Appearance before the Standing Committee on Public Safety and National Security on Bill C-26
February 12, 2024
Opening statement by Philippe Dufresne
Privacy Commissioner of Canada
(Check against delivery)
Good afternoon, Mr. Chair, Members of the Committee,
I am pleased to be here to assist the Committee in its study of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.
Cyber security is an area of significant importance, in Canada and globally. Digital services that are delivered through cyber systems and telecommunications networks are central to the ways that we live, work, and interact, and impact large volumes of personal information and data. That is why it is critical to protect Canada’s cyber infrastructure from potential threats.
At the same time, we must ensure that efforts to secure these systems and networks also protect and respect Canadians’ fundamental right to privacy. This is not a zero-sum game, and privacy and the public interest are not only compatible – they build on and strengthen one another.
I strongly support the objectives of Bill C-26, and believe that as a society, it is imperative that we have the necessary tools and the ability to address this important public interest goal. In my testimony today, I will share ways that the Bill could be strengthened in order to further protect the fundamental right to privacy and address potential privacy implications while achieving the Bill’s important objectives.
Under Bill C-26, specified persons or entities would be able to collect and analyze a wide range of information, including sensitive personal information that is held by banks, telecommunications operators and energy services providers.
The Bill would also allow for the sharing of that information with organizations such as intelligence agencies, provincial and foreign governments, as well as organizations established by foreign states.
As drafted, these powers are broad. In order to ensure that personal information is protected and that privacy is treated as a fundamental right, I would recommend that the Committee consider making the thresholds for exercising these powers more stringent, and placing stricter limits on the use of those powers.
One way of doing so would be to require that any collection, use, or disclosure of personal information be both necessary and proportionate. This is a core principle for the handling of personal information that is recognized internationally.
Requiring government institutions to conduct Privacy Impact Assessments (PIAs) and to consult my Office on new programs or initiatives created under the authorities in Bill C-26 would also strengthen privacy protections while supporting the public interest and generating trust. PIAs, which are currently a policy requirement under the Treasury Board Secretariat’s Directive on PIAs, but not a legally binding requirement under privacy legislation, are an important tool for identifying, analyzing and addressing or mitigating privacy issues before initiatives are put in place, and they can help to reduce inadvertent harms to privacy as initiatives roll out. That is why I have recommended that the preparation of PIAs should be made a legal obligation for the government under the Privacy Act.
Bill C-26 would also allow the Minister of Innovation, Science and Industry Canada to prohibit public disclosure of certain orders and directions made under the proposed Act (in whole or in part). It is important that any such confidentiality provisions, which have the effect of reducing public scrutiny regarding the Bill’s implementation, including any collection, use, or disclosure of personal information, be accompanied by appropriate transparency measures.
This could include requiring the government to report to Parliament and/or to my Office regularly on the number, nature, and purpose of such orders and directions, especially when they involve sensitive personal information. This would reassure Canadians that their privacy is protected at all times.
I would also recommend that the Bill be amended to include stronger accountability measures to ensure the protection of personal information that is shared outside of Canada. These could include, for example, additional oversight mechanisms and established criteria that must be included in information-sharing agreements with foreign jurisdictions, such as restrictions on any onward transfers of the personal information, establishing safeguards that must be applied, and consequences for non-compliance.
Finally, should Bill C-26 be adopted, it will be important that my Office has the necessary flexibility to coordinate, as appropriate, with other regulatory and oversight bodies that are involved in responses to cybersecurity incidents in cases that may involve a breach of personal information.
I would be happy to take your questions.