Consolidated Issue Sheets on Bill C-26
Appearance before the Standing Senate Committee on National Security, Defence and Veterans Affairs (SECD)
Previous OPC recommendations on Bill C-26 (SECU)
Speaking points
- When I appeared on Bill C-26 before the Standing Committee on Public Safety and National Security, I expressed my support for the bill’s overall objective to protect critical systems from cybersecurity threats.
- At the same time, I recommended higher thresholds for the use of the new powers that it would grant the government, that organizations be required to complete PIAs before undertaking new programs or initiatives under its authorities, and greater transparency.
- I also called for stronger accountability measures when information is shared outside Canada, and for greater flexibility for my Office to coordinate with other regulators and oversight bodies.
- The Committee clearly gave serious thought to many of the recommendations it received and has made several positive changes to the bill. However, in my view, certain privacy risks remain outstanding.
Background
- Specific OPC recommendations to SECU were as follows:
- more stringent thresholds for and limits on the exercise of the new powers the bill would grant the government, including a requirement that any collection, use, or disclosure of personal information be necessary and proportionate (implemented in part);
- that organizations be required to conduct privacy impact assessments (PIAs) and to consult the OPC on any programs or initiatives created under the bill’s new authorities that involve personal information (not implemented);
- that the bill’s confidentiality provisions be counterbalanced by appropriate transparency requirements (implemented);
- stronger accountability measures to promote the protection of personal information shared outside Canada, including specific requirements for information-sharing agreements (not implemented); and,
- that the OPC have the flexibility to coordinate with other regulatory and oversight bodies where a cybersecurity incident involves a privacy breach so that it may exercise its jurisdiction and fulfill its mandate (not implemented).
OPC position on SECU amendments to Bill C-26
Speaking points
- The Standing Committee on Public Safety and National Security (SECU) clearly gave serious consideration to many of the recommendations that it received in the course of its study of the bill.
- Several of the amendments help address some of the bill’s potential privacy risks, including the new limits on its order-making powers, the new and expanded notification and reporting obligations, and the inclusion of personal and de-identified information as categories that may be designated as confidential under the Telecommunications Act.
- However, despite these and other positive changes, additional limits on some of the bill’s authorities would help further mitigate their potential privacy impacts, including a requirement that any collection, use, or disclosure of personal information be both necessary and proportionate.
Background
- Notable privacy-related amendments adopted by SECU include:
- with respect to orders, a reasonable-grounds threshold, a list of factors that must be considered, a requirement to notify the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency, new reporting obligations, a necessity requirement for orders under the Critical Cyber Systems Protection Act (CCSPA), and a requirement that orders under the Telecommunications Act (TA) be reasonable in scope and substance and that appropriate persons be consulted;
- the addition of personal and de-identified information as categories that may be designated as confidential under the amended TA;
- the addition of language to clarify that any confidential information collected or obtained under the legislation must be treated as such;
- references to the Privacy Act in the TA and the preamble to the CCSPA;
- narrower language to limit certain CCSPA authorities [e.g., ss. 26(1) and 28(1)];
- a requirement that any information collected or obtained under s.23(1) of the CCSPA be retained only for as long as is necessary to make, amend, revoke, or verify compliance with orders (though subsequently deleted on third reading).
Current OPC recommendations on Bill C-26
Speaking points
- The Standing Committee on Public Safety and National Security (SECU) made a number of positive changes to the bill, several of which are consistent with my previous advice.
- For the consideration of this Committee, I would recommend the following to further mitigate the bill’s privacy risks:
- An explicit requirement that any collection, use, or disclosure of personal information be both necessary and proportionate;
- Retention requirements for any personal information;
- Prescribed minimum content requirements for information-sharing agreements (ISAs) with other jurisdictions; and
- A requirement for the CSE to share with my Office a copy of a report of any cybersecurity incident and related information that may have significant privacy implications.
Background
- Many of Bill C-26’s collection and disclosure authorities set a threshold of necessity (e.g., “if it is necessary for”); others are based on relevance (e.g., “if the Minister believes that the information may be relevant to,”) or a mixed threshold (e.g., “to the extent that is necessary for any purpose related to”).
- More consistent necessity and proportionality requirements throughout the legislation would help reduce the risk that personal information may be over-collected or inappropriately used or disclosed.
- Alternatively, an overarching requirement could be inserted in both the TA and the CCSPA to the effect that personal information shall not be collected, used, or disclosed under either Act unless the collection, use, or disclosure is necessary [to secure the Canadian telecommunications system OR to protect a critical cyber system] and proportionate to an identified threat or vulnerability.
- SECU amended the CCSPA to require that any information collected or obtained under 23(1) be retained “only for as long as is necessary” to make, amend, revoke, or verify compliance with orders, but this amendment was deleted on third reading.
- SECU did not adopt our recommendation for minimum requirements for ISAs.
OPC role under Bill C-26
Speaking points
- Bill C-26 does not provide for an explicit role for the OPC, but my Office has jurisdiction over the handling of personal information by the federal government and private sector, including in the context of cybersecurity.
- In addition to their reporting obligations under the Critical Cyber Systems Protection Act, designated operators subject to PIPEDA will still need to report breaches of security safeguards involving personal information to my Office when there is a real risk of significant harm.
- However, I would recommend that the CSE also be required to share reports of cybersecurity incidents and related information that may have significant privacy implications with my Office.
- In my view, the OPC should also have the necessary flexibility to collaborate and exchange information with other regulators and oversight bodies when doing so is necessary to fulfill our mandate.
Background
- Given Bill C-26’s objective to protect federally regulated critical infrastructure from threats that may have little or no connection with personal information, a broad role for the OPC would likely stray beyond the Office’s institutional competence.
- Nothing in the bill would limit the powers of the Privacy Commissioner to initiate or conduct investigations under PIPEDA or the Privacy Act, just as nothing would detract from the breach-reporting obligations of telecommunications service providers and other designated operators that are subject to PIPEDA.
- Likewise, some of the conduct provided for in the bill would fall within the purview of the National Security and Intelligence Review Agency (NSIRA), which has a mandate to review any activity carried out by a department that relates to national security or intelligence (NSIRA Act, s.8(1)).
- The OPC and NSIRA are authorized to coordinate activities (ss. 37 of the Privacy Act, and 15.1 of the NSIRA Act), for example to avoid duplicative investigations.
- As amended, the bill would also ensure that NSIRA and NSICOP are notified of confidential TA orders (s.15.22) and of CCSPA cybersecurity directions (s.20).
- Although the government could consult the OPC on orders and regulations that may have privacy implications, it would be under no obligation to do so.
OPC role with respect to cybersecurity (general)
Speaking points
- The protection of personal information increasingly relies on the security of digital systems and infrastructure. Cybersecurity incidents affecting such systems can have significant privacy impacts when they result in unauthorized disclosures of personal information.
- My Office has an important role to play in ensuring that organizations subject to PIPEDA or the Privacy Act take adequate steps to prevent unauthorized disclosures and respond appropriately when they occur.
- In parallel, we must also monitor and assess whether measures taken in response to cybersecurity threats have unintended privacy impacts.
- Unfortunately, I face several challenges in carrying out these functions, including a lack of order-making powers, the absence of a legal requirement for organizations to complete PIAs and consult my Office, and – with limited exceptions – no explicit authority to collaborate and share information with other federal regulators and oversight bodies.
Background
- The cybersecurity role of the OPC is limited to incidents that involve unauthorized disclosures of personal information. In some cases, the OPC may undertake an investigation to determine whether affected organizations were in compliance with their obligations under PIPEDA or the Privacy Act (PA).
- Although the OPC does not have a formal guidance role under the PA, government organizations are required under TBS policy to notify us and to provide approved PIAs for any planned initiatives that implicate personal information, which could include new programs or activities to bolster cybersecurity.
- Pursuant to our guidance role under PIPEDA, the OPC has developed and published information on how to guard against certain cybersecurity threats (e.g., malicious software, spam, identity theft, etc.).
- The OPC has the authority to coordinate its activities with those of the National Security and Intelligence Review Agency (NSIRA) to avoid any duplication of work and, in the context of Canada’s Anti-Spam Legislation, with the CRTC and the Competition Bureau.
Stakeholder concerns about Bill C-26’s potential privacy impacts
Speaking points
- A number of witnesses and civil liberties experts have expressed concerns about Bill C-26’s potential privacy impacts.
- Many of these concerns relate to the breadth of certain powers and authorities in the bill and the possibility that they – or the information obtained under them – may be misused absent further restrictions.
- In my view, such concerns are legitimate. However, the likelihood and impact of such risks should be weighed against the bill’s potential benefits, which include a higher baseline for cybersecurity protection that may help reduce the likelihood and impact of privacy breaches.
- Having said that, I am also of the view that the bill continues to present avoidable privacy risks. One of the most effective ways to mitigate those risks would be an overarching requirement that any collection, use, or disclosure of personal information be both necessary and proportionate.
Background
- Civil liberties groups, industry representatives, and other stakeholders have raised concerns about Bill C-26 since it was introduced in June 2022, some of which have now been addressed through amendments adopted in the House.
- The Senate Standing Committee on National Security, Defence and Veterans Affairs (SECD) has now held two meetings on the bill. To date, witnesses have reiterated the following privacy-specific concerns:
- that the government may use the order-making powers under the Telecommunications Act to direct telecoms providers to weaken encryption standards in order to create lawful-access backdoors on their networks;
- that the bill fails to establish a uniform and consistently high threshold for the collection, use, and disclosure of personal information;
- that the Communications Security Establishment may use information that it receives under the Critical Cyber Systems Protection Act for purposes other than cybersecurity (e.g., foreign signals intelligence); and
- that the lack of meaningful privacy law reform in Canada exacerbates the bill’s potential privacy risks.
Order-making powers for the government under Bill C-26
Speaking points
- Bill C-26 would grant the government broad powers to issue orders to compel telecommunications service providers and other designated operators of critical systems to take prescribed steps against cybersecurity threats and vulnerabilities.
- I previously recommended more stringent thresholds and stricter limits on these powers to reduce the risk that they might result in the over-collection or inappropriate use or disclosure of personal information.
- The amended bill incorporates several positive changes in this regard.
- However, an overarching requirement that any collection, use, or disclosure of personal information be necessary and proportionate would further limit the scope of the order-making powers and mitigate their potential privacy impacts.
Background
- Sections 15.1(1) and 15.2(1) of the amended Telecommunications Act (TA) would authorize the Governor in Council (GIC) and the Minister of Industry to prohibit telecommunications service providers (TSPs) from using specified products or services and to direct the removal of specified products or services from their networks or facilities.
- Section 15.2(2) of the amended TA would authorize the Minister to order TSPs to take a range of steps – including to “do a specified thing or refrain from doing a specified thing” – if the Minister believes on reasonable grounds that it is necessary to do so to secure the telecommunications system against any threat.
- Section 20(1) of the Critical Cyber Systems Protection Act (CCSPA) would enable the GIC to issue cybersecurity directions to regulated operators if it has reasonable grounds to believe that it is necessary to do so to protect a critical cyber system.
- SECU amended the bill to restrict these powers, including through the introduction of a reasonable-grounds threshold, a list of factors that must be considered, a requirement for the GIC and the Minister to consult appropriate persons on orders under the TA, a requirement that orders under the TA be reasonable in scope and substance, and a necessity requirement for orders under the CCSPA.
- However, SECU did not adopt our advice to add a requirement that any collection, use, or disclosure of personal information be necessary and proportionate.
Collection and disclosure authorities in Bill C-26
Speaking points
- Bill C-26 would enable several government institutions to collect and share information for the purposes of orders and regulations to secure critical infrastructure from cybersecurity threats and vulnerabilities.
- Although much of this information would likely be technical in nature, personal information falls within scope of the bill’s authorities and may be deemed necessary or relevant in certain circumstances.
- As amended, the bill incorporates several positive changes that mitigate some of its privacy risks. However, an overarching requirement that any collection, use, or disclosure of personal information be both necessary and proportionate would further reduce the risk of over-collection or inappropriate use or disclosure.
Background
- Bill C-26 would enable different federal institutions to collect and share information that is deemed necessary for – or, in some cases, relevant to – the protection of Canadian telecommunications and critical cyber systems in Canada and abroad.
- Notable examples in the Telecommunications Act include s.15.4 [provision of information to the Minister of Industry], s.15.6(1) [exchange of information between federal entities], and s.15.7(1) [disclosure of information to other jurisdictions].
- Notable examples in the Critical Cyber Systems Protection Act (CCSPA) include s.23 [exchange of information between federal entities], s.27(1) [agreements for the exchange of information between jurisdictions], s.28(1) [exchange of information between regulators], and s.29 [requests for information by responsible ministers].
- SECU adopted several amendments to limit some of these authorities, including by adding personal and de-identified information as categories that may be designated as confidential under the amended TA; introducing a necessity requirement for the exchange of information between regulators and ministers under the CCSPA; and narrowing language in certain provisions of the CCSPA (e.g., “if the disclosure is necessary for any purpose related to the protection of”).
- However, other authorities in the bill remain comparatively broad and permissive [e.g., ss. 15.4 and 15.7 (1) of the TA and ss. 27(1) and 29 of the CCSPA].
Information-sharing agreements under Bill C-26
Speaking points
- Bill C-26 would enable certain federal government institutions to share information, potentially including personal information, across provincial and international borders.
- Although the legislation would require written agreements for such disclosures, it stops short of prescribing minimum privacy safeguards.
- To ensure a consistent standard of protection if or when personal information is shared outside Canada, the requirement for written agreements could be expanded to include minimum privacy protections, including appropriate safeguards, retention periods, and limitations on secondary use or onward transfer.
Background
- The amendments to the Telecommunications Act (TA) include an authority to share information with provincial and foreign governments pursuant to a written agreement. Disclosure of information that has been designated as confidential – which may now include personal and de-identified information – would not be authorized under this authority (s.15.7).
- The Critical Cyber Systems Protection Act (CCSPA) would authorize the disclosure of information to provincial and foreign governments under written agreements. Confidential information could be provided to provincial but not to foreign governments (s.27).
- The TA and CCSPA define “confidential information” differently. The TA requires information to be designated as such by regulated parties. Grounds for designation include that the information is personal or de-identified (s.15.5). The CCSPA has a fixed definition that does not require designation. Personal or de-identified information could be included but is not a standalone ground for confidentiality (s.2).
- SECU amended the bill to add personal and de-identified information as categories that may be designated as confidential under the TA, which would exclude them from disclosures to other jurisdictions except in limited circumstances (s.15.5(3)). However, SECU did not make a parallel amendment to the CCSPA.
- Both the TA (s. 15.5) and the CCSPA (s. 26) contain prohibitions on the disclosure of confidential information, subject to limited exceptions, including on consent and where disclosure is deemed necessary for certain cybersecurity-related purposes.
Retention requirements under Bill C-26
Speaking points
- Bill C-26 would enable the collection, use, and disclosure of a range of potentially highly sensitive information for the purposes of orders and regulations to protect critical infrastructure from cybersecurity threats.
- Although it is vital that the government obtains the information it needs to achieve the objectives of the legislation, the absence of limitations on retention creates a risk that information may be kept when it does not meet (or no longer meets) the required threshold.
- Amendments made in the other place would have mitigated this risk by adding rules on retention to the Critical Cyber Systems Protection Act, but those were subsequently deleted from the bill on third reading.
- In my view, the inclusion of rules on retention for any personal information that might be collected, used, or disclosed under the legislation would be privacy-enhancing.
Background
- The Standing Committee on Public Safety and National Security (SECU) added a requirement that any information collected or obtained under s.23(1) of the Critical Cyber Systems Protection Act be retained “only for as long as is necessary” to make, amend, revoke, or verify compliance with orders, and a related requirement to inform designated operators of the retention period. However, these amendments were deleted at third reading. (There is no record of the rationale.)
- During clause-by-clause consideration at SECU, a Bloc Québécois motion to insert a parallel retention requirement in the Telecommunications Act (TA) was defeated; according to a Liberal member, the amendment at s.15.71 to clarify that the Privacy Act (PA) applies was a “cleaner way of achieving the same thing.”
- However, this reference to the PA merely confirms the status quo: it does not impose any obligation to limit retention beyond the requirement at 6(1) of the PA that personal information that has been used by a government institution for an administrative purpose be kept for “such period of time after it is so used as may be prescribed by regulation” (currently two years).
Designation of personal and de-identified information as confidential
Speaking points
- The Standing Committee on Public Safety and National Security (SECU) amended Bill C-26 to add personal and de-identified information as categories that may be designated as confidential under the Telecommunications Act (TA, s.15.5).
- This amendment is privacy-enhancing in that it will require that information designated as confidential be treated as such. For example, with limited exceptions, confidential information is subject to prohibitions on disclosure (s.15.5(2) of the TA).
- By contrast, personal and de-identified information were not added to the definition of “confidential information” in the Critical Cyber Systems Protection Act (CCSPA), where the term relates primarily to vulnerabilities in critical cyber systems, the methods used to defend against them, and commercially sensitive information (s.2).
- Given this, one option the Committee may wish to consider would be a requirement that, to the greatest extent possible, personal and de-identified information be removed prior to any disclosures under the CCSPA.
Background
- The addition of personal and de-identified information as grounds for confidentiality in the TA responds to the recommendation of a coalition of civil liberties groups that also called on SECU to prohibit international disclosures of such information.
- The exceptions to the prohibition on disclosing confidential information largely relate to disclosures within Canada by government actors. However, they could also apply to disclosures to foreign jurisdictions, for example, where the person who designated the information as confidential gives their consent or where necessary to secure the telecommunications system against certain threats (s. 15.5(3)).
- Civil liberties groups have also recommended adding personal and de-identified information as categories of confidential information under the CCSPA, which would bring them under the prohibition on disclosures at s. 26 (subject to exceptions).
- The proposed alternative option to require the removal of personal information prior to making any disclosures under the CCSPA is based on parallel requirements in the US Cybersecurity Information Sharing Act (e.g., s. 103(b)(1)).
Reasonableness vs proportionality
Speaking points
- Although not currently a requirement in federal privacy legislation, my Office has consistently advocated for the threshold of necessity and proportionality for information-sharing. Neither the proposed amendments to the Telecommunications Act nor the Critical Cyber Systems Protection Act would consistently require this dual threshold.
- A key information-collection threshold in the Telecommunications Act amendments is only “reasonable grounds to believe” that information is “relevant” to an order-making or compliance-verification purpose (s. 15.4). The Critical Cyber Systems Protection Act largely requires necessity but not proportionality (ss. 23, 26, and 28).
- I encourage the Committee to consider approaches from other jurisdictions, such as the UK, which allows for information-sharing only where it is “necessary” for specified purposes, as well as “relevant and proportionate” to those purposes (s. 6 of the Network and Information Systems Regulations 2018).
Background
- Reasonable grounds to believe is a common investigative standard that requires an objective basis for a belief based on compelling and credible information.
- Information-sharing thresholds in the Telecommunications Act: s. 15.4 allows the Minister of Industry to compel information they believe on reasonable grounds is relevant for an order-making or compliance-verification purpose. For its part, s. 15.6 of the Act, which allows information-sharing among an enumerated list of government authorities, imposes a necessity threshold.
- Information-sharing thresholds in the Critical Cyber Systems Protection Act: ss. 23 (exchange of information among government actors), 26 (prohibition on disclosure of information), and 28 (disclosure of information by appropriate regulators) all contain a necessity threshold but do not require proportionality. Sections 27 (exchange of information under written agreements) and 29 (collection of information by appropriate regulators) do not require necessity or proportionality.
- Proportionality is absent from the CCSPA, but amendments to the TA order-making power would require that, in scope and substance, orders be “reasonable to the gravity of the threat” (ss. 15.1, 15.2), which is analytically similar to proportionality.
Judicial review
Speaking points
- While cybersecurity directions and orders may be subject to judicial review, judicial review hearings may be held in secret.
- Although Bill C-26 contains unique rules governing judicial reviews, these will be repealed if the bill comes into force by coordinating amendments in Bill C-70, the Countering Foreign Interference Act, which received Royal Assent last June.
- Bill C-70 amended the Canada Evidence Act to create a general scheme to deal with information relating to international relations, national defence or national security in the course of certain “federal proceedings” (Part 2, Division 3).
- The judicial review-related amendments in both bills engage Charter-protected rights such as freedom of expression (s. 2(b)) and the right to make full answer and defence (ss. 7 and 11(d)). From a privacy perspective, they also raise transparency and access issues.
- That said, while I believe the provisions in both bills are defensible given the pressing policy interests, I prefer the broad regime created by Bill C-70 to the narrow one proposed in Bill C-26 (which would apply exclusively to certain cybersecurity orders and directives under the bill).
Background
- Provisions in Bill C-26 (which will be repealed): Rules for judicial review of orders and directions are set out under the proposed s.15.9 of the Telecommunications Act and s.145 of the Critical Cyber Systems Protection Act. They provide for the withholding of information from affected parties, including whether any personal information has been collected, used, or disclosed.
- Bill C-70 amendments: In place of the above, Bill C-70 amended the Canada Evidence Act to establish a regime of general application to govern the disclosure, protection, and use of sensitive or potentially injurious information in administrative proceedings before the Federal Court or Federal Court of Appeal (s. 38.2-38.45).
- Among other things, this regime provides for special counsel, whose role is to protect the interests of non-governmental parties when proceedings are subjected to heightened secrecy (ss. 38.34-38.35).
Public and private-sector breach-reporting obligations
Speaking points
- Private-sector organizations subject to PIPEDA are required to report privacy breaches to the OPC when there is a real risk of significant harm to an individual.
- Conversely, federal institutions subject to the Privacy Act are required to report such breaches only under Treasury Board policy. I have therefore recommended that breach-reporting obligations be given the force of law under a modernized Privacy Act.
- Increasingly, third-party organizations that provide services to both the public and private sectors (e.g., IT and cloud storage, relocation, etc.) are being targeted in cyber-attacks that can have a cascading impact on multiple client organizations. This was the case, for example, with the BGRS Sirva breach and the MOVEit and GoAnywhere incidents.
- My Office is concerned that, under PIPEDA, service providers have often not reported privacy breaches directly to the OPC and that this has resulted in less overall transparency. We have recommended a more explicit reporting obligation for service providers in Bill C-27.
Background
- Under section 4.2.12 of the TBS Policy on Privacy Protection, federal organizations subject to the Privacy Act must report material privacy breaches to the OPC within 7 days of determining that a breach is material [“material privacy breach” defined as one that could reasonably be expected to create a real risk of significant harm to an individual].
- Under section 10.1(1) of PIPEDA, organizations must report breaches to the OPC as soon as feasible after determining that there is a real risk of significant harm (RROSH) to an individual. RROSH is assessed based on the sensitivity of the personal information and the probability that it has been or will be misused.
- The OPC continues to see a significant gap between the public and private sectors when it comes to the reporting of privacy breaches involving cyber incidents. In 2023-24, the OPC received 321 cyber-incident breach reports from the private sector but only 37 from federal institutions, 33 of which related to a single incident at a government relocation service provider (BGRS).
Breach trends and statistics
Speaking points
- Reports of privacy breaches received by my Office are on the rise, including breaches caused by cyber incidents.
- In 2023-24, the OPC received 561 breach reports from institutions covered by the Privacy Act and 693 under PIPEDA (1,254 total), which together represents a 28% increase over the previous year.
- Privacy breaches reported in 2023-24 affected close to 25 million Canadian accounts, twice as many as in the previous year.
- In the first six months of 2024-25, the OPC saw a 15% increase in total breach reports received from the public and private sectors combined compared to the same period last year, if we exclude the roughly 31,000 CRA incidents reported in one breach report in May 2024.
- With respect to cyber incidents in sectors that are in the purview of Bill C-26, we have received 26 breach reports to date this year and 107 total reports since 2022. These 107 reports represent 14% of all cyber incidents reported to our office under PIPEDA since 2022.
Background
Breaches reported to the OPC

| Fiscal year | PIPEDA | PA    | Total | Reported critical infrastructure cyber incidents / all PIPEDA cyber incidents |
| 2024-25*    | 354    | 370   | 724   | 26 / 170 (15%)                                                                |
| 2023-24     | 693    | 561   | 1,254 | 34 / 321 (11%)                                                                |
| 2022-23     | 681    | 298   | 979   | 47 / 274 (17%)                                                                |
| Total       | 1,728  | 1,229 | 2,957 | 107 / 765 (14%)                                                               |

*As of September 30, 2024
- Critical infrastructure as defined in Bill C-26 includes telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems that are within the legislative authority of Parliament, banking systems, and clearing and settlement systems.
Privacy breaches at the Canada Revenue Agency (CRA)
Speaking points
- In May 2024, the Canada Revenue Agency reported over 31,000 cyberattack-related privacy breaches to my Office.
- The breaches allegedly took place over an extended period of time, with some dating back to 2020.
- Since receiving the breach report, the OPC has been engaging with the CRA on an ongoing basis to find out more about their response and to inform our next steps. The agency has been collaborative.
- On October 29, after receiving a complaint, I launched an investigation into privacy breaches at the Canada Revenue Agency. The investigation relates to cyberattacks that led to more than 31,000 privacy breaches, some dating back to 2020.
- Federal government departments and agencies hold sensitive personal information about millions of Canadians, making them attractive targets for cyberattacks. That is why the OPC expects them to have robust safeguards and adequate breach-response processes in place.
Background
- The investigation, which was launched following the receipt of a complaint, will examine whether the CRA met its obligations under the Privacy Act.
- Federal institutions are required to report breaches under Treasury Board Secretariat policies and directives, notably section 4.2.12 of the Policy on Privacy Protection; breach reporting is not currently a legal requirement under the Privacy Act itself.
- The Compliance sector has held several meetings with the CRA to better understand the breaches and to seek clarifications on CRA’s process to notify affected individuals and their ongoing remediation and mitigation efforts.
Impact of Bill C-26 on CRA breaches
Speaking points
- The Critical Cyber Systems Protection Act (CCSPA) aims to protect cyber systems that, if compromised, could affect the continuity or security of telecoms, banking, energy, transport, and other vital systems and services that are within the legislative authority of Parliament.
- While the CCSPA would not apply to federal organizations like the Canada Revenue Agency, they are required to report material privacy breaches to the OPC and to the Treasury Board Secretariat (TBS) under section 4.2.12 of the TBS Policy on Privacy Protection.
- My office recently launched an investigation into the CRA in connection with cyber attacks that have reportedly led to more than 31,000 privacy breaches, some dating back to 2020. As the investigation is ongoing, I am not able to comment further at this time.
Background
- The CCSPA is concerned with cyber systems that are of such critical importance to other vital systems and services that their disruption could have serious consequences for national security or public safety.
- The CCSPA authorizes the GIC to designate services or systems in federally regulated sectors as “vital” and to establish classes of operators in respect of such systems and services that will be subject to the Act (“designated operators”) (s. 6).
- Under section 17 of the CCSPA, designated operators would be required to report cybersecurity incidents to the Communications Security Establishment within a period prescribed by regulation (not to exceed 72 hours).
- Under section 18, designated operators would also have to notify the regulatory authority that oversees their sector (e.g., the Minister of Industry, the Minister of Transport, the Superintendent of Financial Institutions, the Bank of Canada, the Canadian Nuclear Safety Commission, or the Canadian Energy Regulator).
- As set out in Schedule 1 of the CCSPA, the vital systems and services currently in scope include (1) telecommunications services, (2) interprovincial or international pipeline and power line systems, (3) nuclear energy systems, (4) transportation systems, (5) banking systems, and (6) clearing and settlement systems.
- Many operators designated under the CCSPA would also be subject to PIPEDA’s breach-reporting obligations (s.10.1), but the OPC has no role under the CCSPA.
International comparisons
Speaking points
- Some cybersecurity regimes in other jurisdictions have privacy-protective elements that Bill C-26 lacks. For example:
- Regulatory collaboration: Under Article 35 of the EU’s Directive on measures for a high common level of cybersecurity across the Union (NIS2), when cybersecurity enforcement authorities become aware of a cyber incident that may entail a personal data breach, they must notify data protection authorities. Bill C-26 does not provide for a comparable level of regulatory collaboration.
- Clear necessity and proportionality threshold: In the UK, the Network and Information Systems Regulations (2018) require that cybersecurity-related information-sharing between enforcement authorities be necessary, relevant, and proportionate. Bill C-26 does not consistently establish a similarly high threshold.
- Guidance requirements: Under the US Cybersecurity Information Sharing Act (CISA), the Attorney General and Department of Homeland Security must publish binding guidelines that address privacy and other civil liberties (s.105). Incorporating a mandatory requirement for public-facing guidance in Bill C-26 could promote compliance and reduce privacy risks.
- Enhanced privacy protections: The US’s CISA also has other privacy-protective features that would improve Bill C-26, including requirements that the use, retention, and disclosure of cyber-threat information be limited to statutorily defined purposes (ss. 103 to 105) and a requirement for federal and non-federal entities to remove personal information before sharing cyber-threat information (ss. 103 and 104).
Background
- Guidance requirements: Although Bill C-26 does not provide for guidance, s.24(d) of PIPEDA would provide some scope for the OPC to create non-binding guidance.
Provincial and territorial cybersecurity legislation
Speaking points
- Cybersecurity crosses federal and provincial jurisdictional lines. Some provinces have enacted or proposed cybersecurity legislation, although none as comprehensive as Bill C-26.
- In 2022, Québec passed the Loi sur le Ministère de la Cybersécurité et du Numérique. Under this law, the new Minister has a policy coordination role for cybersecurity and digital technology.
- In Ontario, Bill 194 was recently introduced in the Legislative Assembly and has been referred to committee. Schedule 1 of the bill would enact the Enhancing Digital Security and Trust Act, 2024, which contains regulation-making and Ministerial directive authorities relating to cybersecurity in the public sector (ss. 2-4).
Background
- According to its annual report, in the 2023-2024 fiscal year, two broad cybersecurity-related objectives of Québec’s Ministère de la Cybersécurité et du Numérique were (1) to combat ransomware attacks by promoting cybersecure practices; and (2) to increase the level of protection against cyberattacks directed at the government.
- On October 29, 2024, Ontario’s Bill 194 was referred to the Standing Committee on Justice Policy. It was also the subject of a June 24, 2024, written submission from Ontario’s Information and Privacy Commissioner (IPC).
- With respect to the cybersecurity component of Bill 194, the IPC made the following broad recommendations:
- Align the bill with C-26 by defining core cybersecurity requirements in the legislation (rather than in regulations or directives);
- Require IPC notification in the case of cybersecurity incidents that involve, or may involve, personal information; and,
- Establish a ministerial reporting requirement (for the Minister of Public and Business Service Delivery).