Federal cybersecurity bill threatens privacy, transparency, civil society groups say

Sep 28, 2022 | 11:55 AM

OTTAWA — Several civil society groups are pushing for changes to the Liberal government’s cybersecurity bill, saying it would undermine privacy, accountability and judicial transparency.

In an open letter to Public Safety Minister Marco Mendicino, the groups and prominent researchers call for substantive amendments to ensure the legislation delivers effective cybersecurity protections while respecting democratic principles.

Among the signatories are the Canadian Civil Liberties Association, the International Civil Liberties Monitoring Group, Ligue des droits et libertés and OpenMedia.

The government wants to establish a framework to better shield systems vital to national security and give authorities new tools to respond to emerging dangers in cyberspace.

Under the bill introduced in June, key enterprises in the banking and telecommunications industries would be among those required to bolster cybersecurity and report digital attacks, or possibly face penalties.

The bill proposes giving regulators the ability to enforce measures through audit powers and fines, and would allow for criminal penalties in cases of non-compliance.

“All residents of Canada can agree on the need for cybersecurity,” says the letter to Mendicino. “However, civil liberties, privacy, and confidence in the rule of law and accountable governance are foundational for that sense of security.”

The groups say the bill would allow the government to:

— impose new surveillance obligations on private companies, something the public has long rejected as inconsistent with privacy rights;

— bar a person or company from receiving specific services by secret order;

— collect broad categories of information from operators, posing a risk for personal data;

— levy penalties for non-compliance without proper limitations to prevent abuse; and

— shroud its orders in secrecy, with no mandatory public reporting requirements or appropriate safeguards should the orders be reviewed in court.

The groups also say the legislation would allow the Communications Security Establishment, the federal cybersecurity and electronic surveillance agency, to obtain and analyze data from banks, credit unions, telecommunications and energy providers, and even some transit agencies.

“The CSE’s use of this information is not constrained to the cybersecurity aspect of its mandate, and any uses would be largely subject to after-the-fact review rather than real-time oversight, resulting in a significant deficit in democratic accountability.”

This report by The Canadian Press was first published Sept. 28, 2022.

Jim Bronskill, The Canadian Press