Privacy Commissioner of Canada Philippe Dufresne speaking during the Standing Committee on Public Safety and National Security's meeting on Oct. 30, 2025 (photo: ParlVU).
Independent oversight, guardrails needed in new cybersecurity bill, Privacy, Intelligence Commissioners tell MPs
Regulatory | |October 31, 2025
While federal Privacy Commissioner Philippe Dufresne and Intelligence Commissioner Simon Noël support strengthening Canada’s cybersecurity measures, they are both calling for changes to be made to the government’s proposed bill aimed at doing so, saying it needs more oversight measures and safeguards to prevent any possible overreach by the government.
Dufresne and Noël were part of a panel of witnesses that appeared in front of the House Public Safety and National Security Committee on Thursday, Oct. 30, for its study of Bill C-8, which would amend the Telecommunications Act and enact the Critical Cyber Systems Protection Act.
The bill proposes allowing the Minister of Industry to order telecom service providers to “do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.” That includes ordering them to cut an individual’s services if deemed necessary.
Despite improvements that have been made to C-8 compared to its predecessor, Bill C-26, “some privacy risks remain,” Dufresne told the committee. He highlighted a low threshold for authorities to use certain powers that raise privacy concerns; no mechanism that ensures the Office of the Privacy Commissioner is notified of relevant cybersecurity breaches; and weak privacy requirements around information shared with foreign governments.
Dufresne called for any measures related to the collection, use, or disclosure of personal information to be both necessary and proportional — meaning the purpose of the measure should be made clear, as well as how it achieves its objective in the least intrusive way possible.
The privacy commissioner said the “necessity and proportionality test” exists in the part of the bill that would allow the industry minister to order someone’s telecom services to be cut because it requires an order to be “reasonable in relation to the gravity of the threat.” However, when it comes to the minister’s ability to require anyone to provide her with “any information” that she believes is relevant, that test does not exist.
“We have to reinforce criteria where there’s a certain proportionality [when dealing with] private information and protect [it] better,” said Dufresne in French, echoing remarks he made during a Senate committee meeting on Bill C-26 last November.
Further stressing the need for a uniform standard, Dufresne pointed out that the proposed Critical Cyber Systems Protection Act already includes a recognition of proportionality requirements, noting that the minister is required to submit an annual report to Parliament that includes an explanation of the “necessity, proportionality, reasonableness and utility” of the cybersecurity directions issued.
“There’s already a recognition that it should be in the report, but it should also be in the power [itself],” he argued.
Dufresne confirmed that his office plans to provide the committee with specific recommendations for amendments by the time it gets around to the clause-by-clause and amendment phase.
Intelligence Commissioner Simon Noël raised concerns about the process for sharing cyber incident information with the Communications Security Establishment (CSE). He noted that while he approves ministerial authorizations for CSE activities to ensure a reasonable balance between security and Canadian privacy, the proposed framework in the bill suggests that regulations will stipulate what information about cyber incidents is shared and how. Noël noted there is no independent oversight of a regulation. He proposed requiring an annual ministerial authorization governing how the CSE uses and shares this information, making that framework subject to review and approval by the intelligence commissioner.
Noël contested the idea that the information dealt with during cyber operations is mainly technical in nature and handling private content is not necessary, stating that he has seen cases where intrusion into content was necessary during an investigation. Based on his experience with at least 12 cyber incidents in Canada, he maintained that privacy intrusions occur on an exceptional basis.
Noël also voiced concern regarding the current legislation’s silence on warrantless search and seizure, asserting that if the act permits search and seizure without a warrant, especially when penalties are involved, it clearly presents a Charter issue.
In contrast to the commissioners’ calls for oversight, Philip Stupack, senior director of advocacy at the International Information System Security Certification Consortium (ISC2), expressed strong support for Bill C-8, describing it as an essential step toward bolstering Canadian defenses. He commended the bill for strengthening the telecom sector by prohibiting high-risk suppliers and requiring pre-approval for certain technologies.
“Vulnerabilities in telecommunications are vulnerabilities everywhere,” Stupack said to the committee.
He praised the decision to consolidate policy and incident response powers in one minister, arguing it creates uniformity and clearly assigns responsibility.
Stupack also highlighted the utility of the minister’s capacity to direct industry to take specific actions, a power he noted was absent in the U.S. system where he previously served during the Biden-Harris administration as the White House’s Assistant National Cyber Director.
When discussing Canada’s ability to strengthen its cybersecurity measurements, Stupack assured the committee that the country possesses a “very robust workforce” capable of implementing the act, but insisted that more training, education, and certification for cybersecurity professionals is still required.
