Additional questions and answers

Appearance before the Standing Committee on Public Safety and National Security of February 12, 2024


Q 1: Risks re Government-held information

Is there a risk when government collects highly sensitive and confidential information about cybersecurity vulnerabilities? Should we be concerned based on the GAC breach?

Response / Key Messages

  • Sensitive information can pose an attractive target to bad actors.
  • Government institutions should always seek to safeguard information in ways that are proportionate to the sensitivity of the information, including multiple layers of safeguards where appropriate.
  • Institutions can also mitigate risk by limiting collection of sensitive information to only that which is necessary for achieving a given purpose, and promptly destroying the information when no longer needed.

Background

  • MP Liepert (CON) asked this question to witnesses during the SECU hearing on C-26 on February 5, 2024.
  • D. Shipley (Beauceron Security) raised similar concerns in their opening statement to the same meeting, i.e. the risk of creating a pool of vulnerabilities that could then be stolen by hostile states or criminals.

Prepared by: PRPA


Q 2: Increased information sharing

Would you have concerns if amendments were made that would allow for more sharing of intelligence information between industry, regulators, and agencies with active threat information?

Response / Key Messages

  • Increased sharing of intelligence information can lead to increased privacy risks when personal information is involved.
  • That is why it is important to require that any information sharing be both necessary and proportionate to potential harms, and that a clear evidentiary basis exist for expanding these powers.
  • Stronger powers should also be offset by corresponding measures to support oversight, including accountability and transparency measures.

Background

  • T. Warnell (Bruce Power) raised this issue during the SECU hearing on C-26 on February 5, 2024.
  • In OPC’s 2016 submission to Public Safety on Canada’s National Security Framework, OPC emphasized the need for a clear evidentiary basis for increased intelligence sharing, the importance of using a high legal standard (i.e. necessity and proportionality), and the need for strong transparency reporting requirements.
  • In OPC’s 2018 submission on Bill C-59, An Act Respecting National Security Matters, OPC reiterated support for a rigorous legal standard with respect to information sharing under the Security of Canada Information Disclosure Act (SCIDA).
  • SCIDA was enacted in 2019 and provides authority for all federal government institutions to disclose information to a designated group of 17 departments and agencies with recognized national security mandates and/or responsibilities.

Prepared by: PRPA


Q 3: Risks of not passing C-26

Are there risks if the committee doesn’t pass C-26?

Response / Key Messages

  • Cybersecurity threats pose real and substantial risks to privacy.
  • These risks are evidenced by recent breaches involving personal information, which can be highly damaging for individuals whose data is compromised.
  • Cybersecurity resilience is crucial for the protection of personal information as increasing amounts of data are stored online.
  • It is important to ensure strong cybersecurity protections are in place, and to do so with privacy front of mind.

Background

  • MP McKinnon (LIB) asked this question to witnesses during the SECU hearing on C-26 on February 5, 2024.

Prepared by: PRPA


Q 4: OPC consultation

Was the OPC consulted on the Bill?

Response / Key Messages

  • No, we were not.
  • My office always welcomes the opportunity to be consulted on Bills that may impact privacy as those Bills are being prepared.
  • In fact, I believe such consultations should be a legislative requirement, as they are in some provincial and international jurisdictions.
  • Regarding C-26, I am grateful for the opportunity to present my views on the Bill now that it is before committee.
  • I would note that my office has a well-developed internal capacity for technical and policy expertise, and regularly provides advice to government institutions on initiatives that may impact privacy.

Background

  • Currently, there is a policy level requirement to notify the OPC of any planned initiatives, including legislation, regulations, policies, and programs that relate to the Privacy Act or that may have an impact on the privacy of Canadians.
  • Several provincial and international laws now set out an explicit requirement for institutions to consult their data protection authority as they prepare new bills. For example, in Newfoundland and Labrador, the Access to Information and Protection of Privacy Act requires consultation with the Commissioner on a proposed bill that could have implications for access to information or protection of privacy, as soon as possible before, and not later than, the date of notice to introduce the bill in the House of Assembly.
  • In OPC’s submission on the modernization of the Privacy Act, we recommended that government institutions should be required to consult with OPC on draft legislation and regulations with privacy implications before they are tabled.

Prepared by: PRPA


Q 5: Types of Personal Information

The Bill could impact large amounts of personal information. What are some concrete examples?

Response / Key Messages

  • It may be possible to implement orders and directions without collecting large amounts of personal information, but since powers under Bill C-26 are broad and discretionary it is difficult to foresee how they will be used.
  • Types of personal information held by organizations that could be subject to directions and orders include:
    • Subscriber / account information like name, address, employment, etc. (telecom providers, banks)
    • Communications data like phone/internet use, website visits, and associated metadata (telecom providers)
    • Location data, for example from cell towers (telecom providers)
    • Financial data, e.g. transaction records (banks)
    • Verification and fraud detection information, including voiceprints, SIN, etc. (banks, telecoms)
    • Personal travel data, i.e. trips domestically and abroad (transportation service providers)

Background

  • Section 20 of the Critical Cyber Systems Protection Act (CCSPA) empowers the Governor in Council to order any operator of a critical cyber system to comply with any measure set out in a cyber security direction for the purpose of protecting a critical cyber system. Section 29 authorizes industry-specific regulators to collect “any information” from a person, partnership or unincorporated organization for the purpose of verifying compliance or preventing non-compliance with any provision of the Act.
  • Section 15.2(2) of the Telecommunications Act (TA) amendments empowers the Minister of Industry to direct telecommunications service providers to do anything that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system.

Prepared by: PRPA


Q 6: “Publicly Available Information”

The LOP summary of Bill C-26 states that the Bill would have the most expansive definition of “publicly available information”. What impact, if any, would this have on the OPC’s treatment of such information under privacy legislation?

Response / Key Messages

  • Bill C-26 would not impact the OPC’s treatment of “publicly available information” under existing federal privacy legislation.
  • To clarify, the Library of Parliament states that it is the Communications Security Establishment Act (“CSE Act”) that has the most expansive definition of “publicly available information” in Canadian law.
  • The Critical Cyber Systems Protection Act (“CCSPA”) does not define the term “publicly available information” and the definition in the CSE Act may provide useful context in interpreting the meaning of “publicly available” in the CCSPA.

Background

  • Under paragraph 26(1)(b) of the CCSPA, when “the information to be disclosed is publicly available” it is exempt from the prohibition on disclosure of confidential (i.e. commercially sensitive) information (s. 2). The CCSPA does not define the term.
  • Section 2 of the CSE Act defines “publicly available information” as: “information that has been published or broadcast for public consumption, is accessible to the public on the global information infrastructure or otherwise or is available to the public on request, by subscription or by purchase.” Information with a reasonable expectation of privacy is excluded for Canadians or persons in Canada.
  • Under PIPEDA, personal information may be collected, used or disclosed without knowledge or consent if it is publicly available and specified by the regulations, which set out an exhaustive list (ss. 7(1)(d), 7(2)(c.1), 7(3)(h.1) of PIPEDA and Regulations Specifying Publicly Available Information, SOR/2001-7). Therefore, the OPC would likely not consider the CSE Act definition when interpreting and applying the relevant sections of PIPEDA. We note that under C-27, the definition of “publicly available” in the proposed Consumer Privacy Protection Act (s. 2) also references regulations, which are not yet developed.
  • The Privacy Act provides that its use and disclosure obligations do not apply to personal information that is “publicly available”, which is undefined (s. 69(2)). Although there is jurisprudence directly interpreting this provision, none of it refers to s. 2 of the CSE Act and it is questionable whether the OPC or a Court would find such a broad definition relevant for the purposes of the Privacy Act.

Prepared by: Legal Services


Q 7: Collaboration with OSFI

Do your offices collaborate? If so, how and on what?

Response / Key Messages

  • We cannot speak for OSFI, but OPC is not able to collaborate with OSFI on investigations due to our legislative requirements and limitations.
  • We have seen situations where such engagement could have been beneficial.
    • For example, when a financial institution’s security safeguards are breached and personal information is compromised. In such situations, both OSFI and the OPC could have jurisdiction.
  • The OPC would welcome legislative changes that would facilitate such collaboration.

Background

  • S. 20 of PIPEDA provides that the Commissioner shall not disclose any information that comes to their knowledge as a result of the performance or exercise of any of their duties or powers under this Part other than those referred to in subsection 10.1(1) or 10.3(2) [breach reports and breach records].
  • S. 23 of PIPEDA allows the Commissioner to consult with any person who, under provincial legislation, has functions and duties similar to those of the Commissioner to ensure that personal information is protected in as consistent a manner as possible. The Commissioner can enter into arrangements/agreements to coordinate activities, undertake and publish research and publish guidelines, develop model contracts or other instruments and to develop information sharing procedures (23(2)). The Commissioner can also share information that could be relevant to an ongoing investigation or audit or that could assist the Commissioner in the exercise of their functions or duties (23(3)).
  • S. 23.1 provides for disclosure of information to any person or body who, under the legislation of a foreign state, has similar functions and duties to those of the Commissioner. Only information that is relevant to an ongoing or potential investigation in respect of a contravention of the laws of a foreign state that address conduct substantially similar to conduct that would be in contravention of PIPEDA, or that is necessary to disclose to obtain information that may be useful to an ongoing or potential investigation or audit under PIPEDA, can be shared (23.1(3)).

Prepared by: Compliance/PRPA


Q 8: Intersection with the Privacy Act

Can you comment on how Bill C-26 will intersect with the Privacy Act and is there anything in the Bill that might affect the applicability of the Act?

Response / Key Messages

  • The Privacy Act applies in respect of any personal information in control of a government institution. This could include personal information that also falls within the scope of Bill C-26.
  • Bill C-26’s amendments to sections 15.6 and 15.7 of the Telecommunications Act and sections 26 to 28 of the proposed Critical Cyber Systems Protection Act (“CCSPA”) authorize specific disclosures, which could include personal information.
  • To the extent these disclosures involve personal information and are made by a government institution, they would be authorized under paragraph 8(2)(b) of the Privacy Act, which permits personal information under the control of a government institution to be disclosed “for any purpose in accordance with any Act of Parliament … that authorizes its disclosure”.
  • In other words, the amended Telecommunications Act and CCSPA would provide a legislative basis for disclosures of personal information to be made in compliance with the Privacy Act.

Background

  • Bill C-26’s proposed amendments to sections 15.6 and 15.7 of the Telecommunications Act enable certain specified persons and entities (including government institutions) to exchange information and for the Minister of Industry to disclose information, respectively.
  • Sections 26 to 28 of the CCSPA permit the disclosure of information by certain persons, which may include government institutions.
  • PIPEDA may apply to organizations that disclose personal information to government institutions under Bill C-26.

Prepared by: Legal Services


Q 9: Personal Information vs Confidential Information

Can you comment on whether “personal information” should be treated as “confidential information”?

Response / Key Messages

  • C-26 places certain protections on “confidential information”, that is, commercially sensitive information that would likely not include personal information.
  • The treatment of personal information as “confidential” under the amended Telecommunications Act and Critical Cyber Systems Protection Act (“CCSPA”) would subject it to the same restrictions as commercially sensitive information. These existing restrictions and exceptions may not take into account underlying privacy considerations, e.g. the sensitivity of the information and whether any sharing is necessary and proportionate.
  • Instead, C-26 should protect privacy by imposing further limitations and safeguards when personal information can be collected, used or disclosed, separate from the concept of confidential information.

Background

  • Under the proposed amendment to section 15.5 of the Telecommunications Act, information may be designated “confidential” if it is (1) information that is a trade secret; (2) financial, commercial, scientific or technical information that is confidential and is treated consistently in a confidential manner by the person who provided it; or (3) information the disclosure of which could reasonably be expected to (i) result in material financial loss or gain to any person, (ii) prejudice the competitive position of any person, or (iii) affect contractual or other negotiations of any person.
  • Under the CCSPA, “confidential information” is defined as any information obtained under the Act in respect of a critical cyber system that: (1) concerns a vulnerability or protections of any designated operator’s critical cyber system and that is consistently treated as confidential by the designated operator; (2) if disclosed could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a designated operator; or (3) if disclosed could reasonably be expected to interfere with contractual or other negotiations of a designated operator.

Prepared by: Legal Services

