Parliamentary Committee Notes: Summary of Issues Addressed During SECU Study
Executive Summary
On June 14, 2022, the Government introduced Bill C-26, An Act Respecting Cyber Security (ARCS), in the House of Commons. Second reading debate began on December 1, 2022, with debate resuming again on March 6 and March 23, 2023. All parties expressed a desire to hear from expert witnesses on how to best address various concerns through amendments. The bill was referred to the Standing Committee on Public Safety and National Security (SECU, or Committee) on March 27, 2023. Committee study began January 29, 2024 with five meetings between then and February 12, 2024 to hear from witnesses, followed by two clause-by-clause sessions held on March 18, 2024 and April 8, 2024, where the Committee carried several motions addressing stakeholder concerns.
Throughout Committee study, witnesses provided testimony and had the opportunity to respond to questions from Members of Parliament (MP). Overall, stakeholders and MPs generally expressed support around the importance of this legislation and protecting Canada's critical infrastructure from cyber threats and vulnerabilities. However, concerns were raised about the bill's perceived lack of oversight vis-à-vis the new powers it grants to the Government, the treatment of confidential information, personal information protection, clarity around program design, and confidentiality provisions around orders and directions.
Summary of Issues Raised
A range of witnesses from academia, civil liberties groups, regulators, industry, the Government of Canada (GC) and cyber security experts participated in discussions. Parliamentarians from the Conservative Party of Canada (CPC), the Bloc Québécois (BQ), the Liberal Party of Canada (LPC), and the New Democratic Party (NDP) provided their perspectives as well. Many MPs from the LPC and the NDP asked about the risks of delaying or not passing the legislation, including consequences to critical infrastructure, increased costs of cyber incidents, and falling behind Canada's allies.
The summary of issues below is grouped by key themes raised by Parliamentarians and stakeholders during Committee study:
Due Diligence Defence and Administrative Monetary Penalty Regime
The BQ, CPC and stakeholders commented on the possible financial impact that penalties impose on small and medium-sized enterprises (SMEs), arguing that they are unaffordable by all but the largest of organizations. Some speakers suggested the Administrative Monetary Penalty (AMP) regime was a double punishment, with companies being fined for being hacked. Stakeholders suggested providing a due diligence provision ensuring that no one is punished for good faith efforts to comply with the legislation, and perhaps that such organizations be protected from personal and civil liability.
Treatment of Confidential Information
The LPC and CPC inquired about the treatment of confidential information collected by the GC from industry. In particular, the CPC questioned the safety and security of sensitive information provided to the government in accordance with reporting requirements, given that the federal government itself is not immune from hacking. Stakeholders raised similar concerns about the treatment of confidential information. Suggestions were made that conditions on the use of information should be strengthened and/or limits should be introduced on the amount of sensitive data collected. Additionally, it was recommended that any information the Communications Security Establishment (CSE) obtains about Canadians under this legislation should be used exclusively for the defensive cyber security part of its mandate, and/or that the CSE be carved out of the legislation to avoid a “chilling” effect whereby organizations share less. Some stakeholders also expressed interest in adding safe harbour provisions to encourage information sharing and broadening information sharing to security-focused government departments and agencies, including the CRTC.
Personal Information Protection
CPC and NDP members inquired whether this legislation, without amendments, will protect the privacy of Canadians. LPC members raised questions about how the legislation will intersect with the Privacy Act. Stakeholders stated that this legislation threatens individuals' privacy and makes it difficult for organizations to comply with privacy laws. Several stakeholders proposed explicit protections for personal information, and tighter controls surrounding the sharing and use of personal and confidential information. Witnesses also argued that privacy rights must be entrenched in the legislation and proportionality tests are needed, similar to Australia's cyber security legislation. OpenMedia delivered a petition with nearly 6,000 Canadian signatures demanding increased protection of privacy.
Additional Guardrails on Orders/Direction-Making Powers
The NDP, LPC, CPC and BQ members scrutinized the lack of guardrails on the new powers granted to the GC, citing the need for increased transparency. CPC and BQ members raised concerns about the sweeping powers that the bill grants to the GC, with the CPC commenting that this legislation may enable the GC to shut Canadian services off. Stakeholders shared concerns that the legislation's sweeping powers enable the GC to create back doors, weaken encryption standards and seize anything. They emphasized that regulatory authorities and GC access rights should be limited in their scope and to certain critical situations that meet specific non-compliance thresholds. Stakeholders also shared concerns that those charged with creating industry-specific directions need to have the skills required to do so effectively, and should collaborate with industry.
Witnesses recommended the inclusion of ‘fair and reasonable limitations’ on powers to issue orders and directions, stating that, otherwise, there would be no obligation for the Cabinet to consider the costs to companies of complying with an order, whether there are reasonable alternatives to an order, or the possible effects on competition or customers. LPC members inquired about the number of sectors the legislation applies to, the new authorities the GC will receive under this legislation, and the inclusion of a reasonableness standard for orders and directions. They also proposed a list of factors to be considered before orders and directions can be issued. Further recommendations were made to place proportionate and reasonable limits on powers, such as making the issuance of cyber security directions subject to section 3 of the Statutory Instruments Act, which would hold that any Cabinet orders issued to designated operators under the legislation should be examined by the Clerk of the Privy Council and the Deputy Minister of Justice.
Treatment of Confidential Orders/Directions
LPC members questioned whether the use of confidential orders and directions was justifiable. To address transparency concerns, stakeholders suggested eliminating secret evidence or appointing special advocates to ensure that all evidence is duly tested when subject to judicial review. They also proposed that orders issued under the legislation be published annually in the Canada Gazette. Any exceptional circumstances that may justify confidentiality of those orders should be expressly and strictly defined in legislation, and should be time limited.
Clarifying Language
The CPC, LPC and BQ members all asked how definitions can be further clarified. Stakeholders suggested defining key terms more precisely, such as “cyber security incident” and “critical cyber system”. They also recommended amending language to encourage all organizations, not just designated operators, to voluntarily share cyber threat information.
Clarity around Program Design and Clarifying Provisions
All political parties that were present raised several inquiries about program design. The NDP and BQ members asked about the cost of compliance for SMEs, especially given labor shortages. CPC members brought up similar concerns over the cost of compliance for operators and how that may affect Canadians. Stakeholders suggested the use of tax incentives to encourage cyber security compliance, rather than punishing non-compliance.
Several inquiries about the mandatory reporting requirements were raised by the BQ, NDP, and LPC. Stakeholders recommended that the legislation follow requirements similar to those of the U.S., allowing for a 72-hour reporting window for cyber security incidents, as opposed to immediate reporting. The CPC also expressed concerns that the legislation will have a “chilling” effect on information sharing between the GC and operators given the mandatory reporting. To increase two-way information sharing, stakeholders suggested making membership in the Canadian Cyber Threat Exchange an allowable expense for GC programs.
The BQ, CPC, and LPC asked how this legislation may change pre-existing regulatory requirements, including provincial regulations. LPC Members also inquired into the framework for cyber security programs and about the reasonable steps operators must take to mitigate supply-chain and third-party service risks. Stakeholders recommended aligning the legislation with pre-existing regulatory frameworks, such as those established by provincial regulatory agencies, to avoid regulatory overlap. Several MPs and witnesses also expressed interest in aligning this legislation with international standards, specifically those of the U.S., UK and Australia, in regards to adopting a risk-based methodology for designated operators proportionate to their level of risk.
Committee Study Adopted Amendments
Committee members took great care to strengthen this legislation during their study, taking into consideration concerns raised by a variety of stakeholders including industry, provinces and territories, academia and civil liberties associations. To address the issues raised by stakeholders, the Committee carried several motions providing additional transparency, oversight and personal information protections that strengthen provisions of the bill.
A summary of these motions is provided below, including, but not limited to, the following:
- Availability of a due diligence defence, and parameters for enforcing the Administrative Monetary Penalty regime;
- Greater certainty that Canadians' privacy and personal information will be protected in accordance with the Privacy Act;
- Assurance that confidential information will be treated as such by anyone receiving such information;
- Specifications for the contents of annual reports to Parliament;
- An obligation for the government to notify review bodies that an order or direction has been issued;
- A reasonableness standard and a non-exhaustive list of factors that the Government must consider before deciding to issue an order or direction;
- Specification that cyber incidents must be reported within a period prescribed by the regulations, not exceeding 72 hours; and
- Explicit reference that this legislation aims to be harmonized with existing regulatory regimes wherever possible.
Additional details on these amendments are provided below.
Due Diligence Defence and Administrative Monetary Penalty Regime
For Part 1, a clause in the Bill which would have denied a due diligence defence was not adopted. As a result, the existing practice in the Telecommunications Act allowing for due diligence will apply. Provisions were added to explicitly consider the operational and financial impacts on telecommunications service providers when assessing monetary penalties, as well as any other factors the Minister believes are relevant.
Treatment of Confidential Information and Personal Information Protection
For both Parts 1 and 2 of the bill, amendments were made to provide greater certainty that confidential information would continue to be treated as confidential. This is expected to provide sectors with reassurance that their confidential information is, and will continue to be, treated appropriately. The bill now makes it explicit that Canadians' personal information and privacy will be protected in accordance with the Privacy Act. Specific to Part 1, amendments were also carried to strengthen personal privacy considerations by introducing definitions for “personal information” and “de-identified information”. A proposal by the NDP for text specifying the use of Special Advocates was ruled out of order; however, with the passage of Bill C-70 (An Act respecting countering foreign interference), a blanket provision for Special Advocates to participate in relevant circumstances has been established.
Additional Guardrails on Order Making Powers
A number of amendments were carried to both provide further clarity on government powers and bolster transparency to the public. With respect to both Parts 1 and 2 of the bill, amendments were made to create mandatory public reporting requirements. In order to balance the need for secrecy with the public's desire for transparency, the Committee specified the contents of the annual report to Parliament that makes certain details of the directions or orders issued public. By providing added specificity around how often directions are made, the number of designated operators that received directions and other relevant information, a level of transparency is provided to Canadians surrounding this confidential process for the protection of critical infrastructure. To further define the scope of the government's new powers, amendments were carried to require a reasonableness standard and a non-exhaustive list of factors that, for Part 1, the Minister of Industry and the Governor in Council (GIC), and for Part 2, the GIC, must consider before deciding to issue an order or direction. Additionally, for Part 1, the Minister of Industry must notify the National Security and Intelligence Committee of Parliamentarians (NSICOP) and the National Security and Intelligence Review Agency (NSIRA) within 90 days of an order being issued, as must the Minister of Public Safety for Part 2. These additions are expected to provide transparency to stakeholders and the public regarding the government's use of these new powers.
Clarity Around Program Design
Specific to Part 2 of the bill, the Committee carried several motions that improve sectors' ability to implement, and comply with, cyber security programs. Amendments were made to provide greater flexibility on the timing of notification of changes to designated operators' supply chain and third-party service or product risks. The Committee also carried a motion specifying that cyber security incidents must be reported within a period prescribed by the regulations not exceeding 72 hours, making certain that operators are able to provide this information within a reasonable time period. Additionally, a motion was passed that would ensure, where possible, regulations would be harmonized with existing regulatory regimes, such as national, provincial or international regulatory regimes. It was also further defined in Part 2 that collaboration with provinces and territories will be an integral aspect of the regulatory process.
Overall, the amendments brought forward and carried during Committee study address key stakeholder concerns and will serve to strengthen the legislation, while still achieving the bill's important objective of securing Canadian critical infrastructure against security and cyber threats and vulnerabilities.
List of Witnesses
January 29, 2024
Department of Public Safety and Emergency Preparedness
- Colin MacSween, Director General, National Cyber Security Directorate
- Kelly-Anne Gibson, Director, Cyber Protection Policy Division
Department of Industry
- Éric Dagenais, Senior Assistant Deputy Minister, Spectrum and Telecommunications Sector
- Wen Kwan, Senior Director, Information and Communications Technology Resilience
- Andre Arbour, Director General, Telecommunications and Internet Policy Branch
Communications Security Establishment
- Sami Khoury, Head, Canadian Centre for Cyber Security
- Daniel Couillard, Director General, Partnerships and Risk Mitigation at the Canadian Centre for Cyber Security
February 1, 2024
Business Council of Canada
- Trevor Neiman, Vice-President, Policy, and Legal Counsel
Canadian Internet Registration Authority
- Byron Holland, President and Chief Executive Officer
Canadian Constitution Foundation
- Joanna Baron, Executive Director (by videoconference)
Centre for International Governance Innovation
- Aaron Shull, Managing Director and General Counsel
Privacy and Access Council of Canada
- Sharon Polsky, President
February 5, 2024
Beauceron Security
- David Shipley, Chief Executive Officer
Canadian Chamber of Commerce
- Ulrike Bahr-Gedalia, Senior Director, Digital Economy, Technology and Innovation
IBM Canada
- Daina Proctor, CyberSecurity Service Line Executive
- Tiéoulé Traoré, Government and Regulatory Affairs Executive
Bruce Power
- Todd Warnell, Chief Information Security Officer
Citizen Lab
- Kate Robertson, Senior Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto
OpenMedia
- Matthew Hatfield, Executive Director (by videoconference)
February 8, 2024
BlackBerry
- John de Boer, Senior Director, Government Affairs and Public Policy, Canada
Canadian Cyber Threat Exchange
- Jennifer Quaid, Executive Director
Electricity Canada
- Francis Bradley, President and Chief Executive Officer
Canada Energy Regulator
- Chris Loewen, Executive Vice-President, Regulatory (by videoconference)
- Christopher Finley, Director, Emergency Management and Security (by videoconference)
Canadian Radio-television and Telecommunications Commission
- Steven Harroun, Chief Compliance and Enforcement Officer
- Anthony McIntyre, General Counsel and Deputy Executive Director, Legal Services
- Leila Wright, Executive Director, Telecommunications
February 12, 2024
As an Individual
- Andrew Clement, Professor Emeritus, Faculty of Information, University of Toronto
- Kate Robertson, Senior Research Associate, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto
Canadian Bankers Association
- Charles Docherty, Assistant General Counsel and Vice-President, Legal and Risk
- Angela Mason, General Counsel and Senior Vice-President, Legal and Risk
Canadian Telecommunications Association
- Robert Ghiz, President and Chief Executive Officer
- Eric Smith, Senior Vice-President
Office of the Privacy Commissioner of Canada
- Philippe Dufresne, Privacy Commissioner of Canada
Office of the Superintendent of Financial Institutions
- Tolga Yalkin, Assistant Superintendent, Regulatory Response Sector