Parliamentary Committee Notes: Second Reading Debate
Bill C-26, An Act Respecting Cyber Security
Executive Summary
On June 14, 2022, the Government introduced Bill C-26, An Act Respecting Cyber Security (ARCS), in the House of Commons. Second reading debate began on December 1, 2022, with debating resuming again on March 6 and March 23, 2023. The bill was referred to the Standing Committee on Public Safety and National Security (SECU) on March 27, 2023.
Throughout the debate, opposition parties expressed high-level support for the bill's intent to bolster cyber security and provide authorities that could be used to restrict the use of products from high-risk suppliers; however, they also had pointed criticisms of the bill's perceived lack of oversight vis-à-vis the new powers it grants to the Government and confidentiality provisions around orders and directions. All parties expressed a desire to see the bill referred to SECU so they could hear from expert witnesses on how best to address these issues through amendments.
Issues Raised by Party
There was participation from a range of Members of Parliament throughout the three sessions of second reading debate with the Conservative Party of Canada (CPC), the Bloc Québécois, the Liberal Party of Canada, the New Democratic Party and the Green Party all making interventions. The vast majority of speeches were made by Conservative Members.
Two main themes were repeatedly raised by Parliamentarians as areas for improvement: 1) Ensuring that any new Government powers have appropriate checks and balances in place to prevent their misuse and improve accountability; and 2) Protecting the privacy of Canadians. These critiques have drawn from submissions from industry associations, civil society groups and academia. A third category of comment that was less prominent but still relatively common addressed concerns over the possible financial impacts on small and medium-sized enterprises (SMEs).
The summary below is grouped by political party, with some overlap on issues.
Conservative Party of Canada
The CPC was broadly supportive, and spoke at length about the necessity for legislation such as C-26, and for legislation “banning Huawei” being overdue. MPs repeatedly focused on the threats from state adversaries, notably China and Russia. The speakers were clear in repeated statements that the CPC would be voting to support C-26 at second reading, and refer the bill to committee for review.
While supportive of the intent of the bill, Conservative members were quite vocal in raising concerns and several speakers were similarly clear that they expect amendments to address some of the expressed concerns, notably around: 1) Perceived lack of oversight and authority scope; 2) Better protecting the privacy of Canadians; and 3) Costs of compliance for SMEs.
- Perceived lack of oversight and authority scope. While supportive of the bill, Conservative members were quite vocal in raising concerns about the broad, sweeping new powers the bill grants to government, citing wording in the proposed Telecommunications Act (TA) amendments that would allow the Minister or Governor in Council to direct telecommunications service providers “to do anything, or refrain from doing anything.” That quote is a partial quote but nonetheless one that has drawn a lot of attention. The bill actually qualifies that phrase by referring to anything “that is specified in the order and that is, in the Minister's opinion, necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.” Members said that this needs to be balanced with an appropriate level of accountability.
- This discussion also included concerns about scope of authority. Language about the ability of the Minister to order a telecom service provider “to do anything or refrain from doing anything” (intended as a catch-all and bounded by other factors), and the ability to order the cessation of telecom service, have been cited by stakeholders and were further raised by Members during the debate. A prominent University of Toronto study assessed that the bill could be moderated with the inclusion of limiting principles grounded in “proportionality, necessity and reasonableness,” and several speakers cited that specific study and remedy.
- The legislation is designed to have the Cabinet or the Minister take action when and if needed, but it does not try to avoid accountability. As envisioned, orders will likely be infrequent and exceptional, with confidential orders even more rare. That said, this is not explicitly spelled out in the legislation.
- Various CPC members focused on the desirability of Parliamentary review, with suggestions for the need of more Parliamentary oversight. While orders made under the TA will be public by default, there are provisions to allow them to be kept confidential. The concept of producing an annual report was also mentioned. For example, MP Shipley noted “The Conservatives would like to see annual reporting from the minister on what actions have been taken and a public disclosure of the orders that the government is making under these newly afforded power.” Many of these comments were linked to a distrust of the Cabinet process or to sole Ministerial discretion. It is also possible we could see a proposal to have the National Security and Intelligence Committee of Parliamentarians (NSICOP) involved in review of confidential orders.
- One member suggested that, in an extreme scenario, a future government could use the bill to abuse the civil liberties of Canadian or intrude on their private lives. To address this, they suggested putting safeguards in place, like building into the legislation an ombudsman or oversight committee to prevent overreach.
- Privacy needs to be a more explicit part of the bill. The bill does not mention the Charter, or the Privacy Act. Echoing comments made by the Canadian Civil Liberties Association, several speakers noted there are broad powers for the Minister to request information, and share it across government, including security-focused departments, and potentially with other countries. These powers are modelled on those of the CRTC but transposed into the security context has created concern they would be used for surveillance of individuals and/or capture sensitive personal information.
- Conservative members also asked about the treatment of sensitive information obtained from providers, in particular, about protective measures vis-à-vis the exchange of information between companies and the responsible Minister, information which may then be passed on to other ministers and government agencies. They questioned the safety and security of sensitive information provided to the government by companies in accordance with reporting requirements, including their cybersecurity plans, given that the federal government itself is not immune from hacking.
- Red tape, high penalties and costs of compliance, especially for SMEs Some speakers mentioned that the costs to SMEs might end up being unaffordable, and could be seen as ‘piling on' if they had already suffered losses due to a cyber incident. Such costs could arise in complying with the requirements of the bill, or from the penalties which could be assessed. Stakeholders, including the Business Council of Canada, have held that compliance with C-26 could impose undue costs, and these views were cited during the debate. Given the resources of some major operators, the penalties have a high range (as much as $15 million per day).
- Members also echoed concerns raised publicly by Canadian civil liberties organizations, as well as by the Business Council of Canada, describing it as red tape with no incentives for SMEs, which would have more difficulty complying with, among other things, what they see as cumbersome reporting mechanisms. One member suggested the government get creative and look at capital expense tax write-offs, compensation for losses, or additional funding for smaller or rural telecom providers, suggesting the costs to meet the red tape might put small players out of business.
Bloc Québécois
The Bloc Québécois questioned why the government remains reactive on cyber security. Bloc members criticized how long it took the Government to act on Huawei, being the last of the FVEY allies to announce a position on 5G security. They asked if the precautionary principle should not be applied more systematically, along with the recommendations made by the Standing Committee on Government Operations and Estimates in its June 2021 report, titled Ensuring Robust Security in Federal Purchasing (recommendations in the report aim to consider national security more strongly in procurement).
On the subject of provincial jurisdiction, they raised concerns about the impact this bill could have on Quebec companies and organizations like Hydro-Québec, since it designates interprovincial power line systems as vital services and vital systems. They referenced the Conservatives and their “famous great energy corridor” and asked whether the federal government could use the bill to appropriate provincial responsibilities and critical infrastructure in the name of national security.
Bloc members expressed concern about the impact on small players, stating cyber-attacks on businesses can be sudden and unexpected, and not every business has the money to invest in cybersecurity or protection mechanisms.
The Bloc echoed CPC comments on accountability. They asked about accountability – since decisions will be made by order, does that mean that under this bill the government will be using orders to govern in this area instead of going through parliamentarians. They also asked what mechanisms exist in Bill C‑26 that would help ensure public trust, both in the Internet and more generally. Bloc speakers saw a clear linkage to Bill C-11 on digital culture, and expressed concerns about the possible misuse of private information by Tik Tok and Facebook, which is not covered by Bill C‑26.
New Democratic Party
NDP members' chief concerns with the bill were around its broad powers and lack of reporting mechanism, the potential impact on everyday Canadians, and the lack of oversight and transparency. They also asked how the rights of persons with disabilities—who rely on technologies for everyday barrier reduction—to access technologies will be protected.
The NDP asked if the Government would be willing to work with them on amendments to add protections for everyday Canadians. In particular, they are seeking assurances that Canadians will not be unjustly examined or that this is not going to be applied to ordinary Canadians. Along with the other parties, they want assurances for everyday Canadians that the new powers, which they characterize as broad and sweeping, are not going to be applied for surveillance of everyday Canadians.
On the issue of transparency, the NDP emphasized the need for reporting on the extent to which the new powers are used, stating that, as drafted, “there will be no factual basis upon which to evaluate whether the powers have been appropriate or adequate, or whether they need to change in the future.”
Green Party
The Green Party expressed a concern over the authorities of the Communications Security Establishment (CSE). They referenced an open letter from civil liberties groups calling for improvements to the bill, in particular, in relation to concerns that “secrecy undermines accountability and due process.” They expressed interest in improvements that would ensure better public reporting and better balance the need to improve cybersecurity while holding on to accountability and transparency.
- Date modified: