Civil Society groups highlight concerns with ‘deeply problematic’ Cybersecurity Bill C-26 ahead of Commons debate
Serious concerns around privacy, accountability, judicial due process, and digital rights set out in open letter to Public Safety Minister Marco Mendicino.
Updated on November 16, 2022 to add the National Council of Canadian Muslims to the list of signatories of the open letter.
28 September, 2022: The federal government’s cybersecurity legislation, Bill C-26, is deeply problematic and must be fixed. That’s the verdict of Canadian civil society organizations and experts who set out a series of detailed concerns in an open letter to Public Safety Minister Marco Mendicino ahead of a House of Commons debate on the legislation expected soon.
Noting that “All residents of Canada can agree on the need for cybersecurity,” the group warns that Bill C-26 in its current form “risks undermining our privacy rights, and the principles of accountable governance and judicial due process which are the fabric of Canadian democracy.”
Bill C-26 grants the government sweeping new powers not only over vast swathes of the Canadian economy, but also to intrude on the private lives of Canadians. The letter calls on Parliament to amend the legislation to ensure these powers are strictly delimited and accompanied by meaningful safeguards and reporting requirements to protect privacy, accountability, judicial transparency, and digital rights.
Concerns about the bill include:
● Opens the door to new surveillance obligations: Bill C-26 empowers the government to secretly order telecom providers “to do anything or refrain from doing anything.” This opens the door to imposing surveillance obligations on private companies, and to other risks such as weakened encryption standards — something the public has long rejected as inconsistent with our privacy rights.
● Allows termination of essential services: Under Bill C-26, Canadian companies or individuals risk being cut off from essential services by secret government order, without explanation. Bill C-26 fails to set out any explicit regime, such as an independent regulator for dealing with the collateral impacts of these orders.
● Undermines privacy: Bill C-26 empowers the government to collect broad categories of information from designated operators, which may enable it to obtain identifiable personal information and subsequently distribute it to domestic, and perhaps foreign, organizations.
● Lacks guardrails to constrain abuse: Bill C-26 lacks mandatory proportionality, privacy, or equity assessments, or other guardrails, to constrain abuse of the new powers it grants the government — powers accompanied by steep fines or even imprisonment for non-compliance.
● Secrecy undermines accountability and due process: Bill C-26 enables the government to shroud its orders in secrecy, with no mandatory public reporting requirements. While there is a need for some degree of confidentiality in this sphere, the public must have a sense of how these powers are being exercised, how often, and to what effect, if decision-makers are to be held to account.
● Permits unknowable orders to trump public regulation: Bill C-26 tilts the balance so far toward secrecy, its orders and regulations may take precedence over decisions previously issued by regulatory agencies — rendering the security-related rules currently in effect unknowable for members of the public.
● Authorizes the use of secret evidence in Court: Even if Security Orders are subjected to judicial review, Bill C-26 could restrict applicants’ access to evidence. Bill C-26 also does not include any consideration of security-cleared advocates to be appointed on applicants’ behalf. While such provisions are an imperfect solution for due process, they do provide at least a minimal level of protection for applicants’ rights.
● Grants power without accountability for the CSE: Bill C-26 would let the CSE — Canada’s signal intelligence and cybersecurity agency — obtain and analyze security-related data from federally-regulated companies that Canadians entrust with their most sensitive personal information. The CSE's use of this information is not constrained to the cybersecurity aspect of its mandate, and any uses would be largely subject to after-the-fact review rather than real-time oversight, resulting in a significant deficit in democratic accountability.
● Lacks Justification: Although the government claims that such sweeping and secretive new powers are required it has not published any sufficiently comprehensive data establishing the necessity and proportionality of the proposed powers.
Bill C-26 was first published in June, and is expected to be debated by the House of Commons in the coming weeks, before moving to the Standing Committee on Public Safety and National Security for more detailed study.
Dr. Brenda McPhail, Director of the Privacy, Technology & Surveillance Program at the Canadian Civil Liberties Association: "Privacy protections for people across Canada must be a core component of legislation seeking to enhance our security if it is to be fit for purpose. Bill C-26 must be amended to ensure that new surveillance obligations and expanded information sharing powers are appropriately constrained, subject to effective oversight, and respect privacy rights."
Dr. Christopher Parsons, Senior Research Associate at the Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto: “The Government of Canada has rightly recognised that it is imperative to secure federally regulated critical infrastructure. Legislation that fulfils this objective, however, must have the principles of proportionality, accountability, and due process embedded in its DNA. Bill C-26 does not contain these principles and, consequently, the legislation absolutely must be amended prior to its passage.”
Tim McSorley, National Coordinator, International Civil Liberties Monitoring Group: "Time and again, we've seen federal governments try to grant themselves the power to intrude on our private lives in the name of ‘security’ -- and time and again, people in Canada have come together to push back. Let's fix Bill C-26 so that it delivers strong cybersecurity, while ensuring accountability and upholding our basic rights."
Matthew Hatfield, Campaigns Director at OpenMedia: “Canadians deserve to have their cybersecurity defended by our government, but also from our government. A full set of checks and balances must be introduced in Bill C-26 before it is passed to keep it from handing a blank cheque to government spy agencies that could justify considerable abuse of our rights and privacy.”
The open letter to Minister Mendicino is endorsed by:
Canadian Civil Liberties Association
Canadian Constitution Foundation
International Civil Liberties Monitoring Group
Ligue des droits et libertés
Privacy & Access Council of Canada
National Council of Canadian Muslims
Dr. Christopher Parsons, Senior Research Associate at the Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto
Tamir Israel, Digital Rights Lawyer
Andrew Clement, Professor Emeritus, Faculty of Information, University of Toronto
Digital Rights Campaigner,
1 (888) 441-2640 ext. 705