Appearance before the Standing Senate Committee on National Security, Defence and Veterans Affairs during its review of Bill C-26
November 18, 2024
Ottawa, Ontario
Opening statement by Philippe Dufresne
Privacy Commissioner of Canada
(Check against delivery)
Thank you to the Chair and Members of the Committee for this invitation to appear on your study of Bill C-26.
Your study is very important, as individuals, businesses, and all levels of government in Canada remain vulnerable to a range of serious cyber threats from a variety of cyber-threat actors.
In its National Cyber Threat Assessment for 2025-2026, which was released in October, the Canadian Centre for Cyber Security underscores an expanding and complex cyber threat landscape, including a growing risk posed by state and non-state threat actors that are targeting Canada’s critical infrastructure. The Cyber Centre warns that such incidents could immobilize critical services, disrupt operations, destroy or damage important business data, and reveal sensitive information.
Bill C-26 recognizes that Canada’s critical infrastructure must be protected against such threats as they continue to evolve in sophistication and complexity.
In addition to potential impacts on the health, safety, security, and economic well-being of Canadians, cyber incidents can have significant privacy implications when they result in the unauthorized access to, or disclosure of, personal information.
Today, the protection of personal information increasingly relies on the security of the digital systems and infrastructure that house and transmit it. Stronger cybersecurity protections can therefore promote privacy interests by reducing the likelihood and impact of data breaches.
At the same time, we must ensure that efforts to secure these systems and networks also protect and respect Canadians’ fundamental right to privacy. This is not a zero-sum game and privacy and the public interest are not only compatible – they build on and strengthen one another. I strongly support the objectives of Bill C-26, and I was pleased to see that several amendments to the Bill have been adopted in this spirit. I was also pleased to see new references to the Privacy Act in the amended text of the Bill, which confirms its applicability.
Requiring that any collection, use, or disclosure of personal information be both necessary and proportionate is an important privacy principle.
While the Bill establishes a necessity and reasonableness threshold in certain cases, I would continue to recommend that the Committee consider establishing a consistent threshold of necessity and proportionality in Bill C-26 that applies whenever personal information is involved. The adoption of a uniform standard that any collection, use, or disclosure of personal information be both necessary in the circumstances to achieve the stated purpose and proportionate to the benefits to be gained would help address potential privacy implications.
In the alternative, should the standard remain unchanged, I would recommend that the committee consider reintroducing the requirement that information be retained only for as long as necessary. This was added by the SECU committee but deleted by the House at third reading.
Requiring government institutions to conduct Privacy Impact Assessments (PIAs) and to consult my Office on new programs or initiatives created under the authorities in Bill C-26 would also strengthen privacy protections while supporting the public interest and generating trust.
PIAs, which are currently a policy requirement under the Treasury Board Secretariat’s Directive on Privacy Practices, but not a legally binding requirement under privacy legislation, are an important tool for identifying, analyzing and addressing or mitigating privacy issues before initiatives are put in place, and they can help to reduce inadvertent harms to privacy as initiatives roll out. That is why I have recommended that the preparation of PIAs should be made a legal obligation for the government under the Privacy Act.
The Bill recognizes the importance of collaboration between domestic and international counterparts to ensure that critical infrastructure is protected against a variety of threats.
In order to further enhance this collaboration, my Office should also be notified about cyber incidents that may result in a material breach. This could include being notified by the Communications Security Establishment whenever it receives a report of a cyber incident that may pose a real risk of significant harm to an individual.
International information-sharing agreements should also provide for minimum privacy safeguards in order to strengthen governance and accountability and ensure a consistent standard of privacy protection.
Thank you for your work on ensuring stronger protections for Canada’s cyber infrastructure while protecting Canadians’ fundamental right to privacy.
I would now be happy to answer any questions.
Thank you.