Letter to the Standing Committee on Public Safety and National Security (SECU) on Bill C-8

November 14, 2025

BY EMAIL

The Honourable Jean-Yves Duclos, P.C., M.P.
Chair
Standing Committee on Public Safety and National Security
Sixth Floor, 131 Queen Street
House of Commons
Ottawa, ON  K1A 0A6

Dear Chair:

Thank you for the recent invitation to appear before the Committee to offer my views on Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

In my opening remarks, I offered the following recommendations for the consideration of the Committee:

• That the legislation impose a uniform standard requiring that any collection, use, or disclosure of personal information be both necessary in the circumstances to achieve the stated purpose and proportional to the benefits to be gained;
• That information-sharing agreements entered into under the legislation provide for minimum privacy safeguards in order to strengthen governance and accountability and ensure a consistent standard of privacy protection when information is exchanged outside of Canada; and,
• That the Communications Security Establishment be required to notify my Office when they are made aware of cybersecurity incidents involving a material privacy breach so that we can collaborate and coordinate our efforts in protecting Canadians’ privacy.

In addition, I reiterated my longstanding advice – which is broader than Bill C-8 – that government institutions be legally required to conduct privacy-impact assessments in high-risk situations and to consult my Office when developing new programs or initiatives with privacy implications for Canadians.

During my appearance I was asked to prepare a written submission identifying the specific sections of the Bill that in my view would benefit from privacy-focused amendments. With that in mind, I am pleased to share the enclosed annex, which sets out illustrative potential amendments that the Committee may wish to consider in order to give effect to the above recommendations.

Thank you again for the opportunity to present my views; I hope the enclosed is helpful as the Committee continues its work on this important Bill.

Sincerely,

c.c. Andrew Wilson, Clerk of the Committee

Annex: Sections for potential amendments in Bill C-8, prepared at the request of the Standing Committee on Public Safety and National Security

Recommendation 1: That the legislation impose a uniform standard requiring that any collection, use, or disclosure of personal information be both necessary in the circumstances to achieve the stated purpose and proportional to the benefits to be gained.

In order to give effect to this recommendation, the Committee may wish to consider:

• Inserting an overarching requirement to the above effect, which would be limited and specific to personal information, in both Parts 1 and 2 of the Bill; or, alternatively,
  
  
• Making targeted amendments to different collection and disclosure authorities in the Bill that may, directly or indirectly, implicate personal information, notably, ss. 15.4, 15.6, and 15.7(1) of the Telecommunications Act (TA) and ss. 20(1), 23(1), and 27(1) of the Critical Cyber Systems Protection Act (CCSPA).
  
  To take just one illustrative example, the Committee may wish to consider amending s. 15.4 to:
  
  
• Establish a standard of necessity rather than relevance (e.g., “… that the Minister believes on reasonable grounds is relevant necessary for …”); and,
  
  
• Introduce a requirement that, in scope and substance, the information demanded be reasonable in relation to the gravity of the threat (for consistency with the order-making powers in Part 1); or, alternatively, an analogous requirement that the disclosing institution be satisfied that the disclosure will not affect any person’s privacy interest more than is reasonably necessary in the circumstances (based on s. 5(1)(b) of the Security of Canada Information Disclosure Act).

Recommendation 2: That information-sharing agreements entered into under the legislation provide for minimum privacy safeguards in order to strengthen governance and accountability and ensure a consistent standard of privacy protection when information is exchanged outside of Canada.

In order to give effect to this recommendation, the Committee may wish to consider:

• Amending s. 15.7(1) of the TA and s. 27(1) of the CCSPA to establish minimum safeguards that must be included in information-sharing agreements, for example, based on language in Part 5 of Bill C-12 (clause 28, s. 5.5(1)).

Recommendation 3: That the Communications Security Establishment (CSE) be required to notify my Office when they are made aware of cybersecurity incidents involving a material privacy breach so that we can collaborate and coordinate our efforts in protecting Canadians’ privacy.

In order to give effect to this recommendation, the Committee may wish to consider:

• Amending s. 19 of the CCSPA to require that the CSE notify the Privacy Commissioner of any cyber security incident reported to the CSE under s. 17 that involves personal information if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm, as defined in ss. 10.1(7) and (8) of the Personal Information Protection and Electronic Documents Act.

Finally, in addition to the above recommendations, the Committee may also wish to consider the following amendments with a view to ensuring that Bill C-8 does not have unintended or unnecessary impacts on privacy:

• Adding retention requirements to ensure that any personal information collected under the Bill’s authorities is retained only for as long as is necessary for the purpose for which it was collected (e.g., under ss. 15.4 and 15.6 of the TA and s. 23 of the CCSPA);
  
  
• Adding “personal information,” as defined in section 3 of the Privacy Act, to the definition of “confidential information” in the CCSPA; and,
  
  
• Adding privacy as a factor that the Minister and the Governor in Council must consider under s. 15.2(6) of the TA and s. 20(3) of the CCSPA, respectively (e.g., “the potential impacts on privacy, if any”).