OTTAWA — Business and civil-liberties groups are united in arguing that the federal Liberals’ sweeping bill on cybersecurity would give the government too much power and too little accountability for how they use it.

As soon as the House of Commons sits again next Monday, its public safety committee plans to start hearings on the bill. Introduced in spring 2022 by then-public safety minister Marco Mendicino—with support from Innovation Minister François-Philippe Champagne—after years of hemming and hawing, the bill has languished on the committee’s to-do list since last March.

“There’s a silver lining in that in the sense that this has given Public Safety, ISED and others the opportunity to really listen to stakeholders and to incorporate that into their thinking,” said Trevor Neiman, the vice-president of policy at the Business Council of Canada.

“I think there’s going to be a high level of agreement in terms of the objective,” he said, but as written, he believes Bill C-26 leaves gaps and could be abused.

The bill has two main sections, one on the telecommunication sector and one on cybersecurity more broadly.

The first gives the federal cabinet the power to ban particular suppliers from Canadian telecom networks—China-based Huawei and ZTE are the ones the government has in mind—including by ordering their gear removed from existing networks.

The government could also cut a person or company off from telecommunication service in Canada, in the name of protecting the telecom system, like a no-fly list for the internet and telephones.

The second part authorizes the cabinet to make a list of digital systems that are “vital to national security or public safety.” Those systems’ operators would have to make and file cybersecurity plans, submit to supervision from their regulators on whether their plans and practices are good enough, and report breaches to the Communications Security Establishment, the national cyberspying agency. The cabinet could also issue orders for “any measure … for the purpose of protecting a critical cyber system.”

The key complaints about the bill:

Uncalibrated risk: The Business Council of Canada’s biggest objection is that the bill would impose the same cybersecurity demands on every operator it covers, without regard for either the importance of the service it runs or its ability to protect itself.

“Those operators that pose the least amount of risk should have a lower set of obligations that would free up those organizations to spend more of their finite resources on incident prevention,” Neiman said.

Unlimited powers: “There’s not very many safeguards that are built around Canada’s proposed regime,” Neiman said. He compared it to a cybersecurity law that took effect in Australia in 2022 which includes a requirement for the government there to consult with operators before issuing cybersecurity directions to them.

Canadian telcos share that worry.

“Some of our concerns relate to the overly broad scope of order-making powers and the absence of a requirement for government to consult with or consider the advice of industry and security experts,” wrote Eric Smith, senior vice-president of the Canadian Telecommunications Association, in a statement to The Logic.

Civil liberties groups, meanwhile, object to the way the new powers could be used on individuals.

“Bill C-26 fails to set out any explicit regime, such as an independent regulator with robust powers, for dealing with the collateral impacts of government security orders,” a coalition headed by the Canadian Civil Liberties Association complained in a brief submitted to the public safety and national security committee. It has no “proportionality, privacy, or equity assessments, or other guardrails, to constrain abuse of the new powers it grants the government.”

Secrecy: Many of the bill’s measures include gag orders. A direction to cut a person or business off from telecom services “may also include a provision prohibiting the disclosure of its existence, or some or all of its contents, by any person,” it says.

Furthermore, orders on cybersecurity must be kept secret.

“While we recognize there may be situations where orders must be kept secret, the bill errs on the side of secrecy rather than transparency,” wrote Smith, of the telecom association.

“The public needs to have a sense of how these powers are being exercised, how often, and to what effect, if decision-makers are to be held to account,” the civil-liberties groups’ brief said. 

Even secret orders should be published within 180 days and the government should report annually to Parliament on how it’s used the powers Bill C-26 gives it, they say.

Privacy invasion: Private information shouldn’t be disclosed to the government without specific reasons and judicial oversight, it should be deleted when it’s no longer needed, and people should have rights to compensation if their data is improperly disclosed, the civil-liberties groups’ brief said. The government should also be forbidden to share personal information outside Canada, it said.

No compensation: The bill would let the government bar equipment-makers it doesn’t trust from new Canadian telecom systems.

Beyond that, it would let the government order gear removed from existing networks, at a cost that could run into the hundreds of millions of dollars.

The telecom industry objects that “the bill prohibits the government from providing compensation to parties for the costs associated with complying with a government order,” Smith wrote.

Coordination: The Canadian Bankers Association told The Logic in a statement that it would prefer dedicated regulators like the Office of the Superintendent of Financial Institutions to be in charge of their sectors, rather than a mix of regulators, the public-safety minister and the federal cabinet as a whole. The banking sector would also like to get information from the Canadian Security Intelligence Service (CSIS) on what it should be worried about, spokesperson Maggie Cheung wrote in an email.

Neiman at the Business Council said the federal legislation rightly focuses on the sectors the federal government controls—like telecom, financial services and interprovincial transportation—but that leaves big swathes of the economy to provincial governments to regulate.

“I think the business community would caution both the provincial and federal governments to ensure that those regimes link up, so there’s not any conflicts or undue overlap,” he said.

Leaving it to MPs: Facing broad criticism of a different law-in-the-making, Bill C-27 on privacy protections and artificial intelligence, Champagne sent his own pack of proposed amendments to the committee examining it.

A spokesperson for Dominic LeBlanc, the current public-safety minister, told The Logic that LeBlanc isn’t planning a similar move: “We will leave it to the members of the standing committee to determine the next steps as it pertains to their study of Bill C-26. In the meantime, we continue to meet with stakeholders to hear their perspectives on this legislation,” Jean-Sébastien Comeau wrote in an email.