Issue sheets on Bill C-26

---

Scope and Objectives of the Bill

Key Messages

• OPC supports the overall objective of the Bill to strengthen cybersecurity protection for critical infrastructure.
• However, stronger guardrails and limitations are needed to ensure that new powers respect privacy rights and minimize privacy risks.
• New powers proposed in the Bill include the ability for governments and regulators to collect a wide range of information from certain private sector organizations, and to share that information across federal, provincial, and international governments and intelligence bodies.
• Organizations subject to these new powers include banks, telecom providers, and some transportation services.

Background

• Cyber security directions can be applied to any “designated operator” or class of designated operators (s.20(1)). These are defined by Schedules 1 and 2 of the Critical Cyber Systems Protection Act (CCSPA), and include operators of: telecoms services, pipeline/powerline systems, and (federal) systems for nuclear energy, transportation, banking, and clearing and settlement.
• Additional services and systems can be added to the list of designated operators by the Governor in Council (s. 6(1)).
• C-26 does not include specific carve-outs/protections for personal information. It does, however, apply special restrictions to the disclosure of “confidential information” (e.g. trade secrets, information about vulnerabilities, etc.).
• In addition to powers to make orders and directions, C-26 also creates requirements for designated operators to establish cyber security programs (with certain features prescribed by legislation/regulation), report cyber security incidents to CSE and their industry regulator, and mitigate supply chain risks.
• C-26 also establishes a framework for enforcement and compliance, including powers of entry, record-keeping requirements, administrative monetary penalties, and rules for judicial review.

Prepared by: PRPA

---

Charter Concerns

Key Messages

• C-26 provides specific regulators with certain search and seizure powers for warrantless searches, which may engage section 8 of the Charter: freedom from unreasonable search and seizure.
• For a search to be reasonable under section 8, prior judicial authorization is the gold standard. However, it is possible to authorize searches through statute provided that these statutes build in sufficient safeguards.
• Notably Bill C-26 does not limit the collection of personal information. Nor does it contain safeguards to ensure that regulators (or their delegates) who carry out warrantless searches have done so reasonably.
• The absence of review processes or other independent oversight results in limited checks on regulators’ powers to search premises.

Background

• The threshold for authorizing a warrantless search is “reasonable grounds to believe” that an activity regulated under the Critical Cyber Systems Protection Act is being conducted or that there exists at a place any document, information or thing that is relevant to verifying compliance or preventing non-compliance with the act (s. 32, 41, 50, 59, 68 and 78). This is appropriate.
• In the case of a search of a dwelling-house, a warrant or consent is needed (s. 33, 42, 51, 60, 69 and 79 of the Critical Cyber Systems Protection Act). This is additionally positive.
• However, the Critical Cyber Systems Protection Act does not provide for a judicial oversight or review process for warrantless searches.
• Furthermore, the proposed provisions authorize most regulators to designate or delegate the powers to conduct searches and seizures to any persons or classes of persons. In the absence of strong review or oversight mechanisms, it will be difficult to ensure accountability when so many persons could be conducting warrantless searches.

Prepared by: Legal Services

---

Judicial Review

Key Messages

• Cyber security directions and orders for the security of telecommunications systems could be subject to greater oversight.
• While directions and orders are subject to judicial review, the judicial review hearings may be held in secret and evidence used against applicants may be withheld from them.
• Bill C-26 does not otherwise set out specific oversight measures for cyber security directions or orders.
• This means that individuals whose personal information may have been collected by the government, and used to support a direction or order that affects them, may never know.

Background

• Rules for judicial review of orders and directions are set out under the proposed section 15.9 of the Telecommunications Act and section 145 of the Critical Cyber Systems Protection Act, respectively.
• These rules give substantial latitude to ministers to withhold evidence or information from affected parties, including whether any personal information has been collected, used or disclosed by the government institution.
• The OPC would maintain oversight over any collection, use, or disclosure of personal information under Privacy Act and PIPEDA, when applicable.
• Analogous judicial review regimes exist in the national security context.
• For example, the appeals procedures set out at subsection 16(6) of the Secure Air Travel Act are virtually identical to the judicial review procedures proposed for the amended Telecommunications Act and Critical Cyber Systems Protection Act. They provide for the non-disclosure of information in an appeal where the disclosure could be injurious to national security or endanger the safety of any person.

Prepared by: Legal Services

---

OPC Oversight

Key Messages

• The OPC can initiate investigations to review federal institutions’ compliance with the Privacy Act, including in a national security context, with or without complaints from individuals.
• Ss. 29(3) and Ss. 37(1) of the Act empower the OPC to initiate investigations at my discretion.
• Under Ss. 37(5), my Office can coordinate its investigations carried out pursuant to Ss. 37(1) with the National Security and Intelligence Review Agency, as appropriate.
• My Office can do so where, in my view, new authorities warrant a review of the collection, use and disclosure of personal information – for instance, our joint review with NSIRA of the use of novel authorities under the Security of Canada Information Disclosure Act (SCIDA).

Background

• Subsection 29(3) of the Privacy Act allows me to initiate a complaint if I am satisfied that there are reasonable grounds to investigate a matter.
• Section 37 permits me to carry out investigations in respect of personal information under the control of government institutions to ensure compliance with sections 4 to 8 (collection, accuracy, retention, use and disclosure provisions), and also permits the OPC to collaborate with NSIRA for such reviews, though it may also conduct reviews independently.
  • In February 2022, under this provision, the OPC/NSIRA jointly released a review of the collection and disclosure of personal information by federal institutions under SCIDA in 2020. (SCIDA came into force in 2019 and permitted certain new disclosures for the purposes of national security.)
• In the course of conducting investigations, I can summon and compel oral and written evidence and the production of documents. At the conclusion of an investigation, I may issue a report of findings to the implicated institutions and may, and within limits of confidentiality, make reports to Parliament on such findings.

Prepared by: Compliance

---

Transparency

Key Messages

• Bill C-26 allows government institutions to issue orders and directions – which could involve the collection, analysis and disclosure of personal information – in secret.
• While a limited degree of secrecy can be necessary in national security contexts, these measures make it difficult for oversight bodies and the public to know what information is collected and how it is used, and would reduce public transparency regarding the Bill’s implementation.
• To allay these concerns, C-26 should be amended to include stronger transparency measures, such as requirements to report publicly on the number, nature, and purpose of orders and directions made under the Bill.

Background

• Section 24 of the Critical Cyber Systems Protection Act (CCSPA) prohibits organizations subject to a cyber security direction from disclosing its existence or contents, except as necessary to comply with the direction.
• Section 15.2(3) of the amendments to the Telecommunications Act (TA) allows the Minister to include a provision in an order prohibiting disclosure of the order’s existence, or some or all of its contents, by any person.
• Section 15.3(3) of the TA and section 22(1) of the CCSPA exempt orders and directions from being published in the Canada Gazette.
• The above sections would restrict public disclosure of orders and directions made under C-26. Government institutions would remain subject to general transparency measures that are otherwise applicable to public bodies (e.g. ATIA), but these may be limited where exceptions apply in national security contexts.
• Section 146 of the CCSPA requires the Minister to report to Parliament annually on the administration of the Act, but does not specify what information such reports must include.

Prepared by: PRPA

---

Thresholds and Privacy Safeguards

Key Messages

• Bill C-26 would grant the government broad authority to collect and disclose a substantial amount of information, potentially including personal information.
• The thresholds for collection and disclosure of information are largely discretionary and create potential privacy risks.
• Only information defined as “confidential” is subject to more restrictions on disclosure; however, this is generally commercial information and is unlikely to include personal information.
• Bill C-26 would also grant certain regulators with warrantless search powers.

Background

• Although not a legal requirement based on the current law, the OPC has long advocated that the collection of personal information by government institutions be governed by a necessity and proportionality standard.
• The thresholds authorizing the collection of information in Bill C-26 however fall short of this, are largely subjective and overly broad (e.g. such as by requiring the Minister’s opinion that it is “necessary … to secure the Canadian telecommunications system”, see e.g. s. 15.2 of the Telecommunications Act amendment).
• The thresholds for disclosure of information are similarly quite low, only requiring either “related to” (see e.g. s. 28 of the Critical Cyber Systems Protection Act) or “to the extent necessary” for a broad range of purposes (see e.g. s. 15.6 of the Telecommunications Act amendment).
• Without more rigorous thresholds authorizing collection and disclosure of information, there is the potential that the personal information of individuals not at all involved in malicious cyber activity could be at risk.
• The threshold authorizing warrantless searches under the Critical Cyber Systems Protection Act would be “reasonable grounds to believe” (see e.g. s. 32(1)).

Prepared by: Legal Services

---

Collection and Use of Personal Information

Key Messages

• C-26 would allow government bodies to collect and use information, including personal information, from operators of telecoms and critical cyber systems.
• These powers are high-level and discretionary, and could be used to compel organizations to provide the government with sensitive and/or large volumes of information about their clients (e.g. banking activity, online activities, location data).
• C-26 needs stronger limits on how and when these powers can be used, including requirements to collect personal information from operators of critical cyber systems only when doing so is necessary and proportionate to privacy risks.

Background

• Section 20 of the Critical Cyber Systems Protection Act (CCSPA) empowers the Governor in Council to order any operator of a critical cyber system to comply with any measure set out in a cyber security direction for the purpose of protecting a critical cyber system. Directions can presumably include requirements to collect and/or transmit personal information of individuals interacting with a cyber system.
• Section 15.2(2) of the Telecommunications Act (TA) amendments empowers the Minister of Industry to direct telecommunications service providers to do anything that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system. This can presumably include requirements to collect and/or transmit personal information.
• Section 29 of the CCSPA authorizes industry-specific regulators to collect “any information” from a person, partnership or unincorporated organization for the purpose of verifying compliance or preventing non-compliance with any provision of the Act.
• Given the cyber/telecommunications systems and operators covered by the Bill, and the broad and discretionary authorization of powers, the scope, scale, and nature of personal information collection and use could be quite broad.

Prepared by: PRPA

---

Information Sharing

Key Messages

• Bill C-26 would allow government bodies to share personal information within the federal government and with provincial and foreign governments.
• These broad powers could lead to far-reaching and persistent information-sharing, without individuals’ awareness or consent.
• Higher thresholds of necessity and proportionality should be required to share personal information.
• Disclosure of personal information to foreign jurisdictions should be subject to stronger privacy requirements – for example, minimum requirements for the contents of information sharing agreements (e.g. restrictions on onward transfer, safeguarding requirements, penalties for non-compliance, etc).

Background

• Sections 23 of the Critical Cyber Systems Protection Act (CCSPA) and 15.6 of the Telecommunications Act (TA) amendments authorize information sharing between various Ministers, regulators, and national security/intelligence bodies (e.g. CSE, CSIS) to the extent necessary for any purpose related to the making, amending or revoking of a cyber security direction (or order under the TA).
• Section 28 of the CCSPA authorizes industry-specific regulators, for any purpose related to the Act, to share with relevant Ministers any information related to the exercise of the regulator’s duties under the Act.
• Section 27 of the CCSPA authorizes relevant Ministers and regulators to enter into agreements to share information relating to the protection of critical cyber systems with provincial and foreign governments (and international organizations established by foreign governments).
• Section 15.7(1) of the TA authorizes the Minister to share information collected under the TA, via an agreement, MOU, or written arrangement, with provincial and foreign governments (and international organizations established by foreign states), if the Minister believes that the information may be relevant to securing the Canadian (or a foreign) telecommunications system.

Prepared by: PRPA

---

Breach Reporting

Key Messages

• Preventing cyber incidents is not only important to the security of Canada’s critical infrastructure, but also to Canadians, whose personal information can be compromised in cyberattacks.
• Compromised personal information of Canadians can be used by cyber attackers for purposes such as fraud, identity theft, or extortion, etc.
• C-26 could be strengthened by ensuring that the OPC becomes an active partner in the oversight of cyber security incidents where personal information is involved.

Background

• Reporting cyber security incidents will be mandatory under the C-26.
  • A designated operator, such as a bank, must immediately report a cyber security incident of its critical cyber systems to the Communications Security Establishment (CSE).
  • A designated operator must also notify its appropriate regulator. Appropriate regulators are named for each class of operators in the Critical Cyber Systems Protection Act (e.g. the Superintendent of Financial Institutions in the case of a bank).
• The OPC is not listed as an appropriate regulator for a class of operators under the Critical Cyber Systems Protection Act.
• While C-26 does not amend PIPEDA’s privacy breach reporting obligations, organizations may be reluctant to engage with the OPC given the oversight referenced above, orders that may be issued, and the monetary penalties introduced under C-26.
• The explicit authority to share cyber incident reports with the OPC and an ability to engage with other regulators, where personal information is involved, could bolster privacy breach reporting and facilitate investigations.
• This fiscal year to date, the OPC received 29 cyber-related privacy breaches from industries that would be covered under C-26.

Prepared by: Compliance, Intake and Resolution Directorate

---

Adequacy

Key Messages

• We welcome the European Commission’s finding that Canada continues to offer an adequate level of protection under the General Data Protection Regulation, allowing organizations to continue transferring data from the EU to Canada without additional requirements.
• Any changes made to Canada’s national security activities could affect the next adequacy assessment, as this was a noted area of interest for the Commission.
  • We recommend that any changes to Canada’s privacy and security frameworks are made in a way that ensures we retain adequacy.
• The Commission recommends legislating some protections developed at the sub-legislative level to enhance legal certainty and consolidate new requirements, such as those regarding sensitive personal information.
  • The Commission notes that the ongoing reform of PIPEDA (C-27) could offer such an opportunity.

Background

• Article 45 of the GDPR allows personal data to be transferred to a third country without additional requirements where the European Commission has decided that the third country ensures an “adequate level of protection”.
• PIPEDA was granted adequacy status in 2001 on the basis of Article 25(6) of Directive 95/46/EC. When the GDPR came into force in 2018, existing decisions remained in force until amended, replaced, or repealed by the Commission.
• On January 15th, 2024, the European Commission concluded a review of 11 existing adequacy decisions, including Canada’s. The review of the adequacy decision focused on developments since the adoption of the decision, including Canada’s data protection framework, issues concerning oversight, enforcement, redress, and government access to data.
• The Commission states an intention to closely monitor future developments in Canada. As the GDPR requires decisions to be reviewed every four years, we expect another review to come in 2028.

Prepared by: PRPA

---

Schrems I and II and Adequacy

Key Messages

• In July 2023, the European Commission provided the US with adequacy status.
• The current EU-US Data Privacy Framework limits access to EU data by US public authorities to what is necessary and proportionate to protect national security.
• Previously, the European Court of Justice had invalidated agreements for the transfer of personal data from the EU to the US on the basis that US national security and surveillance laws did not contain minimum safeguards and did not meet proportionality requirements (Schrems I and II decisions).
• The thresholds authorizing the collection of information in Bill C-26 fall short of a necessity and proportionality standard and may attract scrutiny of Canada’s adequacy status which will be reviewed every four years.

Background

• In Schrems I, the European Court of Justice (ECJ) invalidated the Safe Harbour Agreement as, under US law, US authorities were able to access the personal data transferred beyond what was strictly necessary and proportionate to the protection of national security. The ECJ also held that the agreement deprived individuals from pursuing legal remedies relating to their data rights.
• In Schrems II, the ECJ invalidated the Privacy Shield, successor to Safe Harbour Agreement, on similar grounds to Schrems I.
• The ECJ also held that where standard contractual clauses (SCCs) are being relied upon as a basis for transferring data to countries outside the EU, where the legal regime of a third country conflicts with the SCCs then either additional safeguards may be required or the transfer must be stopped.
• The thresholds authorizing the collection of information in Bill C-26 are largely subjective and overly broad (e.g. being governed by only a subjective necessity standard, such as by requiring the Minister’s opinion that it is “necessary … to secure the Canadian telecommunications system”).

Prepared by: Legal Services

---

Other International Frameworks

Key Messages

• Bill C-26 is part of an international trend where the Five Eyes and EU countries enact legislative frameworks to respond to increasing cybersecurity risks.
• While approaches have varied, other jurisdictions’ frameworks, in particular the U.S., U.K. and Australia generally have more limits and guardrails than Canada’s Bill C-26.
• These limits include minimizing the amount of personal information being shared and requiring information sharing be necessary, relevant and proportionate.

Background

• In the EU, the 2023 Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) aims to strengthen the overall level of cybersecurity and expands the scope of cybersecurity rules to new sectors and entities. It builds upon the previous 2016 EU cybersecurity rules.
• In New Zealand, the regulation of cybersecurity and cyber-related incidents continues to be fragmented. For example, the Intelligence and Security Act 2017 regulates state-based surveillance and provides for the establishment of the Government Communications Security Bureau that supports the response to cybersecurity incidents impacting New Zealand’s nationally significant organisations, while many financial institutions are subject to separate, sector-specific guidance in relation to cyber resilience.
• For details on Australia, the UK and the US, please see the respective Issue Sheets for each jurisdiction.

Prepared by: Legal

---

Australia’s Security of Critical Infrastructure Act 2018

Key Messages

• While the Australian SCIA provides a more general risk management regime for critical infrastructure than C-26, the SCIA demonstrates that stronger guardrails can accompany powers to regulate critical infrastructure/systems.
• SCIA authorizes the Australian government to respond to cyber security incidents and issue directions relating to critical infrastructure assets, like orders and directions under C-26.
• Directions are subject to various limitations, including that the Minister first: believe the direction is reasonably necessary to eliminating or reducing a security risk; take steps to negotiate an outcome without a direction; consider the potential consequences of a direction; be given an adverse security assessment; and, consult with state/terr. governments.

Background

• SCIA creates a framework for managing risks to national security relating to critical infrastructure assets, which can be defined expansively under the Act. SCIA applies to cyber security incidents, but does not address cyber systems.
• SCIA (s.32) authorizes the Minister to require operators of critical infrastructure assets to do or refrain from doing an act or thing if the Minister is satisfied that there is a risk prejudicial to security, subject to certain conditions (see above).
• SCIA includes provisions on information collection, sharing, and disclosure. S.37 allows information to be collected from operators of critical infrastructure if the Secretary has reason to believe it is relevant to the exercise of powers/duties under the Act. Once collected, this information becomes “protected information” as defined in SCIA.
• S. 41 allows protected information to be used and disclosed to ensure compliance with the Act, while ss. 42-43 allow protected information to be disclosed to various Ministries and other bodies (law enforcement, sub-national governments) to assist in fulfilling their duties.
• SCIA also sets out a framework for registering critical assets, and for requiring operators to report on incidents in relation to critical assets.

Prepared by: PRPA

---

United Kingdom (UK)

Key Messages

• The UK has similar legislation to C-26 but there are more limits on information collection and information sharing.
• In the UK, operators of essential services (OESs) (e.g. transport, energy, etc.) and relevant digital service providers (RDSPs) (e.g. online marketplaces, etc.) are subject to cybersecurity rules and reporting obligations.
• Under the UK legislation, information sharing must be necessary, and also relevant and proportionate.

Background

• Under the UK Network and Information Systems Regulations 2018:
  • Enforcement authorities are permitted to share information that is necessary for the requirements of the regulations, and relevant and proportionate (s.6);
  • Regulators can require information from OESs or RDSPs that is “reasonably required” to assess the security of network and information systems and the implementation of an operator’s security policies (s.15).
• In comparison, C-26’s Critical Cyber Systems Protection Act (CCSPA) requires information to be “necessary” to be collected/disclosed for cybersecurity directions (s.23). It also permits regulators to provide the relevant Minister with any information that is related to the exercise of their powers and to request any information for the purpose of overseeing compliance with the CCSPA (ss.28-29).
• The UK Telecommunications (Security) Act 2021 amended the UK Communications Act 2003 to, among other things:
  • Enable the Secretary of State to make orders to telecommunications providers (s. 15) and make proportionate requests to specified persons to provide information that it “reasonably” requires for certain functions (s.23);
  • The UK Office of Communications can require necessary information from telecommunications providers for specific purposes (s.12(3)) in addition to information to monitor Secretary of State directions (s.18).
• In contrast, Bill C-26’s amendments to s.15.4 of the Telecommunications Act enable the Minister of Industry to request any information that the Minister believes on reasonable grounds is relevant to an order or the relevant regulation.

Prepared by: Legal

---

United States (US)

Key Messages

• The US Cybersecurity Information Sharing Act of 2015 (“CISA”) sets out a framework for the voluntary sharing of cyber-threats by companies with the US government for cybersecurity purposes.
• The CISA adopts a more privacy protective approach than Bill C-26 by placing limits on what personal information can be shared with government, requiring guidance and oversight.

Background

• The CISA’s privacy and oversight mechanisms include:
  • Requiring the deletion of personal information “not directly related” to the cybersecurity threat: (i) by companies prior to sharing information with the Government (s. 104(d)(2)), and (ii) by the Government if it nonetheless receives personal information (Guidelines required under s. 105(b)(3)(B)).
  • Requiring that the US Government issue guidelines relating to privacy and civil liberties governing the information received under the Act (s. 105(b)).
  • An oversight reporting requirement to Congress (s. 107), including an independent report to Congress on the actions of the US government to remove any personal information received under the Act (s. 107(c)).
• Bill C-26 does not require the deletion of personal information, the issuance of guidance or detailed reporting requirements, only general annual reporting.
• The US has also more recently enacted the following of relevance:
  • A 2021 Executive Order which ensures the inclusion in US Government contracts of cyber incident reporting and information sharing requirements.
  • The Secure Equipment Act of 2021 prevents the authorization of certain communications equipment and services.
  • The Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires the development of regulations requiring covered entities to report covered cyber incidents and ransom payments. As regulations have not yet been issued, the requirement to report is not yet in force.
• Unlike in Bill C-26, these U.S. laws do not have warrantless search powers.

Prepared by: Legal

---

FPT

Key Messages

• Bill C-26 seeks to regulate cyber systems and infrastructure falling under federal jurisdiction (e.g. telecommunications, banking, etc.).
• No province or territory has enacted comparable legislation seeking to regulate the cybersecurity risks in relation to cyber systems or infrastructure falling under provincial jurisdiction.
• Some provincial governments have created policies and strategies setting out best practices relating to cybersecurity.
• Provincial privacy legislation may provide some protection against cyber security risks.

Background

• Public Safety Canada has noted that the C-26 could serve as a model for provinces, territories, and municipalities to help secure their critical infrastructure in collaboration with the federal government.
• Bill C-26 allows for information-sharing agreements with provincial governments (see proposed s. 15.7 of the Telecommunications Act, s. 27 of the Critical Cyber Systems Protection Act).
• In 2022, the Province of Québec passed legislation, M-17.1.1 - Loi sur le ministère de la Cybersécurité et du Numérique, which aims to coordinate government action in the areas of cybersecurity and digital technology. Under the legislation, the Ministre de la Cybersécurité et du Numérique is responsible for proposing the general policy direction in cybersecurity and digital technology. Unlike Bill C-26, the legislation does not set out a regulatory framework in respect of critical cyber systems.
• The Government of Alberta Cybersecurity Strategy sets out a framework of best practices. The British Columbia Utilities Commission and Ontario Energy Board, which are provincial regulatory bodies, have both created Cybersecurity Frameworks to set out expectations for public utilities and energy providers.
• Where personal information is at issue, the applicable provincial privacy legislation may set out safeguarding and reporting obligations.

Prepared by: (redacted) / PRPA

---

Breach Reporting Trends

Key Messages

• We remain concerned with under-reporting of privacy breaches in the public sector, as many institutions that handle sensitive personal information have never reported a breach to us.
• In 2022-2023, only one cyber breach was reported by the public sector. This contrasts markedly with the private sector, where 278 cyber breaches were reported during the same period.
• Over the course of the last year, we noticed a new trend: cyber attacks targeting service providers, affecting numerous organizations at once.
  • This was the case with the recent BGRS breach, as well as the MoveIT and GoAnywhere breaches.
• We are concerned that, under PIPEDA, service providers do not currently have direct breach reporting obligations to the OPC. Rather, they are to inform their affected clients. Experience has shown that this approach leaves gaps.

Background

• To date this fiscal year, our Office received 467 reports of breaches from the public sector. Those breaches were primarily relating to the loss of personal information (69%), with unauthorized disclosure (16%) and unauthorized access (15%) being the next most common cause of breaches.
• For the same reporting period, the OPC received 573 breach reports from the private sector. Slightly less than half of those (262) were said to be cyberattacks initiated through malware, compromised credentials, or phishing schemes.
• We note that the gap between public and private sector reporting narrowed; with 573 reports received from the private sector and 467 from the public sector (as of January 30). Nevertheless, we remain concerned that most breach reports from the public sector come from the same departments.
• Under C-27, we propose that service providers report breaches that meet the “Real Risk of Significant Harm” threshold to their clients that control the personal information, and to the OPC.

Prepared by: CIRD

---

Global Affairs Canada Breach

Key Messages

• On January 26, GAC verbally advised our Office of a breach of their Canadian VPN network from 20 December 2023 to 24 January 2024. The breach is now contained.
• GAC submitted a preliminary breach report to our Office on February 2, 2024. While GAC is still investigating, it advised that the breach was caused by a cyberattack on its VPN and that data, including personal information, may have been compromised.
• We are currently working with the institution to obtain further information, which we will use to determine next steps.

Background

• In accordance with TBS policy, institutions are required to report material privacy breaches to TBS and the OPC no later than seven days after the institution determines the breach is material.
• GAC has submitted a preliminary/partial privacy breach report to our Office.
• Per its breach report, GAC has identified 1,761 affected individuals.
• GAC indicates that any information stored in affected employees’ personal and corporate shared drives, along with any unencrypted communications, may have been compromised in the breach.
• As of February 8, 2024, our Office has received 5 complaints related to this breach.

Prepared by: CIRD

---