Submission to the Standing Senate Committee on National Security, Defence and Veterans Affairs on Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

May 22, 2026

BY EMAIL

The Honourable Marty Deacon, Senator
Chair, Standing Senate Committee on National Security, Defence and Veterans Affairs
The Senate of Canada
Ottawa, Ontario  K1A 0A4

---

RE: Submission on Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Dear Chair:

Thank you for the opportunity to provide my views to the Standing Committee on National Security, Defence and Veterans Affairs (“the Committee”) on Bill C-8, an important legislative initiative that seeks to promote cyber security in Canada’s critical infrastructure. In this submission, I acknowledge some of the significant improvements that Parliament has made to the Bill. I then propose two additional recommendations for the Committee’s consideration, both of which I have advocated for in the past, most recently in a November 2025 submission on Bill C-8 to the Standing House Committee on Public Safety and National Security. In my view, these proposals would further promote and protect privacy rights without undermining the important cyber security-related objectives of this Bill.

In my appearance before the Committee on the former Bill C-26 (the predecessor to Bill C-8) on November 18, 2024, I observed that Parliament had made several privacy-protective amendments to that bill. I am pleased to see that these amendments were carried over to Bill C-8, and, furthermore, that the following additional privacy-protective amendments have been made since its introduction:

• More consistent proportionality requirements: Both for order-making powers and for information-sharing authorities, Bill C-8 has been amended to include a requirement that measures for information-sharing be “reasonable in relation to the gravity of [the cyber security] threat”, which is analogous to proportionality. (See in particular, cl. 2, ss. 15.1, 15.2, 15.4 and 15.6 of the Telecommunications Act, SC 1993, c 38(“TA”), and cl. 11, s. 20(3.1) of the Critical Cyber Systems Protection Act, (CCSPA)). In addition to protecting privacy, the addition of this threshold will focus regulatory intervention on clear cyber-security risks and thereby contribute to the overall effectiveness of cyber-security regulation.
• Identification of privacy as a factor in cyber-security order-making decisions: Both Governor in Council (GIC) and ministerial orders under the TA (cl. 2, ss. 15.1 and 15.2) and GIC orders under the CCSPA (cl. 11, s. 20(3)) now require consideration of how the order might impact the privacy of Canadians.
• Increased transparency: Orders under the TA would now be subject to an after-the-fact notice requirement (subject to exceptions) applicable to any person specified in an order (cl. 2, s. 15.211). The Minister of Public Safety (or another designated minister) would furthermore be required to conduct a five-year review of the provisions in Bill C-8, a report on which would be tabled in Parliament. (Part 3, cl. 17).
• Protections related to the treatment of personal information: Any personal information compelled under s. 15.4 of the TA would now be deemed to be confidential, (cl. 2, s. 15.5(2.1)). Furthermore, the TA and CCSPA would contain express requirements to dispose of personal information that it is no longer necessary to retain (cl. 2, ss. 15.7(1)(b), 15.701, cl. 11, s. 29.1).

From a privacy perspective, these amendments significantly improve Bill C-8. I would like to take this opportunity to call the Committee’s attention to two additional recommendations from my prior submissions on this Bill and the former Bill C-26:

1. That a reference to “personal information” be added to the CCSPA’s definition of “confidential information” (in cl. 11, s. 2).

I note that Parliament amended the CCSPA to add a “for greater certainty” provision noting that nothing in the CCSPA affects the provisions of the Privacy Act in relation to the protection of personal information (cl. 11, s. 26.1). This provision may clarify that the Privacy Act continues to apply, but the objective of my recommendation is to ensure that personal information triggers the special treatment under the CCSPA for confidential information.

Including personal information in the CCSPA’s definition of “confidential information” would not preclude information-sharing. Instead, it would impose tighter controls, such as a prohibition with limited exceptions (cl. 11, s. 26), as well as higher thresholds and more safeguards for extra-territorial information sharing (cl. 11, s. 27). This recommendation would also make the CCSPA more consistent with how the TA, as amended by Bill C-8, defines confidential information (cl. 2, ss. 15.5(1)(d), and 15.5(2.1)).

2. That the Communications Security Establishment (CSE) be required to provide my Office with copies of cyber-security incident reports it receives when those reports identify serious or systemic privacy issues.

This would allow my Office to leverage the CSE’s cyber-security expertise. Although the OPC already receives breach notifications under PIPEDA, these tend to be limited in scope to discrete incidents. Cyber-security incident reports, by contrast, have the potential to quickly identify systemic privacy risks. For example, a cyber-security risk caused by a systemic vulnerability in telecommunications infrastructure could generate multiple discrete breach reports under PIPEDA without the OPC ever becoming aware of the underlying vulnerability.

A cyber-security incident report could provide my Office with a clearer and more timely line of sight into an emerging vulnerability (for example, a broader compromise by an advanced persistent threat actor). This would allow the OPC to act expeditiously to mitigate privacy risks for Canadians, including through proactive outreach and public-facing guidance. While cyber-incident reports may contain sensitive information, my Office is open to working with the CSE and Public Safety Canada to explore mutually agreeable approaches to mitigating any risks, such as through redactions, strict confidentiality and security requirements, and coordination of regulatory approaches in appropriate circumstances.

Thank you for your invitation to share my views on this important bill; I hope that this submission assists in the Committee’s ongoing consideration of its provisions.

Sincerely,

c.c.: Ericka Paajanen, Clerk of the Committee