Canada's Bill C-8, the Act Respecting Cyber Security, aims to strengthen the country's cyber defense in the face of a complex threat landscape. While the bill continues to make its way through the legislative process, its success may ultimately depend on whether its obligations can balance national security with privacy protections.

During a recent appearance before the House of Commons Standing Committee on Public Safety and National Security, Privacy Commissioner of Canada Philippe Dufresne unpacked what privacy mechanisms would make sense for the bill.

Dufresne noted the bill's obligations recognize "steps must be taken to protect critical infrastructure against cyber threats, which are continuing to evolve in sophistication and complexity." However, he indicated changes to the bill could better support both security and privacy, urging lawmakers and officials to prioritize consistency by introducing a uniform set of standards for data collection and safeguards for information-sharing agreements.

Key Concerns

Bill C-8, previously Bill C-26, aims to amend the Telecommunications Act and implement the Critical Cyber Systems Protection Act. The bill looks to bolster cybersecurity safeguards for critical infrastructure by creating a cybersecurity framework for the banking, energy, transport and telecommunications industries. Under Bill C-8's requirements, organizations must establish cybersecurity programs, manage third-party risks and report cyber incidents to federal authorities. 

The bill prioritizes the security of Canada's telecommunications system. It would also grant the Minister of Industry and the Governor of the Council a new authority to issue binding orders to telecommunications service providers. Through this enforcement, the office can require companies to take steps to safeguard their networks, supply chains and equipment from cyber threats. 

Despite goals to strengthen digital infrastructure, Bill C-8 has raised concerns that its enforcement powers could allow government agencies to obtain access to personal information, including encrypted data. 

Intelligence Commissioner of Canada Simon Noël previously testified to the Standing Senate Committee on National Security, Defense and Veterans Affairs, warning the bill's efforts to strengthen enforcement would "essentially compel the production of any information in support of orders," and allow for potential nonconsensual disclosures of personal information.

While Bill C-8 could allow for enhanced enforcement powers, Canadian Cyber Threat Exchange Executive Director Jennifer Quaid argued collaborations between organizations and agencies can also be a powerful tool to strengthen cybersecurity. Quaid said the legislation must ensure "that organizations who are trying to do the right thing by sharing useful information about cyber attackers and their techniques are not punished. Without Safe Harbor protections, too many organizations hesitate to talk about breaches or vulnerabilities. … They fear lawsuits, reputational damage, or regulatory penalties."

The Canadian Civil Liberties Association and OpenMedia also raised concerns about Bill C-8's alleged lack of safeguards to prevent potential government surveillance. OpenMedia Executive Director Matt Hatfield claimed the proposed legislation "can be abused to surveil Canadians in secret, well beyond its legitimate purpose," while urging officials to implement changes to data protection standards. 

OPC Recommendations

Though Dufresne said he supports Bill C-8's efforts to protect sensitive data from evolving cyber threats, he issued recommendations to mitigate the bill's privacy implications.

"It's essential to ensure that the new powers or authorities and obligations that are created to improve cybersecurity contain the necessary limits and do not have an unintended impact on privacy," Dufresne said.

Dufresne noted the bill should require government agencies to conduct risk assessments and introduce standards to ensure data is only collected and processed for intended uses. Agencies must also implement safeguards when sharing information with foreign governments.

While the bill looks to modernize digital security standards, Dufresne called for the implementation of a mechanism to inform the OPC of cybersecurity breaches affecting individuals' personal data and incidents concerning information shared internationally.

By notifying the OPC of potential security concerns, Dufresne noted the OPC and agencies "can collaborate and coordinate our efforts in protecting Canadians' privacy."

Bill C-8 is currently under consideration by the House of Commons.

Lexie White is a staff writer for the IAPP.