In June 2022, the federal government introduced its first-ever federal cyber security law of general application aimed at protecting critical infrastructure. The reaction was, at first, muted but positive. The bill has not moved past first reading, and since Gowling WLG's initial review of the bill, damning critiques of the bill have emerged from many groups.

What does Bill C-26 do?

Bill C-26, formally titled An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, implements positive cyber security (as opposed to privacy) obligations on operators of critical infrastructure. There are two portions to the bill:

  1. Amendments to the Telecommunications Act: C-26 amends the federal Telecommunications Act to allow the federal government to impose obligations on telecommunications service providers to "secure the Canadian telecommunications system"; and
  2. Critical Cyber Systems Protection Act (the "CCSPA"): The bill also introduces an entirely new law empowering government to designate services or systems as "vital" and to impose data protection obligations on their operators, require mandatory reporting of cyber security incidents, and facilitate threat information exchange "between relevant parties."

Schedule 1 to the CCSPA designates the following services and systems (all areas of existing federal jurisdiction under the constitutional division of powers) as vital:

  1. Telecommunications services
  2. Interprovincial or international pipeline and power line systems
  3. Nuclear energy systems
  4. Transportation systems that are within the legislative authority of Parliament
  5. Banking systems
  6. Clearing and settlement systems

Enforcement mechanisms under the CCSPA include:

  1. The power to issue compliance orders;
  2. The power to order an operator to conduct internal audits to assist the regulator in determining the extent of an operator's compliance with the CCSPA and regulations;
  3. The power to conduct searches of premises (evidently without warrants, except where the search is to be conducted at a "dwelling-house," i.e. private residence) to verify compliance or prevent non-compliance with the CCSPA and regulations, and in the process of such a search, to access any "cyber system" located and to access information contained on it, to copy and/or remove documents or records located;
  4. The ability to obtain ex parte warrants to conduct searches of dwelling-houses;
  5. Where authorized by warrant, the power to use force to carry out searches of dwelling-houses;
  6. The ability to impose administrative monetary penalties of up to:
    1. $1 million per individual (i.e. an officer or director who "directed, authorized, assented to, acquiesced in or participated in the commission of [a] violation"), or
    2. $15 million per organization.

The CCSPA also establishes summary and indictable criminal offences for violations of provisions of the CCSPA (including, for example, failure to establish, implement and maintain a cyber security program may be an indictable offence).

The statute provides an exemption from liability for officers and directors where they have performed their duties under the CCSPA in good faith despite the occurrence of a breach. A defence of due diligence is available for violations of the CCSPA.

The civil rights critique

In late-September 2022, the Canadian Civil Liberties Association, along with a collective including the International Civil Liberties Monitoring Group, the Privacy & Access Council of Canada, and several other groups and academics, released their "Joint Letter of Concern Regarding Bill C-26."[1] While stating the collective's agreement with the goal of improving cyber security, the Joint Letter goes on to state that the bill "is deeply problematic and needs fixing" because it "risks undermining our privacy rights, and the principles of accountable governance and judicial due process."

The Joint Letter outlines several areas of concern, including the following:

  • Increased surveillance: The bill allows the federal government to "secretly order telecom providers" to "do anything or refrain from doing anything… necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption." While this portion of the bill (s.15.2(2)) goes on to list several examples of what 'doing anything' might entail—including, for example, prohibiting telecom providers from using specific products or services from certain vendors, or requiring service providers to develop security plans—the collective expresses the concern that the power to order a telecom to 'do anything' "opens the door to imposing surveillance obligations on private companies, and to other risks such as weakened encryption standards."
  • Termination of essential services: C-26 allows government to "bar a person or company from being able to receive specific services, and bar any company from offering these services to others, by secret government order," which raises the risk of "companies or individuals being cut off from essential services without explanation."
  • Undermining privacy : The bill provides for collection of data from designated operators, which could potentially allow the government "to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations."
  • Lack of "guardrails to constrain abuse": The bill would allow government to act without first being required to perform proportionality, privacy or equity assessments to hedge against abuse, which is concerning to the collective given the severity of the penalties available under the statute.
  • Secrecy impairing accountability, due process and public regulation: Many of the collective's concerns stem from the fact that government orders issued under the bill may be made in secret, without public reporting requirements, making it impossible for rights groups and the public to monitor and challenge how power is exercised under the bill. The secrecy attaching to such orders could impair the ability of operators subject to orders to challenge them in court, because key evidence about secret orders (which would be required for a court challenge) could also be kept secret from the operators.
  • Potential for abuse by CSE: The CCSPA would grant the Communications Security Establishment (the federal agency responsible for cyber security, but more prominently, signal intelligence) access to large volumes of sensitive data, but would not constrain its use of such data to its cyber security mandate.[2]

Citizen Lab, an academic research laboratory studying digital threats to civil society, released a report[3] of the Joint Letter. Focusing on the bill's amendments to the Telecommunications Act in particular, the report raises several additional concerns about Bill C-26, including the following:

  • Compliance costs : As not all telecom service providers are large companies, the cost of complying with orders made under the amended statute (which could include having to change service providers and/or swap out already-purchased equipment) "may endanger the viability of smaller providers";
  • Vague language : The report notes that:
    • Key terms in the bill such as "interference," "manipulation," and "disruption" (which trigger the government's ability to make orders binding on telecom service providers) are undefined;
    • The Minister of Industry's scope of power to make orders is undefined; and
    • The bill does not explain how personally identifiable information about individual Canadians (which attracts privacy law obligations under both current and proposed federal privacy laws) is to be handled and protected.

Citizen Lab's report makes no fewer than 30 different recommendations for fixing the myriad problems it identifies in Bill C-26.

The business community critique

The Business Council of Canada released its own letter to the Minister of Public Safety expressing the business community's concerns about Bill C-26. Focusing on the proposed CCSPA, Council's concerns include the following:

  • Lack of a risk-based approach : The CCSPA requires the same actions from all operators falling under the statute's jurisdiction "irrespective of their cyber security maturity," meaning many critical infrastructure operators that already have robust cyber security programs will have to incur additional costs to comply with the CCSPA "with no associated benefit" to them for doing so.
  • Information sharing is one-way : Operators are required to provide information to government, but receive nothing back from the government or other operators, i.e. the bill misses the opportunity to implement an information-sharing regime that could benefit all operators subject to the law;
  • The legal threshold for issuing directions is too low : As drafted, the government may issue secret orders to operators "for the purpose of protecting a critical cyber system" (s.20(1)). The Council is concerned that this threshold is vague enough to allow orders to be made even where the threat to a critical system is "negligible, and therefore not a credible danger to Canada's national security."
  • Penalties : The Council suggests the proposed monetary penalties and prison terms are "unduly high and unnecessary to encourage" operators to take the measures the CCSPA requires to improve their cyber security posture.
  • Brain drain : The prospect of personal liability for certain breaches of the CCSPA could dissuade cyber security professionals from taking jobs in Canada (the Council points out that there are already over 25,000 unfilled positions in the field in Canada).

In all, the Council's letter proposes 21 measures for improving the CCSPA, and four recommendations for changing the proposed amendments to the Telecommunications Act.

Conclusion

While more groups are likely to comment on the bill in the weeks to come, the emerging stakeholder consensus appears to be that Bill C-26 contains myriad flaws ranging from the technical to the conceptual and fundamental. It will be interesting to see whether and how the bill emerges from the Committee stage of its review.


[1] Brenda McPhail is credited as the author of the letter on the CCLA's website. McPhail gave a lengthy interview about the bill on law professor Michael Geist's podcast, Law Bytes, which helpfully explains with examples the collective's concerns about the bill: "The Law Bytes Podcast, Episode 142: CCLA's Brenda McPhail on the Privacy and Surveillance Risks in Bill C-26."

[2] While not stated in the Joint Letter, the director of CCLA's Privacy, Technology and Surveillance Program has publicly raised the concern that CSE might share this data with foreign intelligence authorities, and would not be able to control how those authorities use the data. She raises the historical example of information being shared with U.S. authorities resulting in the torture of Canadian Maher Arar. Brenda McPhail, "The Law Bytes Podcast, Episode 142: CCLA's Brenda McPhail on the Privacy and Surveillance Risks in Bill C-26."