Public Safety Committee on April 8th, 2024

Thank you.

First of all, welcome back, everyone. It's been a couple of weeks. Hopefully everyone remembers where we left off, because I certainly don't remember exactly where we were.

I have a couple of housekeeping items. Could I ask for UC to reopen the items that we need to change, because the legislative drafting folks have informed us that there are a couple of little mistakes?

Is there agreement?

Thank you.

Did everybody get these? Yes, they have them.

The first one is that we need to reopen NDP-7 and add, under section 15.21(2)(b), a subparagraph (i) that would read, “the number of times during the previous fiscal year that, under subsection 15.2(6), an order prevailed over a decision of the Commission made under this Act”.

While we're figuring out the specific language, could I ask the ISED officials if that is just technical, or do they deem it to change in any way the intention of what was passed prior?

Thank you.

Thank you.

Mr. Chair, I just want to say that I'm very impressed with the coordination of your suit and our witnesses' suits today. I did not get the memo, so I wore a blue suit, and I apologize for that, but I'm very impressed. I haven't seen that degree of coordination in a long time.

You're very attentive today, Mr. Julian. It could be a long day or a good day.

On the first one, the analyst said NDP-7 is fine, so we're good to go.

Go ahead, Mr. Shipley.

Thank you for that. I'm sorry for the delay.

The next one.... I'm sorry.

Thank you again. The next one is to correct also in NDP-7, paragraph 3....

We've been informed that after “Act during the previous fiscal year”, we need to delete “and must cause the report to be tabled before each House of Parliament on any of the first 15 days on which the House is sitting after the report is completed”. We're deleting that part.

Okay. That's considered good.

Do you have one more?

We need to reopen G-6.2. We need to add a proposed subsection 15.81(3) to G-6.2, saying that “The report must also state the number of times an order prevailed over a decision of the Commission made under this Act during the previous fiscal year.”

That would be an addition. It would be proposed subsection 15.81(3).

I'm sorry. Are you proposing a subsection 15.81(3)?

Yes.

Thank you, Mr. Shipley.

With unanimous consent, we'll move on.

(On clause 12)

We'll move to clause 12.

Go ahead, Ms. O'Connell.

For G-6.4, I don't know if I'm jumping ahead, but I'm getting ready to withdraw it.

You are, but that's okay. We know you're hungry.

You're withdrawing G-6.4

Yes, I am. That's all.

(Clause 12 agreed to)

(On clause 13)

We're moving to clause 13.

Next is G-7.

Is there any discussion?

We have Mr. Julian, please.

Thank you, Mr. Chair.

I just want to ask our terrifically coordinated witnesses what the impact would be of taking out “private”.

I understand the need to capture crime corporations in this. I'm wondering if there are unintended consequences that may be of concern in terms of what that means for private companies.

Thank you, Mr. Julian.

Go ahead, Ms. O'Connell.

I'll just move it, and the explanation is exactly that. We're just removing the word “private”.

Shall G-7 carry?

(Amendment agreed to [See Minutes of Proceedings])

Next is G-8.

Go ahead, Ms. O'Connell.

Thanks, Mr. Chair. I'll move that amendment.

It's the same as G-7. The rationale is to remove the word “private” from “federally regulated private sector” just to expand and ensure everything is captured.

(Amendment agreed to [See Minutes of Proceedings])

Next is G-9.

Go ahead, Ms. O'Connell.

Thank you, Chair.

I'll move this. It's just to correct a drafting error to ensure that publicly owned and operated organizations can also be captured. It's similar to G-7 and G-8.

(Amendment agreed to [See Minutes of Proceedings])

Next is G-9.1.

Thank you.

We're just moving so fast. I have to catch up with my notes.

I'll move this again. It's essentially to ensure the federal government can enter into agreements with provincial and territorial governments. It's to include, as one of the provisions, “with the provinces and territories”. That's the language it's adding.

(Amendment agreed to [See Minutes of Proceedings])

Next is G-10. Go ahead, Ms. O'Connell.

I'm sorry....

Chair, I'll move this one, and maybe the officials could just explain to us how this preserves the due diligence defence, which is the intent of the amendment.

Thank you.

I think this amendment is needed to make sure that due diligence defence is in the legislation.

Shall G-10 carry?

(Amendment agreed to [See Minutes of Proceedings])

Thank you.

Next we have BQ-12. Go ahead, Madame Michaud.

Thank you, Mr. Chair.

The purpose of BQ‑12 is to avoid regulatory overlap. It stems from a request Electricity Canada made in its brief. As you can well imagine, some organizations already have cybersecurity programs, so adding this provision would ensure that they were exempted from the cybersecurity program requirements.

The idea is really to avoid regulatory overlap. Electricity Canada submits that infrastructure already subject to stricter standards won't be made any more secure. In its brief, Electricity Canada refers to the standards set by the North American Electric Reliability Corporation, which many provincial regulators have adopted, applied and reviewed.

That's the purpose of this amendment.

Thank you, Madame Michaud.

Ms. O'Connell, please go ahead.

Thank you, Chair.

Through you, to any of the officials who could answer this, would this effectively mean that designated operators could determine, themselves, if they meet the threshold, and therefore wouldn't be subject...?

I understand the intention. I just want to make sure there isn't a self-regulating thing like, “Oh, we have these cybersecurity policies, and therefore there's no need to look here.” That's how I am reading it, but perhaps you could elaborate if this is of concern.

Mr. Julian, please go ahead.

Although I very much appreciate the intention behind the amendment, I can't support it since it would mean that operators themselves could determine that they met the requirements.

Is there any further discussion?

Shall BQ-12 carry?

(Amendment negatived [See Minutes of Proceedings])

We are now on G-11.

Ms. O'Connell, please go ahead.

Thank you.

This amendment, again, is dealing with the prescribed time frame for notification of changes.

We had lots of discussion around this, and the proposed language, which would be “within a period prescribed by the regulations” instead of “without delay”, will provide more clarity.

Not every industry will require the same time frames. Some might be more complicated than others. Through the regulations, industry would probably welcome the ability to have those conversations.

This language achieves the same things, but provides a little bit more certainty to the private sector or those who might have to comply under this legislation.

Thank you.

Is there any discussion?

Shall G-11 carry?

(Amendment agreed to [See Minutes of Proceedings])

Next we have G-12.

Ms. O'Connell, go ahead.

Thank you.

This amendment removes the reference to “reasonable steps” in proposed section 15. This would allow for the availability of the due diligence defence and provide more clarity to the intention of this bill. However, based on feedback, we want to put in some language that would ease some of those concerns.

Is there any discussion?

(Amendment agreed to [See Minutes of Proceedings])

We're now on BQ-13.

Ms. Michaud, go ahead, please.

Thank you, Mr. Chair.

BQ‑13 is pretty straightforward.

A number of stakeholders asked us to better protect the information in question or the sharing of that information. The purpose of the amendment is simply to increase confidence around the sharing of the information and to strengthen the conditions applicable to how the information is used.

Thank you, Ms. Michaud.

If BQ-13 is moved, CPC-19 cannot be moved, as they are identical.

I should have read that out before you did your comments. My apologies.

Go ahead, Mr. Motz.

I'm just wondering if the officials have any comment on BQ-13 and its potential for limiting CSE in using information only for cybersecurity purposes.

Thank you, Mr. Motz.

Mr. Chair, I have a point of order.

Go ahead, Mr. McKinnon.

I'm not in the room, so I can't really tell how the votes are going. I don't know if CPC-12 carried or not. I wonder if you could be sure to announce the results each time. That would helpful.

Thank you.

Thank you, Mr. McKinnon.

Go ahead, Ms. O'Connell, please.

Thank you.

For members' benefit, I will say on this amendment that while I understand the rationale, we also agree in the sense that any collection of data should not be used for surveillance purposes. I just want to point members to our changes in G-9.1 and eventually G-14.2, which will reiterate that.

We won't be supporting this amendment, but we do agree and want to put the point home that this legislation, as the officials have pointed out, is not to create a new surveillance mandate. That's why we won't be supporting it, but I think it's important that we point to those other amendments.

Thank you.

Is there any further discussion?

(Amendment negatived [See Minutes of Proceedings])

We're now moving on to NDP-10.

If NDP-10 is moved, BQ-14 and CPC-20 cannot be moved, as they are identical. Also, if NDP-10 is adopted, G-13 cannot be moved due to a line conflict.

Go ahead, Mr. Julian.

Thank you very much, Mr. Chair.

This is regarding the issue of Bill C-26 and to ask whether it needs operators to immediately report a cybersecurity incident.

The reality is that we heard testimony from the Canadian Chamber of Commerce and other witnesses about a 72-hour reporting period, with “immediate” being defined as 72 hours.

It's important to note that in the U.S., the Cyber Incident Reporting for Critical Infrastructure Act also talks about a 72-hour reporting time frame.

Our witnesses said very clearly that “immediately” made it potentially difficult for them to resolve the issue and to respond to the cyber-attack, because they would be concerned about the impacts of not reporting in that immediate time frame. A 72-hour window would provide the ability to combat the cybersecurity incident and do the reporting in a very timely way.

I'd like to move what we heard from witnesses and move NDP-10 to essentially provide an amendment such that the designated operator must report the cybersecurity incident within 72 hours from the time the operator reasonably believes the incident occurred.

Thank you, Mr. Julian.

Are there any further discussions?

Ms. O'Connell, go ahead, please.

Thank you, Chair.

I think that all parties have submitted something in terms of dealing with the time frame. I think we all are in agreement on the intent and removing “immediately”, as it is not clear enough.

We still prefer G-13, which creates a “period prescribed by the regulations” that could also address industry differences, but I'm open to hearing the conversation, because we're obviously not on G-13 yet.

Perhaps through the chair to officials, what happens if the 72-hour period is adopted and, in some industries...? For example, banking might be able to comply quite easily, but for telecom, by the time they track down what the issue might be, is that going to be a problem? Is this too prescriptive or not prescriptive enough?

I want to get a sense of what we think will be achieved with this. Also, given that all parties are concerned about the initial drafting of the language, how do we come to a better consensus of what it should be replaced with?

Mr. Chair, with that being said, I agree that if things change, if things happen faster and need more time, I would like to be able to do it through regulations instead of opening up the legislation.

I won't support this amendment, but I look forward to, hopefully, G-13, unless there is something discussed here. I don't know where my other colleagues stand on the differences.

Mr. Motz, go ahead, please.

Thank you.

I'm not generally a fan of hiding everything in regulations, but it makes total sense to have some flexibility with respect to the different aspects we're dealing with here. It's not just one stream; we're dealing with a lot of different players. I think it makes sense, in this case, to put it in regulations.

I won't be supporting this one, but I will be supporting G-13.

Mr. Julian, go ahead, please.

I'm going to push back against the coalition a bit, in the sense that, first off, we have, within the idea of a 72-hour reporting period, harmonization with existing regimes, such as the United States. The reporting mechanism is already in place in the United States and well understood.

It is also, I think, incumbent on us to listen to the witnesses who came forward and talked about the 72-hour reporting period.

As my friend Mr. Motz pointed out, it's less transparent when it's in regulations. The reality is that governments of the day are able to tweak legislation if, 10 years down the road, it is something that requires some tweaking. There are a variety of ways of doing that.

I would suggest that the 72-hour reporting mechanism is reasonable and an improvement on what currently exists in the bill. It is in keeping with our major trading partner—which has exactly that same legislation in place—and it responds to what we repeatedly heard from witnesses, which was that a 72-hour reporting period was reasonable and something they believed would allow the bill to be effective and would allow entities to respond in a timely way to the urgency of a cyber-attack.

With that, Mr. Chair, I'll turn it over to the committee to decide.

Thank you.

Ms. O'Connell, go ahead, please.

I'm sorry. I have a couple of points.

First, even if we don't pass this amendment and go with G-13, there's nothing to say that a 72-hour reporting time wouldn't be a thing determined based on a particular sector. I hear Mr. Julian's point about consistency with our allies—I don't disagree—but I think that can be determined through consultations and regulations as well.

However, that being said, I forgot to ask this earlier: It's not just about the 72 hours. Through the chair to our officials, the other line I have some concerns about in this amendment is “from the time the operator reasonably believes the incident occurred.” I have some concerns about relying on when the determining operator starts that clock. I don't know if I'm alone in that.

Could we perhaps get some commentary on that line in the amendment as well?

Thank you.

Mr. Shipley is next.

Just very quickly, to speed things up a bit, we will not be supporting NDP-10, but we will be supporting G-13 with the amendment by Mr. Motz.

Thank you, Mr. Shipley.

Is there any further discussion on NDP-10?

(Amendment negatived [See Minutes of Proceedings])

G-13 can only be moved if NDP-10 is defeated. Also, if G-13 is adopted....

Go ahead, Ms. O'Connell.

Thank you.

I'll move it, but for the sake of time, I think we've had the conversations and my earlier comments about this.

The change is needed, but I think we should go through regulations for the different time frames for reporting.

Mr. Motz, go ahead, please.

I would agree, and if the parties are amicable about it, a subamendment that would put it in the regulations. The witnesses talked about a 72-hour time period. If we can put that in the regulations in some way, shape or form to ensure that the timeline is honoured, so that it's in the regulations....

I'm not contradictory. I'm saying that we need to do it in some way. I have some flexibility in the way we do it, but it shouldn't be in the act itself.

Go ahead, Mr. Julian, please.

I agree with Mr. Motz. I believe he's moving a motion for reconsideration of NDP-10.

As for the 72 hours, in terms of regulation, I believe we could provide some guidance in the regulations, but it would be safer and clearer if we just had the 72 hours written into the legislation.

Go ahead, Ms. Damoff, please.

I'm going to defer.

Ms. O'Connell is next.

Thanks.

I'm throwing this out there so that we can have some discussion, and I would like to include the officials.

If we included something along the lines of “not to exceed 72 hours”....

The intention is in terms of speed, but in a way that could allow, through regulations, industry-specific or sector-specific....

Before I move that language, could I just make sure that it would actually be achievable?

Maybe Mr. MacSween could answer.

Thanks.

I agree and I support the idea of having some of that flexibility while not losing the intention of speed as a necessity. If we added...or if the Conservatives moved a subamendment to include “not to exceed” and there was a sector that had issues, could you come back within the regs and deal with that, or is that kind of the floor—or ceiling, depending on who you are—in terms of looking at the time frame?

Mr. Motz is next, please.

Would it work if we inserted some language to “not exceed”, but made it sector-specific, and also in circumstances to not exceed or be within 72 hours?

Again, it's to give flexibility within the wording. I don't know how to think of that right now, but it's to give flexibility in the wording that would allow for energy-specific time adjustments, although it should be within 72 hours if possible.

Is that something that's workable?

Is everybody good?

We need language.

At the end of this “within a period prescribed by regulations within 72 hours”....

Mr. Chair, could we maybe park this one, work on a little bit of language and come back?

I don't want to do it on the fly. I think our intentions are good. It would allow us to work on the proper language without having to do it like this.

I have a question, Mr. Chair—

Because clause 13 may have an effect on other parts of this bill, we're going to suspend for about two or three minutes and just get some language around this.

We are suspended.

I will ask Mr. Motz to read out his amendment to G-13, for the record.

Thank you, Chair.

With respect to proposed section 17, it says, “A designated operator must, within a period prescribed by the regulations,” and then it would say “not to exceed 72 hours”.

We've taken “energy” out of this specific section because the regulations require consultation with sector-specific operators anyway, so it would be “not to exceed 72 hours”.

Is there further discussion on this?

Mr. Julian, go ahead.

It's “A designated operator must, within a period not to exceed 72 hours”. Is that right?

Yes.

I support this amendment.

Thank you, Mr. Julian.

Mr. McKinnon, is your hand up?

Yes, Mr. Chair.

I am just wondering if there are any industries that require a longer period or whether that's really acceptable as a maximum.

Mr. MacSween, go ahead, please.

Ms. O'Connell, go ahead, please.

Chair, thank you.

Just to clarify, for us I think the issue is not the 72 hours per se, because we do want to ensure we can have consistency with the U.S. The issue with the previous amendment was really around when that clock started ticking, that being at the operator's discretion, so we're very happy to support this 72-hour amendment.

There is no further discussion, so we will vote on the subamendment.

(Subamendment agreed to [See Minutes of Proceedings])

Now we'll go back to the original amendment.

Mr. Brock, go ahead.

Thank you.

I'd like to move a motion at this time, Mr. Chair. It has been distributed to the clerk in both official languages.

We need to finish amendment G-13, Mr. Brock, before you can move that motion.

Okay.

Back to the—

On a point of order, did the subamendment pass? I didn't hear that.

Yes, it carried.

We will go back to the original amendment G-13.

Is there any further discussion on it?

(Amendment as amended agreed to [See Minutes of Proceedings])

Mr. Brock, go ahead, please.

Thank you, Chair.

The motion is in both official languages. I move as follows:

“Given that under the current NDP-Liberal government, car thefts across Canada have surged by 34%, and that the Insurance Bureau of Canada, IBC, has deemed the number of car thefts a “national crisis”, stating that insurers have had to pay out record numbers, and these costs are passed directly on to Canadians, costing every driver an extra $130 per year, and that as recently reported in the media, a Montrealer went through hell in March when his car was stolen twice in just three weeks, the committee report to the House that Canada is facing a national auto theft crisis and request that the Minister of Public Safety appear before the committee for no less than three hours in relation to the ongoing auto theft study.”

Thank you.

Go ahead, Ms. O'Connell, please.

Mr. Chair, I move that we adjourn debate on this motion.

Go ahead, Mr. Clerk, and take the vote.

(Motion agreed to: yeas 6; nays 5)

We're on CPC-21.

Am I right that BQ-14 and CPC-20 are toast?

That's right.

I would like to move CPC-21, please. This amendment would require a “designated operator” to notify the regulator of a cyber-incident within 24 hours instead of immediately.

Is there any discussion?

Go ahead, Mr. Julian.

I'm a little confused by the Conservative amendment. Perhaps Mr. Shipley could explain a bit more the discrepancy between the 72 hours we were speaking of earlier and the 24 hours targeted by their amendment.

Thank you, Mr. Julian.

We'll go back to Mr. Shipley, please.

After Mr. Motz's amendment, we're going to ask for UC to withdraw CPC-21. I'm sorry about that, everyone.

Do we have unanimous consent?

(Amendment withdrawn)

We're on NDP-11.

Thank you, Mr. Chair.

As we go along, I'm going to be withdrawing a number of NDP amendments just in the interest of moving forward, but in this particular case, we would be deleting “on request” for a designated operator to report to the appropriate regulator. It shouldn't be “on request”; it should be mandatory. That's why I'm proposing this amendment.

Is there any discussion on NDP-11?

Shall NDP-11 carry?

(Amendment agreed to [See Minutes of Proceedings])

We're on CPC-21.1.

Thank you, Chair. This one, we will be moving.

CPC-21.1 would require operators to report ransomware payments to the CSE. There is currently no requirement in the legislation to report payments to the CSE.

The CSE has often remarked that ransomware payments are under-reported. This will align with the United States' version of this bill.

Is there any further discussion?

Go ahead, Ms. O'Connell, please.

Thank you, Chair. Through you, I would like to ask our two officials about the impacts of this language and if this is not already covered.

My rationale and thinking are that if a sector is already required to report, then whether or not they pay ransomware, the request or the breach would trigger the reporting, in my understanding of it, but I would like to know if I'm wrong.

That said, Mr. Chair, I think the intention makes a lot of sense, but if this is already covered within the rest of the act, what the amendment proposes is to create a 24-hour rule for a specific type of attack, which is ransomware, versus what we just discussed about having an overall regulation around the timing of reporting for all activities.

If we start breaking up these cyber-incidents and create different standards for reporting, I think it will become confusing, and that confusion could even cause sectors to not know when or what to report.

For clarity's sake, I feel comfortable that a ransomware attack would be covered in the reporting side of the rest of this legislation. We don't need to isolate and create a specific new reporting time frame just for ransomware.

Thank you.

Mr. Shipley, is there anything further?

(Amendment negatived [See Minutes of Proceedings])

Next is BQ-15.

I won't be moving the amendment, Mr. Chair, given the discussion we had regarding the test for reasonableness and proportionality during the first part of our study of the bill.

Thank you. The amendment is withdrawn.

Next is G-14. If G-14 is adopted, CPC-22 cannot be moved due to a line conflict.

Is there any discussion?

Go ahead, Ms. O'Connell.

Thank you.

This amendment just creates a bit more clarity to keep in line with the intent of the legislation. We heard concerns, for sure, about creating guardrails and about transparency. This amendment provides additional language to make sure that there are reasonable grounds for an order, and it lists some of the factors that might be considered.

Again, it's just in relation to providing clarity in the legislation, which we always believed was the intent of the law, to give some reassurance to those who raised some concerns.

Thank you.

If there's no further discussion, shall G-14 carry?

(Amendment agreed to [See Minutes of Proceedings])

Next is G-14.1.

Go ahead, Ms. O'Connell.

Thanks.

I think we spoke about this in the first half of the bill. It creates the obligation to notify NSICOP and NSIRA within 90 days of issuing a cybersecurity directive.

Just to refresh everyone's memory, what was of some concern was how anyone would know if a secret order was made while still maintaining national security protections. As well, I'm sure certain sectors don't necessarily want competitors to know of any gaps.

We felt this was a reasonable opportunity to provide notice to NSICOP and NSIRA. They are the masters of what they study, but this would allow for that pre-emptive acknowledgement, if an order was actually issued, to ensure that somebody knows to look for it and could look deeper into it with the protections that NSICOP and NSIRA have in dealing with sensitive information.

Shall G-14.1 carry?

(Amendment agreed to [See Minutes of Proceedings])

We'll move to G-14.2.

Ms. O'Connell, go ahead, please.

Thank you.

This goes to the earlier point I made about not expanding surveillance purposes but providing greater clarity around the language that the Governor in Council is not permitted to order any designated operator or class of operators to intercept a private communication. It goes on to list these things. Again, it's just making clear that the intention of the bill is to collect data and not to create or expand any sort of surveillance powers.

Thank you, Ms. O'Connell.

Seeing no further discussion, shall G-14.2 carry?

(Amendment agreed to [See Minutes of Proceedings])

On NDP-12, if NDP-12 is moved, CPC-23 cannot be moved because they are identical. Also, if NDP-12 is adopted, BQ-16 cannot be moved due to a line conflict.

Go ahead, Mr. Julian.

Thank you very much, Mr. Chair.

We had this debate at a previous meeting. I am going to raise it for the final time today. If the committee decides that the argument holds merit, then we will continue the discussions. If not, I will withdraw the amendment.

This is a recommendation that comes from the coalition. We've had a variety of recommendations around not exempting this legislation from the Standing Joint Committee for the Scrutiny of Regulations. Currently, it says very clearly that an order made here is exempt from the application of the Statutory Instruments Act. This amendment would delete those lines, lines 26 to 28 on page 26, so it would no longer exempt the applications of the sections of the act from the Statutory Instruments Act and thus allow the ability of these regulations to be accessible to the Standing Joint Committee for the Scrutiny of Regulations.

I have raised this point before. Certainly the testimony we heard from witnesses was very compelling on this issue. At previous discussions of similar amendments, the committee has not chosen to move forward with those amendments. I am giving a last opportunity for members of the committee to support subjecting clauses of this bill to the Standing Joint Committee for the Scrutiny of Regulations and the Statutory Instruments Act. If the committee chooses to go in a different direction, I may disagree, but I will then ask for withdrawal of NDP amendments 13 to 24 that treat the same subject, as you know, Mr. Chair.

I hope that the committee will move to adopt this amendment, but that is not how the committee has decided on amendments like this that I have presented in the past.

Thank you, Mr. Julian.

Ms. O'Connell, go ahead, please.

Thank you, Chair.

Again, I understand the need for that transparency and oversight, but this is precisely why the amendments that we just dealt with were to identify and notify NSIRA and NSICOP of any orders made.

The challenge with this amendment, keeping in mind that I do understand the intent, is that it would create a delay that would essentially make the legislation obsolete.

To ensure that I understand that correctly, maybe through the chair to Mr. MacSween, am I correct in the assumption that excluding the exemption would create a delay in going forward and being able to make an order to bring in compliance or to, let's say, speed up the issue if we don't have someone in the sector who is taking the matter urgently at hand?

Mr. MacSween, go ahead, please.

Thank you.

Is there any further discussion?

(Amendment negatived [See Minutes of Proceedings])

Mr. Chair, I'll withdraw amendments NDP-13 to NDP-24.

Thank you, Mr. Julian.

Amendment BQ-16 could only be moved if NDP-12 or CPC-23 were defeated, so we're good.

Thank you, Mr. Chair, but I won't be moving BQ‑16.

Then we will move now to G-15.

Go ahead, Ms. O'Connell.

Thank you, Chair.

This is just to clarify that confidential information that is collected is disclosed under the section and that it must always be treated as confidential. The confidentiality travels with the information and is not just with whoever initially received it.

It's just to clarify that this was always the intention and to make it perfectly clear.

Thank you, Ms. O'Connell.

Is there any further discussion?

Ms. Michaud, go ahead, please.

Could you confirm something for me, Mr. Chair? If G‑15 is adopted, I assume BQ‑17 and BQ‑18 can't be moved, because they apply to the same spot. Can I still move them?

I can, then. Thank you.

Is there any further discussion on G-15?

(Amendment agreed to [See Minutes of Proceedings])

We are on BQ-17.

If BQ-17 is moved, CPC-24 cannot be moved, as they are identical.

Thank you, Mr. Chair.

BQ‑17 is pretty simple. It reflects a recommendation made by organizations concerned about civil liberties. The idea is to ensure that the information collected or obtained is retained only for as long as is necessary to make an order under section 20 of the proposed act, and that the designated operators be informed of any delays.

It's that simple.

Thank you, Ms. Michaud.

Is there any discussion?

Go ahead, Ms. O'Connell.

Thank you.

I have a question for officials.

As I read this amendment, it's simply dealing with the retention of that information. Are there concerns or issues in terms of limiting this amendment, which really just defines how long the information is kept for and provides clarity to the sector that it's coming from? Do we have concerns?

What would be the problem with something like this in clarifying the retention of information?

Thanks.

If I understand correctly, you don't have an issue with a retention period, but “as long as is necessary” keeps it too broad.

Go ahead, Mr. Motz.

To the officials, I'm curious about what a reasonable retention period would be, based on this clause.

For the purposes of this particular clause, we need to ensure there's not information floating out there needlessly, but if it's too broad to have “for as long as is necessary”, how do you define it so that the officials and private operators whose information we want to protect is comfortable? What's a reasonable term? I can't think of reasonable language, other than a set date.

Generally, there are a set number of days, months or years that you can retain information, and then it has to be destroyed.

Go ahead, Monsieur Larose.

Is there any further discussion?

I believe we'll vote on this amendment. It's BQ-17, just so we're all clear. We're voting on this amendment.

(Amendment agreed to [See Minutes of Proceedings])

We're on BQ-18. If BQ-18 is moved, CPC-25 cannot be moved, as they are identical.

Is there any discussion?

Thank you, Mr. Chair.

BQ‑18 is also pretty straightforward.

It would add the following provision:

(2) A person or entity that collects or receives information under subsection (1) must not use it for any purpose other than that set out in section 5.

That was recommended by one of the organizations the committee heard from, the Canadian Internet Registration Authority.

Thank you, Ms. Michaud.

Is there any discussion?

I'm sorry, Mr. Chair, but I'm just catching up.

Ms. O'Connell, go ahead, please.

Thank you.

I have concerns about the exchange of information. I feel that this is a little bit redundant, since we, in our earlier amendment, dealt with the issues around confidentiality and that any of that information must not....

This amendment reads, “must not use it for any purpose other than that set out in section 5”. I think it's a little redundant, in the sense that we've already clarified that the confidentiality continues. We've also clarified that the collection of data is specifically for its use; it's not expanding powers.

The intention is fine. I just think we've already addressed it in other amendments.

Thank you, Ms. O'Connell.

Are there any further comments?

Shall we vote on this?

(Amendment negatived [See Minutes of Proceedings])

We're on CPC-26. Go ahead, Mr. Shipley.

Thank you, Mr. Chair.

I would actually like to ask for unanimous consent to try to speed things up a little bit today. We might be able to get through this.

With unanimous consent from the committee, we would like to withdraw CPC-26 right through to CPC-50.

Oh, it seems we don't need unanimous consent. We'll just do it, then.

Okay, we're on BQ-19.

Go ahead, Ms. Michaud.

I won't be moving BQ‑19 or BQ‑20, Mr. Chair.

Thank you. Then we're on BQ-21.

The purpose of BQ‑21 is merely to add definitions for the terms “de‑identify” and “personal information”.

Since the bill contains other definitions, I thought it was appropriate that these two be added.

Is there any further discussion?

Mr. MacSween, what would the implications of this amendment be? My concern would be that it removes the ability of disclosure from an operator. Am I reading that incorrectly? It's if an order is actually issued.

I'm sorry. I'm reading, thinking and speaking at the same time. However, my understanding is that this would be a little contrary to, I think, the intentions of the act.

Thank you, Ms. O'Connell.

Wait. I'm sorry. I had a question for Mr. MacSween.

Go ahead, Mr. MacSween.

What does that mean in the real world? Can you give me an example of information that could be shared but isn't shared and of how that looks—if that's what I'm understanding—or are you saying that this limits even the information that can be shared?

Okay. I think one of my concerns here is that it's confusing in that what is being added is above and beyond disclosure. Why would we want to limit disclosure? If there is an ability to disclose something, notwithstanding some of the challenges, why would we limit that even further? That's why I have issues with that idea.

Unless colleagues can make a more compelling or stronger argument, I don't see why we would want to limit where we can disclose any of that information.

Is there any further discussion?

(Amendment negatived [See Minutes of Proceedings])

We are on G-16.

Ms. O'Connell, go ahead, please.

This would provide greater clarity that confidential information would be disclosed only under authorized circumstances and with those with whom there is already a defined need to access the information.

Again, the confidentiality of the information continues with those to whom it's passed, but only in circumstances when they're authorized to have it.

Is there any further discussion?

(Amendment agreed to [See Minutes of Proceedings])

We are on BQ-22.

Thank you, Mr. Chair.

BQ‑22 would add the following provision to clause 13:

(1.1) If an exchange of information occurs under an agreement or arrangement with the government of a foreign state or with an international organization established by the governments of foreign states, the Minister must, without delay, notify the person to whom the information relates of the disclosure and of the state or organization that received it.

It's something organizations concerned about civil liberties asked for. Telecommunications service providers or designated operators under the critical cyber systems protection act should be explicitly notified of when and, as appropriate, to whom the information may be disclosed when the disclosure is to a foreign state, agency, organization or party.

Is there any further discussion on BQ-22?

(Amendment negatived [See Minutes of Proceedings])

We move to BQ-23.

Ms. Michaud, go ahead, please.

Thank you, Mr. Chair.

BQ‑23 would add the following provision to clause 13, after line 6:

(1.1) The agreement or arrangement must restrict the retention of the information to the period necessary for the purposes set out in subsection (1) and provide for its subsequent disposal.

Here again, the idea is to ensure that the information obtained from providers and designated operators is retained only for as long as is necessary.

Thank you, Ms. Michaud.

Is there any further discussion?

(Amendment negatived)

We move now to G-17, please.

This is providing more clarity that confidential information is to be disclosed only under authorized circumstances and shared with those who have that defined access to information.

This just goes to address some concerns and provide that clarifying language that the information is to be used only when it's required and with whom it's required, and it will always maintain that confidentiality component with it.

Thank you.

Shall G-17 carry?

(Amendment agreed to [See Minutes of Proceedings])

We are on NDP-13.

Mr. Chair, we—I mean the royal we—withdrew NDP-13 to NDP-24. My colleagues from the Conservative Party have withdrawn amendments up to CPC-50, so I believe we would be moving to NDP-25.

Okay. On NDP-25, we have Mr. Julian.

That would mean, according to my records, Mr. Chair, that we're just about to hit the final page of amendments, so I would like to speak just once on the series of amendments and again test the feeling of the committee.

NDP-25 to NDP-36 seek to amend the legislation to give clear direction to the Office of the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canada Energy Regulator and the Minister of Transport. The amendments would require them to file a notice of violation and to make those violations public.

What this does is twofold: In terms of violations of the act, it pushes those regulators to issue a notice of violation, and it makes it public.

It may not have the support of the committee. I do believe it's important in terms of transparency and in terms of ensuring that we are doing everything in our power to push back against the cyber-attacks that have threatened some of our key institutions.

In an unusual way, because we're now at the back end of consideration of amendments, I'd like to propose NDP-25. Depending on the committee's reaction to NDP-25, if NDP-25 is supported, I'll continue to move the other amendments for the institutions I've just spoken of. If NDP-25 is rejected, I will withdraw NDP-26 to NDP-36.

We're at NDP-25.

Is there any further discussion on NDP-25?

Shall NDP-25 carry?

(Amendment negatived [See Minutes of Proceedings])

I have a point of order, Mr. Chair.

Go ahead, Mr. Julian.

That is a very clear result. I'm not going to ask for a recount, but I will withdraw NDP-26 to NDP-36.

Thank you, Mr. Julian. I'll give everybody a second to catch up.

Next, we have G-18.

Ms. O'Connell, please go ahead.

Thank you, Chair.

This is just putting a comma, removing the word “and”, and then inserting “manner and period”. It's a very technical language change.

Thank you, Ms. O'Connell.

Is there any discussion?

Shall G-18 carry?

(Amendment agreed to [See Minutes of Proceedings])

Next, we have BQ-24.

Go ahead, Madame Michaud.

Thank you, Mr. Chair.

BQ‑24 addresses a concern raised by Crown corporations such as Hydro-Québec. The concern is that parts of the bill could infringe on the jurisdiction of the provinces and Quebec.

This amendment would simply add the following lines:

(2) For greater certainty, the power provided by subsection (1) must be exercised in accordance with the jurisdiction and powers of the provinces and territories.

Ms. O'Connell, go ahead.

Thank you, Chair.

I have concerns about this one. The amendment would ultimately reduce or diminish the ability of the federal government to determine the level of cybersecurity required. I think a good cyber-practice is working with provinces and territories in these areas. That makes a lot of sense.

I would worry that some provinces and territories may not have the cyber-capabilities the federal government has. Some provinces may have excellent capabilities and others may require more time, expertise or technical support. I worry about the current language requiring the federal government to, first, work in accordance with provinces and territories when not all might be at the same level in cyber-capability.

Obviously, some of our agencies, such as CSE, CSIS and the RCMP at higher levels, are specifically federal. It is no fault of the provinces and territories that they wouldn't have access to all of that information. That's where I have some issues with this amendment.

Mr. Chair, I don't know if Mr. MacSween has any comments or concerns in regard to whether this would limit or prevent the federal government from moving forward without first having that provincial buy-in. That could also add time delays. The technical experience might be in some places, but not all.

Is there any further discussion?

(Amendment negatived)

Go ahead on BQ-25, Ms. Michaud.

This is a similar amendment, although the wording is slightly different. That tells me where my fellow members stand, but I will move it anyways.

The amendment would add the following provision:

(2) Any law of a province relating to cybersecurity that provides for more stringent rules than those prescribed by regulations made under subsection (1) is to prevail in that province.

Quebec, for instance, has a ministry of cybersecurity and digital technology. It's reasonable to think that Quebec's rules are pretty relevant, if not more stringent, as may be the case in other provinces. If so, the amendment would ensure that the rules of the province in question overrode the federal rules set out in Bill C-26.

Thank you, Ms. Michaud.

I have a chair's ruling that I'm going to read.

The purpose of Bill C-26 is to help protect critical cyber systems in order to support the continuity and security of vital services and vital systems. The amendment would allow any law of the province relating to cybersecurity that provides for more stringent rules than those prescribed by regulations to prevail in that province. As House of Commons Procedure and Practice, third edition, states on page 770, “An amendment to a bill that was referred to committee after second reading is out of order if it is beyond the scope and principle of the bill.”

In the opinion of the chair and for the above-mentioned reason, giving precedence to a provincial law constitutes a new concept which goes beyond the scope of the bill as adopted by the House at second reading. Therefore, I declare the amendment inadmissible.

Thank you, Ms. Michaud.

We're at CPC-50.1, reference 12922438.

The amendment is that in clause 13, after line 34 on page 80, we add the following:

(2) In making regulations under subsection (1), the Governor in Council must seek to ensure consistency with existing regulatory regimes, such as those established by provincial regulatory agencies and the North American Electric Reliability Corporation Critical Infrastructure Protection Standards.

This particular amendment is to address two reoccurring concerns raised by witnesses during the study of this bill. One is that many provisions of this bill would be dealt with in regulations via the Governor in Council, and the other is that new requirements and definitions should be harmonized with existing regulatory requirements.

Manulife, the Canadian Gas Association, the Canadian Chamber of Commerce and the Canadian Electricity Association all agree and share those concerns, and I agree with them.

Go ahead, Ms. O'Connell, please.

I have some concerns, but I'm going to first ask Mr. MacSween, or whoever is best, to address it.

My initial concern is that this amendment just creates duplication, but if I'm wrong, I'm happy to open this up for a bit more discussion. I also think the word “must” might be a challenge.

I'll ask the officials to speak to this amendment first.

Go ahead, Mr. MacSween, please.

Thank you.

Go ahead, Mr. Motz.

Thank you.

I appreciate those comments, but I think we heard during witness testimony that when it comes to cybersecurity, our sector organizations should be directing their time, their money and their talent towards prevention, detection and rapid remediation of cybersecurity incidents rather than being bogged down in potentially duplicate paperwork and jurisdictional overlap.

If it works that we can change the wording from “must” to “should” or “may”—and I think it's important that we still have this language there, and it gives some comfort around the ability—then I would propose someone make a subamendment to my amendment.

I'm wondering if Glen would be willing to remove naming the agencies and just say “existing regulatory regimes”. I think it's generally not a good idea to specifically spell them out. If that's okay, I would move that we change “must” to “may” in this amendment after the word “regimes”. It's Just to remove “such as those established”. It would just end at “regimes”.

Do you mean to take out “provincial regulatory”...?

I think we could end it after “agencies”.

Yes, after “agencies” would work better. I'm fine with it. Then it would be “such as those established by provincial regulatory agencies.” Yes.

Mr. Julian is next, please.

Thank you, Mr. Chair.

I'm not sure that “may” is better than “should” as the operative word. It isn't giving permission to work to ensure consistency; it's more providing direction and saying that this is the goal that we are looking for, but it doesn't prescribe it.

I agree that “must” is far too rigid a word, but I would suggest “should” instead of “may” because I think that's the intent of the amendment as well.

Go ahead, Ms. O'Connell.

Thanks.

If we're in a debate about “should” or “may”, I don't know.... I was going to suggest “consider consistency” to make sure that it is being considered. If the debate is really now at “should”, “may” or “consider”....

Before we get to that, I would just ask for clarity.

Mr. MacSween, if we ended the amendment after “existing regulatory regimes”, is that ideal? Should we include “such as those established by provincial regulatory agencies”?

If we do leave in “such as those established by provincial regulatory agencies”, that's pretty specific to provincial regulated industries rather than existing regulatory regimes.

You're agnostic to the regulatory regimes and whether they're provincial or whatnot. The debate is around “may”, “should” or “must” at this point.

“Shall” is the same as “must”.

For clarity, Ms. Damoff used the word “may”. Are we sticking with that?

Officials, is “may” okay?

It will soon be May.

We'll call a vote on the subamendment.

Is the subamendment “may”?

Mr. Julian, we'll read it. Let's be clear. We'll read exactly what it's supposed to say before we do anything further.

May I suggest, Mr. Chair, that we have two votes on this? I support the second half. I don't support “may”. I believe it should read “should”.

I'm torn because I'm supporting one half of the subamendment and not supporting the other.

The first thing I can do, I'm told, is ask if there is unanimous consent to separate them out. If there's not UC, then we'll vote on the whole subamendment.

We didn't get UC, Mr. Julian, so we will call for a vote on what we just read out for the subamendment.

(Subamendment agreed to)

(Amendment agreed to [See Minutes of Proceedings])

Next is G-19.

Chair, this is just to address a discrepancy between the French and English versions of the legislation.

Thank you.

There's no further discussion. Shall G-19 carry?

(Amendment agreed to [See Minutes of Proceedings])

Next is G-20.

Go ahead, Ms. O'Connell.

Thank you, Chair.

This provides that amendment that we dealt with in G-10 and G-12 It's to ensure the availability of the due diligence defence for designated operators.

There's no further discussion. Shall G-20 carry?

(Amendment agreed to [See Minutes of Proceedings])

Next is NDP-37.

Go ahead, Mr. Julian.

We're actually coming to a close, Mr. Chair. You've been very efficient, and so has the committee.

I move NDP-37. It is the same as NDP-9. This would establish a special advocate for issues such as security orders subject to judicial review.

Mr. Chair, I did write to the minister a number of weeks ago—I'm disappointed to have not received a reply—calling on the minister to ensure royal recommendation for this particular amendment.

I am sure he has sent you a letter saying he agrees with the royal recommendation. If he hasn't, you would be compelled to rule this amendment out of order, which would be a shame.

Thank you, Mr. Julian.

The amendment attempts to give the power to a judge to appoint a person from a list established by the minister to act as a special advocate in the proceeding, creating a new and distinct spending to be drawn from the treasury.

As House of Commons Procedure and Practice, third edition, states on page 772:

Since an amendment may not infringe upon the financial initiative of the Crown, it is inadmissible if it imposes a charge on the public treasury, or if it extends the objects or purposes or relaxes the conditions and qualifications specified in the royal recommendation.

In the opinion of the chair and for the above-mentioned reason, the amendment proposes to appoint a special advocate, which imposes a charge on the public treasury; therefore, I rule the amendment inadmissible.

We are on NDP-38.

Thank you, Mr. Chair.

This endeavours to do what we've already done in accepting NDP-7. What this does is amend line 13 on page 84 with the same reporting requirements.

Earlier in this meeting we made some changes to NDP-7 as adopted. I will move NDP-38 with the hope that those changes would be forthcoming as subamendments so that it would then be consistent with what we adopted earlier at the beginning of the legislation. It would allow for consistency by putting in place the same type of amendment and reporting mechanism in the latter part of the bill.

Mr. Julian, BQ-26 and CPC-52 cannot be moved, as they are identical.

Ms. O'Connell, go ahead, please.

Thank you, Chair.

We recognize that we've accepted changes throughout the course of this study. I guess it's a bit awkward in the sense that we prefer G-20.1 in addressing this issue, but because we're dealing with NDP-38 first, if there is support for NDP-38, we would have some amendments to be consistent, or we would just support G-20.1.

Maybe I'll put the subamendments on the floor. For the sake of discussion, in paragraphs (e) and (f), similar to what we did earlier, I would move to replace “the number” in (e) and (f) with “prescription of compliance”. This is going back to our earlier conversation that just having “the number” could be problematic, but we would rather—

Yes.

It was to replace “the number” in (e) and (f) with “prescription of compliance”....

I have “prescription”, but I think “description” is fine.

This a subamendment, then.

I'm going to get Ms. O'Connell to read it so that everybody is clear on what we're doing.

Thank you, Mr. Chair.

In NDP-38, I would replace the words “the number” in paragraphs (e) and (f) with “prescription of compliance” in both of them.

Is there any further discussion?

We'll vote on the subamendment.

(Subamendment agreed to [See Minutes of Proceedings])

Now we go back to the main amendment and the motion.

Shall NDP-38 carry as amended?

(Amendment as amended agreed to [See Minutes of Proceedings])

Now we're on G-20.1.

Thank you, Mr. Chair.

This is creating a non-exhaustive list of contents that need to be included in the minister's annual report. We've had different discussions about this. I think it's just to provide clarity so that we didn't need to get into a report on number of events or on this or on that. This will provide some clarity on what should be covered in the annual report.

Shall G-20.1 carry?

(Amendment agreed to [See Minutes of Proceedings])

(Clause 13 as amended agreed to on division)

(Clause 14 agreed to)

I have a point of order. If there is a will around this table, Mr. Chair, you could group all of the clauses that have not been amended and see if they are agreed to.

Thank you, Mr. Julian.

(Clauses 15 to 19 inclusive agreed to on division)

(Schedule agreed to [See Minutes of Proceedings])

Shall the title carry?

Shall the bill as amended carry?

Shall the chair report the bill to the House as amended?

Shall the committee order a reprint of the bill as amended for the use of the House at report stage?

Thank you, Mr. Julian. It was a real pleasure getting to know you a little better as chair. I appreciate everything that you brought to the table and I'm sure everyone else around here does as well.

To get back to your motion, you want unanimous consent on your—

If I understood Mr. Julian correctly, is he saying that if we don't get unanimous consent, he's coming back Thursday to move this motion?

No, I wasn't threatening to come back. I was—

That affects my decision.

I was suggesting that if all members felt comfortable and there was a groundswell of support, I would be more than pleased if there was unanimous consent. If folks want to check back with their respective teams, that's quite all right. This would then be a notice of motion for the next meeting, and Alistair MacGregor would be moving it on my behalf.

I understand that a number of people around the table, including Mr. Lloyd and Madame Michaud, are already very supportive of this, so we would hopefully have consensus on it, if not today, then in the coming days.

Thank you, Mr. Julian.

Do we have unanimous consent?

Ms. O'Connell, go ahead, please.

Thank you.

First of all, thank you, Mr. Julian, for your service on this committee. It has been nice to work with you, although my time was short with you.

In terms of the motion itself, I just don't know enough and have enough background on it. I'm not sure if the committee had dealt with it previously, before I was here, but I would ask if I could go back and have a little bit of a briefing on it. It's not to say we're necessarily opposed; I just don't know enough and I would appreciate a more thorough conversation, if that's okay.

Fair enough.

Go ahead, Ms. Damoff.

I just want the record to show that thanks to the NDP, this committee has done exceptional work.

There you go.

These officials are going to want to come back every week, you guys.

Next time, wear blue.

I need a motion to adjourn.

I move to adjourn.

It is so moved. The meeting is adjourned.