OpenMedia Urges Senate: Finish the Job of Fixing the Flawed Bill C-8

Canada's cybersecurity bill could weaken the very protections it claims to offer. OpenMedia testified before the Senate to push for four critical fixes to close the privacy gaps in Bill C-8.

On May 25, 2026, OpenMedia’s Executive Director, Matt Hatfield, testified before the Standing Senate Committee on National Security, Defence and Veterans Affairs (SECD) on Bill C-8, An Act respecting cyber security, and finishing the work the other house began.

Introduced in June 2025, Bill C-8 brought back an earlier cybersecurity bill without fixing some dangerous loopholes that leave Canadian networks vulnerable to attack. Bill C-8 mirrors a half-baked cybersecurity law, Bill C-26, from the Trudeau era, and inherited most of the dangerous privacy and security risks from its predecessor.

The bill gives government ministers broad powers to issue secret orders, compelling telecom companies, banks, and other federally regulated organizations to act in ways that could weaken encryption. These orders can last indefinitely, with no independent review and minimal oversight, leaving both the public and Parliament in the dark. The bill’s intention—strengthening cybersecurity—is valid and important, and significant improvements were made to the Bill during the House of Commons amendment process. Nonetheless, the way it is currently written still risks undermining the very protections it claims to offer.

Before the bill passed the House

Since September 2025, over 5,500 OpenMedia community members across the country have written to their elected representatives, urging them to fix Bill C-8, and stop the fast-track of this flawed cybersecurity bill. In December 2025, we testified before the House of Commons Standing Committee on Public Safety and National Security (SECU) to push back against the broadly written portions of Bill C-8, and demanded real accountability, privacy, and security.

Bill C-8 went into clause-by-clause at the House SECU in early February 2026. Some significant amendments were tabled from the Conservative Party of Canada (CPC) and the Bloc Québécois. These included requirements for judicial authorization before ministers could issue certain cybersecurity orders, stronger encryption protections to prevent the bill's powers from being used to weaken digital infrastructure, restrictions on telecom providers' ability to consent to sharing personal or de-identified information on behalf of Canadians, and new proportionality and necessity requirements on government information collection.

Not all of these amendments survived. Bill C-8 passed the House in late March 2026 with some real improvements. The final version requires that the Minister and Governor in Council consider the potential privacy impacts on Canadians before issuing cybersecurity orders. It includes provisions clarifying that the bill's security powers cannot be used to arbitrarily weaken encryption or digital infrastructure. And it prohibits orders directing the suspension of service to an individual unless strictly necessary to address a specific technical threat. All of these were meaningful improvements we fought for.

Now before the Senate

These are real wins, but they don't go far enough. The bill that arrived in the Senate still lacks the full set of robust, independent oversight and proactive privacy safeguards that Canadians deserve. That's why on May 25, we testified before the SECD, urging them to finish the job of fixing Bill C-8. 

Our testimony put four concrete asks on the table. 

1. Limit data use to cybersecurity. Once information reaches an agency like the Communications Security Establishment, nothing in the bill stops it from being repurposed for domestic  intelligence or unrelated operations, or be shared with foreign intelligence services. The bill should explicitly restrict collected data to its stated purpose.
2. Require necessity and proportionality. The bill's current "reasonable in relation to the threat" standard falls short of the Privacy Commissioner's recommendation — and of the test used everywhere else in Canadian privacy law. Any collection, use, or disclosure of personal information should be necessary and proportionate to the benefit.
3. Put a clock on secrecy. The non-disclosure provisions in Bill C-8 have no expiry date. Secret orders shouldn't stay secret forever by default, lest we risk a growing empire of invisible orders. Orders that must be secret initially should eventually become public, with any extension of their secrecy requiring a Federal Court order.
4. Restore independent judicial authorization. The most safeguard the House committee adopted — and lost on a procedural ruling — should be restored by the Senate, so that by default, a judge reviews the government’s orders before they take effect.

These aren't sweeping demands. They are narrow, surgical fixes that hold the government to its own stated purpose of protecting Canadians' networks without sacrificing Canadians' rights. More than 10,000 OpenMedia community members have written to ask that Bill C-26 and its successor, Bill C-8, become law only once they prioritize both privacy and cybersecurity. The Senate is now the last place that can make that happen.

For anyone who wants to learn more, the recording and full text of our Senate testimony are available here.

OpenMedia will continue advocating for strong, rights-respecting cybersecurity legislation, and your support makes a difference. Support our work and help protect privacy, security, and democracy in Canada!