebec's standards provide at least as much protection as federal requirements. That is not a given at this point.
    Unlike the rest of Canada, Quebec has a sophisticated governance regime for securing its information systems. To begin with, Quebec has a cybersecurity and digital technology ministry, which ensures that all the entities under its jurisdiction adhere to high security standards. Second, Quebec has an access to information commission, an independent body responsible for protecting personal information, and unlike its counterparts in the rest of the country, Quebec's commission has punitive powers to deal with violations or non-compliance. Bill C‑8 would infringe on the responsibilities of these two organizations, while failing to provide a similar or higher level of security. Bill C‑8 would in fact be a step backwards for Quebec.
    Another major issue is that the bill does not explicitly prohibit the government from compelling providers to undermine encryption or install internal monitoring mechanisms. This directly affects user trust, the security of communications and resistance to digital threats. The approach Quebec has chosen does not achieve security at the expense of privacy; rather, security is achieved through stronger controls, encryption, governance mechanisms and auditing.
     I recommend that Bill C‑8 include an explicit ban on the undermining of encryption, that it clearly distinguish between cybersecurity measures and monitoring measures, and that it require Quebec-based entities to report the collection or sharing of sensitive data to the appropriate Quebec authorities.
    In conclusion, I urge you to protect critical infrastructure systems, while respecting individuals' rights, preserving Quebec's authority, and adopting a clear, consistent, credible, transparent and proportionate framework. Bill C‑8 is not only an opportunity, but also a challenge. We already have a strong track record in Quebec, so use that expertise to build a reliable Canadian model that people can trust. Quebec can play a central role in that effort.
     Thank you for your time. I would be happy to answer your questions.
(1240)
    Thank you, Mr. Lefebvre.
    Ms. Polsky, the floor is now yours for five minutes.

[English]

     Thank you for inviting me to address the committee today.
    I am Sharon Polsky. I'm the president of the Privacy and Access Council of Canada, an independent, non-profit, non-partisan organization that is not funded by government or industry.
    Since launching 30-some years ago, the Internet has infiltrated our lives. I spent those years consulting to governments and to small, medium-sized and Fortune 100 businesses, seeing how they apply the law and policy and identifying practical risks invariably caused by human nature and, increasingly, the Internet itself.
    MP Caputo asked for some specifics, and I hope to oblige. The preamble says that the bill is to protect telco providers and critical systems and provides the minister with great power to order them to do anything or to refrain from doing anything to protect the Canadian telco system. That's laudable, but it lacks adequate safeguards to prevent abuse or ideological attack. This new law to add the promotion of the security of the Canadian telecommunications system as a policy objective tells companies to plug the holes that were built into their systems, something they should have done long ago to comply with privacy and other laws.
    Rephrasing the request isn't going to change much, even with AMPs. I'll speak more on that in a minute.
    Under proposed section 7 of part 2, a class of operators can be declared and any person or organization declared a member of that class. The bill applies to enterprises within the legislative authority of Parliament, and proposed subsection 9(1) ensnares the rest, the businesses and people whose products or services are in support of federally regulated enterprises.
    On accountability, the Auditor General noted that “Gaps in cyber security defences undermine the ability to protect critical information and manage cyber security risks.” Those gaps will remain even if this bill becomes law.
    The standards, laws and frameworks already in place—the privacy, security and risk assessments now done or supposed to be done—cannot prevent outages like we saw last week that took down half the Internet and again yesterday that took down another half of the Internet, each time grinding services around the globe to a halt, thanks to a single technical problem. That's all it took, because accountability requirements are inadequate.
    What accountability can there be when even the existence of orders can be ordered to be kept secret and when the Governor in Council can direct that orders not be published? Doing that leaves everybody in the dark and speaks to an undemocratic lack of transparency and a shield against accountability.
    Proposed section 15.21 requires the minister to reveal how many times in the previous year secret orders were made and other details, but statistics are cold comfort, especially given the broad information collection and sharing powers in the bill.
    Part 2 of Bill C-8 allows any service or system to be designated a vital service or system and requires designated operators “mitigate supply-chain and third-party risks”. It doesn't, but it should specify what risks are to be mitigated.
    Proposed subsection 20(6) of the CCSPA prohibits a designated operator or class of operators from intercepting communications, but third parties that support critical services aren't included. That could easily be operationalized as encryption-busting back doors. This and other governments have worked mightily over the years to circumvent encryption. Bill C-8 needs clear language to ensure that its broad powers cannot be used in any way by anyone to undermine or circumvent encryption, a ban even more urgent considering that Bill C-2's vague language would grant sweeping ministerial powers to order changes in Canada's telecommunication networks.
    The bill says AMPs are only intended to promote compliance and not intended to be punitive. They will benefit the largest providers that can recoup the cost from their broad customer base, further solidify their dominant position and still evade accountability. Meantime, others will be bankrupted.
    Implementation must be monitored, measured and mandatory with Sarbanes-Oxley-like penalties imposed, including personal—not corporate—liability to make accountability inescapable so they do the right thing from the beginning.
    How will a Canadian regulator be able to monitor compliance, I wonder, when Rogers just announced that it will be running its wireless network from India?
    Orders may be made about any threat, including that of interference and manipulation. We know that elections have been swayed by social media content. AI for news often misrepresents the story. Will that be deemed manipulative or a threat and the platform subject to being silenced?
(1245)
     I wonder by what objective standard and by what calculation one measures the gravity of manipulation. The bill must be clear.
    Finally, ordering that someone be denied Internet access because the minister considers something they’ve done or said to be a threat or to be manipulative will mean cutting them off from phone service, which is now Internet-based. Everyone in your house will be blocked from talking to friends, from calling adaptive transport, from phoning 911 or from applying to university. This is unjust and disproportionate, and this is what Bill C-8 allows.
    Bill C-8 must be changed, or we will relive what my grandparents fled a hundred years ago, after the Russian revolution: people placed in isolation for their views and this being conflated with the stuff of good government.
    Ms. Polsky, I'm sorry to interrupt, but that's all the time there is for this initial segment.
    That allows us to turn to MP Lloyd for six minutes.
    Thank you.
    Thank you to all of the witnesses here today.
    I really appreciate when people come forward with amendment ideas. It makes our job easier. I know the analysts were typing away, and they're very pleased with all of the ideas that were put forward.
    I'll start with you, Mr. Dehaas, on something you said. Do you believe that a denial of service attack is a free speech right?
(1250)
    Let me be very clear, Mr. Chair. I do not believe that a DDOS attack is protected free speech.
    What I'm saying is that someone who might be suspected of participating in that type of attack could face very serious consequences through proposed section 15.2, without proper due process in place, very—
    I appreciate that clarification. Thank you.
    I'm just wondering. We had the Privacy Commissioner here. He had been concerned about Bill C-26. He indicated that the necessity and the proportionality had been largely addressed by the introduction of a reasonableness requirement. We were told by officials from the government that the reasonableness requirement has been clearly outlined in a Supreme Court case.
    Why do you think the reasonableness requirement is not suitable or not stringent enough to protect from overreach by the minister?
    The reasonableness requirement is important. It's a good addition to the bill.
    The problem is that proposed section 15.2 states that “any threat” could result in this type of order. “Any threat” is simply not a high enough threshold. The judge would be looking at this and asking if this is a reasonable decision, based on a power that grants the minister the ability to do this type of thing based on any threat, no matter how minimal, whether serious or trifling.
    Wouldn't reasonableness dictate that the response would have to be proportionate to the level of the threat, or is that not clear?
    It would be reasonable in regard to what is written in the provision in 15.2. A judge, later on, looking at that would ask if this was a proportional decision, based on this power, which is very broad.
    Proposed subsection 15.1(2) talks about scope and substance. That's still scope and substance in relation to the provision itself. I think that adding the words “serious” and “systemic” to 15.2 would help.
    I'm very interested in that amendment. I thank you for that.
    We're talking about the secret orders. The department came and assured us that, in 99% of cases, there's going to be no justification for a secret order. However, in 1% of cases, the disclosure of an order would in itself lead to a threat to the telecommunications system, but you don't seem to be convinced that's a good enough safeguard.
    You provided the example of a protester who is suspected of wanting to commit a denial of service attack. What reasonableness requirement would be met by the minister to put a secret order on banning that person from the Internet?
    I think that would be hard to justify.
    I think there are occasions when a secret order would be warranted, if we're talking about national security threats from other countries or from foreign actors that want to take over parts of the system. The way it's written would allow the minister to do this and then to keep it secret for long enough, until the crisis that led to it had passed.
    Think, for example, of a protester who wants to take over the Prime Minister's website through a DDOS attack. Maybe a group is planning to do this as some sort of protest. The minister could do this as punishment, without due process, and could keep that secret. We might never find out that it had occurred, so—
     Although there is a notification requirement now, are you saying the notification requirement's probably not stringent enough?
    I'm saying that it needs to be higher, yes.
    I'm going to move on.
    There's been talk about encryption-breaking powers in the bill.
    Mr. Shull, I didn't see anything in the bill about encryption powers, but it seems people are saying that because they're giving the power to the minister to compel the telecoms to do anything or refrain from doing anything, it could indirectly lead to encryption breaking. Did you have any comments on that?
    It's not specifically enumerated in the bill to be able to crack encryption, but you're right that there's broad language. I suppose you could maybe find yourself there. That's why I was saying let's be crisp on the criteria.
    There are bad guys doing bad things and we have to be able to stop them. We all agree on that, but under what circumstances? Let's just be crisp on the criteria that are set out so that when we get to determining whether this was reasonable, we know what yardstick we are using.
    Okay.
    I remember my question for Mr. Dehaas.
    Let's say somebody is banned from the Internet because the government believes they're going to do an attack. I believe they have to be consulted and told by the government that they've been banned. Is that not clear?
(1255)
    In most cases the government would and they would find out, but it's not clear to me in the bill. I think that could be clarified.
    Is it itself a crime to seek judicial redress? If you feel that it's been unjustified and violates your charter rights and you go to a judge, is that a violation of the secret order? Is that criminal in itself?
    No, it would not be. Judicial review would always be available.
    The problem here is that a layperson may not realize and they might be cowed by the fact that it's not entirely clear that they cannot seek judicial review and that it would be breaching the order. Even though judicial review is essentially always available, it should be clarified.
    Thank you.

[Translation]

    Thank you both very much.
    Ms. Dandurand, you have the floor for six minutes.
    Thank you, Mr. Chair.
    I'm comparing the testimony we're hearing today with what we heard last week from expert witnesses, and I find some things a bit startling.
    Mr. Dehaas, one of the things we've heard from your organization is that Bill C‑8 could enable the government to disconnect Canadians from the Internet because they've criticized the government. A certain expert witness last week said that Canadians' comments as individuals absolutely don't fall within the scope of the bill. It's also being said that the bill includes concepts of proportionality and the necessity to stop an attack in order for the law to be enforced.
    How do you respond to that?

[English]

    I think the government may, in good faith, not be particularly interested in that type of censorship. The problem is that the act does say it applies to any threat to the telecommunications system so that is very open to interpretation.
    Would a court find that the act would allow this? Probably not, but the risk is that the government would do it anyway. For example, in an emergency, when tensions are heightened, this is the type of thing that can happen. That's why it's important to make it clear that these are serious threats, and that they're systemic threats to the system itself and not to individual speech.

[Translation]

    Okay.
    Ms. Polsky, I'm going to ask you the same kind of question. You were saying that the bill would eventually make it possible to blindly fish for information. The expert I was talking about earlier said that none of what you mentioned as a threat could be applicable. What you're worried about goes well beyond the scope of the bill, so it isn't possible for anyone to blindly fish around.
    What do you have to say about that?

[English]

    It's important, certainly, to protect our national critical infrastructure and have provisions, but there have to be appropriate limits because the language in the law right now is vague enough, as my colleague said, that it's open to interpretation.
    Without specific boundaries and without specific wrappers, what constitutes a threat? Anything can be justified. It's very easy. It's human nature we're dealing with, and if somebody feels threatened, it's easy enough to say the things that need to be said, find the evidence, make an allegation, do what you want and then leave the person to defend themselves after the fact.
    That's dangerous, so there needs to be clearer language so that it's not just an open-ended opportunity.

[Translation]

    The bill contains a clause that clearly defines what's considered to be a threat. That refers to what's included in the legislation. Some experts have looked into this issue.
    I'm going to go to Mr. Shull.
    I'd like to talk about comparisons with other jurisdictions abroad. It has been said that the European Union, the United States and Australia already have approaches to balance cybersecurity, privacy protection, transparency and oversight.
    Do you think Bill C‑8 enables us to effectively comply with best practices around the world when it comes to cybersecurity?

[English]

     I think it's a good bill. Don't get me wrong. I'm asking for some provisions to be changed because I think they could be tightened up here and there, but I absolutely think we need this bill.
    I'll take a step back and say that when we're talking about privacy, we're talking about personally identifiable information. This bill is about the system itself, not just individuals. The core evil we're trying to deal with is that we're hooking up everything we possibly can to the Internet, including water systems and electrical systems. We don't really talk about OT, operational technology, but I will tell you right now that it's what the bad guys are doing. They're pre-positioning onto our critical infrastructure with a view to disabling us if we are ever in a conflict or to exert pressure. This is very bad and we have to deal with it.
    The point I'm making is that I'm very supportive of this bill. It just needs some marginal tweaks to make it a bit better.
(1300)

[Translation]

    Thank you.
    Let's go back to the comparison with other jurisdictions abroad. Are there any lessons for us to learn? Have some of them already gotten ahead? Would we be leaders if we were to implement your suggestion?

[English]

    For sure. The closest comparisons will always be with the U.S., Australia and the U.K. We don't have a mechanism requiring critical infrastructure providers to report right now, and we have no legislative authority to require telecommunications providers to rip out bad gear. Our allies do, so we're already behind the rest of the class.
    Just getting this bill passed is a step in the right direction.

[Translation]

    Ms. Dandurand, you have a total of 15 seconds left.
    I'll yield them to you.
    Mrs. DeBellefeuille, you have the floor for six minutes.
    Thank you, Mr. Chair.
    Thank you to the witnesses for their testimony. I think there's some consensus that this is a good bill, but that there are improvements to be made, especially to clause 15. It may be necessary to tighten up or better regulate the ministerial powers. There are reports and accountability, but they don't match the ministers' powers. That's what I'm noticing and retaining today. Thank you very much.
    Mr. Lefebvre, I'd like to ask you a question so that the committee can better understand something. You talked about encryption. We don't have any knowledge of that, but I think it's an important aspect for you, because you point out that it's completely missing from the bill.
    Can you explain why you think it's important for the bill to state that it's prohibited to change encryption standards?
    In fact, the bill doesn't specifically talk about encryption. At the moment, western democracies have a tendency to want to reduce encryption. Law enforcement and intelligence agencies are insisting on a decrease in encryption for messaging apps and anything that can be related to communications. We're talking about telecommunications and that sort of thing. There's a very big trend at the moment, whether in the United Kingdom or the United States, to want to reduce that encryption.
    Basically, our main recommendation is to get ahead of the curve. Does Canada want to be a leader with the implementation of Bill C‑8? If it wants to become a leader, it has to take the lead and specify that those powers, which are quite extraordinary, won't be used to reduce encryption, which could infringe on Canadians' privacy and personal information.
    For all those reasons, I think it should be clarified.
    I think encryption is what prevents companies or the government from having access to our personal conversations. If the standards are lowered, companies and governments could have access without us knowing. That means that encryption is a protection, a measure that has to be retained so that authorities aren't allowed to easily intrude into our exchanges by email or on WhatsApp, Messenger, Facebook and so on. That's what I've understood.
    At the previous meeting, there was a lot of talk about overlap with Quebec, and department officials told us that they were aware of those overlaps and duplications, but they said that everything would be settled in the regulatory part with the aim of reducing those overlaps as much as possible.
    As a Bloc Québécois member, I know that when Canada wants to do this with the provinces, the result is always that it wants to impose its views and that the provinces have to obey and comply. The proof is that there are currently still a few billion dollars in the federal government's coffers, while the municipalities are in need. However, in the absence of an agreement with Quebec because Ottawa wants to impose its standards, the money isn't currently being disbursed, even though that would enable municipalities in particular to build infrastructure.
    Could you tell me your biggest fear about this overlap and duplication? What's the main problem?
(1305)
    Of course, in reality, there are fundamental differences between Bill 25 on the protection of Quebec citizens' personal information and Bill C‑8. Bill C‑8 doesn't particularly cover the risks of privacy breaches. It probably isn't clear enough, especially when it comes to the proportionality we talked about, for example. On the other hand, Quebec's Bill 25 places a great deal of importance on it.
    In fact, Quebec's approach to information security, privacy and infrastructure protection is very much oriented toward privacy. That protection is really central to Quebec's approach, whereas the approach proposed in Bill C‑8 is very technical. It's basically very focused on protecting the operations of critical infrastructure, but it pays little attention to privacy. There was discussion earlier about all the little details that could allow individuals to be targeted. The protection of freedom of expression and that sort of thing isn't as well defined in Bill C‑8, so that's certainly a challenge.
    As for overlaps, it's clear that Bill C‑8 would encroach on a lot of jurisdictions, particularly those of Quebec's ministry of cybersecurity and digital technology, or MCN, which is responsible for ensuring the security of all of Quebec's critical infrastructure, ministries and paragovernmental organizations. That means that there would be a clear overlap. It would remain to be seen whether the MCN could ultimately retain certain rights, certain powers, when it already has little, in a way. Would it retain its powers with respect to Bill C‑8 or the federal government? There's a sense that Bill C‑8 would prevail in that regard.
    There's one place where there isn't any overlap. The MCN doesn't have that much power when it comes to imposing certain security requirements on private companies, such as telecoms. That means that Bill C‑8 would have an advantage in that regard because there isn't an overlap, but really, it would be important to do some matching, or what's called mapping, when it comes to oversight. That's a matter of—
    Mr. Lefebvre, I'm sorry to interrupt you again, but that's all the time we have.

[English]

    I have a point of order, Mr. Chair.

[Translation]

    Thank you to the witnesses for being here and for the time you spent preparing for this meeting today. That's all the time we have for you.
    I have a point of order.
    Since the time is up, I will adjourn the meeting. We'll meet again next Tuesday.