SECU Committee Meeting

    Good afternoon, everyone. I call this meeting to order.

    Welcome to meeting number 23 of the House of Commons Standing Committee on Public Safety and National Security.

    Pursuant to the House order of October 3, 2025, we're meeting on our study of Bill C‑8, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other acts.

    I would now like to welcome the witnesses, whom we know very well and who will answer questions, if needed.

    From the Department of Public Safety and Emergency Preparedness, we have Colin MacSween and Kelly‑Anne Gibson.

    From the Department of Industry, we have Andre Arbour and Wen Kwan.

    Other senior officials are seated in the room and can potentially move to the table if their presence is deemed necessary.

    We will now resume the clause-by-clause consideration of Bill C‑8.

    (On clause 2)

    You will probably remember that, last time, we had reached consideration of amendment CPC‑19.

    Is amendment CPC‑19 being moved?

    One moment, please.

    I'll give the member time to find amendment CPC‑19, on which notice was given.

    I will not be moving CPC-19. I intend to move CPC-21 instead.

    We will not be moving CPC-19, which brings us to amendment CPC-20.

     Is CPC-20 being moved?

     Yes, Mr. Chair. I would like to move CPC-20, please.

    Would you like to speak to it?

    I don't at this point. I think we have done a fair amount of talking. I think we know generally where the lines have been drawn, and I will leave it to you. If there are other interventions, I am happy to respond.

    Is there any discussion on CPC-20?

    Go ahead, MP Ramsay.

     I feel that this amendment would strongly reduce the power to collect information, so I'd like to verify with Mr. Arbour if he's of that opinion.

     Mr. Chair, the concerns with respect to this amendment concern this switch from collecting information that is relevant to an order-making activity to necessary. Then there's also a lack of clarity, potentially, and some risk of confusion. The core issue appears to be the difference between “necessary” and “relevant”.

    The issue here is that there is information that is highly relevant to an order-making activity, but it's highly debatable whether it would be necessary, for example, information from the private sector on the costs of implementing an order to undertake a reasonable cost-benefit analysis of how to calibrate the order. Arguably, that is not, strictly speaking, necessary to proceed, but it is certainly relevant to whether and how an order should be calibrated.

    The issue of the risk of lack of precision is due to the language around gravity of the threat. Another reason for collecting information in this context would be to verify compliance. By taking the gravity-of-the-threat language out of the order-making and putting it into information collection, it's unclear what threat we're talking about here. Is it the threat of non-compliance? Is it the threat for the reason of the order to begin with?

     I'll stop there. Hopefully, that's clear, but I'm happy to go further as needed.

     MP Caputo, go ahead.

     Thank you.

    I thank the officials and welcome them back. It's our third day, and I know they have a lot on their plate, so we are very grateful for their presence here.

    One of the reasons I will be voting in favour of this amendment, given the foregoing, is when we do have ambiguity, when it's like, “Well, this may be necessary.” I think that's part of the issue. Canadians write to me when there is ambiguity and when there is concern because something may not be necessary, but if it may not be necessary, it may also be necessary. Therefore, any clarification we can give is something which should animate our discussions and our votes.

    It is for that reason that I will be voting for this amendment.

    Thank you, Mr. Caputo.

    Is there anyone else?

    In that case, we will move to a vote on whether CPC-20 will be adopted.

    We will proceed with a roll call vote, Mr. Clerk.

    (Amendment agreed to: yeas 5; nays 4 [See Minutes of Proceedings])

    We'll now go to NDP‑5, which is deemed moved.

    Ms. Kwan, would you like to speak to it?

    Thank you very much, Mr. Chair.

    The rationale behind NDP-5, is that Bill C-8 grants the minister broad powers to compel the production of any information considered on reasonable grounds to be relevant to the exercise or enforcement of the minister's powers under part 1 of the bill. This could allow the government to order companies to hand over the personal and confidential data of Canadians without a judicial warrant or other independent oversight. As the Canadian Civil Liberties Association, amongst others, has pointed out, this “falls short of the constitutional minimum”.

    This amendment requires the government to obtain prior judicial authorization from the Federal Court before it can compel a telecommunications provider to disclose personal or de-identified information so that this section of Bill C-8 can meet the minimum protection against the government interfering with individuals' reasonable expectation of privacy under section 8 of the charter.

    Mr. Chair, I would note that this amendment is identical to CPC-21.

    Thank you, Ms. Kwan.

    Let me give you the following ruling.

    Bill C‑8 amends the Telecommunications Act to allow the minister, under proposed section 15.4, to require the provision of information that he or she considers relevant to establish or verify compliance with an order under proposed sections 15.1 and 15.2. The proposed amendment would require the minister to obtain the authorization of a judge to make such an order under certain circumstances.

     House of Commons Procedure and Practice, fourth edition, states the following in section 16.74: “An amendment to a bill that was referred to a committee after second reading is out of order if it is beyond the scope and principle of the bill.” In the chair's opinion, introducing judicial authorization prior to orders is indeed a new concept that is beyond the scope of the bill. Therefore, the amendment is out of order.

    Mr. Caputo, you have the floor.

    With the greatest of respect, Chair, I would challenge your decision, please.

    Thank you, Mr. Caputo.

    That brings us to an immediate vote.

    Mr. Clerk, would you please proceed to a roll call vote.

    (Ruling of the chair overturned: nays 5; yeas 4)

    That brings us to debating this amendment.

    Is there any discussion?

    Mrs. DeBellefeuille, you have the floor.

    I just wanted to ask for a little clarification, Mr. Chair.

    Before your ruling was overturned, you ruled NDP‑5 out of order. In my mind, and I think Ms. Kwan said this as well, NDP‑5 and CPC‑21 were similar. However, you didn't say at the outset that there was a line conflict.

    Do you see them as two different amendments?

    That's a great question.

    They're very similar, but they're not the same word for word.

    Mr. Ramsay, you have the floor.

    I just want to remind everyone that the word “person” used in proposed subsections (2), (3) and (4) refers to either a person or an organization that provides telecommunications services. As a result, this proposal would even prevent the collection of information from telecommunications companies.

    Now, I have two questions for the witnesses.

    First, as I understand it, this amendment would be out of step with existing regulatory regimes in several sectors. I'd like to hear from the experts on this.

    Second, I'd like to know if you feel that any other approaches or amendments that have been proposed would better fulfill this role than amendment NDP‑5.

    The wording of the provision currently proposed in Bill C‑8 is based on a provision in the Telecommunications Act that's been in force since the 1990s, so for several decades. It's very similar. There's another provision in the Radiocommunication Act that is, again, very similar. There are several similar provisions in insurance industry legislation, in the banking context, in the health context, in drug regulations, for example, or in the transportation sector. Access to private sector information is very important for a targeted regulatory regime focused on implementing and operating networks or operations in the private sector. So, without this type of provision, part I would perhaps be useless.

    The proposal to require judicial authorization has never been put forward to date in the federal context. It's completely new.

    In addition, the proposal introduces the context of rights under the Canadian Charter of Rights and Freedoms, but for businesses, yes, because relevant information is information from operating companies or financial companies. That is what has constituted relevant information in recent decades for general questions. I'm not necessarily talking about security, but about what has existed in the Telecommunications Act and the Radiocommunication Act for decades.

    I would like to add another clarification. The comments refer to the concept of “person”, but again, I think there's some confusion between the day-to-day usage of “person” and its usage in a legal context. In the legislative context, for example in the context of the Telecommunications Act, a person can be a corporation, meaning a business.

    So, if the proposed provision were included in the act, it would be more or less impossible to carry out part I effectively, given the evolution of technology, which is constantly changing.

    The committee has already adopted authorization processes that would add perhaps months, maybe even a few years, to the order-making process. If this proposal were adopted, it would add even more months to the process. In addition, it would increase the paperwork and make it harder for each business that would have to apply it. It would be very difficult.

    There may be one last thing to consider. Of course, there are other proposals, including the Bloc Québécois amendments BQ‑6 and BQ‑7, which I think are much more specific on the issue of protecting personal information, rather than introducing protections for Bell Canada or Rogers that would undermine the government's ability to apply measures to protect Canadians.

    Excellent.

    Is there any further discussion on NDP‑5?

    Seeing none, we'll go to a recorded vote.

    (Amendment negatived: nays 5; yeas 4 [See Minutes of Proceedings])

    As mentioned a few moments ago, CPC‑21 is very similar to NDP‑5, but it's not identical, at least in one of the versions. That's why it can be debated.

    Before we go to debate, though, can you tell me if CPC‑21 is being moved?

     Yes, I will move CPC‑21. I imagine that we will go straight to a vote.

    Thank you.

     Not immediately, because this is going to lead to the same decision that I just made for the previous amendment.

    The ruling is that this amendment is out of order, for the reasons you now know. I could go through the rationale again, but I think you've seen that this amendment would require the minister to obtain the authorization of a judge to make an order in certain circumstances, which, in the chair's opinion, is contrary to the scope and principle of the bill. Indeed, it is the chair's opinion that introducing such judicial authorization prior to orders is a new concept that is beyond the scope of the bill and, therefore, the amendment is out of order.

    With the greatest respect, I will again challenge the chair.

    Thank you.

    In that case, we must proceed immediately to a recorded division on the question.

    (Ruling of the chair sustained: yeas 5; nays 4)

    That brings us to NDP‑6, which is deemed moved.

    Ms. Kwan, do you wish to speak to this amendment?

    Thank you very much, Mr. Chair.

    Presently the limits on sharing personal information obtained through proposed section 15.4 are contingent on whether a telecommunications service provider has chosen to designate its customers' personal information as confidential. This amendment, one, would deem personal and de-identified information that is not designated as confidential by a telecommunications provider as confidential; and two, would introduce data retention and deletion clauses so that confidential information is retained only for as long as it is necessary.

    Mr. Chair, this amendment is similar to BQ‑5, BQ‑7 and PV‑6.

    Thank you, Ms. Kwan.

    Is there any further discussion on NDP‑6?

    (Amendment negatived [See Minutes of Proceedings])

    BQ‑5 could only be moved if NDP‑6 was defeated, which it was.

    Is BQ‑5 being moved?

    Mr. Chair, I would like to move BQ‑5.

    Basically, Ms. Kwan's explanation was very insightful, but the text is worded in a different way in BQ‑5. We prefer the version proposed in BQ‑5, which is directly related to a recommendation from the Privacy Commissioner.

    The commissioner made a few recommendations. He also helped us draft amendments. In this case, the Bloc Québécois is also speaking on behalf of the Privacy Commissioner to amend this clause.

    Thank you, Mrs. DeBellefeuille.

    Is there any discussion?

    Mr. Ramsay, you have the floor.

    BQ‑5 adds complexity to the act. However, we have come to the conclusion that this complexity can reassure people that the government will treat personal information with the appropriate confidentiality. Therefore, we will be voting in favour of this amendment.

    Thank you, Mr. Ramsay.

    Is there any further debate?

    (Amendment agreed to [See Minutes of Proceedings])

    We'll now go to PV‑6, which is deemed moved.

    Ms. Kwan, the floor is yours.

     A voice: No, it's Ms. May.

    It's PV; it's the Green Party.

    Oh, that's quite a mistake.

    No, it's a little error. It's PV; it's strange, yes. This is the first time we've had to participate like this. If it was the letter G for “Green”, there would be a problem, because it would be the same letter as the one designating the government. That's why all of my amendments are designated with the letters P and V for “Parti vert”.

    I so move PV‑6.

    The reasons for this amendment are pretty clear, and they're not far from some of the points that Jenny was making earlier about trying to find ways to protect privacy.

    All of proposed section 15.5 is described as relating to confidential information and its designation. The amendment we're putting forward would be to ensure that people's privacy cannot be violated at the discretion of service providers. The language is pretty clear. It's a short amendment. I would urge you to consider accepting it as an amendment to this bill.

    Thank you.

     Thank you, Madam May.

    Mrs. DeBellefeuille, you have the floor.

    I would like a clarification.

    I see that BQ‑5, which we've adopted, and PV‑6 are almost identical. Is it relevant, then? Is there a problem if we adopt PV‑6 when we've already adopted BQ‑5?

    I don't know if the legislative clerk can tell us a bit about that.

    Yes, but I can speak to that as well.

    It's called redundancy. In other words, the purpose of the two amendments is very similar, if not identical, but the wording is different.

    PV‑6 is in order, but if it were adopted in addition to the BQ‑5 we adopted a moment ago, it would create redundancy, which would lead the legislative clerks and department lawyers to have to arbitrate the will of the committee. Since the committee would have adopted two very similar amendments, it would be up to the experts in the department and the House of Commons to arbitrate for the committee, since these two amendments would be redundant.

    Thank you.

    Mr. Ramsay, you have the floor.

    For the reason expressed by Madam DeBellefeuille, we consider it to be so similar to BQ-5 that we don't think PV-6 is necessary. We're going to vote against it.

    Thank you, Mr. Ramsay.

    Is there any further debate?

    (Amendment negatived [See Minutes of Proceedings])

    That brings us to BQ‑6.

    Mrs. DeBellefeuille, would you like to speak to BQ‑6?

    Yes.

    BQ‑6 makes it possible to add new restrictions on the information collected. Again, this clarification was really inspired by the Privacy Commissioner's testimony. Therefore, I encourage my colleagues to be sensitive to the commissioner's recommendation, which we think is quite wise under the circumstances.

    Thank you, Mrs. DeBellefeuille.

    Is there any more discussion on BQ‑6?

    (Amendment agreed to [ See Minutes of Proceedings ])

    We'll move on to PV‑7, which is deemed to be moved.

    Ms. May, you have the floor.

    Mr. Chair, I think PV‑7 is very similar to BQ‑6, which was moved by Mrs. DeBellefeuille and which we adopted. Based on the clerk's opinion, I think my amendment is too similar to the one already adopted.

    Thank you, Ms. May. I take it, then, that you're not moving your amendment.

    Are you talking about PV‑7?

    Yes.

    I don't have the authority to make that decision, Mr. Chair. I'm not allowed to decide whether or not to move my amendments in committee.

     I find it really offensive that I'm in this position that I can neither move my amendments nor ask for them to be withdrawn, so I am in your hands.

    I point out the reality that I can't vote on, withdraw or comment on my amendments beyond the brief time allowed in the motion that this committee passed.

    That is correct, Madam May. Your expertise and your experience show again.

    That amendment, having been moved by default, means that we cannot withdraw it unless there is unanimous consent to do so.

    Mr. Caputo.

    I'll seek unanimous consent to withdraw.

    Is there unanimous consent for Ms. May to withdraw PV‑7?

     Some hon. members: Agreed.

    (Amendment withdrawn)

    Thank you, Ms. May, for helping us get through this.

    That brings us to CPC‑22.

    Is that amendment being moved?

     No, I will not be moving that one.

    Good. Therefore, CPC‑22 will not be moved.

    That brings us to NDP‑7, which is deemed to be moved.

    Ms. Kwan, the floor is yours.

     Mr. Chair, this amendment is about the collection and disclosure of personal information under the bill, which is not presently limited by necessity or proportionality requirements. This amendment proposes an inclusion in proposed subparagraph 15.5(4)(c) to balance the disclosure of sensitive information with the gravity of the threat to the Canadian telecommunications system.

     I won't read the clause into the record, Mr. Chair. That clause is available to all members in both official languages.

    Thank you, Ms. Kwan.

    Is there any further discussion on this?

    Mr. Caputo, you have the floor.

    Mr. Chair, I wonder if my colleague would consent to an amendment to part (c) that reads, “the Minister believes on reasonable grounds that the disclosure is reasonable in relation to the gravity of the threat, and necessary to secure the Canadian telecommunications system”.

    We could pause for a moment, Madam Kwan, if that would be useful.

    We'll suspend and we'll come back in a few minutes.

    We're able to start again.

    There was a bit of confusion, as you know. Ultimately, there will be no subamendment proposed for NDP‑7.

    We will now resume the discussion on NDP‑7.

    Mr. Caputo, you have the floor.

    Mr. Chair, the parties have discussed this. I think the most prudent manoeuvre would be that we seek to withdraw NDP-7. We would need unanimous consent for that, and we would also need UC for me to move CPC-22 to eventually accomplish what we're trying to accomplish with the amendment.

    Is there unanimous consent for NDP‑7 to be withdrawn?

    No.

    There is no unanimous consent, which brings us back to the discussion on NDP‑7.

    Are there any other interventions?

    Mrs. DeBellefeuille, you have the floor.

    I just want to hear from the officials on this amendment. I'm going to support it, because I think it's a very valid amendment, but I would still like to know if the officials have any reservations.

    Just before you begin your answer, Mr. Arbour, I would like to point something out.

    Mr. Chair, there was a pause while we were waiting for the translation of a subamendment. I'll tell you what I understand, Mr. Chair, and I'd like you to confirm whether it's the case. This may be more of a point of order. Did we drop the subamendment because the translation was slow in coming? Is there a problem with the translation bureau? Is our work slowed down because the bureau isn't able to translate a subamendment quickly? What happened the whole time we waited? What is the problem? I'd like you to let me know, because it's a huge concern for me.

    I'll answer your question first. Then, if I understand correctly, you would like the experts to comment on another issue.

    Obviously, it always takes some time to do a translation, but I can assure you that, in this case, the problem was not the translation, but rather the consistency between the subamendment and the amendment. At first glance, the legislative clerks believed, after a quick analysis, that the subamendment was compatible with the amendment. Therefore, it was sent to the translation bureau for translation. Then, elsewhere, it was found that the subamendment was not compatible with the amendment. That is why the subamendment is not currently being discussed and why we are discussing NDP‑7.

    Mr. Arbour, you have the floor.

    Thank you, Mr. Chair.

    In both CPC‑22 and NDP‑7, the language is very similar to the current text of the bill. The proposed changes would not have a very significant impact on the work we are doing. They might make the criteria for sharing confidential information a little bit stricter than they are in the current wording, but it's not a very big difference.

    I would like to add that, in this context, when we talk about private sector information, from what I've seen in my career, members of Parliament and civil society are usually the ones who want access to this type of information. It might be a good idea to ask officials questions about why the government isn't going to disclose the information in the interest of transparency. It's a very small comment to consider before making the decision. Overall, the difference is very small.

    Thank you.

    Is there any further debate?

    Shall NDP‑7 carry?

    Is it carried on division?

    We will have a recorded vote, since there is some uncertainty as to who is in favour of the amendment and who is not.

    (Amendment agreed to: yeas 5; nays 4 [See Minutes of Proceedings])

    We'll now move on to CPC‑23.

    Is CPC‑23 being moved?

    Mr. Chair, I will move CPC-23.

    Thank you, Mr. Caputo.

    Shall CPC-23 be adopted?

    (Amendment negatived [See Minutes of Proceedings])

    Is CPC-24 being moved?

     No.

     That brings us to NDP-8, which is deemed moved.

    Madam Kwan.

    Mr. Chair, I want to thank the committee members for passing my last amendment.

    On this one, proposed paragraph 15.5(4)(b) allows for the disclosure of confidential information with the consent of the person who designated the information as confidential. Telecommunications providers should not be able to consent on behalf of their customers to the sharing of personal or de-identified information. The amendment therefore ensures clearer limits on the sharing of personal information by requiring that consent be obtained from the person to whom the information relates, rather than a third party, before that information can be disclosed to other government agencies.

    Thank you, Ms. Kwan.

    Since NDP‑8 has been moved, CPC‑25 cannot be moved, as they are identical.

    We'll now discuss NDP‑8.

    Is there any discussion?

    (Amendment agreed to [See Minutes of Proceedings])

    We'll now move on to CPC‑26.

    Is CPC‑26 being moved?

    Yes, please.

    Are there any interventions on CPC-26?

    MP Ramsay, go ahead.

     We are against this amendment.

    We think that this will greatly limit the ability to intervene in behaviours that are legal but could nonetheless put the telecommunications system at risk. The purpose of the bill is to minimize the risks to the telecommunications system, not to determine whether behaviours are legal or not. We're talking about risks to the telecommunications system. These could include network configuration practices that are deficient or negligent. These are not necessarily illegal behaviours, but they are still dangerous for the telecommunications system.

    I'd like the expert, Mr. Arbour, to comment on that.

    Yes, of course.

    The proposal would pose major problems for the implementation of the bill. Many of the activities related to network operations, such as the frequency of software updates or the type of equipment used in the network, are not illegal under the Criminal Code, but can, of course, pose very significant risks to the security of our infrastructure. There were, for example, issues with Rogers in 2022 and other problems in the operation of telecommunications networks for Canadians.

    There would be enormous risks if this amendment were adopted.

    Thank you, Mr. Ramsay.

    Is there any further debate?

    (Amendment negatived [See Minutes of Proceedings])

    We'll now move on to PV‑8, which is deemed to be moved.

    Ms. May, you have the floor.

    Thank you, Mr. Chair.

    It's a very simple, straightforward element. It's just a straightforward change.

     If you're looking at proposed subsection 15.6(1), you'll see that it is just as straightforward: “Despite section 15.5, to the extent that is necessary for any purpose”.

    Based on the evidence of a number of witnesses, we propose changing “that is necessary” to “that they believe on reasonable grounds is necessary”.

    It's another protection against extending the reach of this ability to invade privacy through Internet service providers and make sure that the disclosure of information is only guided by the demand that they believe, on reasonable grounds, that it's necessary.

    I hope that you find amendment PV-8 acceptable.

    Thank you.

    Before I turn to you, Mr. Caputo, let me inform you that, if this amendment is adopted, CPC‑27 and NDP‑9 cannot be moved owing to a line conflict.

    Mr. Caputo, you have the floor.

    Mr. Chair, with the greatest of respect for the leader of the Green Party, I prefer the wording in CPC-27. I don't take issue with the rationale behind it. That is the only reason why I'll be voting against this.

    Thank you, Mr. Caputo.

    Is there any further debate?

    (Amendment negatived)

    We'll now move on to CPC‑27.

    Is CPC‑27 being moved?

    Yes, Mr. Chair.

    Is there any discussion on CPC‑27?

    Over to you, Mr. Ramsay.

    According to CPC‑27, even the exchange of straightforward, non-confidential information would be subject to a proportionality standard. This is unusual, to say the least, and it exposes us to significant problems, insofar as the proportionality standard is difficult to establish in routine operations.

    Perhaps Mr. Arbour can comment more appropriately on that.

    The amendment would add standards for information sharing even if the information is non-confidential. That would add a consideration. Outside of existing government activities, there is routine information sharing, for example to verify compliance with an order or regulation. That information is not confidential. The amendment would introduce some confusion when it comes to routine activities such as compliance verification.

    Thank you.

    Shall amendment CPC‑27 carry?

    We'll have a recorded vote to make sure of the outcome.

    (Amendment agreed to: yeas 5; nays 4 [See Minutes of Proceedings])

    NDP‑9 seeks to amend the same line as CPC‑27, which we just passed, which makes it inadmissible.

    We'll move on to CPC‑28.

    Is CPC‑28 being moved?

    Mr. Caputo, you have the floor.

     Yes, I will move CPC-28.

    If I may, I would ask the officials whether there is an issue with any overlap with this amendment, given the passage of CPC-27. I'd like to know that before I proceed any further, please.

    Mr. Chair, there does indeed appear to be a degree of overlap or duplication, since CPC-27 applies generally and CPC-28 focuses on personal or de-identified information.

    CPC-28 also introduces a concept of collective belief on behalf of the government entities involved, which is also not something I've encountered before. It could create some confusion about how to determine a group agreement on the question at hand.

     Given the overlap, I would seek unanimous consent to withdraw the amendment, and we can move on to NDP-10.

    Thank you.

    Is there unanimous consent to withdraw the amendment?

    Some hon. members: Agreed.

    (Amendment withdrawn)

    The Chair: We will move on to NDP-10, which is deemed to be moved.

    Madam Kwan.

    Mr. Chair, the rationale behind this amendment is that civil society groups and privacy advocates are concerned that the information collected under Bill C-8 could be used to achieve objectives that are unrelated to cybersecurity, including intelligence and surveillance activities. This amendment would introduce an interpretive clause to prevent such misuse of information collected under the bill by limiting its use to “purposes related to cyber security and information assurance”.

    Thank you, Ms. Kwan.

    Are there any comments on NDP‑10?

    Over to you, Mr. Ramsay.

    Essentially, the application would be limited to cybersecurity, but there could be circumstances that don't fall under cybersecurity, in this case extreme weather events. We feel that this concept simply adds confusion to the section of the act. We don't think the provision is necessary.

    I would like to hear from Mr. Arbour on that.

    For a change, I'll answer the question in English.

     There is already a set of scoping requirements that prevents even the collection of information for law enforcement, investigatory purposes or broader national security surveillance issues. This is done at the overall scoping of the law itself but also in each individual provision. Information can only be collected if it's necessary, not just relevant now, to the order-making authorities. It's scoped a number of different ways.

    In terms of the challenges with this provision of limiting it to cybersecurity considerations, part 1 deals with a range of risks to the telecommunications system, of which many are not specifically related to cybersecurity. With climate change, we've seen a fivefold increase in catastrophic damages to infrastructure as reported by the Insurance Bureau of Canada, so the information and activities that are contemplated are not strictly limited to cybersecurity.

    There are other provisions that already provide guardrails, and there are further amendments that are being adopted or contemplated specifically targeting personal information that the committee has either already adopted or will be contemplating moving forward.

     Thank you.

    Before we move to a vote on whether the amendment is adopted or not, let me signal that if this is adopted, CPC-29 will not be movable given that they are identical.

    We're going to have a recorded vote on NDP‑10.

    (Amendment negatived: nays 5; yeas 4 [See Minutes of Proceedings])

    We are moving to CPC-30.

    Is CPC-30 being moved?

     I will not move CPC-29, because it's identical and we know how that's going to go, so yes, I will move CPC-30, please.

    Are there any interventions on CPC-30?

    Mr. Ramsay, go ahead.

    Mr. Chair, we will vote yes.

    Thank you, Mr. Ramsay.

    Mrs. DeBellefeuille, is that okay?

    Yes.

    Good.

    (Amendment agreed to [See Minutes of Proceedings])

    That brings us to CPC‑31, but since it covers the same lines as CPC‑30, it is inadmissible.

    That brings us to NDP‑11, which is deemed to be moved.

    Ms. Kwan, the floor is yours.

     Mr. Chair, similar to NDP-6, this amendment introduces safeguards on the government's ability to share sensitive information with other countries and foreign or international organizations. It requires that the data retention and deletion clauses be included in agreements and MOUs entered into with foreign agencies.

    It also requires that these retention periods be communicated to the telecommunications providers and that personal and de-identified information be deemed confidential for the purposes of proposed section 15.7.

    Thank you, Madam Kwan.

    Are there any interventions on NDP-11?

    Mr. Ramsay.

    We cannot vote in favour of this amendment, which actually requires the government to disclose agreements with foreign governments to telecom companies. There is a risk of disclosing ongoing international relations activities that are not for the telecommunications service providers to know.

    Thank you, Mr. Ramsay.

    Is there any further discussion on NDP‑11?

    Mr. Caputo, you have the floor.

    Mr. Chair, perhaps the officials could help me out here. I'm trying to keep everything straight. I want to make sure that we don't have any sort of conflict between proposed subsection 15.7(3) of NDP-11 and CPC-30. It seems to me that they are essentially tackling the same thing.

    Could the officials please weigh in on that?

    Mr. Chair, indeed, there is quite a bit of overlap between NDP-11 and CPC-30, to the degree that it would likely be interpreted as a drafting error down the road, given how similar it is. That creates an issue.

    The one new element in NDP-11 that's not in CPC-30 is a requirement that the government disclose to any telecom service provider that it has entered into an agreement with another state. That speaks to the concerns that Mr. Ramsay was outlining about requiring the government to keep potentially dozens of telecom service providers up to speed with basic international relations, which would be problematic.

    Given that proposed section 15.7 already prohibits the government from sharing even confidential information, that personally strikes me as quite a bit of cost to the government's conduct of international relations without material benefit from a privacy standpoint, in addition to, indeed, the duplication with CPC-30.

    Okay. Thank you.

     I would leave it to Ms. Kwan to gauge her feelings on this, but because of the overlap and the official's comments, I would be prepared to vote in favour of proposed subsection 15.7(4), but that would require deletion of proposed subsection 15.7(3) in the amendment.

    Thank you, MP Caputo.

    Are there any other interventions?

    Shall NDP-11 carry? No?

    (Amendment negatived [See Minutes of Proceedings])

    Now we're on CPC-32.

    Is CPC-32 being moved?

    Yes, Mr. Chair.

    Are there any interventions on CPC-32?

    Mrs. DeBellefeuille, you have the floor.

    Based on my reading of CPC‑32, it looks to me like it's similar to BQ‑7. Do you have any notes on that, Mr. Chair? I would like that clarified. Is it identical or similar?

    That's a great question.

    I'm going to suspend for a moment so that we get the most accurate answer.

    We're back.

    Procedurally, CPC‑32 is admissible.

    We will, however, turn to the experts from the department to answer Mrs. DeBellefeuille's question about BQ‑7 as compared to CPC‑32.

    I think there are actually a number of conflicts.

    For example, as a matter of policy, the committee adopted BQ‑5, which requires that all personal information be automatically confidential. However, CPC‑32 indicates how the government should manage personal information that is non-confidential. That would be a conflict in the bill, because all personal information would be confidential, according to BQ‑5.

    There are other conflicts with the Bloc Québécois amendments regarding the management of information for sharing purposes.

    In my opinion, there are a number of conflicts, but, overall, I think the committee agrees on the general principles. If CPC‑32 were to pass, there would be a conflict in the language of the bill.

    I'm not sure I understand your explanation. You say that CPC‑32 would conflict with BQ‑5, but I was asking you if it was comparable to BQ‑7. That leaves me a bit confused.

    There's a certain degree of conflict with BQ‑5 in terms of the concept. In the way it's drafted, CPC‑32 talks about non-confidential personal information. However, according to BQ‑5, any information that is not designated by the telecommunications service provider as confidential will automatically be considered confidential. That makes it impossible for any personal information to be non-confidential.

    According to on your explanation, if we adopt CPC‑32, we're going to have a problem, given that we've already adopted BQ‑5.

    That's right.

    I understand the committee's intent, but there would be a conflict specifically in the wording of the text.

    Okay.

    Thank you, Mrs. DeBellefeuille.

    Is there any further discussion on CPC‑32?

    (Amendment negatived [See Minutes of Proceedings])

    We'll now move on to PV‑9, which is deemed to be moved.

    Ms. May, you have the floor.

     Thank you, Chair.

    This is the longest amendment of the package that I've prepared, and it's because the gap is large and the risk is large.

     I note that though there are no line conflicts, I appreciate that, as in other cases, a number of us are trying to get to the same end from different places. Much further in the package, BQ-12 and CPC-45 try to get at the same policy objective. The language here is carefully worked out based on briefs that were received by the committee, particularly from the Canadian Civil Liberties Association and the Citizen Lab.

    The concern—and this week, as we know, we disagree with some of the advice from our experts here at the table—is that the expansion of the Communications Security Establishment's ability to access personal data is made possible under Bill C-8. It is concerning. It is not sufficiently restricted in how personal data obtained through these provisions can be used for purposes unrelated to cybersecurity. The concern has been mentioned before about how they can be used in foreign intelligence and criminal investigations. It constitutes a significant expansion of the government's ability and capability to investigate these concerns, and the use of personal data obtained through provisions in Bill C-8 must be strictly limited to only cybersecurity provisions.

    It's for those reasons that PV-9, the Green Party's ninth amendment, as you look at it, is long. It's long because it sets out in detail, in a workable format, how to ensure that the legislation functions and is clear. I won't read the whole thing, Mr. Chair, obviously, but it reads:

    That is also new and in this amendment.

    It goes on.

    It's a very strong set of guardrails. It doesn't get in the way of cybersecurity, but it does ensure that the door that's opened by Bill C-8 doesn't lead to abuse of personal information and abuses that Canadians and so many witnesses have raised with this committee.

    In case anyone's keeping track, none of my amendments have passed yet, so I'll go for the sympathy vote and see if we can get this one in.

    Thank you, Mr. Chair.

     Thank you, Madam May.

    I'll turn to MP Caputo first.

    Mr. Chair, I'm mindful of the fact this is a tough question, given the length of PV-9, but Ms. May pointed out the complementary nature—potential overlap is probably a better term—of CPC-45 and PV-9.

    At the end of the day, I just want to get the best language. I don't know if the officials could opine on that. It's probably for the committee to decide. Could the officials do a quick compare and contrast on whether there are implications for interpretation in one that might not be in the other?

    I'm sorry. If you need a couple of minutes, I apologize. Please let us know.

     We'll suspend for a few minutes so that we get the most accurate answer.

     Thank you for your patience.

    The short pause gave the experts a little time to reflect upon the important question that was raised.

    Do the officials have any input on this?

     Mr. Chair, we looked at a crosswalk between this and the amendments that were mentioned. Given that they apply to different parts and fundamentally to different acts at the end of the day, the Telecommunications Act and the critical cyber systems protection act, this is a pretty complex piece of drafting, but we don't think there is a conflict there. There are many other substantial problems with this amendment. However, in terms of a conflict with the specific ones that you asked about, we don't think so.

    Thank you. I appreciate that. I know these things don't solve themselves, and I know it takes a while to look it over, so I thank you for your timely response.

    You did mention there are some issues with this. We may not agree on these, but if you're prepared to lay them out, that will inform how I vote.

    The CSE already participates in a range of voluntary activities with ISED and with the telecommunications sector regarding the sharing of threat analysis and understanding best practices for how they can secure their networks. The team of my colleague here oversees a private sector-government working group that includes the CSE and Public Safety Canada and that sort of thing. There's already a range of activities that do exist.

    The CSE is still bound by the guardrails under the CSE Act in terms of how it operates, and there is a set of oversight mechanisms that govern the CSE as it is. The CSE does not have any regulatory powers, investigatory powers or anything under the Telecommunications Act currently or under Bill C-8. However, this proposes to have the Minister of Industry take on a new oversight role of designating CSE activities in implementing certain aspects of the act and governing certain aspects of sharing information that raise quite a few substantial, practical and operational questions for us.

    I also note that the committee has already adopted a range of existing protections in terms of the sharing of information, and specifically on personal information, that are much better targeted, in my opinion. If there are broader questions about the oversight of the CSE and how that would work, I think the CSE Act would be the better venue for dealing with that. Trying to work that into the Telecommunications Act and a new oversight function for the Minister of Industry seems quite complex and confusing.

     Ms. May, I may have missed this earlier. If so, I apologize.

    Obviously, this is a very nuanced amendment. I'm wondering if you could tell us about the genesis of this amendment, where it came from. Was it verbatim from somebody or a group, or was this put together from a number of different recommendations?

    It comes from the Canadian Civil Liberties Association in their brief to committee and specifically from recommendation 5. In drafting it, we also worked with them, asking how we address the concern that's found in recommendation 5 and how we ensure that the Communications Security Establishment's ability to access this personal data is absolutely nailed down to only those purposes that Bill C-8 intends.

     That's enough for me to vote in favour of it.

    Thank you.

    Thank you.

    MP Ramsay.

    Mr. Chair, I just want to add to what Mr. Arbour just told us. In our view, to amend or clarify the legal activities of the Communications Security Establishment, it would be better to amend the Communications Security Establishment Act than redefine the scope of the Telecommunications Act or the powers of the Minister of Industry, who really has nothing to do with this specific field of activity.

    Therefore, we will be voting against PV‑9.

    Thank you, Mr. Ramsay.

    That brings us to a vote on PV‑9.

    (Amendment negatived [See Minutes of Proceedings])

    That brings us to BQ‑7.

    Is BQ‑7 being moved?

    Go ahead, Mrs. DeBellefeuille.

    Yes, I would like to move BQ‑7.

    Basically, the amendment clarified information sharing even further to better respect privacy. It's based on recommendations from the Privacy Commissioner.

    Thank you, Mrs. DeBellefeuille.

    Over to you, Mr. Ramsay.

    We are in favour of pretty much most of the amendment. However, we would like to propose a subamendment, because it seems to us that there is a conflict in the retention of information, which could contravene the Telecommunications Act, and in the deletion of information, which could contravene the Privacy Act.

    Therefore, we would like to remove the last five words of the amendment, “whichever retention period is shorter.”

    Thank you, Mr. Ramsay.

    Do we have specific enough information to provide to members of Parliament? It seems so.

    Have all members understood the content of the subamendment?

    By the way, we've all understood that if BQ‑7 is adopted, then CPC‑33 can't be moved, because it's identical. In fact, since we are discussing BQ‑7, we won't be able to discuss CPC‑33 in a moment.

    Is there any discussion on the content of the subamendment proposed by Mr. Ramsay?

    (Subamendment agreed to [See Minutes of Proceedings])

    That brings us to BQ‑7 as amended.

    (Amendment as amended agreed to [See Minutes of Proceedings])

    That brings us to CPC‑34, since we're skipping CPC‑33.

    Is CPC‑34 being moved?

     If I could I just have a quick moment, my concern is that we are essentially dealing with a conflict with BQ-7, which just went forward. Could the officials confirm that, please? It looks as though we're in a bit of a conflict, though.

    As you noted, MP Caputo, we just voted on BQ-7, which was amended. Having considered BQ-7, we need to skip CPC-33, which is identical to BQ-7.

     No, I'm talking about CPC-34. I think that CPC-34 is almost identical, except for proposed subsection 15.701(2).

     There is a redundancy indeed with BQ-7, but it's not identical.

    It's not identical, but it's close enough. I think we would be getting into dangerous territory. The Liberals would have to move a subamendment, and we would be dealing with conflicting legislation there.

    Could I ask the officials about this? I think proposed subsection 15.701(2) is very clear. Just out of caution, does that conflict with anything we have passed so far?

    Mr. Chair, just to make sure I am referring to the right area, we're talking about CPC-34, proposed subsection 15.701(2), “In the case where the information was provided by”....

    Yes.

     The issue I'm grappling with in proposed subsection 15.701(2) is that it would require us to notify a telecommunications service provider about the disposal of personal information.

    The concern is less a conflict in law, as we would have to basically.... My apologies for being slow here. I think that whether there's an actual legal conflict, there's certainly a policy conflict in terms of how we would try to interpret the spirit of the provisions, because we are required to dispose of the information as soon as it's no longer needed or in accordance with the Privacy Act, but then we're also supposed to communicate with the telecom service provider about what we've done.

    For us to communicate that, it almost gets into having to specify the information in question, which involves us.... How would we talk about the personal information without again using the personal information in some shape or form? We don't foresee using personal information under these authorities, so it may be moot in practice, but in reality there does appear to be effectively a conflict here.

    Given that, then, I won't try to make the legislation any more complicated. The officials can get one there. I won't move that amendment.

    Thank you, MP Caputo.

    Not moving CPC-34 brings us to CPC-35, on which, according to my understanding, there may also be a redundancy with BQ-7.

    Yes. I will not be moving that one.

    Thank you.

     That brings us to CPC-36.

     Is CPC-36 being moved?

    Well, I do note the time, Mr. Chair, but I will work however many hours you want me to work—

    Some hon. members: Oh, oh!

    Frank Caputo: —but I think our Liberal colleagues have somewhere to be at 5:30. I'll let you have mercy on our Liberal colleagues.

    There is some good news here and some bad news. The good news is that MP Caputo is willing to work all the time and every time. The bad news is that he cannot work alone. He needs other colleagues.

     If I understand well, there will be a motion to adjourn.

     MP DeBellefeuille.

    Before you adjourn, Mr. Chair, I want to thank the interpreters. Today, once again, they did such an outstanding job that I was able to respond in real time. I would like to thank them, because it really makes a big difference to us. Kudos to them.

    Well done. I think your appreciation is widely shared.

    Obviously, we'll have the opportunity a little later, even though we should be doing it every day, to thank even more people who work very hard in this room and elsewhere. That will be for another day.

    In the meantime, we will have a meeting on Thursday on another topic, and we will obviously continue the clause-by-clause consideration of Bill C‑8 on February 24, when we get back from our constituency week.