Consolidated issue sheets on Bill C-8
Previous OPC recommendations on Bill C-26
Speaking points
- When I appeared on Bill C-26, I offered a number of recommendations intended to help mitigate some of its potential privacy risks, including:
- an overarching requirement that any collection, use, or disclosure of personal information be both necessary and proportionate (or, alternatively, requirements that such information be retained for no longer than is strictly necessary);
- prescribed minimum privacy-protective safeguards in agreements for sharing information with other jurisdictions; and,
- that my Office be notified (potentially by the Communications Security Establishment) of cyber incidents involving a material privacy breach, with a view to greater regulatory collaboration.
Background
- Many of Bill C-8’s collection and disclosure authorities impose a threshold of necessity (e.g., CCSPA s.28(1)); others are based on relevance (e.g., TA ss.15.4 and 15.7(1)) or a mixed threshold (e.g., CCSPA s.23(1)). A more consistent standard of necessity and proportionality would help reduce the risk that personal information may be over-collected or inappropriately used or shared.
- At committee stage, the CCSPA was amended to require that any information collected or obtained under s.23(1) be retained “only for as long as is necessary” for the purposes of orders. However, this language was deleted on third reading. (A motion to insert a parallel requirement in the TA was not adopted.)
- Following your November 2024 appearance at SECD on C-26, Senator Denise Batters (CPC) moved an amendment to require the CSE to share reports of cybersecurity incidents with our office that may involve a material privacy breach.
- In response, the bill’s Senate sponsor argued that operators must already report such incidents to the OPC under s. 10.1(1) of PIPEDA; that incident reports are likely to be highly technical and of little use to the OPC; and that the requirement could undermine the CSE’s role as a neutral adviser and thus discourage operators from reporting incidents. The motion was defeated on division.
- Although PIPEDA already contains breach-notification requirements, an authority for the OPC to receive information on privacy-impactful cyber incidents could allow our office to gain insight into systemic privacy risks faced by operators of vital systems and services.
Lead: PRPA
OPC views on amendments to Bill C-26
Speaking points
- The previous Parliament adopted several substantive amendments to the former Bill C-26 that helped achieve a better balance between its cybersecurity objectives and privacy rights and interests.
- I am pleased to see that Bill C-8 incorporates all of these improvements, including the additional guardrails on the proposed order-making powers and the notification and reporting obligations.
- However, Bill C-8 has also inherited some of Bill C-26’s privacy risks, such as the lack of a consistent standard of both necessity and proportionality wherever personal information may be collected, used, or disclosed.
Background
- Notable privacy-related amendments to Bill C-26 (and retained in Bill C-8) include:
- additional safeguards on GIC and ministerial orders under the TA, including a threshold of reasonable belief (ss.15.1(1) and 15.2(1)), a requirement to consult appropriate persons before orders are made (ss.15.1(1) and 15.2(1)), a requirement that orders be reasonable in scope and substance relative to the gravity of the threat (ss.15.1(2) and 15.2(3)), a list of factors that must be considered when making orders (ss.15.1(4) and 15.2(6)), new reporting requirements (s.15.21), and an obligation to notify the National Security and Intelligence Committee of Parliamentarians (NSICOP) and the National Security and Intelligence Review Agency (NSIRA) of any order containing a provision that would limit or prohibit its disclosure (ss.15.22);
- additional safeguards on GIC directions made under the CCSPA, notably a threshold of reasonable belief that the order is necessary (s.20(1)), a list of factors that must be considered (s.20(3)), an obligation to notify the NSICOP and NSIRA of any order (s.20(5)), and expanded reporting requirements (ss.147(2) and (3));
- the addition of personal and de-identified information as categories that may be designated as confidential under the TA s.15.5(1), which affords additional protections to information that has been designated as such, including an exclusion from international disclosures under s.15.7(1);
- new language to clarify that confidential information collected or obtained under the legislation must be treated as such (ss. 15.6(2) of the TA; s.23(2) of the CCSPA); and,
- the insertion of references to the Privacy Act in the TA to confirm its applicability (s.15.71) and in the preamble to the CCSPA to establish privacy as a guiding principle for interpretation.
Lead: PRPA
Scope and objectives of Bill C-8
Speaking points
- The OPC supports the objective of Bill C-8 to protect systems and services that are vital to national security or public safety from cybersecurity threats and vulnerabilities.
- Stronger cybersecurity protections can also promote privacy by reducing the likelihood and impact of breaches involving personal data.
- At the same time, new powers and authorities granted in the name of cybersecurity must be appropriately scoped and subject to suitable guardrails in order to limit the risk of unintended privacy impacts.
- Several amendments to the former Bill C-26 were adopted in this spirit, but C-8’s potential privacy impacts could be further mitigated through the addition of an overarching necessity and proportionality requirement for any collection, use, or disclosure of personal information.
Background
- Like Bill C-26, Part 1 of Bill C-8 would amend the Telecommunications Act (TA) to add promoting the security of Canada’s telecommunications system as a policy objective and to provide the GIC and Minister of Industry with order-making powers to that end.
- It would also amend the TA to create new authorities for the collection and disclosure of information by the Ministers of Industry, Public Safety, Foreign Affairs and National Defence, the Chief of the Defence Staff, the Communications Security Establishment, CSIS, and the CRTC.
- Part 2 would enact the Critical Cyber Systems Protection Act (CCSPA), which would authorize the GIC to designate certain services or systems in federally regulated sectors as “vital”; to identify classes of operators that would be subject to cybersecurity directions and regulations; to issue cybersecurity directions; and to require designated operators to establish and implement cybersecurity programs, mitigate supply-chain risks, and report cybersecurity incidents.
- The systems and services in scope of the Act include telecommunications, interprovincial or international pipe and power lines, nuclear energy, transportation, banking, and clearing and settlement (i.e., of payment obligations).
- The bill also establishes a framework for enforcement and compliance, including powers of entry, recordkeeping requirements, administrative monetary penalties (AMPs), and rules for judicial review.
Lead: PRPA
Privacy risks that persist in Bill C-8
Speaking points
- Just as Bill C-8 incorporates all of the amendments that were made to Bill C-26 in the last Parliament, it has also inherited some of its privacy risks.
- Developments since C-26 was first introduced have also brought other risks into focus, including the possibility that government orders under Bill C-8 might compromise electronic data protections.
Background
Notable privacy-related risks in Bill C-8 include:
- Inconsistent thresholds for certain powers and authorities with potential privacy implications. In contrast to the TA, where orders must be “reasonable” in scope and substance relative to the gravity of the threat, there is no proportionality requirement for GIC directions under the CCSPA (s.20(1)). Certain collection and disclosure authorities also remain broad (e.g., TA s.15.4, which would allow the Minister of Industry to compel any information that the Minister believes on reasonable grounds is “relevant” for the purposes of orders or regulations).
- Challenges for oversight and accountability. Bill C-8 sets out information-sharing authorities that require written agreements for disclosures to other jurisdictions (TA s.15.7(1); CCSPA s.27(1)), but the lack of more prescriptive content requirements creates a risk that personal information may be inappropriately shared onward or otherwise improperly used or managed by recipients. The bill’s notification and reporting requirements (TA ss.15.21 and 15.22; CCSPA ss.20(5) and 147) help mitigate its transparency issues, but the confidentiality provisions (TA ss.15.1(3) and 15.2(5); CCSPA s.24) may pre-empt privacy complaints in that individuals cannot seek remedies without knowledge of a potential rights violation.
- Missed opportunities for regulatory collaboration with the OPC. Bill C-8 imposes reporting obligations on designated operators (CCSPA ss.17-18) but would not enable regulators and other oversight bodies to coordinate and share information with the OPC where it might be necessary for the Office to effectively carry out its mandate.
- Systemic vulnerabilities as a result of government orders. The ministerial order-making powers in Part 1 (s.15.2(2)) would enable the Minister of Industry to direct telcos to “do a specified thing or refrain from doing a specified thing” in order to secure the Canadian telecommunications system. Despite the guardrails on these powers, they could result in orders that deliberately or incidentally compromise electronic data protections. (For example, the UK government has reportedly demanded that Apple create a “backdoor” in its encrypted cloud-storage service).
Lead: PRPA
Collection and disclosure authorities in Bill C-8
Speaking points
- Bill C-8 would enable several government institutions to collect and share information for the purposes of orders and regulations to secure critical infrastructure from cybersecurity threats and vulnerabilities.
- Although much of this information would likely be technical, personal information falls within the scope of the bill’s authorities and may be deemed necessary or relevant in certain circumstances.
- Bill C-8 includes safeguards that help mitigate some of its privacy risks. However, a consistent standard or an overarching requirement that any collection, use, or disclosure of personal information be both necessary and proportionate would further reduce the risk of over-collection or inappropriate use or disclosure.
Background
- Bill C-8 would enable different federal institutions to collect and share information that is deemed necessary for – or, in some cases, relevant to – the protection of Canadian telecommunications and critical cyber systems in Canada and abroad.
- Notable examples in the Telecommunications Act include s.15.4 [provision of information to the Minister of Industry], s.15.6(1) [exchange of information between federal entities], and s.15.7(1) [disclosure of information to other jurisdictions].
- Notable examples in the Critical Cyber Systems Protection Act (CCSPA) include s.23(1) [exchange of information between federal entities], s.27(1) [agreements for the exchange of information between jurisdictions], s.28(1) [exchange of information between regulators and the Minister of Public Safety or the responsible minister], and s.29 [requests for information by regulators].
- The previous Parliament adopted several amendments to Bill C-26 that limit some of these authorities, including the addition of personal and de-identified information as categories that may be designated as confidential under the amended TA (s.15.5(1)); a necessity requirement for the exchange of information between regulators and ministers under the CCSPA (s.28(1)); and narrower language in certain provisions of the CCSPA (e.g., s.26(1)(d): “if the disclosure is necessary for any purpose related to the protection of vital services […]”).
- However, other informational authorities in the bill remain comparatively broad, notably, ss.15.4 and 15.7(1) of the TA and ss.27(1) and 29 of the CCSPA.
Lead: PRPA
Order-making powers in Bill C-8
Speaking points
- Bill C-8 would grant the government broad powers to order telecommunications-service providers and other designated operators of critical cyber systems to take prescribed steps against certain cyber threats or vulnerabilities.
- I previously recommended more stringent thresholds and stricter limits on these powers to reduce the risk that they might result in the over-collection or inappropriate use or disclosure of personal information.
- Bill C-8 retains several positive changes to Bill C-26 in this regard, but I believe additional amendments would further mitigate the potential privacy impacts of its powers and authorities, including a consistent standard of necessity and proportionality.
Background
- Sections 15.1(1) and 15.2(1) of the Telecommunications Act (TA) would authorize the GIC and the Minister of Industry to prohibit telcos from using specified products or services or to direct their removal from their networks or facilities.
- Section 15.2(2) of the TA would authorize the Minister to order telcos to take a range of steps – including to “do a specified thing or refrain from doing a specified thing” – if the Minister believes on reasonable grounds that it is necessary to do so to secure the telecommunications system against any threat.
- Section 20(1) of the Critical Cyber Systems Protection Act (CCSPA) would enable the GIC to issue cybersecurity directions to regulated operators if it has reasonable grounds to believe that it is necessary to do so to protect a critical cyber system.
- The previous Parliament adopted a number of amendments to impose guardrails on these order-making powers, including higher thresholds, a list of factors that must be considered, notification obligations, and expanded reporting requirements.
- However, our previous recommendation for a more uniform, consistent standard requiring that any collection, use, or disclosure of personal information be both necessary and proportionate was not adopted.
- To the extent that orders could compromise network security, a prohibition on introducing “systemic vulnerabilities in electronic protections” (modelled on the Supporting Authorized Access to Information Act in Bill C-2) could help mitigate this risk.
Lead: PRPA
Reasonableness vs proportionality
Speaking points
- Necessity and proportionality are core principles for the handling of personal information that help to ensure that measures are both justified and not excessive. Many of the proposed information sharing authorities in Bill C-8 do not have these thresholds.
- A key threshold for collection in the Telecommunications Act amendments is that there must be “reasonable grounds to believe” that information is “relevant” to an order-making or compliance-verification purpose (s. 15.4). The Critical Cyber Systems Protection Act largely requires necessity but not proportionality (ss. 23, 26, and 28).
- I encourage the Committee to consider approaches from other jurisdictions, such as the UK, which allow for information sharing only when it is both “necessary” for specified purposes, as well as “relevant and proportionate” to those purposes (s. 6 of the Network and Information Systems Regulations 2018).
Background
- Information-sharing thresholds in the Telecommunications Act: section 15.4 allows the Minister of Industry to compel information they believe on reasonable grounds is relevant for an order-making or compliance-verification purpose. “Reasonable grounds to believe” is a common investigative standard that requires an objective basis for a belief based on compelling and credible information. By contrast, section 15.6(1) of the Act, which allows information-sharing among listed government authorities, imposes a necessity threshold.
- Information-sharing thresholds in the CCSPA: sections 23 (exchange of information among government actors), 26 (prohibition on disclosure of information), and 28 (disclosure of information by appropriate regulators) all contain a necessity threshold but do not require proportionality. Neither sections 27 (exchange of information under written agreements) nor 29 (collection of information by appropriate regulators) require necessity or proportionality.
- Proportionality is absent from the CCSPA, but amendments to the TA order-making power would require that, in scope and substance, orders be “reasonable in relation to the gravity of the threat” (sections 15.1(2) and 15.2(3)), which is analytically similar to proportionality.
Lead: Legal
Confidentiality (non-disclosure) requirements in Bill C-8
Speaking points
- Legislation dealing with matters of national security must strike an appropriate balance between confidentiality and transparency.
- The previous Parliament adopted important amendments to Bill C-26 with this in mind, including an obligation to notify the National Security and Intelligence Committee of Parliamentarians (NSICOP) and the National Security and Intelligence Review Agency (NSIRA) of confidential orders, as well as expanded reporting requirements.
- Orders are also subject to judicial review, including new rules under the Canada Evidence Act for secure administrative review proceedings.
Background
- Some stakeholders have expressed concerns that the non-disclosure provisions in Bill C-8 would enable the government to issue secret orders with no oversight or accountability.
- More specifically, ss.15.1(3) and 15.2(5) of the Telecommunications Act (TA) would allow the government to include provisions in orders prohibiting the disclosure of their existence or of some or all of their contents. However, s.15.22 would require the government to notify NSICOP and NSIRA of any such orders within 90 days.
- S.15.21 of the TA also sets out robust reporting obligations, including on the number and nature of orders, the number of telcos affected, a description of their compliance, and an explanation of “necessity, reasonableness, and utility.”
- S.24 of the Critical Cyber Systems Protection Act would prohibit operators from disclosing cybersecurity directions, but the Act contains a parallel obligation to notify NSICOP and NSIRA (s.20(5)) and similar reporting obligations (s.147).
- Bill C-70, which received royal assent in June 2024, amended the Canada Evidence Act to create a general scheme to deal with information relating to international relations, national defence, or national security in the course of federal court proceedings, which would apply to applications for judicial review under Bill C-8.
- In consideration of fairness and the principles of natural justice, this scheme allows for the appointment of a special counsel to protect the interests of non-governmental parties when sensitive information and other evidence is presented, or when representations are made in private and in the absence of the non-governmental party and their counsel.
Lead: PRPA
Information-sharing agreements under Bill C-8
Speaking points
- Bill C-8 would enable certain federal government institutions to share information, potentially including personal information, amongst themselves and across provincial or international borders.
- If information compelled by the Minister under the Telecommunications Act is designated as confidential by the party providing it, sharing pursuant to a written agreement under the Act would not be allowed. One of the grounds for designating information as confidential is that it contains personal or de-identified information. Formal agreements would be required for intergovernmental sharing, but the bill does not prescribe privacy safeguards for such agreements.
- To ensure a consistent standard of privacy protection if or when personal information is shared outside Canada, the legislation could establish minimum privacy requirements for written agreements, including appropriate safeguards, retention periods, and limitations on secondary use and onward transfer.
Background
- Bill C-8 does not require written agreements for exchanges of information between authorized persons or entities within the federal government (which is a requirement under s.4.2.33 of the TBS Directive on Privacy Practices).
- Part 1 of Bill C-8 would allow the Minister of Industry to share information related to telecommunications security with provincial or foreign governments, but only under a written agreement (section 15.7(1)). Subject to limited exceptions (including with consent and where necessary for cybersecurity-related purposes), disclosures of information designated as confidential would be prohibited.
- In parallel, the Critical Cyber Systems Protection Act (CCSPA) requires written agreements for the sharing of relevant information with provincial or foreign governments (s.27(1)). Subject to similar exceptions, disclosures of confidential information to foreign (but not provincial) governments would be prohibited.
- The TA and CCSPA define “confidential information” differently. The TA allows different categories of information – including personal and de-identified information – to be designated as such (s.15.5(1)). The CCSPA has a fixed definition related to system vulnerabilities and proprietary or commercially sensitive information (s.2).
- Neither the TA nor the CCSPA’s requirements for information-sharing agreements prescribe minimum privacy safeguards.
Lead: PRPA
Judicial review
Speaking points
- I am aware that Bill C-8 would require a judge in a judicial review proceeding to return and keep confidential any information that the Minister withdraws from the proceeding, and that the judge would be prohibited from basing their decision on that withdrawn information.
- Those provisions, together with recent amendments made to the Canada Evidence Act by Bill C-70, the Countering Foreign Interference Act, appear intended to address the so-called “intelligence and evidence” problem, highlighted most recently by NSICOP in its special report on lawful access.
- Others are likely better placed to comment on whether the provisions in C-8 strike the right balance with respect to civil liberties and procedural fairness. However, I would note that these provisions only apply in a relatively limited, cybersecurity-related context.
Background
- Bill C-8 would require judges in judicial review proceedings to return to the Minister and keep confidential any evidence or other information that they determine is not relevant, or that the Minister withdraws. In either case, judges would be prohibited from basing their decisions on that evidence or information (Telecommunications Act, ss. 15.9-15.91; Critical Cyber Systems Protection Act, ss. 145-146).
- Bill C-70 amended the Canada Evidence Act (CEA) to establish a regime governing the disclosure, protection, and use of sensitive or potentially injurious information in certain “federal proceedings” before the Federal Court and Federal Court of Appeal (CEA, ss. 38.2-38.45).
- The “intelligence and evidence” problem refers to the risk of unauthorized disclosure of sensitive collection techniques, confidential sources or intelligence shared from foreign partners in court proceedings. NSICOP has repeatedly called on the government to address the problem (NSICOP foreign interference report (June 2024), paras. 106, 153, 180; NSICOP lawful access report (September 2025), paras. 178-181).
Lead: Legal
Charter compliance of Bill C-8
Speaking points
- While my office’s focus is on federal privacy legislation, the Charter is also an important source of privacy rights, especially the right to be secure against unreasonable search/seizure guaranteed by section 8.
- Bill C-8 would create new inspection powers (in the Critical Cyber Systems Protection Act) and amend existing ones (in the Telecommunications Act).
- Warrantless search powers can engage section 8 of the Charter. However, these powers would be used in the context of compliance verification rather than criminal investigations. They are therefore unlikely to contravene section 8 of the Charter.
- Nevertheless, additional privacy protections, such as independent review and oversight, could improve transparency.
Background
- The Department of Justice’s Charter Statement for Bill C-8 was published on September 26, 2025. It found that the bill’s powers to require the production of information and to collect and share information within the federal government and with outside entities potentially engage, but are likely consistent with, s. 8 of the Charter.
- Broadly speaking, the basis for this conclusion was the regulatory (rather than criminal) context, the use of the “reasonable grounds to believe” threshold, the technical nature of much of the information in question, and the fact that there were limits on onward information sharing.
- For the new inspection powers under the Critical Cyber Systems Protection Act (CCSPA), the threshold for authorizing a warrantless search is “reasonable grounds to believe” that a regulated activity is taking place. Inspections must also be for the purpose of verifying compliance or preventing non-compliance (ss. 32, 41, 50, 59, 68 and 78).
- The CCSPA does not provide for judicial oversight or for a review process for warrantless inspections (although these are uncommon in inspection regimes).
Lead: Legal
Effect of references to the Privacy Act in Bill C-8
Speaking points
- In addition to adopting its definition of “personal information,” Bill C-8 incorporates two explicit references to the Privacy Act.
- The reference in Part 1 confirms that the Act applies (for greater certainty), while the reference in the preamble to Part 2 establishes privacy as a guiding principle for interpreting and administering the Critical Cyber Systems Protection Act.
- However, these references do not in and of themselves create new, positive privacy obligations on the government.
- Although beyond the purview of this committee, it also bears repeating that the Privacy Act has not been substantively updated in 40 years.
Background
- The previous Parliament adopted several privacy-related amendments to Bill C-26, including a “for-greater-certainty” clause (s.15.71) clarifying that the Privacy Act (PA) applies to the order-making powers and the collection and disclosure authorities in the Telecommunications Act (ss.15.1, 15.2, and 15.4 to 15.7).
- It also adopted a reference to the PA in the preamble to the proposed Critical Cyber Systems Protection Act to foreground “the necessity to protect the privacy of Canadians with respect to their personal information in accordance with the Privacy Act.”
- Although Bill C-8 retains both of these changes, they are not a substitute for meaningful privacy safeguards, which should be considered in the context of Privacy Act reform.
Lead: PRPA
Lack of retention requirements in Bill C-8
Speaking points
- Bill C-8 would enable the collection, use, and disclosure of a range of potentially highly sensitive information for the purposes of orders and regulations to protect critical infrastructure from cybersecurity threats.
- Although it is vital that the government obtains the information it needs to achieve the objectives of the legislation, the absence of limitations on retention creates a risk that information may be kept when it does not meet, or no longer meets, the required threshold.
- Amendments proposed to Bill C-26 would have mitigated this risk by adding rules on retention to the Critical Cyber Systems Protection Act, but those were subsequently deleted on third reading.
- In my view, the inclusion of rules on retention for any personal information that might be collected, used, or disclosed under the legislation would be privacy-enhancing.
Background
- The Standing Committee on Public Safety and National Security (SECU) added a requirement that any information collected or obtained under s.23(1) of the Critical Cyber Systems Protection Act be retained “only for as long as is necessary” to make, amend, revoke, or verify compliance with orders, and a related requirement to inform designated operators of the retention period. However, these amendments were deleted at third reading. (There is no record of the rationale.)
- During clause-by-clause consideration at SECU, a Bloc Québécois motion to insert a parallel retention requirement in the Telecommunications Act was defeated; according to a Liberal member, the amendment at s.15.71 to clarify that the Privacy Act (PA) applies was a “cleaner way of achieving the same thing.”
- However, this reference to the PA merely confirms the status quo: it does not impose any obligation to limit retention beyond the requirement at s.6(1) of the PA that personal information that has been used by a government institution for an administrative purpose be kept for “such period of time after it is so used as may be prescribed by regulation” (currently two years).
Lead: PRPA
Risk of “systemic vulnerabilities”
Speaking points
- There is a possibility that orders under the Telecommunications Act or the Critical Cyber Systems Protection Act could impose requirements on operators that might compromise electronic data protections.
- The proposed Supporting Authorized Access to Information Act in Bill C-2 recognizes this risk by including exemptions for service providers with respect to orders or regulations that might require them to implement – or to refrain from addressing – “systemic vulnerabilities.”
- Given the potential privacy implications of such vulnerabilities, an analogous safeguard in Bill C-8 could help mitigate the related risks.
Background
- Since Bill C-26 was first introduced, certain developments have underlined the risk that cybersecurity-related orders or regulations could, paradoxically, impose requirements that compromise information and communications security.
- For example, a significant breach of US telecommunications networks by state-sponsored Chinese hackers that first came to light in October 2024 was reportedly carried out in part by way of systems designed to provide law-enforcement and intelligence agencies access to user data under the US Communications Assistance for Law Enforcement Act (CALEA).
- The Government’s proposed Supporting Authorized Access to Information Act (SAAIA) in Bill C-2, which would require electronic service providers to have the technical and operational capabilities to enable authorized persons under the Criminal Code or the CSIS Act to access or intercept information and communications, recognizes this risk by including exemptions with respect to orders or regulations that might result in “systemic vulnerabilities.”
- More specifically, despite any order or regulation under the SAAIA, electronic service providers would not be required to comply with any requirement to introduce or refrain from addressing a “systemic vulnerability” (ss.5(3), 7(4)). This term is not defined in the statute but could be in regulations (s.46(1)(c)).
- These exemptions are modelled on similar provisions in Australia’s Telecommunications Act 1997, which defines “systemic vulnerability” to include building new decryption capability and weakening encryption.
Lead: PRPA
OPC role under Bill C-8
Speaking points
- Bill C-8 does not provide a role for the OPC, but we have jurisdiction over the handling of personal information by both the federal government and the private sector.
- In addition to their reporting obligations under the Critical Cyber Systems Protection Act, designated operators subject to PIPEDA will still need to report breaches of security safeguards involving personal information to my Office when there is a real risk of significant harm.
- However, we remain concerned about the likelihood of under-reporting.
- Although Bill C-8 would require operators to report incidents to the Communications Security Establishment and allows for the exchange of information between regulators, the responsible ministers, and the Minister of Public Safety, there is no mechanism to notify my Office of incidents involving a material privacy breach.
Background
- Given Bill C-8’s objective to protect federally regulated critical infrastructure from cyber threats that may have little or no connection with personal information, a broad role for the OPC would likely stray beyond the Office’s mandate.
- Nothing in Bill C-8 would limit our powers to investigate breaches, just as nothing would detract from PIPEDA’s breach-reporting requirements.
- Some of the conduct provided for in Bill C-8 would fall within the purview of the National Security and Intelligence Review Agency (NSIRA), which has a mandate to review any activity carried out by a department that relates to national security or intelligence (s.8(1) of the NSIRA Act). The OPC and NSIRA are authorized to coordinate their respective investigative activities under ss.37(5) of the Privacy Act and 15.1(1) of the NSIRA Act.
- Bill C-8 would ensure that NSIRA and NSICOP are notified of confidential orders and all cybersecurity directions (ss.15.22 and 20(5)). The government could also consult the OPC on orders or regulations with privacy implications, but it would be under no obligation to do so.
- In contrast to Bill C-8, article 35 of the EU Directive on measures for a high common level of cybersecurity across the Union (“NIS2”) requires cybersecurity enforcement authorities to notify data-protection authorities when they become aware of a cyber incident that may entail a personal data breach.
Lead: PRPA
OPC role with respect to cybersecurity
Speaking points
- The protection of personal information increasingly relies on the security of digital systems and infrastructure. Cybersecurity incidents affecting such systems can have significant privacy impacts when they result in unauthorized access to or disclosures of personal information.
- My Office has an important role to play in ensuring that organizations subject to PIPEDA and the Privacy Act take adequate steps to prevent privacy breaches and to respond appropriately when they occur.
- In parallel, we must also assess whether measures taken to enhance cybersecurity may have unintended privacy impacts.
- I face several challenges in carrying out these functions, including a lack of order-making powers, the absence of a legal requirement for organizations to complete PIAs and to consult my Office, and – with limited exceptions – no explicit authority to collaborate and share information with other federal regulators and oversight bodies.
Background
- The cybersecurity role of the OPC is primarily focused on incidents that involve unauthorized access to or disclosures of personal information. In some cases, the OPC may undertake an investigation to determine whether affected organizations were in compliance with their obligations under PIPEDA or the Privacy Act (PA).
- Although the OPC does not have a formal guidance role under the PA, TBS policy requires government organizations to notify us and provide approved PIAs for any planned initiatives that implicate personal information (which could include new programs or activities to bolster cybersecurity).
- Pursuant to our guidance role under PIPEDA, the OPC has developed and published information on how to guard against certain cybersecurity threats (e.g., malicious software, spam, identity theft, etc.).
- The OPC has the authority to coordinate its investigative activities under the Privacy Act with those of the National Security and Intelligence Review Agency to avoid any duplication of work, and, in the context of Canada’s Anti-Spam Legislation, with the CRTC and the Competition Bureau.
Lead: PRPA
International comparators
Speaking points
- Some cybersecurity regimes in other jurisdictions have privacy-protective elements that Bill C-8 lacks.
- In particular, other regimes provide for greater regulatory collaboration in responding to cyber incidents; necessity and proportionality as a threshold requirement for information sharing; mandatory guidance for industry; and purpose limitation and data minimization requirements.
Background
- Regulatory collaboration: Under Article 35 of the EU’s Directive on measures for a high common level of cybersecurity across the Union (NIS2), when cybersecurity enforcement authorities become aware of a cyber incident that may entail a personal data breach, they must notify data protection authorities. Bill C-8 does not provide for a comparable level of regulatory collaboration.
- Clear necessity and proportionality threshold: In the UK, the Network and Information Systems Regulations (2018) require that cybersecurity-related information-sharing between enforcement authorities be necessary, relevant, and proportionate. Bill C-8 does not consistently establish a similarly high threshold.
- Guidance requirements: Although no longer in force as of September 30, 2025 (s. 111(a)), under the US Cybersecurity Information Sharing Act (CISA), the Attorney General and Department of Homeland Security were required to publish binding guidelines that address privacy and other civil liberties (s.105). Incorporating a mandatory requirement for public-facing guidance in Bill C-8 could promote compliance and reduce privacy risks. Although Bill C-8 does not provide for guidance, s.24(d) of PIPEDA would provide some scope for the OPC to create non-binding guidance.
- Enhanced privacy protections: The US CISA also had other privacy-protective features that would improve Bill C-8, including requirements that the use, retention, and disclosure of cyber-threat information be limited to statutorily defined purposes (ss.103-105) and a requirement for federal and non-federal entities to remove personal information before sharing cyber-threat information (ss.103 and 104).
Lead: Legal
Provincial and territorial cybersecurity legislation
Speaking points
- Cybersecurity crosses federal and provincial jurisdictional lines. Some provinces have enacted or proposed cybersecurity legislation, although none as comprehensive as Bill C-8.
- In 2022, Quebec passed the Loi sur le ministère de la Cybersécurité et du Numérique. Under this law, the new Minister has a policy coordination role for cybersecurity and digital technology.
- In Ontario, Bill 194 received Royal Assent last year and came into force in January 2025. Schedule 1 of the bill enacted the Enhancing Digital Security and Trust Act, 2024, which contains regulation-making and Ministerial directive authorities relating to cybersecurity in the public sector (ss. 2-4).
Background
- The Critical Cyber Systems Protection Act (CCSPA) applies to “vital” systems and services that are identified in Schedule 1 to the Act. Illustrative examples include telecommunications services and interprovincial or international pipeline and powerline systems. The GIC may also designate other systems or services within the legislative authority of Parliament as “vital” by regulation.
- “Vital services” are subject to federal jurisdiction but may also be provincially regulated. The Government has indicated that aspects of Bill C-8, such as the CCSPA’s mandatory reporting requirements for cybersecurity incidents, are intended to serve as a model for provincial and territorial governments.
- As detailed in its 2024-2025 annual report, Quebec’s Ministère de la Cybersécurité et du Numérique has a 2023-2027 strategic plan built around three broad areas of focus: (1) establishing a cybersecure Quebec in partnership with the ecosystem; (2) promoting a digital and efficient public service; and (3) achieving high-calibre expertise in a model public service.
- The cybersecurity-related provisions in Ontario’s Enhancing Digital Security and Trust Act, 2024 consist of GIC and Ministerial regulation-making authorities related to the creation of public sector cybersecurity programs and technical standards related to cybersecurity (ss. 2-3), and a Ministerial directive authority related to public sector cybersecurity (s.4).
Lead: Legal
Stakeholder concerns about Bill C-8
Speaking points
- Bill C-8 could help reduce the likelihood and impact of privacy breaches by establishing more consistent baseline requirements for cybersecurity protections in Canada.
- However, stakeholders from civil society have expressed concerns about the bill’s potential privacy impacts, including the possibility that some of its powers and authorities – and the information obtained under them – could be misused.
- Some experts have also suggested that the bill’s order-making powers could result in systemic vulnerabilities in electronic protections that may be introduced for legitimate law-enforcement purposes but that could be discovered and exploited by unauthorized third parties.
Background
- Some civil liberties groups have raised a number of privacy-related concerns about the former Bill C-26 and Bill C-8, including:
- that the government may use its broad order-making powers to direct operators of critical cyber systems to weaken encryption standards in order to create lawful-access “backdoors”;
- that the bill fails to establish a uniform, consistently high threshold for the collection, use, and disclosure of personal information;
- that the Communications Security Establishment may use information that it receives under the Critical Cyber Systems Protection Act for purposes other than cybersecurity (e.g., foreign signals intelligence); and
- that Bill C-8’s potential privacy risks are exacerbated by the lack of meaningful privacy-law reform in Canada.
Lead: PRPA
Public- and private-sector breach-reporting obligations
Speaking points
- Private-sector organizations subject to PIPEDA are required to report privacy breaches to the OPC when there is a real risk of significant harm to an individual.
- Federal institutions are required to report such breaches only pursuant to Treasury Board policy. I have recommended that breach-reporting obligations be given the force of law under a modernized Privacy Act.
- Increasingly, third-party organizations that provide services to the public and private sectors (e.g., IT solutions/platforms) are being targeted in cyber attacks that can have a cascading impact on multiple client organizations.
- I am concerned that such third-party service providers may not report privacy breaches directly to my office because their reporting obligations under PIPEDA are unclear. I would therefore like to see more explicit reporting obligations for them in the next iteration of a modernized private-sector privacy law.
Background
- Under section 4.2.12 of the TBS Policy on Privacy Protection, federal organizations subject to the Privacy Act must report material privacy breaches to the OPC within 7 days of determining that a breach is material.
- Under section 10.1(1) of PIPEDA, organizations must report breaches to the OPC as soon as feasible after determining that there is a real risk of significant harm (RROSH) to an individual. RROSH is determined based on the sensitivity of the personal information and the probability that the personal information has been or will be misused.
- The OPC continues to see a significant gap between the public and private sectors when it comes to the reporting of privacy breaches involving cyber incidents.
- In 2024-2025, the OPC received 429 breach reports from the private sector where a cyber incident was identified as the underlying cause but only 55 such reports from federal institutions. This still represents a 35% increase in such breaches under both Acts when compared to the previous year.
Lead: CPE
Breach stats and trends
Speaking points
- Breaches are consistently on the rise in both the public and private sectors year after year. In the private sector, these include mainly cyber incidents and, in the public sector, document losses.
- Last fiscal year, my office received breach reports affecting close to 21 million Canadian accounts.
- The vast majority of public sector breaches (94%) and over half of private sector breaches (59%) reported to my office last year created a real risk of significant harm to those whose personal information was captured.
- Since April 2023, my Office has noticed an increase in the number of cyber incidents affecting companies that oversee critical infrastructure, such as financial and telecommunications companies.
- Last fiscal year, the financial sector reported the largest percentage of breaches to my office (31%).
Background
- We continue to receive a high volume of breach reports, many of which are complex due to, for example, third-party service providers being the target, or attack vectors increasing in sophistication.
- This year to date, cyber incidents affecting critical infrastructure represent a higher percentage (22%) of all cyber incidents reported to the OPC than last fiscal year (14%).
Breaches reported to the OPC

| Fiscal year | PIPEDA | PA | Total | Reported critical infrastructure cyber incidents / all PIPEDA cyber incidents |
| --- | --- | --- | --- | --- |
| 2025-26* | 287 | 246 | 533 | 31 / 144 (22%) |
| 2024-25 | 686 | 613 | 1,299 | 61 / 429 (14%) |
| 2023-24 | 693 | 561 | 1,254 | 34 / 321 (11%) |
| 2022-23 | 681 | 298 | 979 | 47 / 274 (17%) |
| Total | 2,347 | 1,718 | 4,065 | 173 / 1,168 (15%) |

*As of September 30, 2025
Lead: CPE
OAG report on cyber security
Speaking points
- The Auditor General’s recent Report on Cyber Security of Government Networks and Systems found significant gaps in cyber security services, monitoring, and responsiveness during active attacks.
- For example, it notes issues with information-sharing and coordination between the Communications Security Establishment (CSE) and Shared Services Canada (SSC) during a cyber attack at Global Affairs Canada (GAC) in January 2024, which allowed the attacker prolonged access to personal information.
- As the Auditor General’s findings make clear, response delays increase the likelihood that cyber attacks may result in the theft of personal or sensitive information. Bill C-8 would help mitigate this risk in federally regulated sectors by requiring designated operators to report cyber incidents to the CSE within 72 hours.
Background
- The audit examined whether TBS, the CSE, and SSC had the tools in place to protect and defend government networks and systems from cyber attacks in a coordinated manner. The audit found:
- The federal government has a comprehensive cyber security strategy.
- CSE and SSC developed good cyber security services and sensors to protect the government’s networks. However, many organizations were not using the cyber security services offered by CSE and SSC because they are not subject to TBS security policies.
- There are important gaps in tools to monitor suspicious cyber security events; central inventories of IT assets were incomplete; and there was a lack of coordination and information-sharing procedures and protocols to respond to cyber attacks (e.g., an initiative to set up a cyber security collaboration platform and incident case-management tool was stalled due to lack of funding).
- The OPC is currently investigating the cyberattack at GAC. The OAG report also mentions the cyber attack at FINTRAC in March 2024. The OPC has engaged with FINTRAC on this incident and intends to review the measures and controls that it has implemented during future biennial reviews.
Lead: PRPA
Global Affairs Canada VPN breach
Speaking points
- Following several complaints to my Office, in February 2024 I announced the launch of an investigation into a data breach at Global Affairs Canada (GAC).
- This breach involved a cyberattack on GAC’s internal network. As a result, the personal information of users, including employees, was compromised after unauthorized individuals accessed the department’s virtual private network.
- The investigation is examining the adequacy of the safeguards that were in place at the time of the breach to protect the personal information under GAC’s control.
- GAC’s information holdings are a high-value target for threat actors because of its international-relations mandate.
- Since the investigation is ongoing, I cannot provide further details or comments at this time.
Background
- As noted in the Auditor General’s recent (October 2025) report on the cybersecurity of government networks and systems, the GAC incident was a months-long security breach that resulted in the theft of personal information.
- CBC reported that they obtained a copy of an email that noted that GAC’s internal systems had been vulnerable between December 20, 2023, and January 24, 2024. The OPC was notified of the breach on January 26, 2024.
- The media have also reported on a GAC memo to staff that indicated that email traffic and files on personal and shared drives “may have been compromised.”
- The final report of findings is currently under development.
Lead: CPE
Nova Scotia Power breach
Speaking points
- On April 25, 2025, Nova Scotia Power detected a cyber incident on its network and initiated its incident response with the help of external cybersecurity experts.
- My Office began collaborating with Nova Scotia Power immediately after we were made aware of the breach to ensure that the organization implemented measures expeditiously to adequately mitigate the risk of harm to affected individuals and the impact on Canadians.
- We subsequently received complaints about the matter and, on May 28, 2025, launched an investigation into the breach. We are currently engaged with the company to try to address the matter efficiently and expeditiously and to ensure that they protect their systems against the risk of a subsequent breach.
- The company confirmed that it notified affected individuals and that it has offered a five-year subscription for credit monitoring.
- Since our review is ongoing, I cannot share further details at this time.
Background
- Nova Scotia Power determined that on or around March 19, 2025, a threat actor obtained access to its networks, and client personal information (PI) stored on its systems was exfiltrated. The company also determined that breached data had been shared on the dark web.
- Breached PI of current and former customers includes names, phone numbers, email addresses, mailing addresses, dates of birth, customer account histories (including customer payment/billing/credit history/bank account numbers), driver’s license numbers, and social insurance numbers.
- The company identified and notified over 280,000 affected individuals. The OPC has received 77 complaints.
- The Nova Scotia Energy Board is investigating the breach. We have had discussions with them regarding our respective processes, within confidentiality limitations under PIPEDA.
Lead: CPE
Workplace monitoring
Speaking points
- The OPC implemented a hybrid work model aimed at fostering a culture of trust and defining expected behaviours in a hybrid environment.
- This model is communicated through a charter designed to encourage autonomy, collaboration and engagement, which are crucial for the success of our hybrid work model.
- Monitoring compliance at the individual level is the responsibility of managers and is based on their observation and employee self-reporting. The OPC only verifies organizational compliance at an aggregate level using turnstile data.
- Our advice to other federal institutions on this topic has emphasized proportionality, limiting access to individual compliance data, and allowing employees recourse in cases of inaccurate data.
Background
- The OPC has implemented a hybrid work model in line with the TBS Direction on Prescribed Presence in the Workplace in order to support a collaborative post-pandemic work environment and contribute to government sustainability goals.
- Our internal tool for workstation reservations ensures the OPC meets our occupational health and safety obligations. The tool is used to better maximize the use of different work zones (collaboration, transition, focus). It is not used to monitor office presence.
- Managers are responsible for tracking and managing employee attendance and for respecting the government’s Direction.
- Turnstile data is only used to verify overall organizational compliance at an aggregate level and to provide management with information on daily volumes. The OPC did not conduct a new PIA because the use of aggregate-level data was an authorized use under the existing PIB. However, if the OPC were to use turnstile data to systematically monitor employee presence, a new PIA would be required.
- The OPC has conducted nine consultations and reviewed PIAs from seven federal institutions on the topic of workplace presence monitoring; we have opened an investigation following receipt of a complaint related to verification of compliance with the Direction on Prescribed Presence in the Workplace.
Lead: ES and CPE
Bill C-12 (Strengthening Canada’s Immigration System and Borders Act)
Speaking points
- Although Bill C-12 does not retain the lawful-access provisions from Bill C-2, aspects of the bill still raise privacy considerations, including amendments that would create or expand authorities to collect, use, or share personal information (e.g., under the Department of Citizenship and Immigration Act and Sex Offender Information Registration Act).
- In my view, the privacy implications of such amendments are generally of a lower order of magnitude than those in Bill C-2.
Background
- Bill C-12 consists of 11 parts originally put forward in Bill C-2 but excludes its most controversial elements. It was introduced by the Minister of Public Safety on October 8, 2025, shortly after the Conservatives announced that they would not support Bill C-2 as drafted.
- Elements of the bill with implications for privacy include:
- amendments to the Oceans Act to provide that coast guard services include activities related to security and to authorize the responsible minister to collect, analyze, and disclose information and intelligence (part 4);
- expanded information-sharing authorities under the Department of Citizenship and Immigration Act (DCIA) (part 5);
- new authorities for disclosing information to the Commissioner of Canada Elections, and new information-collection and -disclosure provisions for a new enrolment process, both under the PCMLTFA (part 9);
- amendments to the Office of the Superintendent of Financial Institutions Act to make FINTRAC a member of the committee established under subsection 18(1), and amendments to the PCMLTFA to enable FINTRAC to exchange information with the other members of that committee; and,
- expanded information-sharing authorities between law-enforcement agencies under the Sex Offender Information Registration Act (part 11).
- The proposed amendments to the DCIA incorporate previous OPC advice with respect to requirements for information-sharing agreements.
Lead: PRPA
Bill C-2 (Strong Borders Act)
Speaking points
- Bill C-2 raises significant privacy considerations, including its amendments to the Criminal Code and the CSIS Act to create or modify a number of investigative powers, and the proposed Supporting Authorized Access to Information Act, which would require electronic service providers to implement capabilities to facilitate access to information by authorized persons.
- When assessing the reasonableness of such measures, key questions my Office considers include: do they strike an appropriate balance between privacy and state interests? Do they provide adequate oversight, accountability, and transparency? Are thresholds appropriate in light of the potential invasiveness of new powers?
- The OPC’s assessment is also guided by the principles of necessity and proportionality: in other words, is the intrusion on privacy demonstrably necessary to achieve a legitimate objective, and is the degree of intrusiveness proportional to the benefits gained?
- As the Minister of Public Safety recently acknowledged, Bill C-2 does not achieve the right balance.
Background
- Bill C-2 was introduced in the House by the Minister of Public Safety in June 2025. On October 8, 2025 the Minister introduced Bill C-12, which consists of 11 parts originally put forward in Bill C-2 but omits its most controversial elements, including:
- amendments to the Canada Post Corporation Act to permit the demand, seizure, detention, or retention of anything in the course of post in accordance with an Act of Parliament and to enable Canada Post to open letter mail;
- amendments to the Criminal Code, the CSIS Act, and a number of other statutes to create or modify a range of investigative powers (including a warrantless “information demand”) and to facilitate cross-border information-sharing between law-enforcement authorities; and,
- the proposed Supporting Authorized Access to Information Act, which would require electronic service providers to have the technical and operational capabilities to enable authorized persons to access or intercept information and communications in support of criminal or intelligence investigations.
- These provisions remain in Bill C-2, which may move forward at a later date.
Lead: PRPA
Bill C-4 (the Making Life More Affordable for Canadians Act)
Speaking points
- I have repeatedly called for political parties to be subject to privacy law, as is the case in British Columbia, Quebec, as well as the EU and UK.
- This would help to promote public trust in the political process, potentially improving voter participation while also protecting Canadians’ fundamental right to privacy.
- In June 2025, I provided a written submission to FINA proposing that Bill C-4 be strengthened to better protect electors’ personal information, that political parties be subject to specific privacy standards and that my Office play a role in ensuring the protection of privacy rights.
Background
- Part 4 of Bill C-4 maintains currently prescribed elements for privacy policies that political parties are required to provide to the Chief Electoral Officer with an application for registration (see s. 385(2)(k) of the Canada Elections Act (CEA)).
- It also adds a new section 446.6 which requires that privacy policies contain specific elements (largely overlapping with s. 385(2)(k)) and are to be made publicly available, be in plain language, and be in both official languages.
- Part 4 of Bill C-4 also proposes to explicitly exempt parties from any provincial or territorial privacy law (see new section 446.4).
- Your submission to FINA recommended that Bill C-4:
- Establish minimum privacy standards – specifically, requirements for political parties to identify the purposes for which personal information is collected, seek consent (subject to express authority in the legislation), limit collection, use and disclosure, and provide a mechanism for access to and correction of personal information under their control.
- Require privacy breach reporting – including that breaches be reported to affected individuals as well as to a relevant, independent body such as the Privacy Commissioner of Canada, Elections Canada and/or the Commissioner of Canada Elections without unreasonable delay and no later than seven calendar days after a political party becomes aware of the breach.
- Improve oversight – by authorizing formal collaboration between the Privacy Commissioner, the Commissioner of Canada Elections and Elections Canada.
Lead: PRPA