Parliamentary Committee Notes: Charter Statement

Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Tabled in the House of Commons, December 14, 2022

Explanatory Note

Section 4.2 of the Department of Justice Act requires the Minister of Justice to prepare a Charter Statement for every government bill to help inform public and Parliamentary debate on government bills. One of the Minister of Justice's most important responsibilities is to examine legislation for inconsistency with the Canadian Charter of Rights and Freedoms [“the Charter”]. By tabling a Charter Statement, the Minister is sharing some of the key considerations that informed the review of a bill for inconsistency with the Charter. A Statement identifies Charter rights and freedoms that may potentially be engaged by a bill and provides a brief explanation of the nature of any engagement, in light of the measures being proposed.

A Charter Statement also identifies potential justifications for any limits a bill may impose on Charter rights and freedoms. Section 1 of the Charter provides that rights and freedoms may be subject to reasonable limits if those limits are prescribed by law and demonstrably justified in a free and democratic society. This means that Parliament may enact laws that limit Charter rights and freedoms. The Charter will be violated only where a limit is not demonstrably justifiable in a free and democratic society.

A Charter Statement is intended to provide legal information to the public and Parliament on a bill's potential effects on rights and freedoms that are neither trivial nor too speculative. It is not intended to be a comprehensive overview of all conceivable Charter considerations. Additional considerations relevant to the constitutionality of a bill may also arise in the course of Parliamentary study and amendment of a bill. A Statement is not a legal opinion on the constitutionality of a bill.

Charter Considerations

The Minister of Justice has examined Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, for any inconsistency with the Charter pursuant to his obligation under section 4.1 of the Department of Justice Act. This review involved consideration of the objectives and features of the Bill.

What follows is a non-exhaustive discussion of the ways in which Bill C-26 potentially engages the rights and freedoms guaranteed by the Charter. It is presented to assist in informing the public and Parliamentary debate on the Bill. It does not include an exhaustive description of the entire bill, but rather focuses on those elements relevant for the purposes of a Charter statement.

The main Charter-protected rights and freedoms potentially engaged by the proposed measures include:

• Freedom of expression (section 2(b)) – Section 2(b) of the Charter provides that everyone has freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication. It includes the “open court principle” whereby members of the public have a right to receive information pertaining to judicial proceedings.
• Right to life, liberty and security of the person (section 7) – Section 7 of the Charter protects against the deprivation of an individual's life, liberty and security of the person unless done in accordance with the principles of fundamental justice. These include the principles against arbitrariness, overbreadth and gross disproportionality. An arbitrary law is one that impacts section 7 rights in a way that is not rationally connected to the law's purpose. An overbroad law is one that impacts section 7 rights in a way that, while generally rational, goes too far by capturing some conduct that bears no relation to the law's purpose. A grossly disproportionate law is one whose effects on section 7 rights are so severe as to be “completely out of sync” with the law's purpose. Also, for the mental element (mens rea)of a criminal offence to be consistent with the principles of fundamental justice, at least a defence of due diligence must be open to an accused person.
• Right to be secure against unreasonable search or seizure (section 8) – Section 8 of the Charter protects against “unreasonable” searches and seizures. The purpose of section 8 is to protect individuals against unreasonable intrusions upon their privacy. A search or seizure that intrudes upon a reasonable expectation of privacy will be reasonable if it is authorized by a law, the law itself is reasonable (in the sense of striking an appropriate balance between privacy interests and the state interest being pursued), and it is carried out in a reasonable manner.
• Rights that apply to any person charged with an offence (section 11) – Section 11 of the Charter guarantees certain rights to persons who have been charged with an offence. Persons are “charged with an offence” within the meaning of section 11 if they are subject to proceedings that are criminal by nature, or that can result in “true penal consequences”. True penal consequences include imprisonment and fines with a punitive purpose or effect, as may be the case where the fine or penalty is out of proportion to the amount required to achieve regulatory purposes.

Part 1 – Amendments to the Telecommunications Act

The Bill would amend the Telecommunications Act to add security to the nine other policy objectives currently identified in that Act, bringing telecommunications in line with other critical sectors. The Bill would also add new authorities to the Telecommunications Act, which would enable the Government to take action to promote the security of the Canadian telecommunications system.

These new authorities include order powers for the Governor in Council and Minister of Industry, which could be relied on when it is necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption. These orders would apply to telecommunications service providers (“TSPs”). For example, the orders could prohibit a TSP from using products and services provided by a specified company or other person, direct a TSP to remove specified products from its telecommunications networks or facilities, impose conditions on a TSP's use or provision of services, require that a TSP perform specified review processes on its networks or facilities, or require that a TSP develop a security plan. The Governor in Council would also be able to make regulations of a similar nature.

Non-disclosure of Orders (section 2(b) of the Charter)

In making such orders to TSPs, the Bill would allow the Governor in Council or the Minister of Industry to prohibit any person from disclosing the existence of the order, or some or all of its contents. Whether to include such a condition in a particular order is a decision that would be made on a case-by-case basis, in crafting the order. It would be an offence to contravene such a condition, punishable by a fine or imprisonment (see below). Because non-disclosure provisions in the orders would place limits on what persons could communicate to others, they have the potential to engage the right to freedom of expression in section 2(b) of the Charter.

The following considerations support the consistency of non-disclosure provisions in the orders with the Charter. The orders themselves, including the non-disclosure provisions, would pursue the important objective of securing the Canadian telecommunications system. Non-disclosure provisions could be used in situations where it is important to keep confidential the vulnerabilities that an order is seeking to address, or where commercially sensitive information is involved. A non-disclosure provision would not necessarily be included in every order. Whether to include such a provision in a particular order would be a discretionary decision, based on a reasonable consideration of the circumstances and the objectives of the particular order. The specific terms and conditions of the non-disclosure provision could be crafted according to the context. The non-disclosure provisions would, generally speaking, be placing limits on communication about the technical operations of TSPs, which are commercial entities. While restrictions on commercial speech can engage the right to freedom of expression, they usually do not implicate the core values of the right, which include the search for political, artistic and scientific truth, the protection of individual autonomy and self-development, and the promotion of public participation in the democratic process. Limits on expression that do not engage the core values of the right are more easily justified. Finally, TSPs that receive an order would be able to seek judicial review if they wish to challenge any part of it.

Inspection Powers and Information provision, sharing and disclosure (section 8 of the Charter)

The Bill includes several provisions to allow the Minister of Industry to gather and share information for the purpose of administering the regime. One power would allow the Minister to require any person to provide information that is believed, on reasonable grounds, to be relevant for the making, amending or revoking of an order to a TSP or a regulation, or to verify compliance or prevent non-compliance with those orders or regulations. Persons who provide certain types of sensitive information, including trade secrets or technical information, may designate this information as confidential. Confidential information would be subject to special use and disclosure restrictions, backed by offence provisions that already exist in the Telecommunications Act.

Another provision of the Bill would allow various federal ministers and officials to exchange information (including information designated as confidential), to the extent that it is necessary for the making, amending or revoking of an order to a TSP or a regulation, or to verify compliance or prevent non-compliance with those orders or regulations. The Bill would also allow the Minister of Industry to disclose information collected under the Telecommunications Act to the governments of provinces or foreign states, or to international organizations, if the Minister believes that the information would be relevant to securing the telecommunications system of either Canada or a foreign state. Prior to making such a disclosure, the Bill would require the federal government to enter into an agreement (or other form of written arrangement) with the recipient, whether it be the government of a province, a foreign state, or an international organization. That agreement must include a restriction on how the recipient uses the information, restricting it to regulatory or other non-penal purposes. Also, information designated as confidential could not be shared under this particular power.

Finally, the Telecommunications Act has a pre-existing scheme for regulatory inspections by designated inspectors. This includes powers to enter places where inspectors believe, on reasonable grounds, there are documents, information or things relevant to the purpose of verifying compliance or preventing non-compliance with the Act. They also include powers to require persons to produce information that the inspector considers necessary for the purpose of verifying compliance or preventing non-compliance with the Act. The Bill would make it possible to use these powers in order to verify compliance with the new types of orders and regulations mentioned above, or prevent non-compliance with them.

The power to require the production of information or documents potentially engages section 8 of the Charter, as do authorities to share information within the federal government or with outside entities. The following considerations support the consistency of this power with section 8. Privacy interests are diminished in the regulatory and administrative contexts. Generally speaking, the information being gathered and shared in this context relates to the technical operations of TSPs, which are commercial entities. This is not the kind of personal biographical information that attracts a heightened privacy interest. Statutory powers to require the production of relevant information for regulatory or administrative purposes, rather than for the purpose of investigating criminal offences, have been upheld as reasonable under section 8.

Furthermore, the Minister of Industry must have reasonable grounds to believe that the information being sought is relevant to the making, amending or revoking of an order to a TSP or a regulation, or to verify compliance or prevent non-compliance with those orders or regulations. The Bill contains limits on when information can be shared between federal ministers and officials, and protections to safeguard confidential information. It also restricts how information gathered by the Minister of Industry could be disclosed to entities outside of the federal government. Finally, as the provisions discussed above give discretion to the Minister of Industry in deciding whether to take specified actions, that discretion would have to be exercised in accordance with the Charter. In reviewing the relevant provisions, the Minister of Justice has not identified any potential effects that could constitute an unreasonable interference with privacy as protected by section 8.

Judicial Review (section 2(b) of the Charter)

Persons subject to an order or regulation issued by the Governor in Council or Minister of Industry would be able to apply to the Federal Court of Canada, to seek judicial review of the order or regulation. Due to the nature and purpose of these orders, their judicial review would have the potential to involve sensitive information. The Bill would create a framework to facilitate the protection and use of sensitive information in such proceedings. This framework is similar to ones that exist in several other legislative regimes.

Where the judge is of the opinion that the disclosure of evidence or other information could be injurious to international relations, national defence or national security, or could endanger the safety of any person, the judge would hear submissions on the evidence or other information in the absence of the public, the applicant and their counsel (i.e. a closed hearing). The judge would be obligated to ensure the confidentiality of the evidence or information. Although the information could not be disclosed to the applicant, the judge would have to ensure that the applicant is provided with a summary of the evidence and other information that allows the applicant to be reasonably informed of the Government's case. These confidentiality provisions could be triggered at any time during a proceeding, on the request of the Minister of Industry.

These provisions of the Bill have the potential to engage section 2(b) of the Charter, in particular the open court principle, because they would require that judicial review proceedings in relation to orders must be conducted in the absence of the public and the applicant when the threshold set out in the legislation is met.

The following considerations support the consistency of these provisions with the Charter. Like other Charter rights, the open court principle is not absolute and may be limited where there are pressing state objectives. Protecting sensitive information, the disclosure of which could harm international relations, national defence or national security or endanger the safety of any person, is a recognized and important state interest. The hearing process that the Bill would establish is tailored to limit the use of closed proceedings to only those situations where closed hearings are necessary to protect sensitive information. The presiding judge would have the responsibility for assessing whether the release of the information could lead to the listed harms. Most importantly, the process would only apply to those portions of the judicial review proceedings that involve sensitive information. The remainder of the hearing would be open to the public and the applicant. Finally, any summaries of evidence provided to the applicant under these provisions would become part of the publicly available court record.

Administrative monetary penalties (section 11 of the Charter)

The Telecommunications Act already includes an administrative monetary penalty regime, relating to contraventions of the existing provisions of that Act. Bill C-26 would add another such regime to the Act, for the specific purpose of promoting compliance with the orders to TSPs and regulations discussed above.

If the Minister of Industry (or a person who the Minister has designated to issue notices of violation) has reasonable grounds to believe that a person has committed a violation of an order, they may issue a notice of violation setting out, among other things, the alleged violation, the penalty, and a summary of the person's rights, including the right to seek review of the penalty. Individuals may be liable for committing violations, and directors and officers of designated operators may be personally liable if they “directed, authorized, assented to, acquiesced in, or participated in” the commission of a violation. This regime would be subject to existing section 72.17 of the Telecommunication Act, according to which issuance of a notice of violation would prevent the police from laying criminal charges and vice versa.

The Bill would specify that the purpose of the penalty is to promote compliance with the orders to TSPs and regulations, and not to punish. The amount of a penalty is to be determined by taking into account a range of factors including the person's history of compliance or non-compliance with orders made under the new provisions; the nature and scope of the violation; and whether the person obtained any benefit from committing the violation. The regime would not impose a minimum penalty. It limits the maximum amount of an administrative monetary penalty to $25,000 for an individual (or $50,000 for a subsequent contravention) and $10,000,000 for a corporation or other non-natural person (or $15,000,000 for a subsequent contravention).

The following considerations support the consistency of the regime with section 11 of the Charter. The penalty regime would be administrative in nature, and its penalties would not have “true penal consequences.” The purpose of the penalties would be to promote compliance with orders and not to “punish” in the sense used for the purposes of section 11 of the Charter. Penalties would be determined taking into account the factors set out in the regime. Although there is a potential for large penalties, this is necessary given the size and nature of the designated operators. The possibility that a substantial monetary penalty may be imposed does not engage section 11. Properly construed and enforced, this new regime would not allow penalties with “true penal consequences.” Finally, penalties could be civilly enforced before the Federal Court but could not lead to a sentence of imprisonment in the event of a failure to pay a penalty.

Offences and Punishment (section 7 of the Charter)

Bill C-26 would make it an offence to contravene an order or regulation made by the Governor in Council or Minister of Industry. Upon conviction, the court could impose a fine of an amount that is left to the discretion of the court. Where it is an individual who is convicted (rather than a corporation or other legal person), the court could also impose a sentence of imprisonment with a maximum duration of two years less a day.

As the new offence provisions could lead to a term of imprisonment, the liberty interest under section 7 of the Charter is engaged. In reviewing the offence provisions, the Minister of Justice has not identified any potential inconsistencies of the provisions with the principles of fundamental justice under section 7. The scope of the offence is tailored to its objective, and upon conviction a judge will have discretion to impose a fit and appropriate sentence. Due diligence in seeking to prevent contravention of the order would be an available defence. Finally, the Bill provides that convicting someone for contravention of an order would require proof that the person had been notified of the order at the time of the alleged contravention.

Part 2 – Enactment of the Critical Cyber Systems Protection Act

Part 2 would enact the Critical Cyber Systems Protection Act (CCSPA), which would create a framework to protect “critical cyber systems” that support services or systems within Parliament's jurisdiction that are vital to national security or public safety. “Critical cyber systems” would be defined as cyber systems that, if compromised, could affect the continuity or security of a vital system or service. Services and systems that would initially be designated as “vital” are telecommunication services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems, banking systems and clearing and settlement systems. Additions to the list of vital systems and services could be made by the Governor in Council.

The CCSPA would seek to ensure that risks to critical cyber systems are identified and managed. This includes risks associated with supply chains and the use of third-party products and services. It would also seek to ensure that critical cyber systems are protected from being compromised and that cyber security incidents affecting critical cyber systems are detected. Finally, the CCSPA would seek to ensure that impacts of cyber security incidents are minimized.

In order to achieve these objectives, the CCSPA would authorize the Governor in Council to designate classes of operators (“designated operators”) who own, control or operate critical cyber systems. Designated operators would be subject to specific obligations relating to the protection of critical cyber systems. These include the obligation to establish and implement a cyber security program, obligations to mitigate supply-chain and third-party risks as well as reporting and notification obligations where there has been a cyber security incident. The Governor in Council would also be authorized to make orders (“cyber security directions”) directing designated operators to comply with specific measures to protect a critical cyber system.

Non-disclosure of Cyber Orders (section 2(b) of the Charter)

The CCSPA would prohibit designated operators from disclosing information about the existence or content of a cyber security direction, except to the extent necessary in order to comply with the direction. Disclosure of such information contrary to the Act would be an offence punishable by a fine or imprisonment (see below). Because the Act would place limits on what persons could communicate to others, it has the potential to engage the right to freedom of expression in section 2(b) of the Charter.

The following considerations support the consistency of the non-disclosure provisions with the Charter. These provisions pursue the important objective of protecting critical cyber systems. The non-disclosure provisions would, generally speaking, be placing limits on communication about the technical operations of designated operators, which are commercial entities. While restrictions on commercial speech can engage the right to freedom of expression, they usually do not implicate the core values of the right, which include the search for political, artistic and scientific truth, the protection of individual autonomy and self-development, and the promotion of public participation in the democratic process. Limits on expression that do not engage the core values of the right are more easily justified.

Inspection, requirement and disclosure powers (section 8 of the Charter)

The CCSPA would create a number of authorities for the collection and disclosure of information, similar to those in other regulatory laws. In order to verify compliance or prevent non-compliance with the Act or regulations, designated individuals would be authorized to enter and conduct inspections in places to which the requirements under the Act apply. The Act would also authorize the entities that regulate the designated operators to require information from any person, partnership or unincorporated organization in order to verify compliance or prevent non-compliance with the Act. Specifically, this requirement power would be granted to the Minister of Industry, the Minister of Transport, the Superintendent of Financial Institutions, the Bank of Canada, the Canadian Energy Regulator and the Canadian Nuclear Safety Commission (“the regulators”).

Disclosure of information to the Communications Security Establishment (CSE) would be authorized in certain circumstances. In particular, regulators would be authorized to disclose the following information to CSE: (a) information about a designated operator's cyber security program; (b) any steps taken to mitigate risks associated with the operator's supply chain; or (c) its use of third-party products and services. Disclosures under this clause could only be made in order to request advice, guidance or services from CSE about the exercise of the regulator's powers or performance of its duties under the Act.

The CCSPA would impose requirements on designated operators that experience a cyber security incident. A cyber security incident is defined in the CCSPA as an incident in relation to a critical cyber system that interferes or may interfere with the continuity or security of a vital system or service, or that interferes with the confidentiality, integrity or availability of the critical cyber system. A designated operator that experiences a cyber security incident would be required to immediately report the incident to CSE in accordance with the regulations and to notify the regulator. The regulator would also be authorized to receive the incident report, on request, from the designated operator or CSE.

The proposed Act would authorize the exchange of information, including confidential information, between certain parties, as necessary for the purpose of making, amending or revoking a cyber security direction. The parties that would be authorized to exchange information for this purpose are the Minister of Public Safety, the designated operator's regulator and responsible minister, the Minister of Foreign Affairs, the Minister of National Defence, the Chief of Defence Staff, CSE, the Canadian Security Intelligence Service (CSIS) and any other person or entity prescribed by the regulations.

Finally, the CCSPA would create a number of rules for the handling and protection of “confidential information”. Confidential information would be defined as information obtained under the Bill relating to a critical cyber system that: (a) concerns a vulnerability of a critical cyber system or the methods used to protect it and that is consistently treated as confidential by the designated operator; (b) could lead to financial or competitive harms to the designated operator if disclosed; or (c) could interfere with the contractual or other negotiations of a designated operator.

Disclosure of confidential information would be prohibited except in specific situations. In particular, confidential information could be disclosed where:

• the disclosure is required by law;
• the information is publicly available;
• the designated operator consents to the disclosure;
• the disclosure is necessary for the protection of vital services, vital systems or critical cyber systems; or
• the disclosure is made in accordance with the provisions of the Act or with the Security of Canada Information Disclosure Act.

The confidentiality provisions would not prevent disclosure to CSIS or law enforcement where the disclosure is otherwise lawful.

The CCSPA would also allow the sharing of information with the government of a province or of a foreign state, or with an international organization established by the government of a foreign state, where there is a written agreement or arrangement relating to the protection of critical cyber systems. The sharing of confidential information would only be permitted with institutions or agencies of a provincial government if the responsible minister or regulator is satisfied that the information will be treated in a confidential manner by the other party and not be further disclosed without their express consent.

Because the inspection, requirement and disclosure powers have the potential to interfere with privacy interests they may engage section 8. The following considerations support the consistency of these powers with the Charter. Designated operators are sophisticated actors, operating in heavily regulated spheres of activity in which privacy expectations are generally diminished. The inspection and requirement powers would be available for the regulatory purpose of verifying compliance and preventing non-compliance with the Act. They would not be available for the purpose of advancing a penal investigation. As such, the proposed powers are similar to regulatory inspection powers that have been upheld in other contexts.

The proposed authority for the exchange of information in relation to the making, amendment or revocation of a cyber security direction is tailored to limit any potential interference with privacy interests. The authority would only apply to the specific individuals or entities named in the Act or regulations and would only authorize the exchange of information to the extent necessary in relation to making, amending or revoking a cyber security direction.

The provisions governing the disclosure of information to and from CSE are also tailored to limit any potential interference with privacy interests to what is necessary to allow CSE to carry out its mandate, including in relation to cyber security, and to allow regulators to benefit from CSE's expertise in the performance of their duties and functions under the Act.

Judicial review

A person subject to a cyber security direction would be able to seek judicial review before the Federal Court of Canada. The CCSPA would create a framework to facilitate the protection and use of sensitive information in the course of any such judicial review. This framework is similar to ones that exist in several other legislative regimes.

Where the judge is of the opinion that the disclosure of evidence or other information could be injurious to international relations, national defence or national security, or could endanger the safety of any person, the judge would hear submissions on the evidence or other information in the absence of the public, the applicant and their counsel (i.e., a closed hearing). The judge would be obligated to ensure the confidentiality of the evidence or information. Although the information could not be disclosed to the applicant, the judge would have to ensure that the applicant is provided with a summary of the evidence and other information that allows the applicant to be reasonably informed of the Government's case. These confidentiality provisions could be triggered at any time during a proceeding, on the request of the Minister of Public Safety.

Because the Bill stipulates that judicial review proceedings related to cyber security directions must be conducted in the absence of the public and the applicant when the threshold set out in the legislation is met, it engages section 2(b).

As with the judicial review proceedings under the Telecommunications Act,the following considerations support the consistency of this aspect of the Bill with the Charter. Like other Charter rights, the open court principle is not absolute and may be limited where there are pressing state objectives. Protecting sensitive information, the disclosure of which could harm international relations, national defence or national security, or endanger the safety of any person, is a recognized and important state interest. The hearing process that would be established under the Bill is tailored to limit the use of closed proceedings to only those situations where closed hearings are necessary to protect sensitive information. The responsibility for assessing whether the release of the information could lead to the listed harms would lie with the presiding judge. Most importantly, the closed proceeding provisions only apply to those portions of the judicial review proceedings that involve sensitive information. The remainder of the hearing would be open to the public and the applicant. Finally, any summaries of evidence provided to the applicant would become part of the publicly available court record.

Administrative monetary penalties (section 11 of the Charter)

The CCSPA would set out a scheme for administrative monetary penalties for some violations of the Act or regulations. If the regulator has reasonable grounds to believe that a designated operator or other person has committed a violation, the regulator could issue a notice of violation setting out, among other things, the alleged violation, the penalty, and a summary of the designated operator's rights, including the right to seek review of the penalty. Individuals may be liable for committing violations, and directors and officers of designated operators may be personally liable if they “directed, authorized, assented to, acquiesced in, or participated in” the commission of a violation. A regulator issuing a notice of violation would prevent the police from laying criminal charges and vice versa.

The CCSPA would stipulate that monetary penalties may be imposed in order to promote compliance with the Act and not to punish. The amount of a penalty is to be determined by taking into account a range of factors including the designated operator's history of compliance or non-compliance with the Act; the nature and scope of the violation; whether reasonable efforts were made to mitigate the effects of the violation; and whether the violation contributed to any economic or competitive benefit. The CCSPA would not impose a minimum penalty and would limit the maximum amount of an administrative monetary penalty that may be established by regulation to $1,000,000 for an individual and $15,000,000 for a corporation or other non-natural person.

As with the administrative monetary penalty scheme under the Telecommunications Act, the following considerations support the consistency of the regime with section 11 of the Charter. The penalty regime would be administrative in nature, and its penalties would not have “true penal consequences.” The purpose of the penalties would be to promote compliance with orders and not to “punish” in the sense used for the purposes of section 11 of the Charter. Penalties would be determined taking into account the factors set out in the regime. Although there is a potential for large penalties, this is necessary given the size and nature of the designated operators. The possibility that a substantial monetary penalty may be imposed does not engage section 11. Properly construed and enforced, this new regime would not allow penalties with “true penal consequences.” Finally, penalties could be civilly enforced before the Federal Court but could not lead to a sentence of imprisonment in the event of a failure to pay a penalty.

Offences (section 7 of the Charter)

The CCSPA would create a number of summary and hybrid offences for contravening specified provisions of the Act. These include the hybrid offences of contravening a cyber security direction, disclosing information about the existence or contents of a cyber security direction and disclosing confidential information in circumstances not permitted under the Act. These hybrid offences would be punishable by a fine and/or a maximum term of imprisonment of two years less a day on summary conviction and five years on indictment.

Offences that can result in a term of imprisonment engage the right to liberty and must accord with the principles of fundamental justice. In reviewing the offence provisions included in the CCSPA, the Minister has not identified any potential inconsistencies with the principles of fundamental justice under section 7. The offences are tailored to the legislative objectives and preserve the discretion of trial judges to impose a fit and appropriate sentence. None of the offences in the CCSPA would give rise to the possibility of imprisonment in the absence of, at a minimum, negligence on the part of the accused. Finally, the Act would stipulate that a designated operator cannot be found to have contravened a cyber security direction unless they had been notified of the direction, or unless reasonable steps had been taken to notify designated operators likely to be affected by the direction.

Date modified:

2024-06-04