Parliamentary Committee Notes: Bill C-26 Second Reading Questions

The below was prepared in response to questions during the Second Reading Debate for Bill C-26 on September 19, 2024.

Q1.

Why are designated operators required to report cyber incidents to the Communications Security Establishment within a period prescribed by regulations not exceeding 72 hours, while political parties – who hold large amounts of private information on Canadian citizens and are targets of foreign threat actors – are required to inform the individual of an unauthorized disclosure within no set timeframe (Bill C-65)? Why would the same provision not be in place?

A1.

Part 2 of Bill C-26 and Subdivision C of Bill C-65 serve two different purposes and, therefore, have different obligations and requirements.

Part 2 of Bill C-26 is focused on the security of critical cyber security systems, while Subdivision C of Bill C-65 is focused on establishing a regime for registered and eligible parties respecting their collection, use, disclosure, retention and disposal of personal information.

Although the terms “cyber incident” and “data breach” are often used interchangeably, they are not the same thing. A cyber incident is any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource. It is important to note that not all cyber incidents involve the loss of data or personal information, though many do.

Part 2 of Bill C-26 seeks to protect critical cyber security systems in federally regulated critical infrastructure by imposing obligations on designated operators. This includes a requirement to report information about cyber incidents above a certain threshold. The reporting would be focused on what is happening to a designated operator's critical cyber system so that the Communications Security Establishment (CSE) may provide cyber security advice, guidance, and services in a timely manner to secure that affected system and protect others that may be vulnerable.

These incident reports are intended to allow CSE to rapidly deploy resources and render assistance to victims suffering an incident, analyze incoming reporting across sectors to spot trends, and quickly share that information with operators, critical infrastructure sectors and other potential victims.

Should a cyber security incident also result in a privacy breach, the affected designated operator would be required to treat the breach according to the relevant provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) and/or the Privacy Act, as applicable. This could include notification to the Office of the Privacy Commissioner (OPC) and affected individuals if it is reasonable to believe that the breach creates a real risk of significant harm to the affected individual.

Though the protection of personal information is not the primary purpose of Part 2 of Bill C-26, a reduction in the overall number of cyber incidents would likely also reduce the number of cyber incidents that include data breaches, which could include personal information and data. In this way, Part 2 of Bill C-26 is expected to have a positive effect on the protection of personal information.

With respect to the timeframe for reporting a cyber incident, the initial draft of the legislation required designated operators to report the incident “immediately.” Many industry stakeholders noted that this timeframe for reporting was both unrealistic and open to interpretation.

They called for a well-defined timeframe that would allow designated operators to collect relevant information, assess the materiality of an incident, and compile an actionable report.

That is why the Committee carried a motion specifying that cyber incidents must be reported within a period prescribed by the regulations not exceeding 72 hours.

In addition, this timeframe is consistent with the reporting requirements of our Five Eyes partners, including the U.S.

Specificity around the types of incidents, thresholds, timelines and processes for reporting cyber security incidents will be determined during the development of regulations and in consultation with governments, industry and regulators.

Q2.

What kind of oversight is provided in Bill C-26 to oversee Ministerial Order and Direction making powers, and how can the Judicial Review process be leveraged?

A2.

Bill C-26 includes provisions to ensure the protection of Canadians' rights, and they were further strengthened via amendments adopted by the House of Commons.

Part 1 – Amendments to the Telecommunications Act

Amendments

The new policy objective under Part 1 is limited to the protection of the telecommunications system, rather than advancing security objectives overall. This frames the provisions as governing technical network operations rather than advancing general security or law enforcement aims. Other protections include the Privacy Act, limits on information sharing so that only non-confidential information is involved, and administrative law requirements to consult affected parties in rule-making.

A “reasonableness test” was added along with a non-exhaustive list of factors that must be considered in developing orders.

For greater certainty, there are explicit designations for personal and de-identified information and further confirmation that orders cannot be used to intercept private communications.

To improve oversight, there are detailed annual reporting requirements.

Additionally, in the event that a confidential order or security direction is issued, the National Security and Intelligence Review Agency (NSIRA) and the National Security and Intelligence Committee of Parliamentarians (NSICOP) must be notified within 90 days of the order.

Confidential orders are expected to be rare and only necessary in instances where public disclosure could expose vulnerabilities to Canada's telecommunications system. Still, these two oversight bodies will be informed of all confidential orders to help ensure these powers are used appropriately.

These additions are expected to provide transparency to stakeholders and the public regarding the Government's use of these new powers.

Judicial Review

Regulated entities have recourse to judicial review should they wish to challenge an Order or cyber security direction.

C-26 was also introduced with provisions that would allow for the secure treatment of sensitive information with appropriate protections.

Since then, Parliament passed C-70, An Act respecting countering foreign interference. It includes provisions for secure administrative review proceedings that will prevail instead so that there are consistent provisions for this issue across legislation.

The C-70 provisions are similar but provide greater protection for entities challenging a government rule, in particular they provide for a security-cleared counsel to be provided.

Part 2 – Critical Cyber Systems Protection Act

Amendments

To balance the need for secrecy with the public's desire for transparency there are now specific reporting requirements in the Annual Report.

The Minister of Public Safety must notify the NSICOP and NSIRA within 90 days of a direction being issued.

Guardrails were introduced around direction-making powers, including:

These additions are expected to provide transparency to stakeholders and the public regarding the Government's use of these new powers.

Judicial Review

A designated operator subject to a Cyber Security Direction (CSD) would be able to seek judicial review before the Federal Court of Canada and challenge the direction.

The Critical Cyber Systems Protection Act (CCSPA) would create a framework to facilitate the protection and use of sensitive information in the course of any such judicial review.

In the national security context, this framework is similar to ones that exist in other legislative regimes. For example, the appeals procedures set out at subsection 16(6) of the Secure Air Travel Act (SATA) are virtually identical to the judicial review procedures proposed for the CCSPA. They provide for the non-disclosure of information in an appeal where the disclosure could be injurious to national security or endanger the safety of any person.

Because the Bill stipulates that judicial review proceedings related to cyber security directions must be conducted in the absence of the public and the applicant when the threshold set out in the legislation is met, it engages Section 2(b) of the Charter.

The following considerations support the consistency of this aspect of the Bill with the Charter.

Like other Charter rights, the open court principle is not absolute and may be limited where there are pressing state objectives. Protecting sensitive information, the disclosure of which could harm international relations, national defence or national security, or endanger the safety of any person, is a recognized and important state interest.

The hearing process that would be established under the Bill is tailored to limit the use of closed proceedings to only those situations where closed hearings are necessary to protect sensitive information.

The responsibility for assessing whether the release of the information could lead to the listed harms would lie with the presiding judge. Most importantly, the closed proceeding provisions only apply to those portions of the judicial review proceedings that involve sensitive information.

The remainder of the hearing would be open to the public and the applicant. Finally, any summaries of evidence provided to the applicant would become part of the publicly available court record.

Q3.

What are the potential criminal offences that someone could be charged with under this Act?

A3.

Part 1 – Amendments to the Telecommunications Act

Part 1 of Bill C-26 establishes an administrative monetary penalty scheme and a sentencing scheme to promote compliance with orders and regulations.

The maximum penalty for individuals is $25,000, or $50,000 for subsequent violations. In any other case, the maximum penalty is $10,000,000, or $15,000,000 for subsequent violations.

The amount of a penalty will consider several factors including history of compliance (or non-compliance), the nature and scope of the violation, and any benefits gained from violation.

The Bill also explicitly requires that the operational and financial impacts on telecommunications service providers be considered when assessing monetary penalties, as well as any other factors deemed relevant by the Minister.

When it comes to the sentencing scheme, for individuals, offences can be punishable by imprisonment (up to two years less a day) or a fine, or both, depending on the court's decision.

Part 2 – Critical Cyber Systems Protection Act

The CCSPA relies on both an administrative monetary penalty regime and a regulatory (or quasi-criminal) offences regime for enforcement of its provisions.

Administrative Monetary Penalties (AMPs) are intended to encourage compliance with the Act and are not meant to be punitive. Additionally, there are off-ramps available to designated operators, including entering into a compliance agreement with the regulator, who may then reduce the penalty in whole or in part.

In addition to AMPs, the CCSPA would create summary and hybrid offences for the most serious contraventions of the Act, such as not implementing a Cyber Security Direction or disclosing confidential information, including the existence or contents of a direction.

These hybrid offences would be punishable by a fine and/or a maximum term of imprisonment of two years less a day on summary conviction and five years on indictment. The offences are tailored to the legislative objectives and preserve the discretion of trial judges to impose a fit and appropriate sentence.

Due diligence is always a defence for designated operators. None of the offences in the CCSPA would give rise to the possibility of imprisonment in the absence of, at a minimum, negligence on the part of the accused.

Q4.

Is Bill C-26 in contravention of the Charter of Rights and Freedoms but saved by Section 1, as indicated in the Charter Statement?

A4.

Part 1 – Amendments to the Telecommunications Act

The Bill is Charter compliant. The Charter Statement recognizes that certain rights may be engaged, but also highlights the aspects by which those provisions would be consistent with the Charter.

For example, the requirement for regulated entities to comply with certain information collection requests potentially engages Section 8. However, the statement notes that, generally speaking, the information being gathered relates to the technical operations of commercial entities. This is not the kind of personal biographical information that attracts a heightened privacy interest. Statutory powers to require the production of relevant information for regulatory or administrative purposes, rather than for the purpose of investigating criminal offences, have been upheld as reasonable under Section 8.

Amendments adopted in the House of Commons provide further comfort that the rights of Canadians will be respected. For example, they provide greater certainty on the protection of personal and de-identified data and confirm that the Privacy Act continues to apply.

Part 2 – Critical Cyber Systems Protection Act

The Bill is Charter compliant. The Charter Statement recognizes that certain rights may be engaged, but also highlights the aspects by which those provisions would be consistent with the Charter.

Four sections of the Charter could potentially be engaged by the proposed legislation: Sections 2(b), 7, 8 and 11.

In reviewing the provisions of the Bill, the Minister of Justice highlighted considerations that support the consistency of the regime with Sections 2(b), 7, 8 and 11 of the Charter.

Non-disclosure of Cyber Orders (Section 2(b) of the Charter): The Minister of Justice did not identify any inconsistencies between the non-disclosure provisions and Section 2(b) of the Charter.

Offences (Section 7 of the Charter): In reviewing the offence provisions included in the CCSPA, the Minister of Justice did not identify any inconsistencies with the principles of fundamental justice under Section 7 of the Charter.

Inspection, requirement and disclosure powers (Section 8 of the Charter): Because these powers have the potential to interfere with privacy interests, they may engage Section 8. With respect to the potential to engage Section 8 of the Charter, the proposed powers are similar to regulatory inspection powers that have been upheld in other contexts.

Administrative monetary penalties (Section 11 of the Charter): The following considerations support the consistency of the regime with Section 11 of the Charter.
