Philippe Dufresne, Canada’s privacy commissioner, has welcomed Bill C-8’s efforts to protect systems and services essential to national security or public safety from cybersecurity threats and vulnerabilities, with stronger safeguards able to decrease the likelihood and effects of privacy breaches.
According to a news release from the Office of the Privacy Commissioner of Canada (OPC), before the House of Commons Standing Committee on Public Safety and National Security, Dufresne recently offered his insights into the privacy implications of Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.
He supported Bill C-8’s incorporation of improvements to its predecessor C-26, including more guardrails on the planned order-making powers and new notification and reporting obligations, to help improve the balance between the legislation’s cybersecurity goals and privacy rights and interests.
According to Dufresne, like its predecessor, Bill C-8 acknowledged the need to take steps to safeguard critical infrastructure from increasingly sophisticated and complicated cyber threats from the standpoint of security and privacy alike.
“While stronger cybersecurity protections can help to reduce the likelihood and impact of privacy breaches, it is also essential to ensure that new powers, authorities, and obligations that are created to improve cybersecurity contain the necessary limits and that they do not have unintended impacts on privacy,” he said in the statement.
However, Dufresne noted that the following privacy risks remained, including:
- lower thresholds for exercising some powers and authorities with possible privacy implications
- the lack of a mechanism to ensure OPC learns about significant cybersecurity breaches affecting people’s privacy
- inadequate minimum privacy requirements for sharing information with foreign governments
Recommendations
In his statement, Dufresne recommended the following measures to fortify the bill in terms of privacy, tackle the remaining privacy risks, and improve the balance between security and privacy:
- The bill should set a uniform standard requiring that any collection, use, or disclosure of personal information be necessary in the circumstances to attain the stated goal and proportional to the expected benefits
- Information-sharing agreements under the bill should impose minimum privacy safeguards to enhance governance and accountability, and ensure a consistent privacy protection standard when information exchanges occur outside the country
- The Canadian Security Establishment and other relevant government institutions should update the OPC upon discovering a cybersecurity incident amounting to a material privacy breach to enable collaboration and coordination to protect Canadians’ privacy
“While this is not specific to Bill C-8, I would also reiterate my overarching recommendation that government institutions be legally required to conduct privacy impact assessments and to consult my Office when developing any new programs or initiatives with privacy implications for Canadians,” he said in the statement.
In his statement, Dufresne acknowledged that the cyber-threat landscape shows the increasingly disruptive and far-reaching impacts of cyber incidents. He expressed concerns about critical infrastructure breaches like the incident involving Nova Scotia Power last May.
He noted that such incidents could jeopardize the systems and services needed to maintain Canadians’ health, safety, security, and economic prosperity, leading to unauthorized access or disclosure of personal information and harm to the impacted individuals.