Skip to main content
;

SECU Committee Meeting

Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.

For an advanced search, use Publication Search tool.

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

Previous day publication Next day publication
Skip to Document Navigation Skip to Document Content






House of Commons Emblem

Standing Committee on Public Safety and National Security


NUMBER 101 
l
1st SESSION 
l
44th PARLIAMENT 

EVIDENCE

Monday, April 8, 2024

[Recorded by Electronic Apparatus]

(1540)

[English]

     I call the meeting to order.
    Welcome to meeting 101 of the House of Commons Standing Committee on Public Safety and National Security.
    Today's meeting is taking place in a hybrid format, pursuant to the Standing Orders. Members are attending in person in the room and remotely by using the Zoom application.
    I would like to make a few comments for the benefit of the witnesses and members.
    Please wait until I recognize you by name before speaking. To prevent disruptive audio feedback incidents during our meeting, we kindly ask that all participants keep their earpieces away from any microphone. Audio feedback incidents can seriously injure interpreters and disrupt our proceedings. I will remind you that all comments should be addressed through the chair.
    I will also quickly remind you of an informal meeting with the Norwegian delegation at 5:30 today, for those interested.
    Pursuant to the order of reference of Monday, March 27, 2023, the committee is resuming its study of Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. Today the committee resumes its clause-by-clause consideration, beginning with clause 12.
    I will now welcome the officials who are with us. They are available to answer questions regarding the bill, but will not deliver any opening statements.
    From the Department of Industry, we have Andre Arbour, director general, strategy and innovation policy sector; from the Department of Public Safety and Emergency Preparedness, we welcome Colin MacSween, director general, national cybersecurity directorate, and William Hartley, acting manager; and from the Communications Security Establishment, we have Stephen Bolton, director general, strategic policy, and Richard Larose, senior technical adviser.
    Thank you for joining us today. With that, we will begin—
    Yes, Mr. Shipley, please go ahead.
    First of all, welcome back, everyone. It's been a couple of weeks. Hopefully everyone remembers where we left off, because I certainly don't remember exactly where we were.
    I have a couple of housekeeping items. Could I ask for UC to reopen the items that we need to change, because the legislative drafting folks have informed us that there are a couple of little mistakes?
    Is there agreement?
    Some hon. members: Agreed.
    Thank you.
    Did everybody get these? Yes, they have them.
    The first one is that we need to reopen NDP-7 and add, under section 15.21(2)(b), a subparagraph (i) that would read, “the number of times during the previous fiscal year that, under subsection 15.2(6), an order prevailed over a decision of the Commission made under this Act”.
    While we're figuring out the specific language, could I ask the ISED officials if that is just technical, or do they deem it to change in any way the intention of what was passed prior?
    No, I don't see an operational problem with this text. It actually had been discussed in the last session, but it might have got lost in some of the line overlap.
    It refers to a “for greater clarity” provision in the bill to say that in the event of an inconsistency between an order under this section and a decision of the CRTC, the security order prevails. This just adds an element to the reporting that says it needs to be included in a report if that should happen. It's very unlikely that this will happen, but it's not a problem to report on it if it does.
    Thank you.
    Thank you.
     Mr. Chair, I just want to say that I'm very impressed with the coordination of your suit and our witnesses' suits today. I did not get the memo, so I wore a blue suit, and I apologize for that, but I'm very impressed. I haven't seen that degree of coordination in a long time.
     You're very attentive today, Mr. Julian. It could be a long day or a good day.
    On the first one, the analyst said NDP-7 is fine, so we're good to go.
    Go ahead, Mr. Shipley.
(1545)
    Thank you for that. I'm sorry for the delay.
    The next one.... I'm sorry.
     Thank you again. The next one is to correct also in NDP-7, paragraph 3....
     We've been informed that after “Act during the previous fiscal year”, we need to delete “and must cause the report to be tabled before each House of Parliament on any of the first 15 days on which the House is sitting after the report is completed”. We're deleting that part.
    Okay. That's considered good.
    Do you have one more?
    We need to reopen G-6.2. We need to add a proposed subsection 15.81(3) to G-6.2, saying that “The report must also state the number of times an order prevailed over a decision of the Commission made under this Act during the previous fiscal year.”
    That would be an addition. It would be proposed subsection 15.81(3).
    I'm sorry. Are you proposing a subsection 15.81(3)?
    Yes.
     Thank you, Mr. Shipley.
    With unanimous consent, we'll move on.
    Some hon. members: Agreed.
    (On clause 12)
    The Chair: We'll move to clause 12.
    Go ahead, Ms. O'Connell.
    For G-6.4, I don't know if I'm jumping ahead, but I'm getting ready to withdraw it.
    You are, but that's okay. We know you're hungry.
    You're withdrawing G-6.4
(1550)
     Yes, I am. That's all.
    (Clause 12 agreed to)
    (On clause 13)
    We're moving to clause 13.
     Next is G-7.
     Is there any discussion?
    We have Mr. Julian, please.
    Thank you, Mr. Chair.
    I just want to ask our terrifically coordinated witnesses what the impact would be of taking out “private”.
    I understand the need to capture crime corporations in this. I'm wondering if there are unintended consequences that may be of concern in terms of what that means for private companies.
    No, it was exactly for that reason. The unintended consequence, unfortunately, with including the word “private” in there is that some federally regulated Crown corporations may not be captured, and so we wanted to expand the language to ensure they were included to capture the breadth of all federally regulated sectors.
    Thank you, Mr. Julian.
    Go ahead, Ms. O'Connell.
    I'll just move it, and the explanation is exactly that. We're just removing the word “private”.
    Shall G-7 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: Next is G-8.
     Go ahead, Ms. O'Connell.
    Thanks, Mr. Chair. I'll move that amendment.
    It's the same as G-7. The rationale is to remove the word “private” from “federally regulated private sector” just to expand and ensure everything is captured.
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: Next is G-9.
     Go ahead, Ms. O'Connell.
    Thank you, Chair.
    I'll move this. It's just to correct a drafting error to ensure that publicly owned and operated organizations can also be captured. It's similar to G-7 and G-8.
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: Next is G-9.1.
    Thank you.
    We're just moving so fast. I have to catch up with my notes.
    I'll move this again. It's essentially to ensure the federal government can enter into agreements with provincial and territorial governments. It's to include, as one of the provisions, “with the provinces and territories”. That's the language it's adding.
    (Amendment agreed to [See Minutes of Proceedings])
    Next is G-10. Go ahead, Ms. O'Connell.
     I'm sorry....
    Chair, I'll move this one, and maybe the officials could just explain to us how this preserves the due diligence defence, which is the intent of the amendment.
    Thank you for the question.
    The amendments will reinforce the policy intent of these sections, which was to create a strict liability offence for contravening the act as well as to ensure the applicability of a due diligence defence.
    In strict liability, the defendant is liable for the offences, regardless of intent. For example, in drug possession cases, it is assumed someone found in possession of drugs has committed this offence, and they are responsible to prove their innocence.
    In the case of the CCSPA, for example, you could say a designated operator failed to establish a cybersecurity program within the 90 days designated under the act. This is a punishable offence.
    It's currently written that the Crown must demonstrate that the designated operator did not meet this requirement. Instead, and what was originally intended, is that the amendment would assume the offence occurred, and the designated operator would then have the opportunity to prove otherwise in a judicial review process by showing they tried to comply. This is otherwise known as the due diligence defence.
(1555)
     Thank you.
    I think this amendment is needed to make sure that due diligence defence is in the legislation.
    The Chair: Shall G-10 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    Thank you.
    Next we have BQ-12. Go ahead, Madame Michaud.

[Translation]

    The purpose of BQ‑12 is to avoid regulatory overlap. It stems from a request Electricity Canada made in its brief. As you can well imagine, some organizations already have cybersecurity programs, so adding this provision would ensure that they were exempted from the cybersecurity program requirements.
    The idea is really to avoid regulatory overlap. Electricity Canada submits that infrastructure already subject to stricter standards won't be made any more secure. In its brief, Electricity Canada refers to the standards set by the North American Electric Reliability Corporation, which many provincial regulators have adopted, applied and reviewed.
    That's the purpose of this amendment.

[English]

    Thank you, Madame Michaud.
    Ms. O'Connell, please go ahead.
    Thank you, Chair.
    Through you, to any of the officials who could answer this, would this effectively mean that designated operators could determine, themselves, if they meet the threshold, and therefore wouldn't be subject...?
    I understand the intention. I just want to make sure there isn't a self-regulating thing like, “Oh, we have these cybersecurity policies, and therefore there's no need to look here.” That's how I am reading it, but perhaps you could elaborate if this is of concern.
    We absolutely appreciate the intent behind this provision; however, I think an unintended consequence could be that it would effectively allow designated operators to determine, themselves, whether their existing cybersecurity programs meet the requirements of the CCSPA and whether they are therefore obligated to comply with the obligations regarding the cybersecurity programs.
    Unfortunately, this would undermine the purpose of the CCSPA, which is to ensure that all designated operators meet a base level of cybersecurity.
    Mr. Julian, please go ahead.

[Translation]

    Although I very much appreciate the intention behind the amendment, I can't support it since it would mean that operators themselves could determine that they met the requirements.

[English]

    Is there any further discussion?
     Shall BQ-12 carry?
    (Amendment negatived [See Minutes of Proceedings])
    The Chair: We are now on G-11.
    Ms. O'Connell, please go ahead.
    Thank you.
    This amendment, again, is dealing with the prescribed time frame for notification of changes.
    We had lots of discussion around this, and the proposed language, which would be “within a period prescribed by the regulations” instead of “without delay”, will provide more clarity.
    Not every industry will require the same time frames. Some might be more complicated than others. Through the regulations, industry would probably welcome the ability to have those conversations.
    This language achieves the same things, but provides a little bit more certainty to the private sector or those who might have to comply under this legislation.
(1600)
    Thank you.
    Is there any discussion?
    Shall G-11 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: Next we have G-12.
    Ms. O'Connell, go ahead.
    Thank you.
    This amendment removes the reference to “reasonable steps” in proposed section 15. This would allow for the availability of the due diligence defence and provide more clarity to the intention of this bill. However, based on feedback, we want to put in some language that would ease some of those concerns.
     Is there any discussion?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: We're now on BQ-13.
    Ms. Michaud, go ahead, please.

[Translation]

    Thank you, Mr. Chair.
    BQ‑13 is pretty straightforward.
    A number of stakeholders asked us to better protect the information in question or the sharing of that information. The purpose of the amendment is simply to increase confidence around the sharing of the information and to strengthen the conditions applicable to how the information is used.

[English]

    Thank you, Ms. Michaud.
    If BQ-13 is moved, CPC-19 cannot be moved, as they are identical.
     I should have read that out before you did your comments. My apologies.
    Go ahead, Mr. Motz.
    I'm just wondering if the officials have any comment on BQ-13 and its potential for limiting CSE in using information only for cybersecurity purposes.
    First off, I think it is important to note that CSE would not receive any new authorities under the act. It would leverage our existing mandate under the Communications Security Establishment Act. Section 16 of the act is for cybersecurity and information assurance to provide technical advice, guidance and services, both to designated operators and to Government of Canada partners.
    Information collected by CSE pursuant to one aspect of its mandate can be used by CSE under another aspect of the mandate as long as it meets specific conditions set out in the CSE Act. Information related to security programs will enable CSE and its cyber centre to gain a better understanding of the supply chain risk of designated operators as well as the intentions of a foreign entity via its penetration into respective sectors.
    Without being able to leverage CSE's mandate as a whole, CSE's understanding of foreign actors' intentions against our critical infrastructure and the proper strategic mitigations would be greatly diminished. Any limitation would also reduce CSE's collaboration with our Five Eyes partners.
    I would therefore suggest that this amendment may not be necessary.
    Thank you, Mr. Motz.
    Mr. Chair, I have a point of order.
    Go ahead, Mr. McKinnon.
    I'm not in the room, so I can't really tell how the votes are going. I don't know if CPC-12 carried or not. I wonder if you could be sure to announce the results each time. That would helpful.
    Thank you.
    Thank you, Mr. McKinnon.
    Go ahead, Ms. O'Connell, please.
    Thank you.
    For members' benefit, I will say on this amendment that while I understand the rationale, we also agree in the sense that any collection of data should not be used for surveillance purposes. I just want to point members to our changes in G-9.1 and eventually G-14.2, which will reiterate that.
    We won't be supporting this amendment, but we do agree and want to put the point home that this legislation, as the officials have pointed out, is not to create a new surveillance mandate. That's why we won't be supporting it, but I think it's important that we point to those other amendments.
    Thank you.
    Is there any further discussion?
    (Amendment negatived [See Minutes of Proceedings])
    The Chair: We're now moving on to NDP-10.
    If NDP-10 is moved, BQ-14 and CPC-20 cannot be moved, as they are identical. Also, if NDP-10 is adopted, G-13 cannot be moved due to a line conflict.
    Go ahead, Mr. Julian.
(1605)
     Thank you very much, Mr. Chair.
    This is regarding the issue of Bill C-26 and to ask whether it needs operators to immediately report a cybersecurity incident.
     The reality is that we heard testimony from the Canadian Chamber of Commerce and other witnesses about a 72-hour reporting period, with “immediate” being defined as 72 hours.
    It's important to note that in the U.S., the Cyber Incident Reporting for Critical Infrastructure Act also talks about a 72-hour reporting time frame.
     Our witnesses said very clearly that “immediately” made it potentially difficult for them to resolve the issue and to respond to the cyber-attack, because they would be concerned about the impacts of not reporting in that immediate time frame. A 72-hour window would provide the ability to combat the cybersecurity incident and do the reporting in a very timely way.
    I'd like to move what we heard from witnesses and move NDP-10 to essentially provide an amendment such that the designated operator must report the cybersecurity incident within 72 hours from the time the operator reasonably believes the incident occurred.
    Thank you, Mr. Julian.
    Are there any further discussions?
    Ms. O'Connell, go ahead, please.
    Thank you, Chair.
     I think that all parties have submitted something in terms of dealing with the time frame. I think we all are in agreement on the intent and removing “immediately”, as it is not clear enough.
    We still prefer G-13, which creates a “period prescribed by the regulations” that could also address industry differences, but I'm open to hearing the conversation, because we're obviously not on G-13 yet.
     Perhaps through the chair to officials, what happens if the 72-hour period is adopted and, in some industries...? For example, banking might be able to comply quite easily, but for telecom, by the time they track down what the issue might be, is that going to be a problem? Is this too prescriptive or not prescriptive enough?
    I want to get a sense of what we think will be achieved with this. Also, given that all parties are concerned about the initial drafting of the language, how do we come to a better consensus of what it should be replaced with?
    On the timeline for the mandatory reporting, probably one of the benefits of moving it into regulations, as you mentioned, is that it does allow for more flexibility, not just in consideration of the different sectors and their abilities but also in terms of changes down the road.
    If we codify it in legislation, we would have to go through the legislative process to amend it at any point, whereas if there were a need to change it in three, five or 10 years, doing that in the regulations would be a more straightforward process, I suppose.
    Mr. Chair, with that being said, I agree that if things change, if things happen faster and need more time, I would like to be able to do it through regulations instead of opening up the legislation.
    I won't support this amendment, but I look forward to, hopefully, G-13, unless there is something discussed here. I don't know where my other colleagues stand on the differences.
    Mr. Motz, go ahead, please.
    Thank you.
    I'm not generally a fan of hiding everything in regulations, but it makes total sense to have some flexibility with respect to the different aspects we're dealing with here. It's not just one stream; we're dealing with a lot of different players. I think it makes sense, in this case, to put it in regulations.
     I won't be supporting this one, but I will be supporting G-13.
(1610)
    Mr. Julian, go ahead, please.
     I'm going to push back against the coalition a bit, in the sense that, first off, we have, within the idea of a 72-hour reporting period, harmonization with existing regimes, such as the United States. The reporting mechanism is already in place in the United States and well understood.
    It is also, I think, incumbent on us to listen to the witnesses who came forward and talked about the 72-hour reporting period.
    As my friend Mr. Motz pointed out, it's less transparent when it's in regulations. The reality is that governments of the day are able to tweak legislation if, 10 years down the road, it is something that requires some tweaking. There are a variety of ways of doing that.
    I would suggest that the 72-hour reporting mechanism is reasonable and an improvement on what currently exists in the bill. It is in keeping with our major trading partner—which has exactly that same legislation in place—and it responds to what we repeatedly heard from witnesses, which was that a 72-hour reporting period was reasonable and something they believed would allow the bill to be effective and would allow entities to respond in a timely way to the urgency of a cyber-attack.
    With that, Mr. Chair, I'll turn it over to the committee to decide.
    Thank you.
    Ms. O'Connell, go ahead, please.
    I'm sorry. I have a couple of points.
    First, even if we don't pass this amendment and go with G-13, there's nothing to say that a 72-hour reporting time wouldn't be a thing determined based on a particular sector. I hear Mr. Julian's point about consistency with our allies—I don't disagree—but I think that can be determined through consultations and regulations as well.
    However, that being said, I forgot to ask this earlier: It's not just about the 72 hours. Through the chair to our officials, the other line I have some concerns about in this amendment is “from the time the operator reasonably believes the incident occurred.” I have some concerns about relying on when the determining operator starts that clock. I don't know if I'm alone in that.
    Could we perhaps get some commentary on that line in the amendment as well?
    Yes, I think that's a valid point.
    When we reviewed the draft wording, that was one of the unintended consequences that was raised. It could leave crucial aspects of Canada's cybersecurity and the timeliness of cyber-incident reporting up to the discretion of the operators themselves.
    In a scenario based on previous amendments.... Even in a scenario where this wasn't the case, if there was some concern about the operators, the due diligence offence would still apply.
    To make a long story short, I think your concern is quite valid.
    Thank you.
    Mr. Shipley is next.
    Just very quickly, to speed things up a bit, we will not be supporting NDP-10, but we will be supporting G-13 with the amendment by Mr. Motz.
    Thank you, Mr. Shipley.
    Is there any further discussion on NDP-10?
    (Amendment negatived [See Minutes of Proceedings])
    The Chair: G-13 can only be moved if NDP-10 is defeated. Also, if G-13 is adopted....
    Go ahead, Ms. O'Connell.
    Thank you.
    I'll move it, but for the sake of time, I think we've had the conversations and my earlier comments about this.
    The change is needed, but I think we should go through regulations for the different time frames for reporting.
(1615)
    Mr. Motz, go ahead, please.
    I would agree, and if the parties are amicable about it, a subamendment that would put it in the regulations. The witnesses talked about a 72-hour time period. If we can put that in the regulations in some way, shape or form to ensure that the timeline is honoured, so that it's in the regulations....
     I'm not contradictory. I'm saying that we need to do it in some way. I have some flexibility in the way we do it, but it shouldn't be in the act itself.
     Go ahead, Mr. Julian, please.
    I agree with Mr. Motz. I believe he's moving a motion for reconsideration of NDP-10.
    As for the 72 hours, in terms of regulation, I believe we could provide some guidance in the regulations, but it would be safer and clearer if we just had the 72 hours written into the legislation.
    Go ahead, Ms. Damoff, please.
    I'm going to defer.
    Ms. O'Connell is next.
    Thanks.
    I'm throwing this out there so that we can have some discussion, and I would like to include the officials.
    If we included something along the lines of “not to exceed 72 hours”....
    The intention is in terms of speed, but in a way that could allow, through regulations, industry-specific or sector-specific....
    Before I move that language, could I just make sure that it would actually be achievable?
    Maybe Mr. MacSween could answer.
    Yes, that would work. We could put that in regulations.
    For the committee's consideration, part of the rationale for recommending it be moved to regulations was to allow for flexibility—not just in changing it, but actually in recognizing the differences in sectors as well. When we did our consultations, we heard very clearly from the energy sector, for example, that they were very interested in a 72-hour time frame, obviously because of the cross-border linkages of the international pipeline, for example, with the U.S. That certainly made a lot of sense.
    We would like to take the opportunity through the regulatory process to do sort of in-depth consultations with the other impacted parties in order to determine that the reporting requirement will work for them in a way that is best placed for their sector. With that in mind, then, another possible consideration could be consideration of the reporting timelines of major partners, or something to that effect.
    Thanks.
    I agree and I support the idea of having some of that flexibility while not losing the intention of speed as a necessity. If we added...or if the Conservatives moved a subamendment to include “not to exceed” and there was a sector that had issues, could you come back within the regs and deal with that, or is that kind of the floor—or ceiling, depending on who you are—in terms of looking at the time frame?
    I believe it was codified in such a way as to say—I'm sorry; I forget the exact wording—“within 72 hours”. I feel that we'd be bound to that. However, that could make sense in the circumstance.
    As I understand it, I believe the proposal is for that to be captured in regulations, so that could also be amended through the regulatory process as well.
    Mr. Motz is next, please.
    Would it work if we inserted some language to “not exceed”, but made it sector-specific, and also in circumstances to not exceed or be within 72 hours?
    Again, it's to give flexibility within the wording. I don't know how to think of that right now, but it's to give flexibility in the wording that would allow for energy-specific time adjustments, although it should be within 72 hours if possible.
    Is that something that's workable?
(1620)
    Yes, I believe that would be workable.
    Is everybody good?
    We need language.
    At the end of this “within a period prescribed by regulations within 72 hours”....
    Mr. Chair, could we maybe park this one, work on a little bit of language and come back?
    I don't want to do it on the fly. I think our intentions are good. It would allow us to work on the proper language without having to do it like this.
     I have a question, Mr. Chair—
    Because clause 13 may have an effect on other parts of this bill, we're going to suspend for about two or three minutes and just get some language around this.
    We are suspended.
(1620)

(1625)
    I will ask Mr. Motz to read out his amendment to G-13, for the record.
    Thank you, Chair.
    With respect to proposed section 17, it says, “A designated operator must, within a period prescribed by the regulations,” and then it would say “not to exceed 72 hours”.
    We've taken “energy” out of this specific section because the regulations require consultation with sector-specific operators anyway, so it would be “not to exceed 72 hours”.
    Is there further discussion on this?
    Mr. Julian, go ahead.
    It's “A designated operator must, within a period not to exceed 72 hours”. Is that right?
    The Chair: Yes.
    Mr. Peter Julian: I support this amendment.
    Thank you, Mr. Julian.
    Mr. McKinnon, is your hand up?
    Yes, Mr. Chair.
    I am just wondering if there are any industries that require a longer period or whether that's really acceptable as a maximum.
    Mr. MacSween, go ahead, please.
    Thank you, Mr. Chair.
    During our consultations, one of the points raised most frequently was about harmonization with the requirement of CISA in the U.S., which is the 72-hour requirement. I don't recall any other input that specifically suggested that anything longer would be needed.
    Ms. O'Connell, go ahead, please.
    Chair, thank you.
    Just to clarify, for us I think the issue is not the 72 hours per se, because we do want to ensure we can have consistency with the U.S. The issue with the previous amendment was really around when that clock started ticking, that being at the operator's discretion, so we're very happy to support this 72-hour amendment.
    There is no further discussion, so we will vote on the subamendment.
    (Subamendment agreed to [See Minutes of Proceedings])
    The Chair: Now we'll go back to the original amendment.
    Mr. Brock, go ahead.
    I'd like to move a motion at this time, Mr. Chair. It has been distributed to the clerk in both official languages.
    We need to finish amendment G-13, Mr. Brock, before you can move that motion.
    Okay.
    Back to the—
    On a point of order, did the subamendment pass? I didn't hear that.
    Yes, it carried.
    We will go back to the original amendment G-13.
    Is there any further discussion on it?
    (Amendment as amended agreed to [See Minutes of Proceedings])
    The Chair: Mr. Brock, go ahead, please.
     Thank you, Chair.
    The motion is in both official languages. I move as follows:
    “Given that under the current NDP-Liberal government, car thefts across Canada have surged by 34%, and that the Insurance Bureau of Canada, IBC, has deemed the number of car thefts a “national crisis”, stating that insurers have had to pay out record numbers, and these costs are passed directly on to Canadians, costing every driver an extra $130 per year, and that as recently reported in the media, a Montrealer went through hell in March when his car was stolen twice in just three weeks, the committee report to the House that Canada is facing a national auto theft crisis and request that the Minister of Public Safety appear before the committee for no less than three hours in relation to the ongoing auto theft study.”
    Thank you.
    Go ahead, Ms. O'Connell, please.
    Mr. Chair, I move that we adjourn debate on this motion.
    Go ahead, Mr. Clerk, and take the vote.
    (Motion agreed to: yeas 6; nays 5)
     The Chair: We're on CPC-21.
(1630)
    Am I right that BQ-14 and CPC-20 are toast?
    That's right.
    I would like to move CPC-21, please. This amendment would require a “designated operator” to notify the regulator of a cyber-incident within 24 hours instead of immediately.
    Is there any discussion?
    Go ahead, Mr. Julian.
    I'm a little confused by the Conservative amendment. Perhaps Mr. Shipley could explain a bit more the discrepancy between the 72 hours we were speaking of earlier and the 24 hours targeted by their amendment.
    Thank you, Mr. Julian.
    We'll go back to Mr. Shipley, please.
    After Mr. Motz's amendment, we're going to ask for UC to withdraw CPC-21. I'm sorry about that, everyone.
    Do we have unanimous consent?
    Some hon. members: Agreed.
    (Amendment withdrawn)
    The Chair: We're on NDP-11.
    Thank you, Mr. Chair.
     As we go along, I'm going to be withdrawing a number of NDP amendments just in the interest of moving forward, but in this particular case, we would be deleting “on request” for a designated operator to report to the appropriate regulator. It shouldn't be “on request”; it should be mandatory. That's why I'm proposing this amendment.
    Is there any discussion on NDP-11?
    Shall NDP-11 carry?
    Some hon. members: Agreed.
    (Amendment agreed to [See Minutes of Proceedings])
     The Chair: We're on CPC-21.1.
    Thank you, Chair. This one, we will be moving.
     CPC-21.1 would require operators to report ransomware payments to the CSE. There is currently no requirement in the legislation to report payments to the CSE.
     The CSE has often remarked that ransomware payments are under-reported. This will align with the United States' version of this bill.
    Is there any further discussion?
    Go ahead, Ms. O'Connell, please.
    Thank you, Chair. Through you, I would like to ask our two officials about the impacts of this language and if this is not already covered.
     My rationale and thinking are that if a sector is already required to report, then whether or not they pay ransomware, the request or the breach would trigger the reporting, in my understanding of it, but I would like to know if I'm wrong.
    Indeed, the act seeks to prevent any and all types of cybersecurity incidents, including but not limited to ransomware. The legislation as written would already capture ransomware incidents, because ransomware is simply a form of malicious code that is used for a particular purpose. Often, it's extortion.
    The act already gives the government the ability to collect technical information to prevent, respond to and recover from ransomware incidents. If we stop the malicious code from getting into our systems in the first place, then malicious actors won't have the opportunity to hold us to ransom.
    That said, Mr. Chair, I think the intention makes a lot of sense, but if this is already covered within the rest of the act, what the amendment proposes is to create a 24-hour rule for a specific type of attack, which is ransomware, versus what we just discussed about having an overall regulation around the timing of reporting for all activities.
    If we start breaking up these cyber-incidents and create different standards for reporting, I think it will become confusing, and that confusion could even cause sectors to not know when or what to report.
    For clarity's sake, I feel comfortable that a ransomware attack would be covered in the reporting side of the rest of this legislation. We don't need to isolate and create a specific new reporting time frame just for ransomware.
(1635)
    Thank you.
    Mr. Shipley, is there anything further?
    (Amendment negatived [See Minutes of Proceedings])
    The Chair: Next is BQ-15.

[Translation]

    I won't be moving the amendment, Mr. Chair, given the discussion we had regarding the test for reasonableness and proportionality during the first part of our study of the bill.

[English]

    Thank you. The amendment is withdrawn.
    Next is G-14. If G-14 is adopted, CPC-22 cannot be moved due to a line conflict.
    Is there any discussion?
    Go ahead, Ms. O'Connell.
    Thank you.
    This amendment just creates a bit more clarity to keep in line with the intent of the legislation. We heard concerns, for sure, about creating guardrails and about transparency. This amendment provides additional language to make sure that there are reasonable grounds for an order, and it lists some of the factors that might be considered.
    Again, it's just in relation to providing clarity in the legislation, which we always believed was the intent of the law, to give some reassurance to those who raised some concerns.
    Thank you.
    If there's no further discussion, shall G-14 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: Next is G-14.1.
     Go ahead, Ms. O'Connell.
    Thanks.
    I think we spoke about this in the first half of the bill. It creates the obligation to notify NSICOP and NSIRA within 90 days of issuing a cybersecurity directive.
    Just to refresh everyone's memory, what was of some concern was how anyone would know if a secret order was made while still maintaining national security protections. As well, I'm sure certain sectors don't necessarily want competitors to know of any gaps.
     We felt this was a reasonable opportunity to provide notice to NSICOP and NSIRA. They are the masters of what they study, but this would allow for that pre-emptive acknowledgement, if an order was actually issued, to ensure that somebody knows to look for it and could look deeper into it with the protections that NSICOP and NSIRA have in dealing with sensitive information.
     Shall G-14.1 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: We'll move to G-14.2.
    Ms. O'Connell, go ahead, please.
    Thank you.
    This goes to the earlier point I made about not expanding surveillance purposes but providing greater clarity around the language that the Governor in Council is not permitted to order any designated operator or class of operators to intercept a private communication. It goes on to list these things. Again, it's just making clear that the intention of the bill is to collect data and not to create or expand any sort of surveillance powers.
(1640)
    Thank you, Ms. O'Connell.
    Seeing no further discussion, shall G-14.2 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: On NDP-12, if NDP-12 is moved, CPC-23 cannot be moved because they are identical. Also, if NDP-12 is adopted, BQ-16 cannot be moved due to a line conflict.
    Go ahead, Mr. Julian.
    Thank you very much, Mr. Chair.
    We had this debate at a previous meeting. I am going to raise it for the final time today. If the committee decides that the argument holds merit, then we will continue the discussions. If not, I will withdraw the amendment.
    This is a recommendation that comes from the coalition. We've had a variety of recommendations around not exempting this legislation from the Standing Joint Committee for the Scrutiny of Regulations. Currently, it says very clearly that an order made here is exempt from the application of the Statutory Instruments Act. This amendment would delete those lines, lines 26 to 28 on page 26, so it would no longer exempt the applications of the sections of the act from the Statutory Instruments Act and thus allow the ability of these regulations to be accessible to the Standing Joint Committee for the Scrutiny of Regulations.
    I have raised this point before. Certainly the testimony we heard from witnesses was very compelling on this issue. At previous discussions of similar amendments, the committee has not chosen to move forward with those amendments. I am giving a last opportunity for members of the committee to support subjecting clauses of this bill to the Standing Joint Committee for the Scrutiny of Regulations and the Statutory Instruments Act. If the committee chooses to go in a different direction, I may disagree, but I will then ask for withdrawal of NDP amendments 13 to 24 that treat the same subject, as you know, Mr. Chair.
    I hope that the committee will move to adopt this amendment, but that is not how the committee has decided on amendments like this that I have presented in the past.
    Thank you, Mr. Julian.
    Ms. O'Connell, go ahead, please.
    Thank you, Chair.
    Again, I understand the need for that transparency and oversight, but this is precisely why the amendments that we just dealt with were to identify and notify NSIRA and NSICOP of any orders made.
    The challenge with this amendment, keeping in mind that I do understand the intent, is that it would create a delay that would essentially make the legislation obsolete.
    To ensure that I understand that correctly, maybe through the chair to Mr. MacSween, am I correct in the assumption that excluding the exemption would create a delay in going forward and being able to make an order to bring in compliance or to, let's say, speed up the issue if we don't have someone in the sector who is taking the matter urgently at hand?
    Mr. MacSween, go ahead, please.
    Yes, that is a concern. It is similar to the concerns raised when the committee considered part 1 of the act as well. It does create a time lag as to when the decisions can be made.
    Another unintended potential consequence with this specific amendment is that requiring publishing in the Canada Gazette could potentially, or would, make confidential or identifiable information about critical infrastructure public.
     Thank you.
    Is there any further discussion?
    (Amendment negatived [See Minutes of Proceedings])
    Mr. Chair, I'll withdraw amendments NDP-13 to NDP-24.
(1645)
    Thank you, Mr. Julian.
    Amendment BQ-16 could only be moved if NDP-12 or CPC-23 were defeated, so we're good.

[Translation]

    Thank you, Mr. Chair, but I won't be moving BQ‑16.

[English]

    Then we will move now to G-15.
    Go ahead, Ms. O'Connell.
    Thank you, Chair.
    This is just to clarify that confidential information that is collected is disclosed under the section and that it must always be treated as confidential. The confidentiality travels with the information and is not just with whoever initially received it.
    It's just to clarify that this was always the intention and to make it perfectly clear.
    Thank you, Ms. O'Connell.
    Is there any further discussion?
    Ms. Michaud, go ahead, please.

[Translation]

    Could you confirm something for me, Mr. Chair? If G‑15 is adopted, I assume BQ‑17 and BQ‑18 can't be moved, because they apply to the same spot. Can I still move them?
    An hon. member: They're additions.
    I can, then. Thank you.

[English]

    Is there any further discussion on G-15?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: We are on BQ-17.
    If BQ-17 is moved, CPC-24 cannot be moved, as they are identical.

[Translation]

    Thank you, Mr. Chair.
    BQ‑17 is pretty simple. It reflects a recommendation made by organizations concerned about civil liberties. The idea is to ensure that the information collected or obtained is retained only for as long as is necessary to make an order under section 20 of the proposed act, and that the designated operators be informed of the retention periods.
    It's that simple.

[English]

    Thank you, Ms. Michaud.
    Is there any discussion?
    Go ahead, Ms. O'Connell.
    Thank you.
    I have a question for officials.
    As I read this amendment, it's simply dealing with the retention of that information. Are there concerns or issues in terms of limiting this amendment, which really just defines how long the information is kept for and provides clarity to the sector that it's coming from? Do we have concerns?
    What would be the problem with something like this in clarifying the retention of information?
    There are two considerations for the committee related to this amendment.
    When the act was constructed, it was built in such a way as to contemplate the collection of technical information and information related to commercial interests and whatnot. The intention was that it would work with related pieces of legislation, such as those governing the agencies associated with it, which may, in some cases, already have requirements around the retention and disposition of information.
    The other consideration I would point out is that the amendment reads “for as long as is necessary”. Typically, in statute we would see a time frame attached to the retention period.
    I would offer those two considerations up to committee.
    Thanks.
    If I understand correctly, you don't have an issue with a retention period, but “as long as is necessary” keeps it too broad.
     Yes, in a way it could be read to be overly broad. That's absolutely a consideration.
    Go ahead, Mr. Motz.
    To the officials, I'm curious about what a reasonable retention period would be, based on this clause.
    It's a difficult question to answer because, as I said, when we initially set up the legislation, we intended it to work with the existing pieces that were out there—for example, CSE's enabling legislation and the enabling legislation of public safety—and the retention periods that apply to those, whether that's from Library and Archives Canada or the Privacy Act, etc. It's hard to give you a specific number, because the numbers vary across statutes.
(1650)
    For the purposes of this particular clause, we need to ensure there's not information floating out there needlessly, but if it's too broad to have “for as long as is necessary”, how do you define it so that the officials and private operators whose information we want to protect is comfortable? What's a reasonable term? I can't think of reasonable language, other than a set date.
    Generally, there are a set number of days, months or years that you can retain information, and then it has to be destroyed.
    Go ahead, Monsieur Larose.

[Translation]

    For data that are not particularly useful, the retention period is a maximum of one year. That is for sure. Furthermore, when working with organizations that report incidents, we have agreements with them on how long we can retain their information.
    If a product is created by a cybersecurity incident, we have to retain the information from that product as long as it's useful. As I said, if the product is useful, we retain the data. If the analysis is complete or the incident is over, we stop and destroy all the data related to the incident.

[English]

     Is there any further discussion?
    I believe we'll vote on this amendment. It's BQ-17, just so we're all clear. We're voting on this amendment.
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: We're on BQ-18. If BQ-18 is moved, CPC-25 cannot be moved, as they are identical.
    Is there any discussion?

[Translation]

    Thank you, Mr. Chair.
    BQ‑18 is also pretty straightforward.
    It would add the following provision:
(2) A person or entity that collects or receives information under subsection (1) must not use it for any purpose other than that set out in section 5.
    That was recommended by one of the organizations the committee heard from, the Canadian Internet Registration Authority.

[English]

    Thank you, Ms. Michaud.
    Is there any discussion?
    I'm sorry, Mr. Chair, but I'm just catching up.
    Ms. O'Connell, go ahead, please.
    Thank you.
    I have concerns about the exchange of information. I feel that this is a little bit redundant, since we, in our earlier amendment, dealt with the issues around confidentiality and that any of that information must not....
    This amendment reads, “must not use it for any purpose other than that set out in section 5”. I think it's a little redundant, in the sense that we've already clarified that the confidentiality continues. We've also clarified that the collection of data is specifically for its use; it's not expanding powers.
    The intention is fine. I just think we've already addressed it in other amendments.
    Thank you, Ms. O'Connell.
    Are there any further comments?
    Shall we vote on this?
    (Amendment negatived [See Minutes of Proceedings])
    The Chair: We're on CPC-26. Go ahead, Mr. Shipley.
(1655)
     Thank you, Mr. Chair.
    I would actually like to ask for unanimous consent to try to speed things up a little bit today. We might be able to get through this.
    With unanimous consent from the committee, we would like to withdraw CPC-26 right through to CPC-50.
    Oh, it seems we don't need unanimous consent. We'll just do it, then.
    Okay, we're on BQ-19.
    Go ahead, Ms. Michaud.

[Translation]

    I won't be moving BQ‑19 or BQ‑20, Mr. Chair.

[English]

    Thank you. Then we're on BQ-21.

[Translation]

    The purpose of BQ‑21 is merely to add definitions for the terms “de‑identify” and “personal information”.
    Since the bill contains other definitions, I thought it was appropriate that these two be added.

[English]

    Is there any further discussion?
    Mr. MacSween, what would the implications of this amendment be? My concern would be that it removes the ability of disclosure from an operator. Am I reading that incorrectly? It's if an order is actually issued.
    I'm sorry. I'm reading, thinking and speaking at the same time. However, my understanding is that this would be a little contrary to, I think, the intentions of the act.
    Thank you, Ms. O'Connell.
    Wait. I'm sorry. I had a question for Mr. MacSween.
    Go ahead, Mr. MacSween.
    The disclosure and use provisions of the CCSPA only include protections for confidential information right now. That's partially because, again, the act was constructed in such a way that it only contemplated the collection of technical information, information related to commercial interests, and that type of thing.
    Similar to what I explained earlier, the way the law is set up is that because it only intends to collect that type of information, it defers responsibility for, say, personal information to existing statutes—for example, the charter and the Privacy Act and the requirements therein. Then, as well, for any of the statutory requirements that may be found in the acts of the agencies that are involved in the administration of the act, there are many safeguards built in there.
    One of the challenges here is that it introduces two new concepts to part 2: the de-identified information and the personal information that the government would need to consider when disclosing this. Taken together, the consequences of accepting this amendment could be that information regarding the protection of critical cyber-systems is not shared because it does apparently raise the statutory requirement to share that information.
    What does that mean in the real world? Can you give me an example of information that could be shared but isn't shared and of how that looks—if that's what I'm understanding—or are you saying that this limits even the information that can be shared?
    It could potentially limit the information that could be shared. It is a bit difficult to say, because it does introduce, as I said, these two new concepts.
    There are two concerns. One is that depending on who is doing the disclosing, they would now need to consider these requirements above and beyond whatever safeguards are already in place. I think the other key component is just simply that it does seemingly raise the overall threshold beyond, say, what is currently in the Privacy Act.
(1700)
     Okay. I think one of my concerns here is that it's confusing in that what is being added is above and beyond disclosure. Why would we want to limit disclosure? If there is an ability to disclose something, notwithstanding some of the challenges, why would we limit that even further? That's why I have issues with that idea.
    Unless colleagues can make a more compelling or stronger argument, I don't see why we would want to limit where we can disclose any of that information.
    Is there any further discussion?
    (Amendment negatived [See Minutes of Proceedings])
    The Chair: We are on G-16.
    Ms. O'Connell, go ahead, please.
    This would provide greater clarity that confidential information would be disclosed only under authorized circumstances and with those with whom there is already a defined need to access the information.
    Again, the confidentiality of the information continues with those to whom it's passed, but only in circumstances when they're authorized to have it.
    Is there any further discussion?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: We are on BQ-22.

[Translation]

    Thank you, Mr. Chair.
    BQ‑22 would add the following provision to clause 13:
(1.1) If an exchange of information occurs under an agreement or arrangement with the government of a foreign state or with an international organization established by the governments of foreign states, the Minister must, without delay, notify the person to whom the information relates of the disclosure and of the state or organization that received it.
    It's something organizations concerned about civil liberties asked for. Telecommunications service providers or designated operators under the critical cyber systems protection act should be explicitly notified of when and, as appropriate, to whom the information may be disclosed when the disclosure is to a foreign state, agency, organization or party.

[English]

    Is there any further discussion on BQ-22?
    (Amendment negatived [See Minutes of Proceedings])
    The Chair: We move to BQ-23.
    Ms. Michaud, go ahead, please.

[Translation]

    Thank you, Mr. Chair.
    BQ‑23 would add the following provision to clause 13, after line 6:
(1.1) The agreement or arrangement must restrict the retention of the information to the period necessary for the purposes set out in subsection (1) and provide for its subsequent disposal.
    Here again, the idea is to ensure that the information obtained from providers and designated operators is retained only for as long as is necessary.

[English]

    Thank you, Ms. Michaud.
    Is there any further discussion?
    (Amendment negatived)
    The Chair: We move now to G-17, please.
    This is providing more clarity that confidential information is to be disclosed only under authorized circumstances and shared with those who have that defined access to information.
    This just goes to address some concerns and provide that clarifying language that the information is to be used only when it's required and with whom it's required, and it will always maintain that confidentiality component with it.
    Thank you.
    Shall G-17 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: We are on NDP-13.
(1705)
    Mr. Chair, we—I mean the royal we—withdrew NDP-13 to NDP-24. My colleagues from the Conservative Party have withdrawn amendments up to CPC-50, so I believe we would be moving to NDP-25.
     Okay. On NDP-25, we have Mr. Julian.
    That would mean, according to my records, Mr. Chair, that we're just about to hit the final page of amendments, so I would like to speak just once on the series of amendments and again test the feeling of the committee.
    NDP-25 to NDP-36 seek to amend the legislation to give clear direction to the Office of the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canada Energy Regulator and the Minister of Transport. The amendments would require them to file a notice of violation and to make those violations public.
    What this does is twofold: In terms of violations of the act, it pushes those regulators to issue a notice of violation, and it makes it public.
    It may not have the support of the committee. I do believe it's important in terms of transparency and in terms of ensuring that we are doing everything in our power to push back against the cyber-attacks that have threatened some of our key institutions.
    In an unusual way, because we're now at the back end of consideration of amendments, I'd like to propose NDP-25. Depending on the committee's reaction to NDP-25, if NDP-25 is supported, I'll continue to move the other amendments for the institutions I've just spoken of. If NDP-25 is rejected, I will withdraw NDP-26 to NDP-36.
    We're at NDP-25.
    Is there any further discussion on NDP-25?
    Shall NDP-25 carry?
    (Amendment negatived [See Minutes of Proceedings])
    I have a point of order, Mr. Chair.
    Go ahead, Mr. Julian.
    That is a very clear result. I'm not going to ask for a recount, but I will withdraw NDP-26 to NDP-36.
    Thank you, Mr. Julian. I'll give everybody a second to catch up.
    Next, we have G-18.
    Ms. O'Connell, please go ahead.
    Thank you, Chair.
    This is just putting a comma, removing the word “and”, and then inserting “manner and period”. It's a very technical language change.
    Thank you, Ms. O'Connell.
    Is there any discussion?
    Shall G-18 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: Next, we have BQ-24.
    Go ahead, Madame Michaud.

[Translation]

    Thank you, Mr. Chair.
    BQ‑24 addresses a concern raised by Crown corporations such as Hydro-Québec. The concern is that parts of the bill could infringe on the jurisdiction of the provinces and Quebec.
    This amendment would simply add the following lines:
(2) For greater certainty, the power provided by subsection (1) must be exercised in accordance with the jurisdiction and powers of the provinces and territories.
(1710)

[English]

    Ms. O'Connell, go ahead.
     Thank you, Chair.
    I have concerns about this one. The amendment would ultimately reduce or diminish the ability of the federal government to determine the level of cybersecurity required. I think a good cyber-practice is working with provinces and territories in these areas. That makes a lot of sense.
    I would worry that some provinces and territories may not have the cyber-capabilities the federal government has. Some provinces may have excellent capabilities and others may require more time, expertise or technical support. I worry about the current language requiring the federal government to, first, work in accordance with provinces and territories when not all might be at the same level in cyber-capability.
    Obviously, some of our agencies, such as CSE, CSIS and the RCMP at higher levels, are specifically federal. It is no fault of the provinces and territories that they wouldn't have access to all of that information. That's where I have some issues with this amendment.
    Mr. Chair, I don't know if Mr. MacSween has any comments or concerns in regard to whether this would limit or prevent the federal government from moving forward without first having that provincial buy-in. That could also add time delays. The technical experience might be in some places, but not all.
    Thank you for the question.
    There are some challenges.
    To your point, there is a potentially unintended consequence here. It could result in the government giving up some jurisdiction to provinces and territories in areas that are federally regulated. Obviously, because of that confusion, this could very much cause delays in implementation. I believe you mentioned this, but I think it would reduce or greatly limit the federal government's ability to determine the level of cybersecurity for federally regulated critical infrastructure.
    I have a couple of considerations. One is that if a designated operator is also provincially regulated, the bill as currently written would only apply to those areas that are subject to the federal regulations.
    As well, based on the government amendment that was provided earlier, there is a commitment within the bill to work collaboratively with provinces and territories. The provisions exist within the bill already to ensure that information can be shared.
    Is there any further discussion?
    (Amendment negatived)
    The Chair: Go ahead on BQ-25, Ms. Michaud.

[Translation]

    This is a similar amendment, although the wording is slightly different. That tells me where my fellow members stand, but I will move it anyways.
    The amendment would add the following provision:
    
(2) Any law of a province relating to cybersecurity that provides for more stringent rules than those prescribed by regulations made under subsection (1) is to prevail in that province.
    Quebec, for instance, has a ministry of cybersecurity and digital technology. It's reasonable to think that Quebec's rules are pretty relevant, if not more stringent, as may be the case in other provinces. If so, the amendment would ensure that the rules of the province in question overrode the federal rules set out in Bill C-26.

[English]

    Thank you, Ms. Michaud.
    I have a chair's ruling that I'm going to read.
    The purpose of Bill C-26 is to help protect critical cyber systems in order to support the continuity and security of vital services and vital systems. The amendment would allow any law of the province relating to cybersecurity that provides for more stringent rules than those prescribed by regulations to prevail in that province. As House of Commons Procedure and Practice, third edition, states on page 770, “An amendment to a bill that was referred to committee after second reading is out of order if it is beyond the scope and principle of the bill.”
    In the opinion of the chair and for the above-mentioned reason, giving precedence to a provincial law constitutes a new concept which goes beyond the scope of the bill as adopted by the House at second reading. Therefore, I declare the amendment inadmissible.
    Thank you, Ms. Michaud.
    We're at CPC-50.1, reference 12922438.
(1715)
     The amendment is that in clause 13, after line 34 on page 80, we add the following:
(2) In making regulations under subsection (1), the Governor in Council must seek to ensure consistency with existing regulatory regimes, such as those established by provincial regulatory agencies and the North American Electric Reliability Corporation Critical Infrastructure Protection Standards.
    This particular amendment is to address two reoccurring concerns raised by witnesses during the study of this bill. One is that many provisions of this bill would be dealt with in regulations via the Governor in Council, and the other is that new requirements and definitions should be harmonized with existing regulatory requirements.
    Manulife, the Canadian Gas Association, the Canadian Chamber of Commerce and the Canadian Electricity Association all agree and share those concerns, and I agree with them.
    Go ahead, Ms. O'Connell, please.
    I have some concerns, but I'm going to first ask Mr. MacSween, or whoever is best, to address it.
    My initial concern is that this amendment just creates duplication, but if I'm wrong, I'm happy to open this up for a bit more discussion. I also think the word “must” might be a challenge.
     I'll ask the officials to speak to this amendment first.
    Go ahead, Mr. MacSween, please.
    Thank you, Mr. Chair.
    We greatly appreciate the intention of this amendment. It was certainly always intended that those considerations would be taken into the regulatory-making process. However, the amendment could remove discretion from the government on what regulations are appropriate.
    The challenge with the word “must” is that it cannot be guaranteed that consistency will be ensured. Softening the language to “may” or to “consider” consistency could work in that circumstance. Here we are asking ourselves what the consequence would be if there are contradictory regimes. We want to make sure that we're putting in place the best regulations that make sense for Canada's critical infrastructure in consideration of other requirements as well.
    The other aspect is that the legislation itself was intended to be agnostic and not speak to very specific requirements. Those considerations were intended to be built into the regulations. There is additional consideration for the committee there as well.
    Thank you.
    Go ahead, Mr. Motz.
    Thank you.
     I appreciate those comments, but I think we heard during witness testimony that when it comes to cybersecurity, our sector organizations should be directing their time, their money and their talent towards prevention, detection and rapid remediation of cybersecurity incidents rather than being bogged down in potentially duplicate paperwork and jurisdictional overlap.
    If it works that we can change the wording from “must” to “should” or “may”—and I think it's important that we still have this language there, and it gives some comfort around the ability—then I would propose someone make a subamendment to my amendment.
(1720)
    I'm wondering if Glen would be willing to remove naming the agencies and just say “existing regulatory regimes”. I think it's generally not a good idea to specifically spell them out. If that's okay, I would move that we change “must” to “may” in this amendment after the word “regimes”. It's Just to remove “such as those established”. It would just end at “regimes”.
    Do you mean to take out “provincial regulatory”...?
    I think we could end it after “agencies”.
    Yes, after “agencies” would work better. I'm fine with it. Then it would be “such as those established by provincial regulatory agencies.” Yes.
    Mr. Julian is next, please.
     Thank you, Mr. Chair.
    I'm not sure that “may” is better than “should” as the operative word. It isn't giving permission to work to ensure consistency; it's more providing direction and saying that this is the goal that we are looking for, but it doesn't prescribe it.
    I agree that “must” is far too rigid a word, but I would suggest “should” instead of “may” because I think that's the intent of the amendment as well.
     Go ahead, Ms. O'Connell.
    Thanks.
    If we're in a debate about “should” or “may”, I don't know.... I was going to suggest “consider consistency” to make sure that it is being considered. If the debate is really now at “should”, “may” or “consider”....
    Before we get to that, I would just ask for clarity.
    Mr. MacSween, if we ended the amendment after “existing regulatory regimes”, is that ideal? Should we include “such as those established by provincial regulatory agencies”?
    If we do leave in “such as those established by provincial regulatory agencies”, that's pretty specific to provincial regulated industries rather than existing regulatory regimes.
    Thank you for the question.
    I don't see any concern with ending it at “provincial regulatory agencies”. The caveat to that comment, of course, is that the “must” is taken out.
    You're agnostic to the regulatory regimes and whether they're provincial or whatnot. The debate is around “may”, “should” or “must” at this point.
    An hon. member: We could use “shall”.
    Ms. Jennifer O'Connell: “Shall” is the same as “must”.
    For clarity, Ms. Damoff used the word “may”. Are we sticking with that?
    Some hon. members: Agreed.
    The Chair: Officials, is “may” okay?
    It will soon be May.
    We'll call a vote on the subamendment.
    Is the subamendment “may”?
    Mr. Julian, we'll read it. Let's be clear. We'll read exactly what it's supposed to say before we do anything further.
    It will read: “(2) In making regulations under subsection (1), the Governor in Council may seek to ensure consistency with existing regulatory regimes, such as those established by provincial regulatory agencies.”
    That's it.
    May I suggest, Mr. Chair, that we have two votes on this? I support the second half. I don't support “may”. I believe it should read “should”.
    I'm torn because I'm supporting one half of the subamendment and not supporting the other.
    The first thing I can do, I'm told, is ask if there is unanimous consent to separate them out. If there's not UC, then we'll vote on the whole subamendment.
    We didn't get UC, Mr. Julian, so we will call for a vote on what we just read out for the subamendment.
    (Subamendment agreed to)
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: Next is G-19.
(1725)
    Chair, this is just to address a discrepancy between the French and English versions of the legislation.
    Thank you.
    There's no further discussion. Shall G-19 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: Next is G-20.
    Go ahead, Ms. O'Connell.
    Thank you, Chair.
    This provides that amendment that we dealt with in G-10 and G-12 It's to ensure the availability of the due diligence defence for designated operators.
    There's no further discussion. Shall G-20 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    The Chair: Next is NDP-37.
    Go ahead, Mr. Julian.
    We're actually coming to a close, Mr. Chair. You've been very efficient, and so has the committee.
    I move NDP-37. It is the same as NDP-9. This would establish a special advocate for issues such as security orders subject to judicial review.
    Mr. Chair, I did write to the minister a number of weeks ago—I'm disappointed to have not received a reply—calling on the minister to ensure royal recommendation for this particular amendment.
    I am sure he has sent you a letter saying he agrees with the royal recommendation. If he hasn't, you would be compelled to rule this amendment out of order, which would be a shame.
     Thank you, Mr. Julian.
    The amendment attempts to give the power to a judge to appoint a person from a list established by the minister to act as a special advocate in the proceeding, creating a new and distinct spending to be drawn from the treasury.
    As House of Commons Procedure and Practice, third edition, states on page 772:
Since an amendment may not infringe upon the financial initiative of the Crown, it is inadmissible if it imposes a charge on the public treasury, or if it extends the objects or purposes or relaxes the conditions and qualifications specified in the royal recommendation.
    In the opinion of the chair and for the above-mentioned reason, the amendment proposes to appoint a special advocate, which imposes a charge on the public treasury; therefore, I rule the amendment inadmissible.
    We are on NDP-38.
    Thank you, Mr. Chair.
    This endeavours to do what we've already done in accepting NDP-7. What this does is amend line 13 on page 84 with the same reporting requirements.
    Earlier in this meeting we made some changes to NDP-7 as adopted. I will move NDP-38 with the hope that those changes would be forthcoming as subamendments so that it would then be consistent with what we adopted earlier at the beginning of the legislation. It would allow for consistency by putting in place the same type of amendment and reporting mechanism in the latter part of the bill.
    Mr. Julian, BQ-26 and CPC-52 cannot be moved, as they are identical.
    Ms. O'Connell, go ahead, please.
(1730)
     Thank you, Chair.
    We recognize that we've accepted changes throughout the course of this study. I guess it's a bit awkward in the sense that we prefer G-20.1 in addressing this issue, but because we're dealing with NDP-38 first, if there is support for NDP-38, we would have some amendments to be consistent, or we would just support G-20.1.
    Maybe I'll put the subamendments on the floor. For the sake of discussion, in paragraphs (e) and (f), similar to what we did earlier, I would move to replace “the number” in (e) and (f) with “prescription of compliance”. This is going back to our earlier conversation that just having “the number” could be problematic, but we would rather—
    An hon. member: It's the same line as we had before.
    Ms. Jennifer O'Connell: Yes.
    It was to replace “the number” in (e) and (f) with “prescription of compliance”....
    I have “prescription”, but I think “description” is fine.
    This a subamendment, then.
     I'm going to get Ms. O'Connell to read it so that everybody is clear on what we're doing.
    Thank you, Mr. Chair.
    In NDP-38, I would replace the words “the number” in paragraphs (e) and (f) with “prescription of compliance” in both of them.
    Is there any further discussion?
    We'll vote on the subamendment.
    (Subamendment agreed to [See Minutes of Proceedings])
    The Chair: Now we go back to the main amendment and the motion.
     Shall NDP-38 carry as amended?
    (Amendment as amended agreed to [See Minutes of Proceedings])
    The Chair: Now we're on G-20.1.
    Thank you, Mr. Chair.
    This is creating a non-exhaustive list of contents that need to be included in the minister's annual report. We've had different discussions about this. I think it's just to provide clarity so that we didn't need to get into a report on number of events or on this or on that. This will provide some clarity on what should be covered in the annual report.
(1735)
     Shall G-20.1 carry?
    (Amendment agreed to [See Minutes of Proceedings])
    (Clause 13 as amended agreed to on division)
    (Clause 14 agreed to)
    I have a point of order. If there is a will around this table, Mr. Chair, you could group all of the clauses that have not been amended and see if they are agreed to.
    Thank you, Mr. Julian.
    (Clauses 15 to 19 inclusive agreed to on division)
    (Schedule agreed to [See Minutes of Proceedings])
    The Chair: Shall the title carry?
    Some hon. members: Agreed.
    The Chair: Shall the bill as amended carry?
    Some hon. members: Agreed.
    The Chair: Shall the chair report the bill to the House as amended?
    Some hon. members: Agreed.
    The Chair: Shall the committee order a reprint of the bill as amended for the use of the House at report stage?
    Some hon. members: Agreed.
    Mr. Chair, if I may, I have a special point of order. It's a good thing. I have three things to say.
    First off, I circulated a notice of motion that forest wildland firefighters should be included under the firefighter category in the national occupational classification, the NOC, and that this be reported to the House. There hasn't been sufficient notice, but of course if there is a groundswell of support, we could have UC and adopt this motion. If not, I certainly leave it as something, hopefully, that could be adopted at the next meeting of the public safety committee. I'm hoping that it would have all-party consensus and support.
    Second, this is my last meeting on the public safety committee and I want to thank all members of the committee—you, Mr. Chair, and of course all members of the committee. This is a very smart and very effective committee. I've been very impressed with every single member on it and enjoyed the spirit that everybody brings to this table. Sometimes we have disagreements, but we work through them. I find that extremely important.

[Translation]

    I also want to extend a big thank you to the committee staff, the clerks, analysts and interpreters, as well as everyone on this well-functioning committee.

[English]

    I would like to thank, as well, the person who takes the lead on our team, Doris Mah, who's been a big part of our work over the last 14 months. I've been here 14 months, and I've really enjoyed it.
    I will be coming back for special guest spots and look forward to the same welcome that Alistair MacGregor got when he came back for guest spots, but Alistair will be joining this committee as of Thursday.

[Translation]

    Thank you for all the work we've done together.

[English]

    Thank you, Mr. Julian. It was a real pleasure getting to know you a little better as chair. I appreciate everything that you brought to the table and I'm sure everyone else around here does as well.
    To get back to your motion, you want unanimous consent on your—
    If I understood Mr. Julian correctly, is he saying that if we don't get unanimous consent, he's coming back Thursday to move this motion?
    No, I wasn't threatening to come back. I was—
    Mr. Glen Motz: That affects my decision.
    Mr. Peter Julian: I was suggesting that if all members felt comfortable and there was a groundswell of support, I would be more than pleased if there was unanimous consent. If folks want to check back with their respective teams, that's quite all right. This would then be a notice of motion for the next meeting, and Alistair MacGregor would be moving it on my behalf.
    I understand that a number of people around the table, including Mr. Lloyd and Madame Michaud, are already very supportive of this, so we would hopefully have consensus on it, if not today, then in the coming days.
(1740)
    Thank you, Mr. Julian.
    Do we have unanimous consent?
    Ms. O'Connell, go ahead, please.
    Thank you.
    First of all, thank you, Mr. Julian, for your service on this committee. It has been nice to work with you, although my time was short with you.
    In terms of the motion itself, I just don't know enough and have enough background on it. I'm not sure if the committee had dealt with it previously, before I was here, but I would ask if I could go back and have a little bit of a briefing on it. It's not to say we're necessarily opposed; I just don't know enough and I would appreciate a more thorough conversation, if that's okay.
     Fair enough.
    Go ahead, Ms. Damoff.
    I just want the record to show that thanks to the NDP, this committee has done exceptional work.
    There you go.
    These officials are going to want to come back every week, you guys.
    Next time, wear blue.
    I need a motion to adjourn.
    I move to adjourn.
    It is so moved. The meeting is adjourned.
Publication Explorer
Publication Explorer
ParlVU