Parliamentary Committee Notes: Minister Anandasangaree’s Appearance Before the Standing Committee on Public Safety and National Security (SECU)
Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

November 6, 2025

Overview and Opening Remarks

Overview Note

Appearance Before the Standing Committee on Public Safety and National Security (SECU)

Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

General Information

Date: Thursday, November 6, 2025
Time: 11:00 a.m. to 12:00 p.m.
Location: Room 025-B, West Block

Context

You have been invited to appear at SECU for one hour on the Committee's study on Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

The committee will hold four meetings on the bill before proceeding to clause-by-clause consideration of the bill. The committee began hearing from witnesses for its study of the bill on Thursday, October 30, 2025, including the Intelligence Commissioner and the Privacy Commissioner. In addition, officials from Public Safety Canada (PS), and Innovation, Science and Economic Development Canada (ISED) delivered a technical briefing on October 28, followed by a Q&A session.

Recent discussions around government overreach and civil liberties have frequently emerged in response to this bill. Your briefing package includes key messages that directly address these concerns and provide clear, factual context to support your appearance.

Officials

You will be appearing for the first hour with the following officials:

  • Richard Bilodeau, Senior Assistant Deputy Minister, National Cyber Security Directorate, PS
  • Colin MacSween, Director General, National Cyber Security Directorate, PS
  • Kelly-Anne Gibson, Director, Cyber Protection Policy Division, PS
  • Andre Arbour, Director General, Strategy and Innovation Policy Sector, ISED
  • Wen Kwan, Director General, Spectrum and Telecommunications Sector, ISED

You will remain for the second hour to appear on Bill C-12, Strengthening Canada's Immigration System and Borders Act. Additional information and supporting materials for this session will be provided separately.

Opening Remarks

At the beginning of the meeting, the Chair will invite you to deliver opening remarks to last approximately 5 minutes each.

Your proposed opening remarks reinforce the importance of strengthening Canada's cyber security framework, while directly acknowledging and responding to concerns raised about oversight, transparency, and the protection of privacy and civil liberties.

Rounds of Questions

Questions from Committee members will follow, with the rounds of questions as follows:

First Round of Questions:

  • Conservative Party, six minutes.
  • Liberal Party, six minutes.
  • Bloc Québécois, six minutes.

Second and Subsequent Rounds of Questions:

  • Conservative Party, five minutes.
  • Liberal Party, five minutes.
  • Bloc Québécois, two and a half minutes.
  • Conservative Party, five minutes.
  • Liberal Party, five minutes.

Speaking Notes For The Honourable Gary Anandasangaree
Minister of Public Safety at the Standing Committee on Public Safety and National Security (SECU)

Study on Bill C-8: An Act Respecting Cyber Security

November 6, 2025
Ottawa, Ontario

Thank you for the opportunity to speak on Bill C-8, An Act Respecting Cyber Security.

As we know from Canada's National Cyber Threat Assessment, cyber threats are evolving rapidly. Cyber threat actors – both state-sponsored and others – are increasing in number and in sophistication.

Canada must be better prepared to deal with these threats – to protect Canadians, our critical infrastructure and our economy.

Bill C-8 will enhance cyber security in four major sectors: finance, telecommunications, energy and transportation.

Part One of the Bill amends the Telecommunications Act, to enshrine the security of Canada's telecommunications system as a policy objective, bringing the security framework regulating the sector in line with those of other critical infrastructure sectors.

That will allow the Government to act swiftly in an industry where seconds can decide the safety, confidentiality, and availability of essential services.

The Bill also introduces the new Critical Cyber Systems Protection Act, or CCSPA, which would legally require designated operators to protect their critical cyber systems.

This part of the Bill provides the tools the Government needs to take further action to address a range of vulnerabilities.

Right now, the list of vital services and systems is comprised of the Canadian telecommunications services, banking systems, energy, and transportation. However, the Governor-in-Council may also add to that list.

Those designated as operators of vital services and systems would be obligated to develop and implement cyber security programs, mitigate supply-chain and third-party risks, as well as comply with cyber security directions.

The CCSPA will also increase information sharing on cyber threats, by requiring the reporting of cyber security incidents above a certain threshold.

Right now, there are no such legal requirements for industry to share this kind of information, which means there could be threats that the government is not aware of.

There is also legal mechanism for the Government to compel action in the face of known threats or vulnerabilities.

When it comes to national security, we cannot rely on the goodwill of industry alone. We must enshrine a more robust cyber security framework into law.

Since the introduction of this legislation under the former Bill C-26, which was passed unanimously in the House last year, there were widespread consultations with stakeholders. We listened to the concerns that were raised.

Among these was a need for more oversight and transparency, as well as the need to ensure privacy is protected.

Canadians' privacy is already protected through a number of constitutional and legislative instruments, but C-8 will provide greater certainty to Canadians that their privacy and personal information will be protected.

When confidential information must be shared, it must be treated as confidential. Recipients of such information must similarly be respectful of that confidentiality.

The Bill also assures Canadians that orders or directions issued under both Part 1 and Part 2 of the legislation will not be used to engage in surveillance or to intercept private communications. This responds directly to the concerns we heard from civil liberty groups.

Bill C-8 also includes new provisions to increase the Government's transparency and accountability.

For example, stakeholders said there was a potential for orders or directions to be issued without the government consulting or considering relevant factors, such as whether reasonable alternatives exist to issuing the order or direction.

As a result of these concerns, the Bill includes a reasonableness standard and a non-exhaustive list of factors that the Governor-in-Council must first consider before issuing an order or direction.

Bill C-8 provides transparency and accountability to Canadians. It also provides further reassurances to Canadians that their privacy and personal information will be protected.

I hope that my honourable colleagues will agree that Bill C-8 would provide a strong foundation for securing Canada's critical infrastructure against fast-evolving cyber threats.

Thank you.

Core Information – Bill C-8

Bill C-8 Overview – Key Issues

Importance of the bill

Key Message: Bill C-8 is designed to protect Canada's critical infrastructure from cyber incidents.

  • Canada's critical infrastructure is under threat.
    • Average ransom paid in 2023 was C$1.1 million, a 150% increase over two years (Footnote 1)
    • Over 1,400 cyber incidents targeting critical infrastructure last fiscal, almost 20% higher than the previous year (Footnote 2)
    • Annual cost of incidents to Canada's economy is C$5 billion (Footnote 3)
  • Incident reporting improves our visibility of the threat landscape so that we can better protect ourselves.
    • AI-driven cyberattacks and supply chain compromises are escalating
    • The Communications Security Establishment Canada blocks an average 6.6 billion potentially malicious actions daily (Footnote 6)
    • Only 380 incidents voluntarily reported last fiscal affecting critical infrastructure (Footnote 7)
  • Our critical infrastructure is highly interlinked.
    • 2022 Rogers outage lost services to 12 million customers (Footnote 11)
    • Governments, financial institutions, energy and utilities, transportation services, hospitals, 9-1-1
    • Result of a lack of resiliency built into the system demonstrating effects of an outage
    • Bill C-8 is designed to aid operators with improving resilience to cyber threats

Infringement on privacy

Key Message: Bill C-8 enhances the privacy of Canadians by reducing the likelihood of data breaches of companies who hold their sensitive data.

  • Privacy protection is dependent on good cyber security.
    • Cyber systems are not impenetrable; requiring operators to maintain high levels of cyber security reduces the likelihood of a data breach
    • 2025, Nova Scotia Power ransomware attack exposing 280,000 customers' financial information. Undetected for a month (Footnote 4)
    • 2019, TransUnion Canada breach of 37,000 Canadians' personal credit information. Undetected for 2 months (Footnote 5)
  • The cost of recovering from an incident is far greater than the cost of investing in cyber security.
    • The average cost of a data breach is nearly C$7 million (Footnote 8)
    • The cost of a data breach in Canada rose by 10% last year (Footnote 9)
    • 72% of Canadian organizations are concerned that new technologies will make it harder to be cyber secure (Footnote 10)
  • Canadians' privacy remains protected by the strong institutions Canada has in place.
    • 2 of 5 suggestions from the Privacy Commissioner were adopted
    • Remaining recommendations addressed by explicit reference to the Privacy Act, or not adopted as they would conflict with existing legal frameworks
    • Additional amendments, in keeping with the Privacy Act, may be considered during clause-by-clause

Government overreach

Key Message: The bill includes important oversight and review mechanisms that make an already strong bill stronger.

  • Bill C-8 includes safeguards such as reasonableness standards, consultation requirements, judicial review, and transparency through public reporting.
    • 52% of all tabled amendments were carried (157 tabled; 72 withdrawn; 44 carried)
    • Of the carried amendments, 30% were opposition amendments (31 Government; 13 Opposition)
    • Amended version supported by all Parties at Third Reading in the House of Commons
  • Bill C-8 does not authorize warrantless access to Canadians' personal data.
    • Prohibits interception of private communication
    • Order making powers must be reasonable and necessary, consider specific factors before issuing, and notify review bodies once issued
    • Regulators' power of entry must be used for verifying compliance with the Act and its regulations
  • Bill C-8 will ensure Canadians' continued access to services.
    • Orders are scoped to protect from malicious cyber activity and guardrails exist to prevent misuse
    • Canadians and small and medium sized businesses rely on the telecommunications, energy, finance and transportation sectors to conduct business, for safety, and daily life

Cyber Incidents Targeting Canada's Critical Infrastructure: 2023-2025

Key Messages

  • Cyber threats continue to increase in frequency, complexity and sophistication. The risk to public safety, national security, and the economy is real and rising.
  • Cyber incidents cost Canadians dearly, disrupting essential services, exposing sensitive data, and driving up business costs.
  • Just in recent months, we've seen high profile incidents including a ransomware attack on Nova Scotia Power and a breach of WestJet's servers and software systems.
  • And the 2021 ransomware attack on the Colonial Pipeline, a major U.S. fuel pipeline, demonstrated how cyber incidents on critical infrastructure can have immediate and serious societal and economic impacts, including widespread fuel shortages, price spikes, and public panic.

Key Statistics

  • There has been a significant rise in incidents targeting Canada's critical infrastructure.
    • In 2024–25, there were 1,406 cyber incidents against critical infrastructure, an average of almost four incidents every single day. That's nearly 20% more than the 1,175 reported the year before (Footnote 12).
  • Ransomware is the top cybercrime threat facing Canada's critical infrastructure
    • In 2023, ransomware incidents rose 159% in telecommunications, 157% in finance, and 67% in the energy sector compared to the previous year (Footnote 13).
  • Every cyber incident comes at a cost to Canadians, to businesses, and to the economy.
    • Cyber incidents cost Canada's economy C$5 billion annually (Footnote 14).
    • Recovery costs for Canadian businesses doubled from C$600 million in 2021 to C$1.2 billion in 2023 (Footnote 15).
    • Canadian organizations pay an average of nearly C$7 million per data breach (Footnote 16).
    • In 2023, the average ransom paid in Canada was C$1.1 million (Footnote 17).
  • Cyber incidents put our sensitive data at risk.
    • In FY 2024–25, private-sector organizations reported 693 breaches to the Office of the Privacy Commissioner (OPC), affecting approximately 20 million Canadian accounts. Finance (31%) and telecommunications (12%) were the largest affected sectors (Footnote 18).
    • Four in 10 Canadians (43%) said that they have been affected by a privacy breach, according to OPC's latest survey of Canadians (Footnote 19).
    • The rapid emergence of double, triple and even now quadruple extortion tactics is adding more pressure on victims to meet ransom demands and increasing the likelihood of more data breaches.
  • Cyber incidents are vastly underreported so the actual numbers are likely much higher.
    • In FY 2024–25, the Cyber Centre received 380 cyber incident reports from critical infrastructure organizations; the actual figure is likely much higher (Footnote 20).

Key Cyber Incidents Against Canada's Critical Infrastructure (2023-Present)

2025
August

Wealthsimple

  • A specific software package that was written by a third party was compromised and some personal data of clients was accessible without authorization for a brief period
  • Potential exposure of some Canadian clients' personal information.

July

Colabor Group

  • Internal IT systems impacted
  • Temporary shutdown of operations
  • Personal information of certain employees may have been compromised

June

Pembroke Regional Hospital

Service delays requiring cancellation of certain appointments and procedures

WestJet

  • Internal IT systems impacted
  • Restricted access for users of WestJet application
  • Privacy breach exposed the sensitive personal information and travel-related data of 1.2 million passengers

April

Nova Scotia Power

  • Sophisticated ransomware attack
  • 280,000 customers affected by data breach
  • Breach exposed personal information and resulted in an operational disruption to the utility's smart meter communications systems

2024
June

Shell

Cyber incident targeting a third-party vendor used to store data related to its mystery shopper contractors; the data was exposed through the third-party platform

March

City of Hamilton

  • Internal IT systems impacted
  • Limited employee access to routine software and information
  • City of Hamilton has incurred more than C$18 million in recovery and other costs to date

2023
October

5 hospitals across Southern Ontario

  • Ransomware incident impacted the hospitals' IT provider, forcing them to temporarily shut down internal health systems
  • Delays in patient care
  • Theft of personal data and sensitive health information files

June

Suncor Energy

  • Cyber incident that affected the company's Petro-Canada subsidiary
  • Temporarily impacted credit and debit processing at retail gas stations across Canada

April

Hydro-Québec

Distributed denial-of-service (DDoS) campaign resulted in a 24-hour shutdown of Hydro-Québec's website and application.

Ports of Halifax, Montreal, Quebec and Alberni

DDoS campaign resulted in temporary website shutdowns.

February

Ross Memorial

  • Major cyber incident resulted in unauthorized access of 847 patient records
  • Hospital declared an IT "Code Grey," as incident severely impacted its systems, including databases storing patient information and applications like scheduling and payroll

January

Qulliq Energy Corporation

  • Cyber incident resulted in unauthorized access to organization's network and IT systems
  • Temporary shutdown of access to critical data and applications such as procurement, payroll and client information

Government Overreach

QP Notes

Q1 - Could the government remove an individual's access to the internet because, for example, they posted content that is critical of the government?
  • The government could not use powers in Bill C-8 to restrict an individual's access to the internet simply because they posted content critical of the government.
  • This power can only be used when the continued functioning of the underlying architecture of the telecommunications network is at risk.
  • Content transmitted through the telecommunications network is outside of the scope of this legislation because it would not affect the continued operation of the telecommunications network as a whole.
  • This power is intended to be used when an entity is threatening the functioning of the network. For example, Distributed Denial of Service (DDoS) attacks overwhelm a telecommunications network with traffic from multiple sources. Removing a compromised entity helps stop the attack, protect critical systems, and restore service for all Canadians.
Q2 - What safeguards are in place to prevent the government from using cyber security as a pretext for silencing speech through the order making powers contained in C-8?
  • The bill includes significant safeguards before, during, and after the use of this authority.
    • The scope of the bill is limited to the protection of the telecommunications system. The content of a communication does not affect a provider's ability to maintain its network or services.
    • The use of the authority must be reasonable to the gravity of the threat and there are criteria established by the Supreme Court to determine what is reasonable.
    • The bill requires that the National Security and Intelligence Review Agency (NSIRA) and the National Security and Intelligence Committee of Parliamentarians (NSICOP) be notified within 90 days of an order being issued, enabling them to review its use as representatives of the Canadian public.
    • The bill mandates an annual report to Parliament detailing the orders that have been issued.
Q3 - Can this bill be used to intercept private communications, weaken encryption or in any way undermine the security of the telecommunications system?
  • The bill explicitly prohibits the interception of private communications.
  • The bill cannot be used to break encryption, as encryption, like content, is not essential to the basic operation of the telecommunications network.
  • The purpose of the bill is to protect the security of the telecommunications system. As a result, ordering a provider to deliberately weaken the telecommunications system to facilitate the capture of private communications through, for example, delays in upgrades, is inconsistent with the purpose of the bill and outside the scope of the government's authorities.
Q4 - Canadian Security Intelligence Service (CSIS) requires a warrant to engage in Threat Reduction Measures. Why does the government not require a warrant prior to issuing an order or direction?

Powers in C-8 concern regulation of underlying infrastructure and do not engage rights protected by the Canadian Charter of Rights and Freedoms or otherwise contravene Canadian law.

Q5 - What are examples of the types of orders that could be made under this Bill?
  • Orders safeguarding Canada's telecommunications system may include, but are not limited to, prohibiting a telecommunications service provider (TSP) from using products or services from certain entities, requiring a TSP to conduct specified reviews of its networks or facilities, or mandating the development of a security plan by the TSP.
  • Orders directed at federally regulated critical cyber systems are intended for serious circumstances where there is an urgent need to address a known threat or vulnerability, such as a requirement to update a software system to address a known vulnerability.
Q6 - Why are orders prohibited from disclosure?
  • Confidential orders may be used to protect organizations' confidential information and avoid exploitation of vulnerabilities in Canadian infrastructure by our adversaries.
  • The use of these powers must be reasonable and necessary and must consider specific factors like the impact on operations; it is subject to review by NSIRA and NSICOP and is reported on in the Annual Report to Parliament.
Q7 - What recourse measures do individuals have to challenge the Government's order-making powers?
  • There is a process for judicial review before the Federal Court of Canada.
  • This regime protects confidential information and allows for the provision of a special advocate.
  • Alternatively, failure to comply with an order may result in a notice of violation, for which the recipient can make representations to the respective regulator to have the penalty adjusted.
Q8 - Could the Intelligence Commissioner provide oversight of Governor in Council order-making powers?
  • The Intelligence Commissioner does not have the mandate or legislative authority to review orders issued by the Governor in Council under the Critical Cyber Systems Protection Act (CCSPA).
  • To provide Parliamentary oversight, the CCSPA includes a provision to notify NSIRA/NSICOP of the issuance of orders and the factors considered for issuing the order.
Q9 - Why doesn't the CCSPA include a necessity and proportionality standard for direction making powers?
  • Part 2 does not include an explicit necessity and proportionality standard because the reasonableness standard and the factors for consideration already include considerations of proportionality.
  • Directions are for circumstances of imminent threat to our critical infrastructure that could affect the safety of Canadians. Adding an explicit proportionality test in a context where commercial interests and not Charter rights are at issue would hinder the Government's ability to issue directions in a timely manner.
  • An explanation of the necessity, proportionality, reasonableness and utility of the directions is required as part of the annual report to Parliament.
Q10 - Can the authorities in Bill C-8 be used to weaken or break encryption?
  • No. The bill cannot be used to break or weaken encryption. Strong encryption is the foundation of trustworthy, secure and resilient infrastructure.
  • Authorities contained in Bill C-8 Part I can only be used to promote the security of the telecommunications system. As a result, ordering a provider to deliberately weaken the telecommunications system to facilitate the capture of private communications through, for example, delays in upgrades, is in conflict with the bill's objective and outside the scope of the government's authorities.
Q11 - Could the authorities in the Bill be used to restrict online expression?
  • No. The authorities set out in Part I of the bill, including the authority to order a TSP to stop providing service to a person or entity, can be used only to take actions to secure our telecommunications. Online expression has zero bearing on whether the underlying network is secure and resilient.
  • This is not within the scope of the bill. There are further safeguards including the basic administrative law requirement to consult with those affected by an order. There are reporting requirements to Parliament with the need to describe why the order was necessary and parties have recourse to the Federal Court.
  • A telecoms service provider, designated operator, or other interested parties can challenge any order or cyber security direction issued under Bill C-8 in Federal Court. This could occur, for example, if the Court believes the government exceeded its authority when issuing an order.

Privacy

QP Notes

Q1 - Why doesn't Bill C-8 include a data retention regime?
  • Creating an alternative regime in Bill C-8 would result in the Government being in contravention of either the Privacy Act or the Act Respecting Cyber Security (ARCS).
  • For example, if it is only necessary to retain information for one year under ARCS, the Privacy Act still requires personal information to be retained for a minimum of 2 years so Canadians can access their information.
Q2 - Should the Office of the Privacy Commissioner (OPC) be notified if the private information of Canadians were released in a cybersecurity incident?

Organizations will still be required to notify the OPC and affected individuals of any breach involving personal data in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).

Q3 - Why is there no requirement for a Privacy Impact Assessment (PIA) to be conducted?

In accordance with the Treasury Board Secretariat Directive on Privacy Practices, a PIA will be completed prior to any collection of information as part of the program's implementation phase.

Q4 - Could information collected through mandatory incident reporting be used in support of Communications Security Establishment Canada's (CSE) other mandates (such as foreign intelligence)?
  • Information collected through incident reporting is intended to be used by CSE to provide technical advice and guidance to designated operators.
  • Only in specific and limited cases that meet the conditions in the CSE Act can CSE use information collected as part of one aspect of its mandate under another aspect of its mandate.
  • For example, CSE may utilize information about Indicators of Compromise to help inform activities to counter cyber threats under its foreign intelligence mandate, but must ensure that there are measures in place to protect the privacy of Canadians. CSE is also prohibited from directing its activities at Canadians or persons in Canada.
Q5 - Can Canadians' personal information be shared with foreign states and provincial governments?
  • Only non-confidential information can be shared with an agreement to do so.
  • These agreements are carefully drafted in accordance with the Privacy Act and the Charter of Rights and Freedoms to protect Canadians' personal information.
  • In a crisis, we would want to be able to consult governments and allies on how best to address the threat. Being able to share data about a systems-level incident is fundamental.
Q6 - Why does the Critical Cyber Systems Protection Act (CCSPA) not protect personal and de-identified information?

Personal and de-identified information is not defined as confidential under the CCSPA because it is protected under the Privacy Act.

Q7 - Why doesn't Bill C-8 include a necessity and proportionality standard for the collection, use, and disclosure of any personal information that is inadvertently collected?
  • The CCSPA is designed to collect technical information and not personal information because personal information is not useful to the protection of the technical architecture of a cyber system.
  • Should personal information be collected inadvertently, Bill C-8 explicitly references the Privacy Act for how personal information is to be handled, including its collection, use and disclosure.
  • The Privacy Act provides strong protections for Canadians' personal information.
Q8 - What are the protections for the sharing of personal and confidential information?

Personal Information:

  • The CCSPA is designed to collect technical information and not personal information because personal information is not useful to the protection of the technical architecture of a cyber system.
  • It is recognized that personal information could be inadvertently or incidentally collected when carrying out duties and functions pursuant to the CCSPA. In such cases, the CCSPA relies on the Privacy Act for the protection of personal information.
  • If this were to occur, personal information would be treated in accordance with the Privacy Act, which includes provisions regarding the use, accuracy, retention and disclosure of information.
  • In addition, section 24 of the CSE Act requires CSE to ensure that measures are in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure of any private information incidentally collected in the course of its foreign intelligence, cyber security and information assurance aspects of its mandate.

Confidential Information:

  • Bill C-8 prohibits knowingly disclosing confidential information as defined by the Act and requires confidential information, when disclosed, to continue to be treated as confidential.
  • Confidential information can be shared with a province if there is an agreement in place.
  • Confidential information cannot be shared with a foreign entity.
Q9 - Why isn't there a requirement to share breaches with the Office of the Privacy Commissioner (OPC)?
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) already requires all organizations to notify the OPC along with affected individuals when there is a breach. This would create a scenario where the Privacy Commissioner would be receiving two reports for the same incident, one from the designated operator and one from CSE.
  • Designated operators, not CSE, are best placed to determine whether a cyber incident meets the thresholds outlined in PIPEDA.
  • The information that would be provided to CSE through mandatory incident reporting would be technical in nature. In most cases, it would not contain sufficient information to determine whether a cyber incident also resulted in a data breach. Moreover, CSE would not know enough about the designated operators' information holdings to determine whether a privacy breach occurred.

Program Design

QP Notes

Q1 - Would Bill C-8 create undue burden on Small and Medium Enterprises (SMEs)?
  • This legislation was drafted with the specific intent of limiting undue burden on all service providers and designated operators. Before orders are issued under Parts 1 and 2, consideration of operational and financial impacts on the operators is required.
  • The Government remains committed to ongoing collaboration with telecommunications service providers to phase out high-risk equipment and avoid future investments in such equipment.
  • Nothing prevents the Government from providing compensation should it choose to do so.
  • While it is possible that an SME could be captured under an established "Class of Operators," based on criteria for identifying and establishing these classes, it is not likely.
Q2 - How could a future decision on whether to restrict high risk suppliers from 5G networks affect Canada's rural communities' ability to access the Internet?
  • Bill C-8 is designed to avoid negative impacts on Internet access in rural markets.
  • The Bill allows for accommodating the modest capabilities of smaller operators, taking into consideration the operational and financial impact.
  • Specifically, the proposed restriction on high-risk suppliers for 4G and 5G networks are accompanied by timelines that allow for replacement of equipment by 2027. This allows for predictability and changes in accordance with capital upgrade cycles.
Q3 - Was a Gender-based Analysis Plus (GBA+) analysis of the initiative completed? If so, what were its findings?

GBA+ analyses are conducted during the development of Memoranda to Cabinet. An unclassified version of the GBA+ analysis that was conducted for Bill C-26 was prepared and shared with the members of the Senate Committee, and can be shared now should the Committee desire.

Q4 - How has the government engaged with stakeholders to address key concerns? Was the Privacy Commissioner consulted?

Consultations on this Bill began when it was first introduced as Bill C-26, and included the Privacy Commissioner. Feedback from stakeholders led to key amendments, such as clearer privacy protections, reporting requirements, and due diligence provisions, all of which remain in the current version of the bill.

Q5 - Could the Critical Cyber Systems Protection Act (CCSPA) apply to provincially and territorially regulated critical infrastructure?
  • The legislative framework only applies to federally regulated services and systems in the finance, energy, telecommunications, and transportation sectors.
  • The legislation can serve as a model for provinces and territories to help secure critical infrastructure outside of federal jurisdiction.
Q6 - How will the CCSPA interact with existing provincial/territorial cyber security laws and regulations?
  • CCSPA obligations apply only to the portions of infrastructure that are federally regulated; provinces and territories would continue to regulate infrastructure within their respective jurisdictions.
  • The Government will work collaboratively with provincial and territorial governments during regulation making to ensure harmonization and avoid duplication.
Q7 - Are there laws with similar fine amounts to those in Bill C-8?
  • The fine amounts were replicated from existing legislation. For example, under the Radiocommunication Act, cases of non-compliance can result in administrative monetary penalties of up to $15 million.
  • The impact of a cyber incident can be immense. Maximum penalties are set high enough to ensure billion dollar companies take compliance seriously.
  • There are safeguards, such as considering the nature and scope of the violation or history of compliance, to prevent unreasonable use of penalties. There is also the availability of a due diligence defense to ensure that the penalties are reserved for cases of negligence.
Q8 - Why doesn't Bill C-8 provide sufficient cyber security authorities for vehicles?
  • The CCSPA would provide a framework to protect cyber systems and services by setting requirements for designated operators; this generally would not include vehicle importers, retailers, and manufacturers.
  • However, in the 2024 Fall Economic Statement the Government recognized, and is considering options to address, the potential security risks associated with technology and components that enable vehicle connectivity. The Government also previously sought comments on vehicle security through its public consultations on unfair trade practices in electric vehicles.
Q9 - Why doesn't the Critical Cyber Systems Protection Act (CCSPA) have safe harbour provisions?
  • Safe harbour provisions are outside the scope of this legislation.
  • A safe harbour regime encourages voluntary cyber incident reporting by offering legal protections that reduce the legal risks of disclosing information.
  • The CCSPA creates a mandatory incident reporting regime that already includes mechanisms to protect the confidentiality of the information that must be shared with the government.
Q10 - Why doesn't CCSPA include federally regulated water?
  • The majority of water regulation, especially concerning usage, allocation, and local quality standards, is managed by municipalities.
  • The Government of Canada is prioritizing the energy, finance, telecommunications, and transportation sectors because they are federally regulated, essential to Canadians' daily lives, and tightly interconnected with other critical sectors. This means that any disruption in these sectors could significantly affect public safety and national security.
  • The Governor in Council has the authority to add other federally regulated vital services and systems to Schedule 1, making them subject to the CCSPA. This includes those portions of water services that are federally regulated.
Q11 - Why doesn't incident reporting require a Ministerial Authorization?
  • The CCSPA does not include a requirement for Communications Security Establishment Canada (CSE) to obtain a Ministerial Authorization to receive mandatory incident reporting because the activity would not contravene Canadian law or interfere with a reasonable expectation of privacy.
  • The information that will be contained in the incident report will be specified through the regulatory process, subject to consultation with stakeholders such as the Intelligence Commissioner, and published in the Canada Gazette Part II.
  • CSE already receives voluntary incident reporting from critical infrastructure operators and other partners, which it manages under its current regime and authorities. CSE's robust privacy protection measures are managed under its internal operational policy regime, which equally applies to information disclosed to CSE.
  • If an incident report indicates that an entity requires additional support from CSE, any subsequent CSE activities, including the handling of related information, would be governed by CSE's existing mandate and legislation, including the need for ministerial authorization where applicable, which would be done under the existing oversight regime of the Intelligence Commissioner.
  • Bill C-8 does not grant CSE new powers, nor does it change CSE's mandate or the oversight role of the Intelligence Commissioner. Operational activities like this are already subject to a robust system of accountability and oversight governing CSE, including review of our work by the National Security and Intelligence Review Agency, the National Security and Intelligence Committee of Parliamentarians, the Privacy Commissioner, the Auditor General, the Canadian Human Rights Commission, and the Commissioner of Official Languages. Further, within CSE, our own internal Audit and Evaluation program regularly examines our activities and makes recommendations for improvement.

Importance of the Bill

QP Notes

Q1 - Why were these four sectors chosen? Could Bill C-8 be expanded to other sectors?
  • The finance, energy, telecommunications and transportation sectors are largely federally regulated and were prioritized due to their importance to both Canadians and other sectors, and the impacts that interruption would have on our daily lives.
  • These four sectors serve as the foundation for Canada's economic and national security.
  • Laying the framework in these key sectors first allows for future adoption by other sectors that are partially or fully provincially regulated.
Q2 - What were some of the findings of the Government's 2022 5G security examination?

The examination found that risks will be more difficult to contain in 5G networks because of their higher degree of interconnectedness of sensitive network functions. Of particular concern, applicable to any vendor, is a requirement to obey extrajudicial direction, as is the case with Huawei and ZTE.

Q3 - Can Bill C-8 defend against emerging cyber threats such as Artificial Intelligence?

The Critical Cyber Systems Protection Act is designed to be able to adapt and improve Canada's ability to defend and protect against cyber threats from evolving technology, such as Artificial Intelligence (AI).

Background Information

An Act Respecting Cyber Security High Level Overview

Part 1: Telecommunications Act (TA) Amendments

General
  • The TA would be amended to add "to promote the security of the Canadian telecommunications system" as a policy objective.
  • An order making power tied to that objective would be created for the Governor in Council (GIC) and Minister of Industry that could be used to compel action by Canadian Telecommunications Service Providers (TSPs), if deemed necessary to secure the Canadian telecommunications system against any threat, including that of interference, manipulation, disruption or degradation.
  • The legislation would require both the GIC and Minister of Industry to consult as appropriate before making any order. Further, the legislation includes a series of factors that the GIC and Minister of Industry must consider before making an order, including the operational and financial impact on affected TSPs, and the effect on the provision of telecommunications services in Canada.
  • With these authorities, the Government would have the ability to take security-related measures to protect the telecommunications system, much like other federal regulators can do in their respective critical infrastructure sectors.
  • Innovation, Science and Economic Development Canada (ISED) will exercise regulatory responsibilities, and an administrative monetary penalty (AMP) scheme would be established and administered to promote compliance with orders and regulations made by the GIC or Minister of Industry.
  • Once amendments to the TA receive Royal Assent, GIC or Ministerial Orders could be issued to TSPs.
  • TSPs that receive an order would be able to seek judicial review if they wish to challenge any part of it (see section on 'Judicial Review' below).

Part 2: Critical Cyber Systems Protection Act (CCSPA)

General
  • The CCSPA will be implemented collaboratively by six departments and agencies – Public Safety Canada, ISED, Transport Canada, Natural Resources Canada, Department of Finance and Communications Security Establishment – across the Government of Canada in recognition that cyber security is a horizontal issue that should have the same objectives and be addressed through a streamlined Government response across sectors.
  • The purpose of the CCSPA is to protect the critical cyber systems that underpin Canada's critical infrastructure (CI) in the finance, telecommunications, energy and transportation sectors by establishing a regulatory framework to improve cyber security for services and systems that are vital to national security and public safety.
  • Schedule 1 of the Act designates services and systems that are vital to the national security or public safety of Canadians. Currently, Schedule 1 includes:
    • Telecommunications services;
    • Transportation systems;
    • Banking systems and clearing and settlement systems (financial sector); and
    • Interprovincial or international pipeline and power line systems and nuclear energy systems (energy sector).
  • Schedule 2 of the Act will define Classes of Operators of the Vital Services and Systems identified in Schedule 1. Operators captured in a class are designated operators subject to the Act.
  • Minister of Public Safety (PS): In line with the responsibility to exercise leadership in matters related to national security and public safety, the Minister will have overall responsibility for the legislation, and lead a number of CCSPA-related processes including regulatory development and implementation.
  • Governor in Council: Decision-making by GIC under the CCSPA ensures that a broad range of relevant factors – including national security, economic priorities, trade, competitiveness, international agreements and commitments – are considered when making decisions that have an impact across sectors.
  • Other Ministers: Other involved ministers would be responsible for aiding in the development of regulations, participating in policy-related discussions for the issuance of Cyber Security Directions (CSD), and actively engaging their regulators and sharing information where necessary for the administration of the Act.
  • Regulators: The CCSPA leverages regulators' expertise and relationships with entities they already regulate under existing legislation. Schedule 2 of the CCSPA will identify both the classes of designated operators as well as the regulator responsible for enforcing the CCSPA for each class.
  • Canadian Centre for Cyber Security (Cyber Centre): The Cyber Centre is responsible for receiving reports of cyber security incidents under the CCSPA to allow it to use this information to help inform the Government and all cyber system operators of cyber security threats, and of how to better prepare, protect against and recover from cyber incidents. They will receive resources to provide advice, guidance and services to:
    • Designated operators in order to help them protect their critical cyber systems;
    • Regulators in support of their duties and functions to monitor and assess compliance; and
    • Public Safety and lead departments and their ministers as required, to support them in exercising their powers and duties under the Act.

Obligations of Designated Operators

Cyber Security Program
  • The CCSPA will require designated operators to establish a Cyber Security Program (CSP) that documents how the protection and resilience of their critical cyber systems will be ensured.
  • CSPs must be established by designated operators within 90 days of them becoming subject to the Act (i.e. when they fall into a class of designated operators published in Schedule 2 of the CCSPA). Once established, the CSP must be implemented, and must also be maintained by the designated operator in order to keep it up to date and responsive to changing threats and evolving technology.
  • CSPs must include steps to:
    • Identify and manage organizational cyber security risks, including risks associated with the operator's supply chain, and the use of third party products and services;
    • Protect their critical cyber systems from compromise;
    • Detect cyber security incidents affecting, or with the potential to affect, critical cyber systems (CCS); and
    • Minimize the impact of cyber security incidents affecting critical cyber systems.
Mitigation of Supply Chain Risks
  • With the increasing complexity of supply chains, and increased reliance on the use of third party products and services (for example cloud based data storage or infrastructure-as-service), designated operators can be exposed to significant cyber security risks from those sources. When, through its CSP, a designated operator identifies a cyber security risk to its CCS in relation to its supply chain or its use of third party services or products, the CCSPA requires that designated operator to mitigate those risks.
Mandatory Reporting of Cyber Security Incidents
  • Under the CCSPA, designated operators will be required to report cyber security incidents affecting or having the potential to affect their critical cyber systems to the Communications Security Establishment, for use by the Cyber Centre.
    • A threshold defining this reporting obligation will be set in regulations.
  • This new obligation will provide the Government of Canada with a reliable source of information about cyber security threats to critical cyber systems. The availability of incident reports will enhance visibility into the overall threat environment for the Cyber Centre as well as regulators' awareness of threats and trends.
  • Findings from the analyses of incident reports will make it possible for the Cyber Centre to warn other designated operators and any operator of a cyber system of potential threats or vulnerabilities, and to inform Canadians of cyber security risks and trends, allowing one organization's detection to become another's prevention.
Cyber Security Directions
  • Through a variety of mechanisms, the Government of Canada can be made aware of potential risks to national security or public safety that result from cyber security vulnerabilities and associated threats to critical cyber systems and the vital services or systems that they underpin.
  • The CCSPA would create a new authority for the Government: under the Act, the Governor in Council (GIC) can issue Cyber Security Directions (CSD) to direct any designated operator to comply with a measure, should the GIC believe on reasonable grounds that a CSD is necessary, in order to protect a critical cyber system. Before making an order, the GIC must also consider relevant factors, like operational and financial impacts.
  • CSDs would apply to specific designated operators or to certain classes of designated operators, and require those designated operators to take the measures identified in the CSD for the purpose of protecting a CCS, and do so within a specific timeframe (e.g. "operator A must take measure X within 30 days"). The designated operator is not permitted to disclose information around the CSD, in order to protect confidential information of designated operators and prevent follow-on exploitation of vulnerabilities.
    • A designated operator who fails to comply with a CSD could be subject to an AMP or face a regulatory offence that can lead to fines or imprisonment.
    • A designated operator subject to a CSD would be able to apply to the Federal Court of Canada to seek judicial review.

Judicial Review

  • The Countering Foreign Interference Act amended the Canada Evidence Act to create a harmonized secure administrative review proceedings (SARP) regime for protecting and using sensitive information in Federal Court and Federal Court of Appeal proceedings, which now applies broadly to federal legislation, including Bill C-8.
  • The SARP regime allows a judge to utilize sensitive information in their decision making while ensuring the continued protection of the information from public disclosure. They are permitted to appoint a special counsel if they are of the opinion that the considerations of fairness and natural justice require it. Lastly, it requires a summary of the confidential information to be provided to the non-governmental party to ensure they are reasonably informed.
  • In addition to the provisions of the SARP regime which will apply to Bill C-8, the Minister of Industry for Part 1, and the Minister of Public Safety for Part 2, are provided the ability to withdraw evidence during a judicial review. There is also a requirement for the judge to ensure the confidentiality of all evidence including information withdrawn by the Minister.

An Act Respecting Cyber Security (ARCS): Technical Brief

A Brief History of ARCS

  • 2019: Budget 2019 allocated $144.9M to develop a Critical Cyber Systems framework.
  • 2021: Government completed an inter-departmental 5G Security Examination that recommended an updated security framework to safeguard Canada's telecommunications system.
  • May 2022: The government issued the Securing Canada's Telecommunications System policy statement, announcing plans to restrict Huawei and ZTE equipment in 4G and 5G networks.
  • June 2022: Bill C-26, ARCS, tabled in the House of Commons.
  • January - April 2024: Bill C-26 underwent intense scrutiny from stakeholders and Members of Parliament to complete committee consideration in the House of Commons.
  • June 2024: Bill C-26 passed to Senate and completed first reading.
  • December 2024: Senators and stakeholders studied the bill. The Senate corrected a clause numbering error and referred it back to the House of Commons for concurrence.
  • January 2025: The legislation died on the order paper prior to Royal Assent while it was awaiting concurrence by the House of Commons on the amendment made at the Senate.
  • June 2025: The legislation is reintroduced as Bill C-8.
Introducing Bill C-8
  • An Act Respecting Cyber Security (ARCS) aims to secure Canada's telecommunications system and strengthen cyber security across four federally regulated critical infrastructure sectors vital to national security and economic prosperity.
  • The Communications Security Establishment Canada's (CSE) National Cyber Threat Assessment 2025-26 warns of Canada having an "expanding and complex cyber threat landscape" comprised of state and non-state threat actors targeting our critical infrastructure and endangering our national security.
  • Cyber incidents cost Canada's economy $5 billion annually, with Canadian businesses paying nearly $7 million per data breach.
  • Canada must act to protect critical infrastructure from major incidents and affirm its position as a sovereign, cyber-secure ally.

Legislative Overview

  • ARCS consists of two distinct parts:
    • Part 1 introduces amendments to the Telecommunications Act to add security as a policy objective and provide the Government with the ability to take measures to secure the telecommunications system; and
    • Part 2 introduces the Critical Cyber Systems Protection Act to create a regulatory regime requiring designated operators in the federally regulated finance, telecommunications, energy, and transportation sectors to protect their critical cyber systems.

Part 1: Telecommunications Act Amendments

  • Proposed authorities would allow the Government to strengthen Canada's telecommunications framework to promote the security of Canada's telecommunications system through amendments to the Telecommunications Act.
  • The new authorities would allow for action to implement the Government's intention to ban high-risk suppliers. They also are needed to address increasing threats to telecoms networks, including those related to supply chains, cyber security, and hazards like natural disasters.
Policy Objective

The Telecommunications Act would be amended to add "to promote the security of the Canadian telecommunications system" as a policy objective.

Legislative Tools

An order making power would be created for the Governor in Council (GIC) and Minister of Industry that could be used to compel action by Canadian Telecommunications Service Providers, only if deemed necessary to secure the Canadian telecommunications system against threats, and only if it is reasonable to the threat the order seeks to address.

Monitoring and Enforcement

Information gathering, confidentiality protections, sharing authorities, and an administrative monetary penalty scheme to promote compliance would be included to provide monitoring and enforcement for the Bill.

Part 2: Critical Cyber Systems Protection Act

The Critical Cyber Systems Protection Act (CCSPA) would establish a regulatory regime to strengthen baseline cyber security across the federally regulated finance, telecommunications, energy and transportation sectors.

New Legislative Tools

The Act would increase information sharing and provide the GIC with the power to issue Cyber Security Directions to designated operators for the purpose of protecting a critical cyber system.

Obligations

Designated operators would be obligated to:

  • Establish a Cyber Security Program.
  • Mitigate supply chain and third-party service or product risks.
  • Report cyber security incidents to CSE.
  • Implement Cyber Security Directions.
Enforcement Powers and Consequences

The CCSPA would provide regulators with powers necessary to enforce the Act (e.g., audits, AMPs), and would create consequences for non-compliance (e.g., summary convictions or convictions on indictment).

Figure 1: CCSPA Regulatory framework for protecting critical cyber systems

Image description: This image shows the six steps of the Critical Cyber Systems Protection Act to protect critical cyber systems: protect, detect, respond and recover, report, share, and improve defenses.

Key Amendments Carried on Former C-26

  • Broad agreement on importance of Bill C-26's objectives; targeted amendments strengthened or clarified certain provisions
  • Amendments on the overall Bill:
    • Added a reasonableness standard for orders and directions
    • Added factors government must consider prior to issuing orders and directions
    • Specified reporting requirements
    • Notification requirements for confidential orders and directions
    • More explicit provisions on privacy and confidential information, including that for greater certainty authorities cannot be used to intercept private communications
  • Amendments more specific to Part 1:
    • Explicit consultation requirement
    • Addition of an explicit due diligence defence
  • Amendments more specific to Part 2:
    • Clarity around program design (timing of reporting, supply chain, etc.)
    • Federal / Provincial considerations around information sharing
  • C-26 provisions on judicial review and confidential information were replaced by the Secure Administrative Review Proceedings regime set out in An Act respecting countering foreign interference (former Bill C-70)

Conclusion

If passed, this legislation would promote Canada's security and resilience and protect our sovereignty, by:

  • Adding security-related authorities for the GIC and Minister of Industry under the Telecommunications Act;
  • Creating cross-sector regulations specific to cyber security;
  • Providing the legislative authority to direct action in response to cyber threats; and,
  • Supporting increased cyber threat information sharing.

Overall, ARCS would emphasize the Government's commitment to increasing the cyber security baseline across Canada and help ensure the national security, economic prosperity, and public safety of Canadians.

Annex A: Stakeholder Consultations

Industry
  • Bell
  • Business Council of Canada
  • Canadian Bankers Association
  • Canadian Chamber of Commerce
  • Canadian Cyber Threat Exchange
  • Canadian Internet Registration Authority
  • Canadian Gas Association
  • Electricity Canada
  • Insurance Bureau of Canada
  • IrisTel / ICE Wireless
  • Railway Association of Canada
  • Telus
Governments
  • Intelligence Commissioner of Canada
  • Privacy Commissioner of Canada
  • Provinces and municipalities
Cyber security experts and civil liberties
  • Canadian Civil Liberties Association
  • Citizen Lab
  • OpenMedia
  • TechNation
Regulators
  • Canada Energy Regulator
  • Canadian Nuclear Safety Commission
  • Office of the Superintendent of Financial Institutions
  • Bank of Canada
  • Minister of Industry
  • Minister of Transport

Stakeholders Consulted on An Act Respecting Cyber Security (ARCS)

Includes those who provided briefs or testimony to Parliamentary Committees (SECU and SECD) and/or those who have been consulted separately.

Industry

  • Business Council of Canada
  • Canadian Internet Registration Authority
  • Canadian Chamber of Commerce
  • IBM Canada
  • Insurance Bureau of Canada
  • Bruce Power
  • BlackBerry
  • Beauceron Security
  • Electricity Canada
  • Canadian Radio-Television and Telecommunications Commission
  • Manulife
  • Canadian Airports Council
  • Information Technology Industry Council
  • American Chamber of Commerce in Canada
  • Global Container Terminals
  • Eastlink
  • Canadian Bankers Association
  • Railway Association of Canada
  • Canadian Telecommunications Association
  • Engineers Canada
  • National Centre for Critical Infrastructure Protection, Security and Resilience
  • Bell
  • Rogers
  • TELUS
  • Canadian Gas Association
  • Kyndryl Canada
  • Tenable Inc.

Cyber Security Experts and Civil Liberties Associations

  • Centre for International Governance Innovation
  • Canadian Constitution Foundation
  • Privacy and Access Council of Canada
  • Citizen Lab
  • OpenMedia
  • Bouchard Avocats
  • Canadian Civil Liberties Association
  • International Civil Liberties Monitoring Group
  • Ligue des droits et libertés
  • National Council of Canadian Muslims
  • Canadian Union of Public Employees
  • TechNation
  • Ashar S., Ahmed, Cyber Security Practitioner
  • ISC2, inc.
  • I-Sigma
  • GeoComply Solutions Inc.
  • Canadian Cyber Threat Exchange
  • Andrew Clement, Professor at the University of Toronto
  • Matt Malone, Balsillie Scholar

Governments

  • Intelligence Commissioner of Canada
  • Privacy Commissioner of Canada
  • Provincial and Territorial Governments
  • Municipal Governments
  • Five Eye Principals (United Kingdom, Australia, New Zealand, United States of America)

Regulators

  • Canada Energy Regulator
  • Canadian Nuclear Safety Commission
  • Office of the Superintendent of Financial Institutions
  • Bank of Canada
  • Minister of Industry
  • Minister of Transport

Summary of Gender-Based Analysis Plus (GBA Plus) Analysis

Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Gender-Based Analysis Plus (GBA Plus) is an analytical framework that supports the development of responsive and inclusive policies, programs, and services. The GBA Plus framework seeks to identify: who may be affected by a proposed initiative; how the initiative could be tailored to meet diverse needs of the people most affected; and mitigation measures that could be applied to reduce the effects of any potential barriers to accessing or benefitting from the initiative. GBA Plus is an intersectional analysis that looks beyond biological (sex) and socio-cultural (gender) differences, considering factors such as age, disability, education, ethnicity, economic status, geography (including rurality), language, race, religion, and sexual orientation. It is an ongoing process that is applied to all stages of the policy development process.

The GBA Plus framework was applied to the development of the policies enshrined in Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. What follows is a summary of the findings for each Part of Bill C-8.

Part 1

The amendments to the Telecommunications Act seek to establish a security framework and provide the Government of Canada with the authority to promote the security of the Canadian telecommunications system, a critical step in the implementation of near-future technologies that will present new challenges and opportunities for all Canadians. This is in line with two of the themes of Canada's National Cyber Security Strategy: Security & Resilience and Leadership & Collaboration. A concerted effort was made to consider intersectional perspectives with regard to the impact of this decision on various segments of the Canadian population.

The amendments are designed to provide tools to the Government of Canada for the benefit and security of all Canadians as they connect through current and future generations of telecommunications networks. The increase in the magnitude and frequency of cyber incidents globally in recent years has illustrated that no population or organization is immune to the risk of cyber threats including espionage. As critical infrastructure sectors become increasingly connected through Fifth Generation (5G) technologies, the impact of these threats will only increase. Canadians from all demographics, socio-economic backgrounds, as well as private and public sector organizations, rely on critical infrastructure to live and prosper. While it is impossible to fully anticipate the changes to Canadians' lives that 5G implementation will bring, disruption or manipulation in a 5G future could cause enormous harm to wide swathes of Canada's population, regardless of background or demographics.

A preliminary impact assessment of this proposal showed that the proposed security framework would not directly have any GBA Plus related impacts.

It was deemed possible that regulations or orders resulting from the framework could have financial and commercial impacts on Telecommunications Service Providers (TSPs) on a case-by-case basis. Larger TSPs are expected to be better positioned to mitigate negative impacts relative to smaller TSPs, meaning that rural and remote communities serviced by the latter could experience greater indirect impacts than populations residing in urban centres. However, it is possible that these negative impacts may not materialize.

[Redacted]

Part 2

The Critical Cyber Systems Protection Act (CCSPA) seeks to ensure that the cyber systems of vital importance to national security and public safety are sufficiently protected, which was one of the challenges raised in the review of the National Cyber Security Strategy.

Given that Canadians from different backgrounds experience cyber security challenges and opportunities differently, a concerted effort was made to include groups and stakeholders that are representative of Canada's regions and diversity as part of the public consultation on cyber security. With this approach, a range of perspectives were gathered. Input was received from all provinces, one territory, and internationally. Participants consisted of government officials, cyber security industry, private sector leaders and associations, Critical Infrastructure (CI) owners and operators, law enforcement, academia, and engaged citizens of various backgrounds. The proposed Initiative both reflects and accounts for the views of different stakeholders who provided their views. It conveys the importance of cyber security for CI, and its respective implications for Canadians' security and safety.

The increase in the magnitude and frequency of cyber incidents globally illustrates that no population is immune to the risk of cybercrime and cyber threats. In fact, Canadians from all demographics, socioeconomic backgrounds, as well as private and public sector organizations, will most certainly continue to be targeted. However, evidence suggests that women and girls are more susceptible to the criminal uses of advancements in artificial intelligence and to cybercrime, including cyber violence. Vulnerable populations include youth and seniors, who are disproportionately targeted by cyber criminals as they are likely to have fewer digital literacy skills.

This legislation is expected to raise the cyber security baseline in federally-regulated critical infrastructure, which Canadians rely on every day. Furthermore, the mandatory incident reporting provision in this legislation is expected to not only improve our understanding of the cyber threat landscape but also improve the government's ability to provide advice and guidance to all Canadians so that they may take steps to prevent and mitigate such threats. In this way, the government is taking legislative steps to protect Canadians, including these more targeted groups, from cyber threats writ large.

Clause by Clause Analysis of Bill C-8

Part 1

Section 1: Amendments to Section 7 of the Telecommunications Act
Analysis

Section 1 amends the policy objectives of the Telecommunications Act. The Act currently contains nine objectives, which guide how it is applied and which are linked to the various regulatory functions in the Act. This clause adds "to promote the security of the Canadian telecommunications system" to those policy objectives.

Section 2: Amendments to Section 15 of the Telecommunications Act
Analysis

Section 2 amends Section 15 of the Telecommunications Act by adding the following:

15.1 (1) – Security of Canadian telecommunications system – Governor in Council

The Governor in Council may order telecommunications service providers to secure telecommunications systems against threats, including those from interference, manipulation, disruption or degradation.

  • 15.1 (1) (a) – Orders may be used to prohibit specific products or services from being used in a telecommunications service provider's networks or facilities.
  • 15.1 (1) (b) – Orders may be used to remove any product or equipment already incorporated into a telecommunications network or facility.
15.1 (2) – Scope and Substance

Orders made by the Governor in Council must be reasonable to the scope of the threat.

15.1 (3) – Non-Disclosure

The Governor in Council may prohibit the disclosure of an order's existence or any or all of its contents to any person.

15.1 (4) – Factors

The Governor in Council must consider the following things before issuing an order:

  • 15.1 (4) (a) – how an order would operationally impact a telecommunications service provider;
  • 15.1 (4) (b) – how an order would financially impact a telecommunications service provider;
  • 15.1 (4) (c) – the effect an order would have on the provision of telecommunications services in Canada;
  • 15.1 (4) (d) – any other factors the Governor in Council deems relevant.

15.1 (5) – Prepublication

Draft orders may be published in the Canada Gazette, if requested by the Governor in Council.

15.1 (6) – Publication

Orders must be published in the Canada Gazette within 90 days of being issued, unless directed otherwise by the Governor in Council.

15.1 (7) – Conflict

Should there be a conflict between an order made by the Governor in Council under S. 15.1, and a decision of the Canadian Radio-television and Telecommunications Commission (CRTC), or a ministerial order under the Telecommunications Act or the Radiocommunication Act, the Governor in Council order will prevail.

15.1 (8) – No Compensation

No compensation shall be owed for any financial losses resulting from an order.

15.2 (1) – Security of Canadian telecommunications system – Minister's order

This clause enables the Minister of Industry, after consultation with the Minister of Public Safety and Emergency Preparedness and any other person the Minister deems relevant, to order telecommunications service providers to secure networks against threats, including those from interference, manipulation, disruption or degradation.

  • 15.2 (1) (a) – The Minister can order that a telecommunications service provider not provide services to anyone, including to another telecommunications service provider.
  • 15.2 (1) (b) – The Minister can order that a telecommunications service provider cease or suspend providing services to anyone, including to another telecommunications service provider.

15.2 (2) – Order

This clause enables the Minister of Industry to order telecommunications service providers to secure networks against threats, including those from interference, manipulation, disruption, or degradation by undertaking the actions described in 15.2(2)(a) to (k).

  • 15.2 (2) (a) – Ministerial orders may prohibit the use of specific services or equipment, in any or all parts of a telecommunications service provider's associated networks or facilities. This is intended to enable the Minister to order telecommunications service providers to mitigate vulnerabilities in equipment/services from all suppliers.
  • 15.2 (2) (b) – As a corollary to the above, Ministerial orders may require telecommunications service providers to remove any specified product from any supplier, in any or all parts of their associated networks or facilities. Again, this is to mitigate vulnerabilities in a specific product that telecommunications service providers have deployed.
  • 15.2 (2) (c) – Ministerial orders may impose conditions on a telecommunications service provider for the use of a service or product, including those supplied by another telecommunications service provider.
  • 15.2 (2) (d) – Ministerial orders may impose conditions on a telecommunications service provider in relation to the provision of a service or product to any person, including on those supplied to another telecommunications service provider.
  • 15.2 (2) (e) – Ministerial orders may prohibit a telecommunications service provider from entering into a service agreement, affecting any or all parts of its networks or facilities.
  • 15.2 (2) (f) – Related to (e) above, Ministerial orders may require that a telecommunications service provider terminate an existing service agreement.
  • 15.2 (2) (g) – Ministerial orders may prohibit a telecommunications service provider from upgrading any specified product or service.
  • 15.2 (2) (h) – Ministerial orders may require that a telecommunications service provider's networks or facilities, including procurement plans, be subject to a review process to examine potential security risks.
  • 15.2 (2) (i) – Ministerial orders may require telecommunications service providers to develop internal security plans to protect their systems and equipment.
  • 15.2 (2) (j) – Ministerial orders may require telecommunications service providers to conduct assessments of the effectiveness and/or weaknesses of any such security plans as above in (i), of their networks, or of their services and facilities.
  • 15.2 (2) (k) – Having assessed vulnerabilities as above in (j), the Minister may order a telecommunications service provider to address any vulnerability or deficiency.
  • 15.2 (2) (l) – Ministerial orders may require a telecommunications service provider to implement specific standards, including technical or procedural standards.
  • 15.2 (2) (m) – Ministerial orders may require a telecommunications service provider to do something, or refrain from doing something, even if those actions were not specified in subsection (1) or 15.1(1).
  • 15.2 (2) (n) – Ministerial orders may require a telecommunications service provider to use a backup system for their facilities.

15.2 (3) – Scope and Substance

Orders made by the Minister must be reasonable to the scope of the threat.

15.2 (4) – For greater certainty

The Minister is not authorized to order a telecommunications service provider to intercept any private communication or radio-based telephone communication, as these terms are defined in the Criminal Code Section 183.

15.2 (5) – Non-Disclosure

The Minister may prohibit the disclosure, by any person, of the existence or the contents of any order made.

15.2 (6) – Factors

The Minister must consider the following things before issuing an order:

  • 15.2 (6) (a) – How an order would operationally impact a telecommunications service provider.
  • 15.2 (6) (b) – How an order would financially impact a telecommunications service provider.
  • 15.2 (6) (c) – The effect an order would have on the provision of telecommunications services in Canada.
  • 15.2 (6) (d) – Any other factors the Minister deems relevant.

15.2 (7) – Prepublication

Draft orders may be published in the Canada Gazette, if requested by the Minister.

15.2 (8) – Publication

Orders issued by the Minister must be published in the Canada Gazette, unless the Minister specifies otherwise.

15.2 (9) – Conflict

Should a Governor in Council or a Ministerial order from Section 15 above conflict with a decision made by the CRTC or an authorization or order made under the Telecommunications Act or the Radiocommunication Act, the Section 15 order will prevail.

15.2 (10) – No Compensation

As with Governor in Council orders, no one is entitled to compensation for losses resulting from a Ministerial order.

15.21 (1) – Report on orders

Within three months after the end of each fiscal year, or within 15 days of the next sitting if the House is not then in session, the Minister will table a report on the Orders made under section 15.1(1) and 15.2(1) and (2).

15.21 (2) – Contents of report

The report must include the following information:

  • 15.21 (2) (a) – The number of orders made, and the nature of those orders.
  • 15.21 (2) (b) – The number of orders revoked.
  • 15.21 (2) (c) – The number of telecommunications service providers affected by an order.
  • 15.21 (2) (d) – A description of compliance by telecommunications service providers who partially complied with an order.
  • 15.21 (2) (e) – A description of compliance by telecommunications service providers who fully complied with an order.
  • 15.21 (2) (f) – An explanation of the necessity, reasonableness and utility of each order.

15.21 (3)

The report will state the number of times that an order prevailed over a decision of the CRTC.

15.22 Obligation to notify

Within 90 days of issuing an order where some or all of its contents are to be kept confidential, the Minister will notify the National Security and Intelligence Committee of Parliamentarians (NSICOP) and the National Security and Intelligence Review Agency (NSIRA) of the making of the order.

15.3 (1) – Contravention of an unpublished order

No person is subject to conviction for contravening a Governor in Council or Ministerial order unless the government can provide proof they had been previously notified of its contents.

15.3 (2) – Certificate

The Minister may issue a certificate that states that notice of an order was provided to those likely to be affected by a given order. In the absence of contradictory evidence, this shall be taken as sufficient proof that notification was made.

15.3 (3) – Statutory Instruments Act

Neither Governor in Council nor Ministerial orders are subject to the Statutory Instruments Act.

15.3 (4) – Incorporation by reference

A Governor in Council or a Ministerial order made under section 15.1 or 15.2 can incorporate, by reference, any other document. Such a reference can be made evergreen, and track to the most current such document. For instance, this could be used to reference an international or national technical standard.

15.4 – Provision of information
  • The Minister may require any person to supply information which is reasonably believed to be required to make, amend or revoke either a Governor in Council or a Ministerial order, or to verify compliance with existing security-related orders or regulations.
  • The provision of such information can have terms or conditions set (e.g., timelines or format) as appropriate, and as required by the Minister.
15.5 (1) – Confidential information – designation

As information supplied under 15(4) could be of a sensitive nature, this clause allows for those supplying the information to designate such information as confidential. Such types of information could include:

  1. trade secrets;
  2. financial, commercial, scientific or technical information the person otherwise takes efforts to keep confidential; or
  3. information which, if released, would be prejudicial to the financial competitiveness of the person or company supplying it, affect the contractual or other negotiations of the person or company supplying it, or which otherwise could reasonably be expected to result in a financial loss (or gain) for any person;
  4. personal or de-identified information.
15.5 (2) – Definitions

Personal information carries the same meaning as in section 3 of the Privacy Act. De-identified information is data which is modified so as not to be personally identifiable, although there may be some residual risk it could be later connected to a person.

15.5 (3) – Prohibition

A person may not divulge information which has been designated as confidential by those supplying it, as per section 15.5 (1) above.

15.5 (4) – Exception

There are three situations where information supplied to the Minister in such cases may be disclosed, even if it had been designated as confidential.

  1. it is permissible to disclose such information required by the Minister, if authorised or required by law;
  2. it is permissible to disclose such information required by the Minister, if the party supplying agrees to its disclosure; or
  3. it is permissible to disclose such information required by the Minister, if the Minister deems that doing so is required to protect or secure the Canadian telecommunications systems from interference, manipulation or disruption.
15.6 (1) – Exchange of information
  • The collection of information under 15.4 is designed to allow the Minister to evaluate the need for or validity of an order (whether to issue an order, amend an order or discontinue a previous order) and the effectiveness of orders (to confirm that the recipient is in compliance and/or that compliance is having the desired effect).
  • As making, amending and revoking orders and regulations made under 15.1, 15.2 and 15.8(1)(a) may require consultation between government departments, this clause enables information collection and disclosure amongst those parties listed:
    1. the Minister of Industry;
    2. the Minister of Public Safety;
    3. the Minister of Foreign Affairs;
    4. the Minister of National Defence;
    5. the Chief of the Defence Staff of the Canadian Armed Forces;
    6. the Chief of the Communications Security Establishment, and staff in that agency;
    7. the Director of the Canadian Security Intelligence Service, and staff in that agency;
    8. the Chairperson of the Canadian Radio-television and Telecommunications Commission, and staff in that agency;
    9. any person who had been designated under 15.4. While not specified in the legislation, this is meant to include, but is not limited to, specific industry expertise or technical/scientific capacity required to evaluate and assess the information provided; and
    10. any other prescribed person or entity.
15.6 (2) – Confidential Information

Information disclosed to those above will continue to be treated as confidential, if it had been designated so.

15.7 (1) Disclosure of information
  • This clause authorizes the Minister to share (except for information designated as confidential per 15.5(1)) information collected under the Act with a provincial or territorial government in Canada, the government of a foreign state, or an international organization, or a subset of those. This may be done if the Minister believes it to be necessary to secure Canadian telecommunication networks, or those of a foreign state, against interference, manipulation or disruption.
  • A formal mechanism in writing will be required to achieve this. The purpose of sharing such information would be to address security concerns on Canadian networks, or foreign networks (i.e., if this was a wider threat event).
15.7 (2) Restriction – use

Information shared with a foreign state as per 15.7(1) shall not be used in law enforcement situations or prosecution in a foreign jurisdiction, unless those situations would also be considered breaches under Canadian law.

15.8 (1) (a) – Regulations

The Governor in Council may create regulations which could include anything contained in a Ministerial order (S. 15.2).

15.8 (1) (b)

The Governor in Council may also create by regulation a listing of persons or entities with whom collected information may be shared under 15.6 (1) (j). For instance, this could be used to establish a listing of trusted laboratories for testing telecommunications services and equipment.

15.8 (2) – Conflict

In the case of an inconsistency between a regulation created by the Governor in Council, and a decision of the CRTC, a Ministerial order or authorization, or an order made under the Radiocommunication Act, the regulation will prevail.

15.81 (1) – Annual Report

Within three months after the end of each fiscal year, or within 15 days of the next sitting if the House is not then in session, the Minister will table a report regarding all Governor in Council and Ministerial orders made in the previous fiscal year.

15.81 (2) – Contents

The report will include the number of orders issued in the preceding fiscal year.

15.81 (3) Contents of reports: conflicts

The report will also state the number of times that an order prevailed over a decision of the CRTC.

15.9 (1) – Judicial Review: Rules

The rules described below apply to judicial review proceedings regarding a Governor in Council or Ministerial order or a regulation made under 15.8 (1) (a). These rules are intended to be complementary to the single, consistent Secure Administrative Review Proceedings regimen set out in the Countering Foreign Interference Act.

Rules
15.9 (1) (a)

Should the judge determine that confidential evidence or other information is not relevant to the matter under judicial review, or should the Minister withdraw it, the judge cannot consider that evidence or information when rendering a decision.

15.9 (1) (b)

Even if the Minister requests confidential information be withdrawn from consideration, its confidentiality must be ensured by the judge.

15.9 (2) – Definition of judge

'Judge' for the section above is understood to mean the Chief Justice of the Federal Court, or another federal judge who has been designated by the Chief Justice.

15.91 – Protection of information appeal

The process and protections for confidential information set out in 15.9 (1) would apply in any appeal process of the initial judicial review.

Section 3: Amendment to Section 47 of the Telecommunications Act
Analysis

Section 3 replaces Section 47 of the Telecommunications Act. This clause creates a general obligation for the CRTC to consider any orders, standards or regulations made by either the Governor in Council or the Minister in exercising its duties and functions.

Section 4: Amendment to Section 71 of the Telecommunications Act
Analysis

Subsection 4(1) replaces Section 71(2) of the Telecommunications Act. This clause modifies the general authority of the Minister to appoint inspectors for verifying compliance with the Act to include the ability to verify the implementation of orders made under 15.1 and 15.2 and for regulations made under 15.8(1)(a).

Subsection 4(2) replaces Paragraph 71(4)(a) of the Telecommunications Act. This clause modifies the general authority of inspectors appointed by the Minister to enter any place that they believe reasonably necessary to verify compliance with the Act, adding authorities to verify the implementation of orders made under 15.1 and 15.2 or regulations made under 15.8(1)(a).

Subsection 4(3) replaces Paragraph 71(6)(b) of the Telecommunications Act. This clause modifies the general authority of inspectors appointed by the Minister to enter any dwelling-house that is believed to be reasonably necessary to verify compliance with the Act, including to verify the implementation of orders made under 15.1 and 15.2 or regulations made under 15.8(1)(a).

Subsection 4(4) replaces Subsection 71(9) of the Telecommunications Act. This clause modifies the general authority of inspectors appointed by the Minister to require a person to supply any information they believe reasonably necessary for verifying compliance with the Act, including to verify the implementation of orders made under 15.1 and 15.2 or regulations made under 15.8(1)(a).

Section 5: Amendment to Section 72 of the Telecommunications Act
Analysis

Section 5 replaces Subsection 72(3) of the Telecommunications Act. This clause modifies the general exemption of the Crown from civil liability for costs resulting from the actions of a person who is not in compliance with the Act, and specifically costs related to being in breach of orders made under 15.1 and 15.2 or regulations made under 15.8(1)(a).

Section 6: Amendment to Section 72 of the Telecommunications Act
Analysis

Section 6 modifies paragraph 72.001 of the Telecommunications Act. This clause modifies the definitions for 'violations under the Act' to include violations of orders made under 15.1 and 15.2 and regulations under 15.8(1)(a).

Section 7: Administrative Monetary Penalties – Security of the Canadian Telecommunications System
Analysis

Section 7 establishes the administrative monetary penalty regime for contraventions of orders made under 15.1 or 15.2, or regulations made under 15.8(1)(a). Specifically, it adds the following to the Telecommunications Act after Section 72.13:

72.131 Commission of violation

This clause makes specific additions to the general clauses defining violations of the Act. Specifically, it defines that contravening orders made under 15.1 and 15.2 or regulations made under 15.8(1)(a) is a violation of the Act, and specifies the administrative monetary penalty for doing so.

72.131 (a)

In regard to 72.131 an administrative monetary penalty for an individual could result in a penalty of up to $25,000, and up to $50,000 for subsequent violations.

72.131 (b)

In regard to 72.131 an administrative monetary penalty for a non-individual (e.g., companies) could result in a penalty of up to $10 million, and up to $15 million for subsequent violations.

72.132 – Continuing violation

Every day a violation under 72.131 continues could be considered a separate incident, with additional penalties being assessed daily.

72.133 (1) – Determination of penalty amount

The amount of the penalty is to be determined by taking into account the following factors:

  1. the nature and scope of the violation;
  2. the history of compliance with the implementation of orders made under 15.1 and 15.2 or regulations made under 15.8(1)(a) by the company or person who committed the violation;
  3. any benefit that the person obtained from the commission of the violation;
  4. the person's ability to pay the penalty;
  5. any factors established by any regulations; and
  6. any other relevant factor.
72.133 (2) – Purpose of penalty

The purpose of penalties for breaching orders made under 15.1 and 15.2 or regulations made under 15.8(1)(a) is to promote compliance, and not to punish.

72.134 (a) – Power of Minister – violation

The Minister may designate a person, or class of persons, to issue notices of violation or enter into compliance or remediation agreements for violations of orders made under 15.1 and 15.2 or regulations made under 15.8(1)(a).

72.134 (b)

The Minister may create a descriptive means to be used in notices of violation of orders made under 15.1 and 15.2 or regulations made under 15.8(1)(a).

72.135 (1) – Issuance and service

A person designated by the Minister to issue notices of violation may also issue notices to persons that violate orders made under 15.1 and 15.2 or regulations made under 15.8(1)(a).

72.135 (2) – Contents of Notice

Notices issued under 72.135(1) must include the name of the person committing the violation, the nature of the violation, and:

  1. the amount of the penalty;
  2. a 30-day deadline (or other as may be set) for either payment of the assessed penalty, or for challenging the validity of the violation and penalty to the Minister; and
  3. a statement indicating that failing either to pay or challenge the penalty shall be deemed to be acceptance that a violation occurred by the person responsible.
72.135 (3) – Correction or cancellation of notice of violation

At any time before a request to challenge a violation and penalty is made, the official designated to issue a notice may correct any errors it contained, including by cancelling the notice of violation.

72.136 (1) – Payment

Payment of a penalty for a violation of an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a) is deemed to be acceptance, and related proceedings are ended.

72.136 (2) – Representations

A person may choose to contest a notice of a violation of an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a) to the Minister.

Having heard those representations, the Minister may decide, based on a balance of probabilities, to uphold the original penalty, reduce it, or cancel it outright.

72.136 (3) – Failure to pay or make representations

If a notified party neither pays the assessed penalty, nor contests it by representation to the Minister, it is deemed to be acceptance of the validity of the violation. In such a case, the Minister may impose the penalty described in the notice.

72.136 (4) – Copy of decision

If a notified party neither pays the assessed penalty, nor contests it by representation to the Minister, the Minister will serve a copy of their decision on the outcome of that process to the notified party.

72.137 (1) – Compliance agreements

If a party receives a notification of violation of an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a), they can choose to enter into a compliance agreement to rectify the situation. In such an agreement, the government may reduce, in whole or in part, the assessed penalty for the violation.

72.137 (2) – Representations

Should a person enter into a compliance agreement following a notification of violation, that person forgoes their right to contest the violation to the Minister as per 72.135(2)(b).

72.137 (3) – Deeming

If a notified party enters into a compliance agreement for a notification of violation, it is deemed to have committed the violation.

72.137 (4) – Notice of compliance

If a notified party has entered into a compliance agreement, and is in full compliance with it, they shall be notified of that, and the proceedings will be considered ended.

72.137 (5) – Notice of default

If a notified party has entered into a compliance agreement, and they are found to not be in full compliance, they shall be informed of this, and be imposed the original assessed penalty, minus any partial money received under the terms of the compliance agreement.

72.137 (6) – Payment

If a party found in default of a compliance agreement pays the original assessed penalty, the proceedings in respect of the violation are considered to be ended.

72.138 – Officer, director or agent or mandatary of corporations

Officers, Directors or other personnel of a corporation found to be violating an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a) may themselves be found to be liable for the violation, if they directed, authorized, assented to or participated in that violation. This can be pursued even if the corporation itself is not proceeded against.

72.139 (1) – Debt due to His Majesty

Penalties levied for violating an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a) are considered owed to His Majesty in right of Canada, and may be recovered, including any interest, in the Federal Court or other relevant court.

72.139 (2) – Limitation period or prescription

Efforts to recover a debt owed to the Crown must begin no later than five years after the date the debt becomes payable.

72.139 (3) – Receiver General

Debts assessed as part of violations are payable to the Receiver General for Canada.

72.139 (4) – Certificate of default

Should any or all of an assessed penalty remain unpaid, the Minister may issue a certificate of default.

72.139 (5) – Registration in Federal Court

Registration of a certificate of default with the Federal Court, as above at 72.139 (4), shall be considered the same as a judgement of that Court, and may include related registration costs.

72.1391 (1) – Limitation period or prescription

Proceedings in respect of a violation may not begin later than three years after the day on which the Minister becomes aware of it.

72.1391 (2) – Minister – certificate

A certificate issued by the Minister certifying the date on which they became aware of a proceeding as above, will be deemed to be authentic, in the absence of evidence to the contrary.

72.1392 (a) – Publication

In the case of a compliance agreement for a notified violation of an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a), the Minister is authorized to (but not required to) make public many aspects of the agreement, including the name of a person or company who enters into a compliance agreement.

Details which can be included in the public notification include the nature of the compliance agreement, its terms and conditions, the assessed severity of the violation, and the amount of the monetary penalty levied.

72.1392 (b)

Further to the conditions above for making public compliance agreements, the name of the person who committed a violation can be released publicly, as can the nature of the assessed violation and the conditions surrounding the violation.

72.1393 – Regulations

Regulations may be created by the Governor in Council to:

  1. modify the enforcement of orders made for security purposes under 15.1 and 15.2 and regulations made under 15.8(1)(a), as set out in 72.131;
  2. modify the factors to consider in assessing the amount for an administrative monetary penalty for violating orders made under 15.1 and 15.2 and regulations made under 15.8(1)(a), as set out in 72.133(1)(e); and
  3. articulate the specifics of compliance agreements as set out in 72.137(1).

Section 8: Amendment of the heading prior to Section 72.14 of the Telecommunications Act
Analysis

Section 8 replaces the heading prior to Section 71.14 of the Telecommunications Act to say the following:

Provisions Common to Administrative Monetary Penalties Schemes

Section 9: Amendment to Section 72 of the Telecommunications Act
Analysis

Section 9 modifies subsection 72.14 of the Telecommunications Act. It aligns the administrative monetary penalty regime supporting enforcement of violations of an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a) with the existing enforcement regime in the Act.

Specifically, a notice of violation (72.135(1)), or a copy of a Minister's decision upon a violation being contested (72.136(4)), shall be taken as authentic with regard to being used as evidence in a proceeding.

Section 10: Amendment to Section 73 of the Telecommunications Act
Analysis

Subsection 11(1) replaces Paragraph 73(3)(a) of the Telecommunications Act. This clause excludes regulations made by the Governor in Council under 15.8(1)(a) from the general enforcement regime. This next section is dedicated to summary offences for contravening an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a).

Subsection 11(2) amends Section 73 of the Telecommunications Act by adding paragraphs after Subsection 73(3). The first - 73(3.1) - specifies that any person that contravenes an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a), is guilty of a summary offence, and liable:

  1. for offences by individuals, fines of an amount to be decided by the Court, imprisonment for two years less a day, or both; and
  2. for offences by persons other than individuals (e.g., companies) to a fine at the discretion of the Court.

The second paragraph - 73(3.2) - specifies that officers, directors, agents or mandataries of a person or company which commits an offence in 73(3.1) may individually be found guilty of the offence if they directed, authorized or otherwise participated in the commission of the offence.

The third paragraph - 73(3.3) - specifies that demonstrating that a director, officer, agent or mandatary directed an employee or other agent to perform the violation will be sufficient proof of the offence, regardless of whether the employee is proceeded against.

The fourth paragraph – 73(3.4) - accommodates proceedings of offences for violations of security related orders with the existing provisions of the Act, which deal with regulations. Specifically, it allows for a defence of due diligence for proceedings seeking summary convictions of an offence.

The existing exception against a due diligence defence within the Act, for offences under 73(2)(d), which deals with efforts to deceive the Minister or their designated inspectors, remains unchanged.

The fifth paragraph - 73(3.5) – specifies that no consent is required to prosecute an offence for contravention of 73(3.1), contravention of an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a).

Subsection 11(3) replaces Subsection 73(7) of the Telecommunications Act. This clause makes explicit that contravention of an order made under 15.1 and 15.2 or regulations made under 15.8(1)(a) can be the subject of a court injunction, upon application by the Minister, and the court may take such actions as it deems appropriate.

Part 2

Clause 11: Enactment
Analysis

Clause 13 specifies that the following text containing Sections 1 to 146, as well as Schedules 1 and 2, is enacted as An Act respecting the protection of critical cyber systems in the federally regulated sector (CCSPA), and provides the preamble.

The preamble sets out the purpose and reasoning for the CCSPA. It focuses on the responsibility of the federal government to protect Canadians and the importance of certain cyber systems in ensuring the continuity of systems and services that Canadians rely on. It also acknowledges that the national cyber security strategy committed to protecting these systems and that the federal government is committed to working with stakeholders (including provinces and territories) to protect them, all while remaining in accordance with the Privacy Act.

Section 1: Short Title
Analysis

Section 1 specifies that Sections 1 to 146, as well as Schedules 1 and 2, can be referred to, for simplicity, as the Critical Cyber Systems Protection Act (CCSPA).

Section 2: Definitions
Analysis

Section 2 sets out in alphabetical order the definition of terms used in the Critical Cyber Systems Protection Act.

Appropriate regulator
The definition of "appropriate regulator" provides clarity regarding which regulator this Act is referring to in relation to a designated operator. Schedule 2 of this Act will identify the class of operators (designated operators) and the corresponding regulator who will be responsible for the administration and enforcement of this Act in relation to those designated operators who are part of that class.
Bank
The definition of "Bank" ensures that the use of this word throughout the CCSPA Bill is referring to the Bank of Canada (a regulator under this Act), and not any other bank.
Canadian Energy Regulator
The definition of "Canadian Energy Regulator" ensures that, throughout the CCSPA Bill, it corresponds to its definition / enactment under the Canadian Energy Regulator Act.
Canadian Nuclear Safety Commission
The definition of "Canadian Nuclear Safety Commission" ensures that, throughout the CCSPA Bill, it corresponds to the definition of Commission under the Nuclear Safety and Control Act.
Chief Executive Officer
The definition of "Chief Executive Officer" ensures that, throughout the CCSPA Bill, it corresponds to its definition under the Canadian Energy Regulator Act.
Commission
The definition of "Commission" ensures that, throughout the CCSPA Bill, it corresponds to its definition under the Canadian Energy Regulator Act.
Confidential information
The definition of "confidential information" ensures that appropriate protection is given to any information that has been obtained under this Act in respect of a critical cyber system. This protection is necessary because of the nature of the information or of the impact that its inappropriate disclosure could have on one or more designated operators. Such information is confidential when:
  (a) it concerns a vulnerability of, or the methods used to protect, a critical cyber system, when the designated operator keeps the information confidential;
  (b) its disclosure could result in financial loss or gain to the designated operator, or could prejudice its competitive position; or
  (c) its disclosure could be expected to interfere with contractual or other negotiations of a designated operator.
Critical cyber system

A critical cyber system (CCS) is a cyber system that underpins a vital service or a vital system. This means that the compromise of such a cyber system, by any means, could have a detrimental effect on the continuity or the security of this vital service or vital system. This includes any part of the cyber system that, if compromised, would impact the cyber system's confidentiality (where information contained or processed in the cyber system is accessed without authorization), integrity (where information contained or processed in the cyber system is modified or deleted unintentionally or without authorization) or availability (where the cyber system, or information contained or processed in it, cannot be accessed when necessary).

Specific elements of any CCS may vary rapidly and regularly, since technology evolves at a rapid pace; however, at any point in time, all the components of a cyber system that meet the above definition would be part of the CCS.

Cyber security incident
An incident, including an act, an omission or a circumstance that interferes or could interfere with the continuity or security of a vital service or vital system. An act, omission or circumstance that affects or could affect the confidentiality, integrity or availability of the critical cyber system, would also constitute a cyber security incident.
Cyber system
A cyber system is defined under this Act as a system of interdependent digital services, technologies, assets or facilities that form the infrastructure for the reception, transmission, processing or storing of information. This definition is designed to capture the different types of components, physical or virtual, that work together to underpin a vital service or a vital system. This definition aims at capturing current and future states of technologies that are key to vital services or systems.
Designated operator
The definition of "designated operator" refers to a person, partnership or unincorporated organization that belongs to any class of operators identified in Schedule 2. Designated operators will be responsible for complying with the obligations under this Act in relation to the critical cyber system that they own, control or operate.
Governor
The definition of "Governor" ensures that, throughout the CCSPA Bill, it corresponds to its definition under the Bank of Canada Act.
Minister
At the time of the tabling of this Act, this expression refers to the Minister of Public Safety and Emergency Preparedness. However, section 4 of this Act confers on the Governor in Council the power to appoint any other federal minister to serve as the Minister for this Act.
Regulator
This Act lists the regulators that are responsible for enforcing and administering this Act, including:
  1. the Minister of Industry;
  2. the Minister of Transport;
  3. the Superintendent of Financial Institutions appointed under subsection 5(1) of the Office of the Superintendent of Financial Institutions Act;
  4. the Bank of Canada established by subsection 3(1) of the Bank of Canada Act;
  5. the Canadian Energy Regulator, established by section 10 of the Canadian Energy Regulator Act; and
  6. the Canadian Nuclear Safety Commission, established by section 8 of the Nuclear Safety and Control Act.
Responsible minister
This definition identifies the minister responsible for an Act that is ordinarily administered by an appropriate regulator with respect to any class of operators set out in Schedule 2 as the responsible minister. This ensures clarity when this Act is referring to the minister responsible for this Act, and other ministers who have responsibilities under this Act.
Superintendent
The definition of "Superintendent" ensures that, throughout the CCSPA, it corresponds to the Superintendent of Financial Institutions established under the Office of the Superintendent of Financial Institutions Act.
Tribunal
The definition of "Tribunal" ensures that, throughout the CCSPA Bill, it corresponds to the Transportation Appeal Tribunal of Canada established under the Transportation Appeal Tribunal of Canada Act.
Vital service
A service that is determined to be vital to national security or public safety under this Act and is identified in Schedule 1 of this Act.
Vital systems
A system that is determined to be vital to national security or public safety under this Act and is identified in Schedule 1 of this Act.

Section 3: Application
Analysis

Section 3 makes clear that this Act is binding on the Crown.

Section 4: Power to designate Minister
Analysis

Section 4 gives the Governor in Council the power to designate any federal minister to be the Minister for this Act.

If no minister is designated under section 4, the Minister of Public Safety and Emergency Preparedness is the minister responsible for this Act.

Section 5: Purpose
Analysis

The purpose of this Act is to help to protect critical cyber systems in order to support the continuity and security of services and systems that are vital to national security or the safety of Canadians.

In particular, the purpose of this Act is to encourage the protection of critical cyber systems by identifying a number of cyber security related outcomes that this regime is intended to address, including:

  1. any cyber security risks in respect of critical cyber systems are identified and managed, including risks associated with supply chains, and the use of third party products and services;
  2. critical cyber systems are protected from being compromised;
  3. any cyber security incidents affecting, or having the potential to affect critical cyber systems are detected; and
  4. the impacts of cyber security incidents affecting critical cyber systems are minimized.

Section 6: Vital Services and Vital Systems
Analysis

Subsection 6(1) authorizes the Governor in Council (GIC) to identify, in Schedule 1 of this Act, any service or system that is vital to national security or public safety. The GIC may only designate services or systems that are delivered or operated as part of a "work, undertaking or business" that is within the legislative authority of Parliament. Schedule 1 is already populated with vital services and vital systems.

Subsection 6(2) authorizes the Governor in Council to amend or delete any service or system set out in Schedule 1.

Section 7: Designated Operators of Critical Cyber Systems
Analysis

Section 7 gives the Governor in Council the power to add to Schedule 2 a class of operators, along with the name of the corresponding regulator for that class, in respect of a vital service or vital system listed in Schedule 1.

Only classes containing entities that are persons, partnerships or unincorporated organizations that operate a work or carry on an undertaking or business that is within the legislative authority of Parliament can be added. This ensures that only the vital service provider or the vital system operator will be responsible for complying with this Act, and not third parties.

Section 7 also allows the Governor in Council to amend or delete a class of operators or a regulator.

Section 8: Critical cyber system — obligation of designated operator
Analysis

Section 8 ensures that a designated operator that owns, controls or operates a critical cyber system is responsible for complying with the requirements of this Act and the regulations with respect to that critical cyber system.

Upon falling within a class of operators in Schedule 2, the designated operator will be responsible for complying with this Act in relation to any components of cyber systems that are part of their critical cyber system. While this set of technologies can vary from time to time, at any point in time, the vital service or vital system would depend on a specific set of technologies which would form the CCS.

Sections 9 to 14: Establishing and maintaining a cyber security program
Analysis

Section 9 creates the obligation for designated operators to establish a cyber security program (CSP) in respect of their critical cyber systems.

Subsection 9(1) provides that the CSP must be established within 90 days after the designated operator becomes subject to the obligations under this Act, and that the CSP must include reasonable steps to, in accordance with any regulations:

  1. identify and manage any organizational cyber security risks, including risks associated with the designated operator's supply chain and its use of third-party products and services;
  2. protect its critical cyber system from being compromised;
  3. detect any cyber security incidents affecting, or having the potential to affect, its critical cyber systems;
  4. minimize the impact of cyber security incidents affecting critical cyber systems; and
  5. do anything that is prescribed by the regulations.

Under paragraph (e), the fifth item above, regulations can prescribe additional objectives for which reasonable steps must be taken as part of the CSP.

Subsection 9(2) requires the designated operator to notify its regulator as soon as its CSP has been established.

Section 10 requires the designated operator to provide its CSP to its regulator as set out in Schedule 2 (or to make the CSP available to the regulators) within 90 days after becoming subject to this Act.

It also makes clear that regulation can prescribe the manner in which the CSP must be provided. If no manner is so prescribed, then the CSP must be provided in the manner that the appropriate regulator considers appropriate.

Section 11 allows the regulator to, upon written request, extend the 90-day period to establish a cyber security program and/or provide it to the regulator, and gives the regulator discretion to extend this period more than once.

Section 12 requires the designated operator to implement the CSP by taking the reasonable steps included in the CSP.

The designated operator must also maintain the CSP, in order to keep it current in its capacity to identify and respond to evolving threats, changing technology, etc.

Subsection 13(1) specifies that a designated operator must conduct an annual review of its CSP beginning on the anniversary of the CSP's establishment, or on a date prescribed in regulation.

Subsection 13(2) also specifies that the designated operator must complete the review within 60 days, or within the period prescribed by the regulations if such regulation is made, and amend its program as a result of the review if needed.

Subsection 13(3) obligates the designated operator to inform its regulator of whether or not any changes were made to the program, within 30 days after completion of the review that was conducted, unless a regulation prescribes another period of time.

Subsection 14(1) requires a designated operator, within a period prescribed by the regulations, to notify its regulator of a material change in its ownership or control, or in its supply chain or in its use of third-party products, and do so without delay. This notification aims at identifying circumstances that would have an impact on the inherent risks of this operator. This Act also allows other circumstances to trigger the notification requirement, if they are included in a regulation.

Subsection 14(2) specifies that the designated operator must also inform their regulator of whether or not changes were made to the program – and if so, of the nature of those changes as a result of the changes in circumstances – and do so within 90 days after they notified their regulator.

Subsection 14(3) allows the regulator to extend the 90-day period for a designated operator who requests it, and gives the regulator discretion to extend this period more than once.

Section 15: Mitigation of Supply-chain and Third-party Risks
Analysis

Section 15 requires a designated operator who, as part of its CSP, has identified any cyber security risk associated with its supply chain or its use of third-party products and services, to take reasonable steps, including any steps prescribed by regulations, to mitigate those risks.

The mitigation of risks is understood to mean that the steps taken should reduce the likelihood of the risk materializing, or the impact on the CCS, the vital service or the vital system, of such risk materializing.

Section 16 allows a regulator to provide to Communications Security Establishment Canada (CSE) any information, including information that is confidential respecting:

  • a designated operator's cyber security program or
  • any steps taken by the designated operator to mitigate cyber security risk associated with its supply chain or its use of third-party products and services.

The regulator is authorised to do so for the purpose of requesting advice, guidance or services from CSE in accordance with the mandate of CSE in respect of the exercise of the regulator's powers or the performance of its duties and functions under the CCSPA.

Sections 17 to 19: Report — cyber security incident
Analysis

Section 17 requires a designated operator to report a cyber security incident in respect of any of its critical cyber systems to the Communications Security Establishment, in accordance with the regulations and within a period prescribed by the regulations that is not to exceed 72 hours. CSE will use the information under its existing mandate. This information is necessary for the Government of Canada to gain a better understanding of the threats to CCS, resulting in a more accurate picture of the cyber security landscape in Canada and providing more evidence in support of its protection.

Regulations will specify what must be reported, and the format for reporting; it is expected that regulations will be sector-specific so that reporting can be tailored to each sector's specific context.

Subsection 18(a) obligates the designated operator to notify its regulator in the manner prescribed by the regulations, immediately after reporting a cyber security incident.

Subsection 18(b) specifies that this notification obligation can include sending the incident report to the regulator, if the regulator requests it.

Section 19 requires CSE to give to a regulator who requests it a copy of any incident report or any portion of it that relates to a designated operator under the purview of that regulator, without delay. This is for the purpose of verifying compliance or preventing noncompliance with the provisions of this Act and the regulations.

Sections 20 and 21: Cyber Security Directions
Analysis

Subsection 20(1) gives the Governor in Council the authority to issue, by order, a cyber security direction (CSD) to direct any designated operator, or a class of operators, to comply with any measure that is included in the CSD for the purpose of protecting the critical cyber system that the designated operator is responsible for. The Governor in Council has this authority so long as they reasonably believe that making the order is necessary to protect this critical cyber system.

Subsection 20(2) allows the Governor in Council to amend or revoke a direction in whole or in part. A CSD would apply until it is revoked, unless it contains specific application timeframes specified under subsections 21(1) or 21(2).

Subsection 20(3) lists the factors the Governor in Council must consider before making an order under subsection 20(1). This list includes the operational and financial impacts on designated operators, the impact on the public safety of Canadians, the impact on the delivery of vital services, and other factors that are deemed relevant.

Subsection 20(4) obligates every designated operator to comply with a direction that it is subject to.

Subsection 20(5) requires the Minister to notify the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency within 90 days of making an order under subsection 20(1).

Subsection 20(6) specifies for greater certainty that the Governor in Council is prohibited from ordering a designated operator to intercept private communications or radio-based telephone communications as defined under the Criminal Code.

Subsection 21(1) specifies what must be contained in a CSD. The CSD must include the name of the designated operator or the class of operators subject to the direction; it must specify the measures to be taken by the designated operator(s), along with any associated conditions; and finally, the CSD must specify the period within which those measures are to be taken.

Subsection 21(2) adds that in addition to those under 21(1)(b), the Governor in Council may include other conditions in a direction.

Subsection 22(1) provides that an order made under section 20 is exempt from the application of sections 3, 5 and 11 of the Statutory Instruments Act and as such, the order that creates a CSD does not have to be examined, registered, or published in the Canada Gazette.

Subsection 22(2) provides that a designated operator will not be found to have contravened a CSD unless it is proved that the operator had been informed of the CSD or reasonable steps had been taken to notify the operator of the CSD and its application to the operator.

Subsection 22(3) further explains that for the purpose of proving that the designated operator had been informed of a CSD, a certificate signed by the Minister or responsible minister and stating that a notice containing the order was given to designated operators likely to be affected by it is, in the absence of evidence to the contrary, proof that notice was given to that designated operator.

Subsection 23(1) lists the persons or entities that are authorized to disclose or collect information, including confidential information, to and from each other, to the extent necessary, for any purpose related to the making, amending or revoking of a CSD, namely:

  1. the Minister;
  2. the responsible minister;
  3. the appropriate regulator;
  4. the Minister of Foreign Affairs;
  5. the Minister of National Defence;
  6. the Chief of the Defence Staff;
  7. the Chief or an employee of CSE;
  8. the Director or an employee of the Canadian Security Intelligence Service; and
  9. any additional person or entity that is prescribed by regulations.

Subsection 23(2) specifies that information collected by or disclosed by a person or entity listed in section 23(1) must be treated as confidential.

Section 24 prohibits designated operators that are subject to a cyber security direction from disclosing (or allowing to be disclosed) the fact that a cyber security direction was issued, as well as the content of that direction, with the exception of what is permitted under section 25.

This prohibition ensures that, to the extent possible, the exact parameters, methods or techniques used in the protection of CCS, are not publicly known, in an effort to minimize the risk of having any threat actor use that information to compromise a CCS.

Subsection 25(1) allows a designated operator that is subject to a CSD to disclose the fact that the direction was issued, and its content, only if that disclosure is necessary for the operator to comply with the direction. For example, this could include providing details about measures that must be taken to a third party who operates part of a CCS, if that third party is the one who can take the measure.

Subsection 25(2) prohibits the person who is informed under 25(1) from further disclosing this information without the authorization of the designated operator who informed them in the first place.

Sections 26 to 29: Prohibition
Analysis

Subsection 26(1) prohibits the willful disclosure of confidential information by any person. It also prohibits any person from allowing it to be disclosed to, or allowing access to it by, any agency, body or other person, except in specific cases.

Disclosure of confidential information is authorized only if:

  1. the disclosure is required by law;
  2. the information to be disclosed is publicly available;
  3. the designated operator to which the information relates consents to its disclosure;
  4. the disclosure is necessary for any purpose related to the protection of vital services, vital systems or critical cyber systems;
  5. the disclosure is made in accordance with any provision of this Act; or
  6. the disclosure is made in accordance with the Security of Canada Information Disclosure Act.

Subsection 26(2) ensures that a person currently authorized by law to provide such information to a law enforcement agency, or to the Canadian Security Intelligence Service, is not prohibited from doing so if the provision of the information is otherwise lawful.

The goal of this enhanced protection is to minimize the concerns of private sector stakeholders who are required under this Act to share this information with the government, and address concerns with the information being widely shared.

Subsection 26(3) specifies that confidential information disclosed or allowed to be accessed under subsection 26(1) must be treated as confidential.

Subsection 27(1) allows the Minister, a responsible minister or a regulator to enter into a written agreement or arrangement with

  1. the government of a province;
  2. the government of a foreign state; or
  3. an international organization established by the governments of foreign states,

for the exchange of information, excluding confidential information, relating to the protection of critical cyber systems.

Under such an agreement, the Minister, responsible minister or regulator could share information, other than confidential information, with any institution or agency of the government, or the international organization party to the agreement.

Subsection 27(2) provides that, while confidential information cannot be shared under 27(1), it can be disclosed to any institution or agency of the government of a province under an agreement or arrangement, but only if the Minister, responsible minister or the regulator is satisfied that the information will be treated in a confidential manner and would not be further disclosed without their express consent.

Subsection 28(1) authorizes a regulator, if necessary to protect vital systems or services, for any purpose related to this Act, to provide the Minister or the responsible minister with any information, including any confidential information, when that information is related to that regulator's exercise of powers or the performance of its duties and functions under this Act or the regulations.

It further specifies that when the information is requested by the Minister or by a responsible minister for the same reason, the regulator must provide the information.

Subsection 28(2) specifies that any confidential information (within the meaning of this Act or any other Act of Parliament that applies to or is administered by the appropriate regulator) that is provided under subsection 28(1) must be treated as confidential.

Section 29 allows the appropriate regulator to request any information from any person, partnership or unincorporated organization, for the purpose of verifying compliance or preventing noncompliance with any provision of this Act or the regulations, and requires that this information be provided to the regulator within the time and in the manner that the regulator specifies.

The language "person, partnership or unincorporated organization" is used to ensure that information can be requested from any person or entity who may be a designated operator. For example, this information could be necessary for the regulator to assess whether the "person, partnership or unincorporated organization" belongs to a class of designated operators.

Section 30: Record Keeping
Analysis

Subsection 30(1) specifies that a designated operator must keep records in respect of

  1. any steps taken to implement the designated operator's cyber security program;
  2. every cyber security incident that the designated operator reported under section 17;
  3. any steps taken by the designated operator under section 15 to mitigate any supply-chain or third-party risks;
  4. any measures taken by the designated operator to implement a cyber security direction; and
  5. any additional matters that regulations prescribe.

Subsection 30(2) further requires that the records are to be kept by the designated operator in Canada at its place of business or in a place prescribed in the regulations, and kept in the manner and for the period that is determined by the regulator, unless it is otherwise prescribed by the regulations.

Section 31: Limitation on Liability
Analysis

Subsection 31(1) ensures that any person who exercises powers or performs duties or functions under this Act is not liable for anything done or omitted to be done in good faith while they exercise those powers or perform their duties or functions.

Subsection 31(2) extends this immunity to the person who is permitted under this Act to accompany the regulator while that person is helping the regulator in the performance of its duties or functions under this Act.

Sections 32 to 39: Powers of the Superintendent of Financial Institutions
Analysis

Sections 32 to 39 provide the Superintendent of Financial Institutions with powers to exercise its functions as a regulator under this Act.

Subsection 32(1) provides the Superintendent with the power to enter a place for the purpose of verifying compliance or preventing noncompliance with this Act.

Subsection 32(2) specifies the powers that the Superintendent has when entering a place to ensure compliance, including:

  1. examining anything in the place;
  2. using any systems to assess information contained within them;
  3. preparing any documents based on that information;
  4. examining records, reports or data, and making copies of them;
  5. using any equipment in the place to copy; and
  6. removing any documents, record or system, or portions of them from the place to examine or copy them.

Subsection 32(3) specifies that anything removed (through subsection 32(2)(f)) must be returned once examined or copied.

Subsection 32(4) ensures that whoever is in charge of the place that is entered by the Superintendent (either owner or person in charge) and any person in there must assist the Superintendent in the exercising of their powers.

Subsection 32(5) allows the Superintendent to be accompanied by any person they deem necessary to help them in the exercising of their powers under this section. For example, the regulator could ask a cyber security expert to help during audits under the CCSPA.

Subsection 32(6) allows the Superintendent to pass through any property other than a dwellinghouse in the exercising of their powers.

Subsection 33(1) notes that the Superintendent cannot enter a dwellinghouse without the owner's consent unless a warrant allows it.

Subsection 33(2) specifies that a justice of the peace may issue a warrant to enter a dwellinghouse if they are satisfied that the following 3 conditions are met:

  1. it is the location where compliance must be enforced (i.e. the location required for subsection 32(1));
  2. entry to this location is required to enforce compliance; and
  3. entry has been refused, or it is reasonable to believe it will be refused.

Subsection 33(3) specifies that the Superintendent is not authorized to use force unless authorized by the warrant and accompanied by a peace officer.

Subsection 34(1) allows the Superintendent to direct a designated operator to conduct an audit on itself (an internal audit) to determine whether or not they are in compliance.

Subsection 34(2) specifies that these internal audit orders are exempt from the Statutory Instruments Act.

Section 35 requires the designated operator to comply with the internal audit order, and to provide a report of the audit to the Superintendent within a specified time period. This must include whether or not the designated operator deems itself to be compliant or noncompliant with this Act or its regulations. If deemed noncompliant, they must identify what they are noncompliant with and what they are doing to remedy the noncompliance.

Subsection 36(1) authorizes the Superintendent to issue a compliance order, directing the designated operator to either (a) stop doing something that is or is likely to cause noncompliance, or (b) to do something necessary to meet requirements or mitigate noncompliance.

Subsection 36(2) outlines that the time and manner for a request of a review of the order must be specified in the order itself.

Subsection 36(3) ensures that the compliance order is exempt from the Statutory Instruments Act.

Subsection 37(1) specifies that any designated operator who is subject to a compliance order must comply with it.

Subsection 37(2) notes that when a designated operator is in compliance with a compliance order, they must notify the Superintendent without delay.

Subsection 38(1) specifies that a designated operator can request (in writing) a review by the Superintendent of the compliance order subject to them.

Subsection 38(2) specifies that the written request for review made by the designated operator must be made within a time and manner that is specified within the compliance order itself. It also notes that the request for review must state why a review is necessary, as well as the evidence that supports this.

Subsection 38(3) notes that the compliance order is still in effect while the review is underway unless specified by the Superintendent.

Subsection 39(1) notes that once the review of the compliance order is completed by the Superintendent, the designated operator must be notified of the result of, and reasoning for, that review. The compliance order could be either confirmed, amended, revoked or cancelled.

Subsection 39(2) notes that if a decision by the Superintendent is not completed within 90 days, it is assumed that the Superintendent has confirmed the order.

Sections 40 to 48: Powers of the Minister of Industry
Analysis

Sections 40 to 48 provide the Minister of Industry with powers to exercise its functions as a regulator under this Act.

Subsection 40(1) provides the Minister of Industry with the ability to designate a person or class of persons as inspectors for the purposes of assessing compliance and enforcement under this Act.

Subsection 40(2) specifies that each inspector designated by the Minister of Industry under this Act must be given a certification of designation and is required to produce it if asked to do so by the designated operator.

Subsection 41(1) provides the inspector with the power to enter a place for the purpose of verifying compliance or preventing noncompliance with this Act.

Subsection 41(2) specifies the powers that the inspector has when entering a place to ensure compliance, including:

  1. examining anything in the place;
  2. using any systems to assess information contained within them;
  3. preparing any documents based on that information;
  4. examining records, reports or data, and making copies of them;
  5. using any equipment in the place to copy; and
  6. removing any documents, record or system, or portions of them from the place to examine or copy them.

Subsection 41(3) specifies that anything removed by the inspector (through subsection 41(2)(f)) must be returned once examined or copied.

Subsection 41(4) ensures that whoever is in charge of the place that is entered by the inspector (either owner or person in charge) and every person in there must assist them in the exercising of their powers.

Subsection 41(5) allows the inspector to be accompanied by any person they deem necessary to help them in the exercising of their powers under this section. For example, the regulator could ask a cyber security expert to help during audits under the CCSPA.

Subsection 41(6) allows the inspector to pass through any property other than a dwellinghouse in the exercising of their powers.

Subsection 42(1) notes that the inspector cannot enter a dwellinghouse without the owner's consent unless a warrant allows it.

Subsection 42(2) specifies that a justice of the peace may issue a warrant to enter a dwellinghouse if they are satisfied that the following 3 conditions are met:

  1. it is the location where compliance must be enforced (i.e. the location required for subsection 41(1));
  2. entry to this location is required to enforce compliance; and
  3. entry has been refused, or it is reasonable to believe it will be refused.

Subsection 42(3) specifies that the inspector is not authorized to use force unless authorized by the warrant and accompanied by a peace officer.

Subsection 43(1) allows the inspector to direct a designated operator to conduct an audit on itself (an internal audit) to determine whether or not they are in compliance.

Subsection 43(2) specifies that these internal audit orders are exempt from the Statutory Instruments Act.

Section 44 requires the designated operator to comply with the internal audit order, and to provide a report of the audit to the Minister of Industry within a specified time period. This must include whether or not the designated operator deems itself to be compliant or noncompliant with this Act or its regulations. If deemed noncompliant, they must identify what they are noncompliant with and what they are doing to remedy the noncompliance.

Subsection 45(1) authorizes the Minister of Industry or a designated inspector to issue a compliance order, directing the designated operator to either (a) stop doing something that is or is likely to cause noncompliance, or (b) to do something necessary to meet requirements or mitigate noncompliance.

Subsection 45(2) outlines that the time and manner for a request of a review of the order must be specified in the order itself.

Subsection 45(3) ensures that the compliance order is exempt from the Statutory Instruments Act.

Subsection 46(1) specifies that any designated operator who is subject to a compliance order must comply with it.

Subsection 46(2) notes that when a designated operator is in compliance with a compliance order, they must notify the Minister of Industry without delay.

Subsection 47(1) specifies that a designated operator can request (in writing) a review by the Minister of Industry of the compliance order subject to them.

Subsection 47(2) specifies that the written request for review made by the designated operator must be made within a time and manner that is specified within the compliance order itself. It also notes that the request for review must state why a review is necessary, as well as the evidence that supports this.

Subsection 47(3) notes that the compliance order is still in effect while the review is underway unless specified by the Minister of Industry.

Subsection 48(1) notes that once the review of the compliance order is completed by the Minister of Industry, the designated operator must be informed of the result of that review and the reasoning. The compliance order could be either confirmed, amended, revoked or cancelled.

Subsection 48(2) notes that if a decision by the Minister of Industry is not completed within 90 days, it is assumed that the Minister of Industry has confirmed the order.

Sections 49 to 57: Powers of Bank of Canada
Analysis

Sections 49 to 57 provide the Bank of Canada with powers to exercise its functions as a regulator under this Act.

Subsection 49(1) provides the Bank of Canada with the ability to designate a person or a group of persons for the purposes of assessing compliance and enforcement under this Act.

Subsection 49(2) specifies that each person designated by the Bank of Canada under this Act must be given a certification of designation and is required to produce it if asked to do so by the designated operator.

Subsection 50(1) provides the person designated under subsection 49(1) of this Act with the power to enter a place for the purpose of verifying compliance or preventing noncompliance with this Act.

Subsection 50(2) specifies the powers that the person designated under subsection 49(1) has when entering a place to ensure compliance, including:

  1. examining anything in the place;
  2. using any systems to assess information contained within them;
  3. preparing any documents based on that information;
  4. examining records, reports or data, and making copies of them;
  5. using any equipment in the place to copy; and
  6. removing any documents, record or system, or portions of them from the place to examine or copy them.

Subsection 50(3) specifies that anything removed by the person designated under subsection 49(1) (through subsection 50(2)(f)) must be returned once examined or copied.

Subsection 50(4) ensures that whoever is in charge of the place that is entered by the person designated under subsection 49(1) (either owner or person in charge) and every person in there must assist them in the exercising of their powers.

Subsection 50(5) allows the person designated under subsection 49(1) to be accompanied by any person they deem necessary to help them in the exercising of their powers under this section. For example, the regulator could ask a cyber security expert to help during audits under the CCSPA.

Subsection 50(6) allows the person designated under subsection 49(1) to pass through any property other than a dwellinghouse in the exercising of their powers.

Subsection 51(1) notes that the person designated under subsection 49(1) cannot enter a dwellinghouse without the owner's consent unless a warrant allows it.

Subsection 51(2) specifies that a justice of the peace may issue a warrant to enter a dwellinghouse if they are satisfied that the following 3 conditions are met:

  1. it is the location where compliance must be enforced (i.e. the location required for subsection 50(1));
  2. entry to this location is required to enforce compliance; and
  3. entry has been refused, or it is reasonable to believe it will be refused.

Subsection 51(3) specifies that the person designated under subsection 49(1) is not authorized to use force unless authorized by the warrant and accompanied by a peace officer.

Subsection 52(1) allows the person designated under subsection 49(1) to direct a designated operator to conduct an audit on itself (an internal audit) to determine whether or not they are in compliance.

Subsection 52(2) specifies that these internal audit orders are exempt from the Statutory Instruments Act.

Section 53 requires the designated operator to comply with the internal audit order, and to provide a report of the audit to the Bank of Canada within a specified time period. This must include whether or not the designated operator deems itself to be compliant or noncompliant with this Act or its regulations. If deemed noncompliant, they must identify what they are noncompliant with and what they are doing to remedy the noncompliance.

Subsection 54(1) authorizes the Bank of Canada or a person designated under subsection 49(1) to issue a compliance order, directing the designated operator to either (a) stop doing something that is or is likely to cause noncompliance, or (b) to do something necessary to meet requirements or mitigate noncompliance.

Subsection 54(2) outlines that the time and manner for a request of a review of the order must be specified in the order itself.

Subsection 54(3) ensures that the compliance order is exempt from the Statutory Instruments Act.

Subsection 55(1) specifies that any designated operator who is subject to a compliance order must comply with it.

Subsection 55(2) notes that when a designated operator is in compliance with a compliance order, they must notify the Bank of Canada without delay.

Subsection 56(1) specifies that a designated operator can request (in writing) a review by the Governor of the Bank of Canada of the compliance order subject to them.

Subsection 56(2) specifies that the written request for review made by the designated operator must be made within a time and manner that is specified within the compliance order itself. It also notes that the request for review must state why a review is necessary, as well as the evidence that supports this.

Subsection 56(3) notes that the compliance order is still in effect while the review is underway unless specified by the Governor of the Bank of Canada.

Subsection 57(1) notes that once the review of the compliance order is completed by the Governor of the Bank of Canada, the designated operator must be notified of the result of that review and the reasoning. The compliance order could be either confirmed, amended, revoked or cancelled.

Subsection 57(2) notes that if a decision by the Governor of the Bank of Canada is not completed within 90 days, it is assumed that the Governor has confirmed the order.

Sections 58 to 66: Powers of the Canadian Nuclear Safety Commission (CNSC)
Analysis

Sections 58 to 66 provide the CNSC with powers to exercise its functions as a regulator under this Act, including the power to designate persons to exercise them.

Subsection 58(1) provides the CNSC with the ability to designate persons or groups of persons for the purposes of assessing compliance and enforcement under this Act.

Subsection 58(2) specifies that each person designated under subsection 58(1) by the CNSC under this Act must be given a certification of designation and is required to produce it if asked to do so by the designated operator.

Subsection 59(1) provides the person designated under subsection 58(1) with the power to enter a place for the purpose of verifying compliance or preventing noncompliance with this Act.

Subsection 59(2) specifies the powers that the person designated under subsection 58(1) has when entering a place to ensure compliance, including:

  1. examining anything in the place;
  2. using any systems to assess information contained within them;
  3. preparing any documents based on that information;
  4. examining records, reports or data, and making copies of them;
  5. using any equipment in the place to copy; and
  6. removing any documents, record or system, or portions of them from the place to examine or copy them.

Subsection 59(3) specifies that anything removed by the person designated under subsection 58(1) (through subsection 59(2)(f)) must be returned once examined or copied.

Subsection 59(4) ensures that whoever is in charge of the place that is entered by the person designated under subsection 58(1) (either owner or person in charge) and every person in there must assist them in the exercising of their powers.

Subsection 59(5) allows the person designated under subsection 58(1) to be accompanied by any person they deem necessary to help them in the exercising of their powers under this section. For example, the regulator could ask a cyber security expert to help during audits under the CCSPA.

Subsection 59(6) allows the person designated under subsection 58(1) to pass through any property other than a dwellinghouse in the exercising of their powers.

Subsection 60(1) notes that the person designated under subsection 58(1) cannot enter a dwellinghouse without the owner's consent unless a warrant allows it.

Subsection 60(2) specifies that a justice of the peace may issue a warrant to enter a dwellinghouse if they are satisfied that the following 3 conditions are met:

  1. it is the location where compliance must be enforced (i.e. the location required for subsection 59(1));
  2. entry to this location is required to enforce compliance; and
  3. entry has been refused, or it is reasonable to believe it will be refused.

Subsection 60(3) specifies that the person designated under subsection 58(1) is not authorized to use force unless authorized by the warrant and accompanied by a peace officer.

Subsection 61(1) allows the person designated under subsection 58(1) to direct a designated operator to conduct an audit on itself (an internal audit) to determine whether or not they are in compliance.

Subsection 61(2) specifies that these internal audit orders are exempt from the Statutory Instruments Act.

Subsection 61(3) specifies that the person designated under subsection 58(1) must submit any internal order to the CNSC for review, and that following this review, the CNSC must confirm, amend or revoke the internal order.

Section 62 requires the designated operator as designated under subsection 58(1) to comply with the internal audit order, and to provide a report of the audit to the CNSC within a specified time period. This must include whether or not the designated operator deems itself to be compliant or noncompliant with this Act or its regulations. If deemed noncompliant, they must identify what they are noncompliant with and what they are doing to remedy the noncompliance.

Subsection 63(1) authorizes the CNSC or a person designated under subsection 58(1) to issue a compliance order, directing the designated operator to either (a) stop doing something that is or is likely to cause noncompliance, or (b) to do something necessary to meet requirements or mitigate noncompliance.

Subsection 63(2) outlines that the time and manner for a request of a review of the order must be specified in the order itself.

Subsection 63(3) ensures that the compliance order is exempt from the Statutory Instruments Act.

Subsection 63(4) specifies that the person designated under subsection 58(1) must refer any compliance order to the CNSC for review, and that following the review, the CNSC must confirm, amend or revoke the internal order.

Subsection 64(1) specifies that any designated operator designated under subsection 58(1) who is subject to a compliance order must comply with it.

Subsection 64(2) notes that when a designated operator is in compliance with a compliance order, they must notify the CNSC without delay.

Subsection 65(1) specifies that a designated operator can request (in writing) a review by the CNSC of the compliance order subject to them.

Subsection 65(2) specifies that the written request for review made by the designated operator must be made within a time and manner that is specified within the compliance order itself. It also notes that the request for review must state why a review is necessary, as well as the evidence that supports this.

Subsection 65(3) notes that the compliance order is still in effect while the review is underway unless specified by the CNSC.

Subsection 66(1) notes that once the review of the compliance order is completed by the CNSC, the designated operator must be notified of the result of that review and the reasoning. The compliance order could be either confirmed, amended, revoked or cancelled.

Subsection 66(2) notes that if a decision by the CNSC is not completed within 90 days, it is assumed that they have confirmed the order.

Sections 67 to 76: Powers of the Canadian Energy Regulator (CER)
Analysis

Sections 67 to 76 provide the CER and its Chief Executive Officer (CEO) with powers to exercise its functions as a regulator under this Act, including the power to designate inspection officers to exercise them.

Subsection 67(1) provides the CEO of the CER with the ability to designate inspection officers for the purposes of assessing compliance and enforcement under this Act.

Subsection 67(2) specifies that each inspection officer designated by the CEO of the CER under this Act must be given a certification of designation and is required to produce it if asked to do so by the designated operator.

Subsection 68(1) provides the inspection officer with the power to enter a place for the purpose of verifying compliance or preventing noncompliance with this Act.

Subsection 68(2) specifies the powers that the inspection officer has when entering a place to ensure compliance, including:

  1. examining anything in the place;
  2. using any systems to assess information contained within them;
  3. preparing any documents based on that information;
  4. examining records, reports or data, and making copies of them;
  5. using any equipment in the place to copy; and
  6. removing any documents, record or system, or portions of them from the place to examine or copy them.

Subsection 68(3) specifies that anything removed by the inspection officer (through subsection 68(2)(f)) must be returned once examined or copied.

Subsection 68(4) ensures that whoever is in charge of the place that is entered by the inspection officer (either owner or person in charge) and every person in that place must assist the inspector in the exercising of their powers.

Subsection 68(5) allows the inspection officer to be accompanied by any person they deem necessary to help them in the exercising of their powers under this section. For example, the regulator could ask a cyber security expert to help during audits under the CCSPA.

Subsection 68(6) allows the inspection officer to pass through any property other than a dwellinghouse in the exercising of their powers.

Subsection 69(1) notes that the inspection officer cannot enter a dwellinghouse without the owner's consent unless a warrant allows it.

Subsection 69(2) specifies that a justice of the peace may issue a warrant to enter a dwellinghouse if they are satisfied that the following 3 conditions are met:

  1. it is the location where compliance must be enforced (i.e. the location required for subsection 68(1));
  2. entry to this location is required to enforce compliance; and
  3. entry has been refused, or it is reasonable to believe it will be refused.

Subsection 69(3) specifies that the inspection officer is not authorized to use force unless authorized by the warrant and accompanied by a peace officer.

Subsection 70(1) allows the inspection officer to direct a designated operator to conduct an audit on itself (an internal audit) to determine whether or not they are in compliance.

Subsection 70(2) specifies that the inspection officer must report the circumstances and terms of the internal audit to the Commission of the CER.

Subsection 70(3) specifies that these internal audit orders are exempt from the Statutory Instruments Act.

Section 71 requires the designated operator to comply with the internal audit order, and to provide a report of the audit to the inspection officer within a specified time period. This must include whether or not the designated operator deems itself to be compliant or noncompliant with this Act or its regulations. If deemed noncompliant, they must identify what they are noncompliant with and what they are doing to remedy the noncompliance.

Subsection 72(1) authorizes the inspection officer to issue a notice of noncompliance to a designated operator if they believe that there has been a contravention of the CCSPA or its regulations by a designated operator or other person.

Subsection 72(2) specifies the guidelines that an inspection officer must follow when issuing a notice of noncompliance. The notice must be made in writing, and must:

  1. state the name of the designated operator or person;
  2. identify the section of the CCSPA or its regulations that has been contravened;
  3. set out the relevant facts around the contravention; and
  4. state the period available to the designated operator to respond.

Subsection 73(1) authorizes the CEO of the CER or a designated inspection officer to issue a compliance order, directing the designated operator to either (a) stop doing something that is or is likely to cause noncompliance, or (b) to do something necessary to meet requirements or mitigate noncompliance.

Subsection 73(2) outlines that the time and manner for a request of a review of the order must be specified in the order itself.

Subsection 73(3) specifies that the inspection officer issuing a compliance order must notify the designated operator in writing of the terms and reasons for the order, and report it to the Commission of the CER.

Subsection 73(4) ensures that the compliance order is exempt from the Statutory Instruments Act.

Subsection 74(1) specifies that any designated operator who is subject to a compliance order must comply with it.

Subsection 74(2) notes that when a designated operator is in compliance with a compliance order, they must notify the inspection officer without delay.

Subsection 75(1) allows the Commission of the CER to designate an individual or a group as authorized to conduct reviews under section 75.

Subsection 75(2) specifies that a designated operator can request (in writing) a review by the Commission of the CER or the designated reviewer (under subsection 75(1)) of the compliance order subject to them.

Subsection 75(3) specifies that the written request for review made by the designated operator must be made within a time and manner that is specified within the compliance order itself. It also notes that the request for review must state why a review is necessary, as well as the evidence that supports this.

Subsection 75(4) notes that the compliance order is still in effect while the review is underway unless specified by the Commission of the CER or the designated reviewer (under subsection 75(1)).

Subsection 76(1) notes that once the review of the compliance order is completed by the Commission of the CER, the designated operator must be notified of the result of that review and the reasoning. The compliance order could be either confirmed, amended, revoked or cancelled.

Subsection 76(2) notes that if a decision by the Commission of the CER or the designated reviewer under subsection 75(1) is not completed within 90 days, it is assumed that they have confirmed the order.

Sections 77 to 85: Powers of the Minister of Transport
Analysis

Sections 77 to 85 provide the Minister of Transport with powers to exercise its functions as a regulator under this Act, including the power to designate persons to exercise them.

Section 77 authorizes the Minister of Transport to delegate their powers, duties and functions under the CCSPA to any person or group of persons (with the exception of the delegation power provided under this section). The Minister can set any restrictions or limitations for this.

Subsection 78(1) provides the Minister of Transport with the power to enter a place for the purpose of verifying compliance or preventing noncompliance with this Act.

Subsection 78(2) specifies the powers that the Minister of Transport has when entering a place to ensure compliance, including:

  1. examining anything in the place;
  2. using any systems to assess information contained within them;
  3. preparing any documents based on that information;
  4. examining records, reports or data, and making copies of them;
  5. using any equipment in the place to copy; and
  6. removing any documents, record or system, or portions of them from the place to examine or copy them.

Subsection 78(3) specifies that anything removed by the Minister of Transport (through subsection 78(2)(f)) must be returned once examined or copied.

Subsection 78(4) ensures that whoever is in charge of the place that is entered by the Minister of Transport (either owner or person in charge) must assist the Minister of Transport in the exercising of their powers.

Subsection 78(5) allows the Minister of Transport to be accompanied by any person they deem necessary to help them in the exercising of their powers under this section. For example, the Minister of Transport could ask a cyber security expert to help during audits under the CCSPA.

Subsection 78(6) allows the Minister of Transport to pass through any property other than a dwellinghouse in the exercising of their powers.

Subsection 79(1) notes that the Minister of Transport cannot enter a dwellinghouse without the owner's consent unless a warrant allows it.

Subsection 79(2) specifies that a justice of the peace may issue a warrant to enter a dwellinghouse if they are satisfied that the following 3 conditions are met:

  1. it is the location where compliance must be enforced (i.e. the location required for subsection 78(1));
  2. entry to this location is required to enforce compliance; and
  3. entry has been refused, or it is reasonable to believe it will be refused.

Subsection 79(3) specifies that the Minister of Transport is not authorized to use force unless authorized by the warrant and accompanied by a peace officer.

Subsection 80(1) allows the Minister of Transport to direct a designated operator to conduct an audit on itself (an internal audit) to determine whether or not they are in compliance.

Subsection 80(2) specifies that these internal audit orders are exempt from the Statutory Instruments Act.

Section 81 requires the designated operator to comply with the internal audit order, and to provide a report of the audit to the Minister of Industry within a specified time period. This must include whether or not the designated operator deems itself to be compliant or noncompliant with this Act or its regulations. If deemed noncompliant, they must identify what they are noncompliant with and what they are doing to remedy the noncompliance.

Subsection 82(1) authorizes the Minister of Transport to issue a compliance order, directing the designated operator to either (a) stop doing something that is causing or is likely to cause noncompliance, or (b) do something necessary to meet requirements or mitigate noncompliance.

Subsection 82(2) outlines that the time and manner for requesting a review of the order must be specified in the order itself.

Subsection 82(3) ensures that the compliance order is exempt from the Statutory Instruments Act.

Subsection 83(1) specifies that any designated operator who is subject to a compliance order must comply with it.

Subsection 83(2) notes that when a designated operator is in compliance with a compliance order, they must notify the Minister of Transport without delay.

Subsection 84(1) specifies that a designated operator can request (in writing) a review by the Minister of Transport of the compliance order to which it is subject.

Subsection 84(2) specifies that the written request for review made by the designated operator must be made within the time and in the manner specified within the compliance order itself. It also notes that the request for review must state why a review is necessary, as well as the evidence that supports this.

Subsection 84(3) notes that the compliance order is still in effect while the review is underway unless specified by the Minister of Transport.

Subsection 85(1) notes that once the review of the compliance order is completed by the Minister of Transport, the designated operator must be notified of the result of that review and the reasoning. The compliance order could be either confirmed, amended, revoked or cancelled.

Subsection 85(2) notes that if a decision by the Minister of Transport is not completed within 90 days, it is assumed that the Minister of Transport has confirmed the order.

Sections 86 and 87: General Provisions
Analysis

Section 86 specifies that a person must not obstruct or hinder regulators, and those designated by the regulators as the case may be, from exercising their powers or performing their duties and functions under this Act – for example, during an audit.

Section 87 prohibits any person from:

  1. knowingly providing false or misleading information to any person, for any purpose under this Act; and
  2. knowingly providing any incident report that contains false or misleading information.

Sections 88 to 98: General Provisions of the Administrative Monetary Penalty Regime
Analysis

Section 88 clarifies the meaning of penalty as an administrative monetary penalty for a violation as imposed under sections 88 to 135.

Section 89 specifies that the purpose of a penalty is to promote compliance with this Act and not to punish.

Section 90 specifies that a designated operator or other person that contravenes or fails to comply with the provisions of this Act or regulations made under it commits a violation and is liable to a penalty of an amount determined in accordance with this Act and regulations.

Section 91 sets out the maximum amounts that can be imposed as penalties in regulations:

  1. $1,000,000 in the case of an individual; and
  2. $15,000,000 in any other case.

Regulations will ensure that the maximum penalty for any given sector is harmonized with existing penalties for that sector.

Subsection 92(1) provides that due diligence is a defence that can be relied upon in any proceeding in respect of a violation.

Subsection 92(2) specifies that common law rules and principles can be used as justification or excuse in relation to a violation of an offence under this Act to the extent that it is not inconsistent with this Act.

Section 93 specifies that when a designated operator commits a violation, any director or officer of that designated operator that directed, authorized, assented to, acquiesced in or participated in the commission of the violation is party to the violation and liable to the penalty of an amount determined in accordance with this Act and the regulations.

This applies whether or not a designated operator has been proceeded against in accordance with this Act.

Section 94 specifies that a violation that is committed or continued for more than one day is considered a separate violation for each day on which it is committed or continued.

Subsection 95(1) specifies that proceeding with any act or omission as a violation precludes proceeding with it as an offence under this Act, and vice versa.

Subsection 95(2) clarifies that a violation is not an offence and that section 126 of the Criminal Code does not apply in respect of a violation.

Section 96 specifies that legal proceedings in respect of a violation can be commenced no later than three years after the violation becomes known to the appropriate regulator.

Subsection 97(1) specifies that monetary penalties and any accrued interest are a debt to the Crown that may be recovered in the Federal Court or any court of competent jurisdiction.

Subsection 97(2) specifies that proceedings to recover debts must not be commenced more than five years after the day on which the debt became payable.

Subsection 97(3) clarifies that penalties are to be made payable and remitted to the Receiver General.

Subparagraph 98(1)(a) authorizes the appropriate regulator to certify an unpaid amount of any debt referred to in subsection 97(1).

Subparagraph 98(1)(b) authorizes the Transportation Appeal Tribunal of Canada to certify unpaid debts if the appropriate regulator is the Minister of Transport.

Subsection 98(2) specifies that the registration of a certificate in the Federal Court or in another court of competent jurisdiction has the same force and effect as a judgement of that court for a debt of the amount specified in the certificate and all related registration costs.

Sections 99 to 102: Administrative Monetary Penalty Regime for the Superintendent of Financial Institutions
Analysis

Subsection 99(1) allows the Superintendent to issue a notice of violation (NOV) to a designated operator or another person if the Superintendent has reasonable grounds to believe that a violation has been committed. The Superintendent must also serve this NOV on the designated operator or person.

Subsection 99(2) specifies that the NOV must name the designated operator or person who committed the violation, identify the violation, and set out

  1. the penalty for the violation that is liable to be paid;
  2. the right of the designated operator or person to either pay the penalty or make representations to the Superintendent with respect to the violation or the proposed penalty within 30 days (or any longer period specified), and how to do so; and,
  3. the fact that, if the penalty is not paid and representations are not made within the time period specified in the notice, the designated operator or person will be deemed to have committed the violation and is liable to pay the penalty set out in the notice.

Subsection 99(3) specifies that, at any time before the designated operator or person pays the penalty or makes representations in respect of a NOV, or enters into a compliance agreement with the Superintendent, the Superintendent can cancel the NOV or correct an error in it.

Section 100 outlines the following factors that must be taken into account when determining the penalty for a violation:

  1. the designated operator or person's history of compliance or noncompliance with the provisions of this Act or of the regulations;
  2. the nature and scope of the violation;
  3. whether or not the designated operator or person made reasonable efforts to mitigate or reverse the effect of the violation;
  4. whether or not the designated operator or person gained any competitive or economic benefit from the violation;
  5. any other factors prescribed in regulations; and
  6. any other factors that the Superintendent considers relevant.

Subsection 101(1) specifies that if the designated operator or person pays the penalty set out in the notice of violation, they are deemed to have committed the violation, ending any proceedings commenced in respect of the violation.

Subsection 101(2) provides alternatives to paying the penalty set out in the notice for the designated operator or person, including

  1. making representations to the Superintendent in respect of the alleged violation or the penalty; or
  2. if offered, entering into a compliance agreement with the Superintendent to ensure the designated operator or person's compliance with the violated provision.

Subsection 102(1) outlines that the Superintendent must determine on a balance of probabilities, following any representations made, whether or not the designated operator or person committed the violation. The Superintendent can then decide whether to impose the same penalty as was set out in the notice, a lesser penalty, or no penalty.

Subsection 102(2) specifies that the Superintendent must put its decision in writing, along with the reason for it, and provide a copy of it to the designated operator or person.

Subsection 102(3) specifies that if the Superintendent determines that the designated operator or person committed the violation, they are liable to pay the penalty as set out in the decision.

Subsection 102(4) specifies that, provided the designated operator or person pays the penalty as set out in the decision, the Superintendent must accept this as satisfaction of the penalty in respect of the violation, and end any proceedings commenced in respect of the violation.

Subsection 102(5) outlines that if the Superintendent decides that the designated operator or person did not commit the violation, any proceedings commenced in respect of the violation are ended.

Subsection 103(1) specifies that if the Superintendent offers to enter into a compliance agreement with a designated operator or person, the agreement is subject to any terms that the Superintendent considers appropriate, including the reduction in whole or in part of the penalty.

Subsection 103(2) clarifies that if a compliance agreement is entered into, the designated operator or person cannot make representations.

Subsection 103(3) clarifies that if a compliance agreement is entered into, the designated operator or person is deemed to have committed the violation.

Subsection 103(4) specifies that if the Superintendent believes that a designated operator or person has complied with the compliance agreement, the Superintendent must notify the designated operator or person and end proceedings commenced in respect of the violation.

Subsection 103(5) outlines that if the Superintendent believes that the designated operator or person has not complied with the compliance order, the Superintendent must serve the designated operator or person with a notice of default and specify that

  1. the designated operator or person is liable to pay the penalty set out in the notice of violation, less any amount they paid under the compliance agreement; and
  2. the Superintendent can make public the designated operator or person's name, violation, scope of the noncompliance with the compliance agreement and penalty.

Subsection 103(6) specifies that, provided the designated operator or person pays the penalty as set out in the notice, the Superintendent must accept this as satisfaction of the penalty in respect of the violation, and end any proceedings commenced in respect of the violation.

Sections 104 to 109: Administrative Monetary Penalty Regime for the Minister of Industry
Analysis

Section 104 allows the Minister of Industry to designate persons or classes of persons that can issue notices of violation and enter into compliance agreements.

Subsection 105(1) permits the designated person to issue a notice of violation (NOV) to a designated operator or another person if the designated person has reasonable grounds to believe that a violation has been committed. The designated person must also serve this notice of violation on the designated operator or other person.

Subsection 105(2) specifies that the NOV must name the designated operator or other person who committed the violation, identify the violation, and set out

  1. the penalty for the violation that is liable to be paid;
  2. the right of the designated operator or other person to either pay the penalty or make representations to the designated person within 30 days (or any longer period specified), and how to do so; and,
  3. the fact that, if the penalty is not paid and representations are not made within the time period specified in the notice, the designated operator or other person will be deemed to have committed the violation and is liable to pay the penalty set out in the notice.

Subsection 105(3) specifies that, at any time before the designated operator or other person pays the penalty or makes representations in respect of a NOV to the Minister of Industry, or enters into a compliance agreement with the designated person, the designated person can cancel the NOV or correct an error in it.

Section 106 outlines the following factors that must be taken into account when determining the penalty for a violation:

  1. the designated operator or other person's history of compliance or noncompliance with the provisions of this Act or of the regulations;
  2. the nature and scope of the violation;
  3. whether or not the designated operator or other person made reasonable efforts to mitigate or reverse the effect of the violation;
  4. whether or not the designated operator or other person gained any competitive or economic benefit from the violation;
  5. any other factors prescribed in regulations; and,
  6. any other factors that the designated person considers relevant.

Subsection 107(1) specifies that if the designated operator or other person pays the penalty set out in the notice of violation, they are deemed to have committed the violation, ending any proceedings commenced in respect of the violation.

Subsection 107(2) provides alternatives to paying the penalty set out in the notice for the designated operator or other person, including

  1. making representations to the Minister of Industry in respect of the alleged violation or the penalty; or
  2. if offered, entering into a compliance agreement with the designated person to ensure the designated operator or other person's compliance with the violated provision.

Subsection 108(1) specifies that should any representations be made, the Minister of Industry must determine, on a balance of probabilities, whether or not the designated operator or other person committed the violation, and decide whether to impose the penalty in the notice, a lesser penalty, or no penalty.

Subsection 108(2) specifies that the Minister of Industry must put its decision in writing, along with the reason for it, and provide a copy of it to the designated operator or other person.

Subsection 108(3) specifies that if the Minister of Industry determines that the designated operator or other person committed the violation, they are liable to pay the penalty as set out in the decision.

Subsection 108(4) specifies that, provided the designated operator or other person pays the penalty as set out in the decision, the Minister of Industry must accept this as satisfaction of the penalty in respect of the violation, and end any proceedings commenced in respect of the violation.

Subsection 108(5) outlines that if the Minister of Industry decides that the designated operator or other person did not commit the violation, any proceedings commenced in respect of the violation are ended.

Subsection 109(1) specifies that if the designated person offers to enter into a compliance agreement with a designated operator or other person, the agreement is subject to any terms that the designated person considers appropriate, including the reduction in whole or in part of the penalty.

Subsection 109(2) clarifies that if a compliance agreement is entered into, the designated operator or other person cannot make representations.

Subsection 109(3) clarifies that if a compliance agreement is entered into, the designated operator or other person is deemed to have committed the violation.

Subsection 109(4) specifies that if the designated person believes that a designated operator or other person has complied with the compliance agreement, the designated person must notify the designated operator or other person and end proceedings commenced in respect of the violation.

Subsection 109(5) outlines that if the designated person believes that the designated operator or other person has not complied with the compliance order, the designated person must serve the designated operator or other person with a notice of default and specify that

  1. the designated operator or other person is liable to pay the penalty set out in the notice of violation, less any amount they paid under the compliance agreement; and
  2. the Minister of Industry can make public the designated operator or other person's name, violation, scope of the noncompliance with the compliance agreement and penalty.

Subsection 109(6) specifies that, provided the designated operator or person pays the penalty as set out in the notice, the Minister of Industry must accept this as satisfaction of the penalty in respect of the violation, and end any proceedings commenced in respect of the violation.

Sections 110 to 114: Administrative Monetary Penalty Regime for the Bank of Canada
Analysis

Subsection 110(1) permits the Bank to issue a notice of violation (NOV) to a designated operator or another person if the Bank has reasonable grounds to believe that a violation has been committed. The Bank must also serve this NOV on the designated operator or person.

Subsection 110(2) specifies that the NOV must name the designated operator or person who committed the violation, identify the violation, and set out

  1. the penalty for the violation that is liable to be paid;
  2. the right of the designated operator or person to either pay the penalty or make representations to the Bank with respect to the violation or the proposed penalty within 30 days (or any longer period specified), and how to do so; and,
  3. the fact that, if the penalty is not paid and representations are not made within the time period specified in the notice, the designated operator or person will be deemed to have committed the violation and is liable to pay the penalty set out in the notice.

Subsection 110(3) specifies that, at any time before the designated operator or person pays the penalty or makes representations in respect of a NOV to the Governor, or enters into a compliance agreement with the Bank, the Bank can cancel the NOV or correct an error in it.

Section 111 outlines the following factors that must be taken into account when determining the penalty for a violation:

  1. the designated operator or person's history of compliance or noncompliance with the provisions of this Act or of the regulations;
  2. the nature and scope of the violation;
  3. whether or not the designated operator or person made reasonable efforts to mitigate or reverse the effect of the violation;
  4. whether or not the designated operator or person gained any competitive or economic benefit from the violation;
  5. any other factors prescribed in regulations; and,
  6. any other factors that the Bank considers relevant.

Subsection 112(1) specifies that if the designated operator or person pays the penalty set out in the notice of violation, they are deemed to have committed the violation, ending any proceedings commenced in respect of the violation.

Subsection 112(2) provides alternatives to paying the penalty set out in the notice for the designated operator or person, including

  1. making representations to the Governor in respect of the alleged violation or the penalty; or
  2. if offered, entering into a compliance agreement with the Bank to ensure the designated operator or person's compliance with the violated provision.

Subsection 113(1) outlines that the Governor must determine on a balance of probabilities, following any representations made, whether or not the designated operator or person committed the violation, and decide whether to impose the penalty in the notice, a lesser penalty, or no penalty.

Subsection 113(2) specifies that the Governor must put its decision in writing, along with the reason for it, and the Bank must provide a copy of it to the designated operator or person.

Subsection 113(3) specifies that if the Governor determines that the designated operator or person committed the violation, they are liable to pay the penalty as set out in the decision.

Subsection 113(4) specifies that, provided the designated operator or person pays the penalty as set out in the decision, the Bank must accept this as satisfaction of the penalty in respect of the violation, and end any proceedings commenced in respect of the violation.

Subsection 113(5) outlines that if the Governor decides that the designated operator or person did not commit the violation, any proceedings commenced in respect of the violation are ended.

Subsection 114(1) specifies that if the Bank offers to enter into a compliance agreement with a designated operator or person, the agreement is subject to any terms that the designated person considers appropriate, including the reduction in whole or in part of the penalty.

Subsection 114(2) clarifies that if a compliance agreement is entered into, the designated operator or person cannot make representations.

Subsection 114(3) clarifies that if a compliance agreement is entered into, the designated operator or person is deemed to have committed the violation.

Subsection 114(4) specifies that if the Bank believes that a designated operator or person has complied with the compliance agreement, the Bank must notify the designated operator or person, and end proceedings commenced in respect of the violation.

Subsection 114(5) outlines that if the Bank believes that the designated operator or person has not complied with the compliance order, the Bank must serve the designated operator or person with a notice of default and specify that

  1. the designated operator or person is liable to pay the penalty set out in the notice of violation, less any amount they paid under the compliance agreement; and
  2. the Bank can make public the designated operator or person's name, violation, scope of the noncompliance with the compliance agreement and penalty.

Subsection 114(6) specifies that, provided the designated operator or person pays the penalty as set out in the notice, the Bank must accept this as satisfaction of the penalty in respect of the violation, and end any proceedings commenced in respect of the violation.

Sections 115 to 120: Administrative Monetary Penalty Regime for the Canadian Nuclear Safety Commission
Analysis

Section 115 allows the Canadian Nuclear Safety Commission (CNSC) to designate persons or classes of persons that can issue notices of violation and enter into compliance agreements.

Subsection 116(1) permits the designated person to issue a notice of violation to a designated operator or another person if the designated person has reasonable grounds to believe that a violation has been committed. The designated person must also ensure that the designated operator or other person receives this notice of violation.

Subsection 116(2) specifies that the notice of violation must name the designated operator or other person who committed the violation, identify the violation, and set out

  1. the penalty for the violation that is liable to be paid;
  2. the right of the designated operator or other person to either pay the penalty or make representations with respect to the violation or the proposed penalty within 30 days (or any longer period specified), and how to do so; and,
  3. the fact that, if the penalty is not paid and representations are not made within the time period specified in the notice, the designated operator or other person will be deemed to have committed the violation and is liable to pay the penalty set out in the notice.

Subsection 116(3) specifies that, at any time before the designated operator or other person pays the penalty or makes representations in respect of a notice of violation to the CNSC, or enters into a compliance agreement with the designated person, the designated person can cancel the notice of violation or correct an error in it.

Section 117 outlines the following factors that must be taken into account when determining the penalty for a violation:

  1. the designated operator or other person's history of compliance or noncompliance with the provisions of this Act or of the regulations;
  2. the nature and scope of the violation;
  3. whether or not the designated operator or other person made reasonable efforts to mitigate or reverse the effect of the violation;
  4. whether or not the designated operator or other person gained any competitive or economic benefit from the violation;
  5. any other factors prescribed in regulations; and,
  6. any other factors that the designated person considers relevant.

Subsection 118(1) specifies that if the designated operator or other person pays the penalty, they are deemed to have committed the violation, ending any proceedings commenced in respect of the violation.

Subsection 118(2) provides alternatives to paying the penalty set out in the notice for the designated operator or person, including

  1. making representations to the CNSC regarding the violation or penalty; or
  2. if offered, entering into a compliance agreement with the designated person to ensure the designated operator or other person's compliance with the violated provision.

Subsection 119(1) outlines that the CNSC must determine on a balance of probabilities, following any representations made, whether or not the designated operator or person committed the violation, and decide whether to impose the penalty in the notice, a lesser penalty, or no penalty.

Subsection 119(2) specifies that the CNSC must put its decision in writing, along with the reason for it, and provide a copy of it to the designated operator or other person.

Subsection 119(3) specifies that if the CNSC determines that the designated operator or person committed the violation, they must pay the penalty as set out in the decision.

Subsection 119(4) specifies that, provided the designated operator or other person pays the penalty as set out in the decision, the CNSC must accept this as satisfaction of the penalty in respect of the violation, ending any proceedings commenced in respect of the violation.

Subsection 119(5) outlines that if the CNSC decides that the designated operator or person did not commit the violation, any proceedings commenced in respect of the violation are ended.

Subsection 120(1) specifies that if the designated person offers to enter into a compliance agreement with a designated operator or other person, the agreement is subject to any terms that the designated person considers appropriate, including the reduction in whole or in part of the penalty.

Subsection 120(2) clarifies that if a compliance agreement is entered into, the designated operator or other person cannot make representations.

Subsection 120(3) clarifies that if a compliance agreement is entered into, the designated operator or other person is deemed to have committed the violation.

Subsection 120(4) specifies that if the designated person believes that a designated operator or other person has complied with the compliance agreement, the designated person must notify the designated operator or other person, and end proceedings commenced in respect of the violation.

Subsection 120(5) outlines that if the designated person believes that the designated operator or other person has not complied with the compliance order, the designated person must serve the designated operator or other person with a notice of default and specify that

  1. the designated operator or person is liable to pay the penalty set out in the notice of violation, less any amount they paid under the compliance agreement; and
  2. the CNSC can make public the designated operator or other person's name, violation, scope of the noncompliance with the compliance agreement and penalty.

Subsection 120(6) specifies that, provided the designated operator or other person pays the penalty as set out in the notice, the CNSC must accept this as satisfaction of the penalty in respect of the violation, and end any proceedings commenced in respect of the violation.

Sections 121 to 126: Administrative Monetary Penalty Regime for the Canadian Energy Regulator
Analysis

Section 121 allows the Chief Executive Officer to designate persons or classes of persons that can issue notices of violation and enter into compliance agreements.

Subsection 122(1) permits the designated person to issue a notice of violation to a designated operator or another person if the designated person has reasonable grounds to believe that a violation has been committed. The designated person must also serve this notice of violation on the designated operator or other person.

Subsection 122(2) specifies that the notice of violation must name the designated operator or person who committed the violation, identify the violation, and set out

  1. the penalty for the violation that is liable to be paid;
  2. the right of the designated operator or other person to either pay the penalty or make representations with respect to the violation or the proposed penalty to the designated person within 30 days (or any longer period specified), and how to do so; and,
  3. the fact that, if the penalty is not paid and representations are not made within the time period specified in the notice, the designated operator or other person will be deemed to have committed the violation and is liable to pay the penalty set out in the notice.

Subsection 122(3) specifies that, at any time before the designated operator or other person pays the penalty or makes representations in respect of a notice of violation to the Commission, or enters into a compliance agreement with the designated person, the designated person can cancel the notice of violation or correct an error in it.

Section 123 outlines the following factors that must be taken into account when determining the penalty for a violation:

  1. the designated operator or other person's history of compliance or noncompliance with the provisions of this Act or of the regulations;
  2. the nature and scope of the violation;
  3. whether or not the designated operator or other person made reasonable efforts to mitigate or reverse the effect of the violation;
  4. whether or not the designated operator or other person gained any competitive or economic benefit from the violation;
  5. any other factors prescribed in regulations; and,
  6. any other factors that the designated person considers relevant.

Subsection 124(1) specifies that if the designated operator or other person pays the penalty, they are deemed to have committed the violation, ending any proceedings commenced in respect of the violation.

Subsection 124(2) provides alternatives to paying the penalty set out in the notice for the designated operator or person, including

  1. making representations to the Commission regarding the violation or penalty; or
  2. if offered, entering into a compliance agreement with the designated person to ensure the designated operator or person's compliance with the violated provision.

Subsection 125(1) allows the Commission to designate persons or classes of persons to consider the representations made under paragraph 124(2)(a).

Subsection 125(2) outlines that the Commission or the person it designates must determine, on a balance of probabilities and following any representations made, whether or not the designated operator or other person committed the violation, and decide whether to impose the penalty in the notice, a lesser penalty, or no penalty.

Subsection 125(3) specifies that the Commission or the designated person must put its decision in writing, along with the reason for it, and provide a copy of it to the designated operator or other person.

Subsection 125(4) specifies that if the Commission determines that the designated operator or other person committed the violation, they must pay the penalty as set out in the decision.

Subsection 125(5) specifies that, provided the designated operator or other person pays the penalty as set out in the decision, the Commission must accept this as satisfaction of the penalty in respect of the violation, ending any proceedings commenced in respect of the violation.

Subsection 125(6) outlines that if the Commission decides that the designated operator or other person did not commit the violation, any proceedings commenced in respect of the violation are ended.

Subsection 125(7) specifies that the Federal Court has exclusive jurisdiction for judicial review of a decision made under this section by the Commission or the designated person.

Subsection 126(1) specifies that if the designated person offers to enter into a compliance agreement with a designated operator or other person, the agreement is subject to any terms that the designated person considers appropriate, including the reduction in whole or in part of the penalty.

Subsection 126(2) clarifies that if a compliance agreement is entered into, the designated operator or other person cannot make representations.

Subsection 126(3) clarifies that if a compliance agreement is entered into, the designated operator or other person is deemed to have committed the violation.

Subsection 126(4) specifies that if the designated person believes that a designated operator or other person has complied with the compliance agreement, the designated person must serve the designated operator or other person with a notice of default and end proceedings commenced in respect of the violation.

Subsection 126(5) outlines that if the designated person believes that the designated operator or person has not complied with the compliance order, the designated person must serve the designated operator or other person with a notice of default and specify that:

  1. the designated operator or person is liable to pay the penalty set out in the notice of violation, less any amount they paid under the compliance agreement; and
  2. the CER can make public the designated operator or person's name, violation, scope of the noncompliance and penalty.

Subsection 126(6) specifies that, provided the designated operator or other person pays the penalty as set out in the notice, the CER must accept this as satisfaction of the penalty in respect of the violation, and end any proceedings commenced in respect of the violation.

Sections 127 to 134: Administrative Monetary Penalty Regime for the Minister of Transport
Analysis

Subsection 127(1) permits the Minister of Transport to issue a notice of violation to a designated operator or another person if they have reasonable grounds to believe that a violation has been made. The Minister of Transport must also serve on the designated operator or person this notice of violation.

Subsection 127(2) specifies that the notice of violation must name the designated operator or person who committed the violation, identify the violation, and set out

  1. the penalty for the violation that is liable to be paid;
  2. the right of the designated operator or person to pay the penalty to the Minister of Transport within 30 days (or any longer period specified), and how to do so;
  3. the right of the designated operator or person to file a request for review under paragraph 129(2)(a) to the Tribunal within 30 days (or within any longer period that the Tribunal allows); and
  4. the fact that, if the penalty is not paid and a request for review with the Tribunal is not filed within the time period specified in the notice, the designated operator or person will be deemed to have committed the violation and is liable to pay the penalty set out in the notice.

Subsection 127(3) specifies that, at any time before the designated operator makes a request for review to the Tribunal or enters into a compliance agreement with the Minister of Transport, the notice of violation can be canceled or an error in it corrected.

Section 128 outlines the factors that must be taken into account when determining the penalty for a violation:

  1. the designated operator or person's history of compliance or noncompliance with the provisions of this Act or of the regulations;
  2. the nature and scope of the violation;
  3. whether or not the designated operator or person made reasonable efforts to mitigate or reverse the effect of the violation;
  4. whether or not the designated operator or person gained any competitive or economic benefit from the violation;
  5. any other factors prescribed in regulations; and,
  6. any other factors that the Minister of Transport considers relevant.

Subsection 129(1) specifies that if the designated operator or person pays the penalty, they are deemed to have committed the violation, ending any proceedings commenced in respect of the violation.

Subsection 129(2) provides alternatives to paying the penalty set out in the notice for the designated operator or person, including

  1. filing a request for review with the Tribunal in respect of the alleged violation or the penalty; or
  2. if offered, entering into a compliance agreement with the Minister of Transport to ensure the designated operator or person's compliance with the violated provision.

Subsection 130(1) specifies that the Tribunal must appoint a time and place for the review when requested, and notify the Minister of Transport and the designated operator or other person in writing.

Subsection 130(2) specifies that both the Minister of Transport and the designated operator or other person must be allowed to make representations.

Subsection 130(3) clarifies that the Minister of Transport has the burden of proving on a balance of probabilities that the designated operator or other person committed the violation.

Subsection 130(4) clarifies that the designated operator or other person that is alleged to have committed a violation is not required to give any evidence or testimony.

Subsection 130(5) specifies that confidential information may be shared during reviews to the Tribunal.

Section 131 outlines that, at the end of a review, if the Tribunal member determines that

  1. the designated operator or other person did not commit the violation, then the Tribunal member must inform the Minister of Transport and that designated operator or that other person, ending any other proceedings under this Act against the designated operator or other person regarding this violation; and,
  2. the designated operator or other person committed the violation, then the member must inform the Minister of Transport and the designated operator or other person of the determination, the amount of the penalty, and when it must be paid.

Subsection 132(1) explains that the Minister of Transport, the designated operator or another person affected by the determination may appeal the determination to the Tribunal within 30 days of the decision.

Subsection 132(2) specifies that a party who does not appear at a review hearing loses its right to appeal the determination, unless they establish that there was sufficient reason to justify their absence.

Subsection 132(3) specifies that the panel of the Tribunal that is assigned to hear an appeal may dismiss it or allow it. If the appeal is allowed, the panel can substitute its decision for the determination.

Subsection 132(4) clarifies that if the panel determines that the designated operator or the other person has committed the violation, it must immediately inform the designated operator or the other person and the Minister of Transport of this determination, and, in accordance with regulations regarding penalty amounts, of the amount determined by the panel to be payable to the Tribunal by or on behalf of the designated operator or other person, in respect of the violation and the time within which it must be paid.

Subsection 132(5) clarifies that if the panel finds that no violation has been committed, it must immediately inform the designated operator or other person, as the case may be, and the Minister of Transport of this finding.

Section 133 allows the Minister of Transport to obtain from the Tribunal or the member, as the case may be, a certificate in the form established by the Governor in Council setting out the penalty required to be paid by the designated operator or other person that fails, within the time required,

  1. to pay the penalty set out in the notice of violation or to file a request for review under paragraph 129(2)(a); or
  2. to pay the amount determined under subparagraph 131(b).

Subsection 134(1) specifies that if the Minister of Transport offers to enter into a compliance agreement with a designated operator or person, the agreement is subject to any terms that the Minister of Transport considers appropriate, including the reduction in whole or in part of the penalty.

Subsection 134(2) clarifies that if a compliance agreement is entered into, the designated operator or person is no longer allowed to file a request for review under paragraph 129(2)(a).

Subsection 134(3) clarifies that if a compliance agreement is entered into, the designated operator or person is deemed to have committed the violation.

Subsection 134(4) specifies that if the Minister of Transport believes that a designated operator or person has complied with the compliance agreement, the Minister of Transport must notify the designated operator or person and end proceedings commenced in respect of the violation.

Subsection 134(5) outlines that if the Minister of Transport believes that the designated operator or person has not complied with the compliance agreement, the Minister of Transport must serve the designated operator or person with a notice of default and specify that

  1. the designated operator or person is liable to pay the penalty set out in the notice of violation, less any amount they paid under the compliance agreement; and
  2. the Minister of Transport can make public the designated operator or person's name, violation, scope of the noncompliance with the compliance agreement and penalty.

Subsection 134(6) specifies that, provided the designated operator or person pays the penalty as set out in the notice, the Minister of Transport must accept this as satisfaction of the penalty in respect of the violation, and end any proceedings commenced in respect of the violation.

Section 135: Regulations
Analysis

Subsection 135(1) gives the Governor in Council the power to make regulations for carrying out the purposes and provisions of this Act, including regulations:

  1. Respecting cyber security programs;
  2. Respecting conditions and criteria regarding internal audits;
  3. Respecting the form, manner, and period for reporting cyber security incidents and the types of incidents that must be reported;
    • c.1) Respecting the period within which a notification referred to under subsection 14(1) is to be provided;
  4. Respecting the management of records referred to in section 30, including the collection, use, retention, disclosure and disposal of those records;
  5. Designating any provision of this Act or of the regulations made under this Act for the purposes of section 90;
  6. Classifying each violation as a minor violation, a serious violation or a very serious violation;
  7. Fixing the maximum penalty in respect of each class of violations;
  8. Defining, for the purposes of this Act, any word or expression that is used in this Act but is not defined; and,
  9. Prescribing anything that is to be prescribed under this Act.

Subsection 135(2) allows the Governor in Council to ensure consistency between the regulations to be established under subsection 135(1) with existing regulatory regimes, such as those established by provincial agencies.

Sections 136 to 145: Offences
Analysis

Section 136 creates regulatory offences punishable on summary conviction.

Section 136(1) specifies that every person who contravenes the sections identified in this section is guilty of an offence punishable on summary conviction.

Section 136(2) specifies that every person, partnership or unincorporated organization that contravenes section 29 by failing to provide requested information to the appropriate regulator is guilty of an offence punishable on summary conviction.

Section 137 creates hybrid offences.

It specifies that every person who contravenes the sections identified in this section is guilty of an offence and is liable

  1. on summary conviction
    1. in the case of an individual, to a fine in an amount that is in the discretion of the court or to imprisonment for a term of not more than two years less a day, or to both, and
    2. in the case of a corporation, to a fine in an amount that is in the discretion of the court; or
  2. on conviction on indictment
    1. in the case of an individual, to a fine in an amount that is in the discretion of the court or to imprisonment for a term of not more than five years, or to both, and
    2. in the case of a corporation, to a fine in an amount that is in the discretion of the court.

Section 138 establishes that any director or officer of a designated operator that committed an offence who directed, authorized, assented to, acquiesced in or participated in the commission of the offence is party to the offence and liable on conviction to the punishment provided for by this Act. This applies whether or not the designated operator is prosecuted for or convicted of the offence.

Section 139 specifies that if an offence under section 136 (a summary offence) or 137 (a hybrid offence) is committed or continued on more than one day, it is considered a separate offence for each day on which it is committed or continued.

Section 140 specifies that a prosecution must not be commenced in respect of an offence under this Act later than three years after the day on which the subject matter of the prosecution arose.

Section 141 protects a person, partnership or unincorporated organization from being found guilty of an offence under this Act (other than an offence under section 137 that is in respect of a contravention of subsection 9(1), section 15 or 26 or paragraph 87(a) or (b)) if the person can demonstrate that they exercised all due diligence to prevent the commission of the offence.

Section 142 provides that in a prosecution under this Act, it is sufficient proof of an offence to establish that it was committed by an employee or agent or mandatary of the accused whether or not said person is identified or has been prosecuted for the offence.

Section 143 outlines that in any action or proceeding under this Act, any document certified by a regulator as a legitimate copy of the document given or issued under this Act is

  1. evidence of the original document of which it asserts to be a copy;
  2. evidence of the fact that the original document was made, given or issued by the authority of or provided by the person identified in it, and was made, given or issued at the time stated in the certified copy; and,
  3. evidence of the fact that the original document was signed, certified, attested or executed by the persons and in the manner shown in the certified copy.

Section 144 indicates that in any legal action or proceeding under this Act, any record required under this Act to be kept is, absent contrary evidence, proof of the matters stated in it against the person who made the entry or the designated operator that was required to keep the record.

Subsection 145(1) specifies that the following rules apply to judicial reviews of the issuance of a CSD (in addition to those rules associated with the general secure administrative review proceedings regime)

  1. if the judge determines that evidence or other information provided by the Minister is not relevant or if the Minister withdraws the evidence or other information, the judge must not base the decision on that evidence or other information and must return it to the Minister; and
  2. the judge must ensure the confidentiality of all evidence and other information that the Minister withdraws.

Subsection 145(2) clarifies that subsection (1) applies, with any necessary modifications, to both appeals of judicial decisions made in this section and any further appeal.

Subsection 145(3) defines, for this section, judge as "the Chief Justice of the Federal Court or a judge of that Court designated by the Chief Justice."

Section 146: Report to Parliament
Analysis

Section 146(1) obligates the Minister to prepare an annual report on the administration of the CCSPA for that fiscal year within 3 months of the end of the fiscal year, and to table it before each House of Parliament within the first 15 sitting days following its completion.

Subsection 146(2) specifies, for the fiscal year covered by the report, the following must be included in the report:

  1. the number of orders made under subsection 20(1) and the nature of the directions set out in those orders;
  2. the number of directions revoked under subsection 20(2);
  3. the number of designated operators that were subject to a direction;
  4. description of compliance of designated operators that partially complied with a direction;
  5. description of compliance of designated operators that fully complied with a direction; and
  6. an explanation of the necessity, proportionality, reasonableness, and utility of the directions.[2R]

Subsection 146(3) specifies that the report must also contain, among other things:

  1. the number of directions issued under subsection 20(1) in the immediately preceding fiscal year;
  2. the number of designated operators that were issued directions under subsection 20(1) in the immediately preceding fiscal year; and
  3. any other information relating to the immediately preceding fiscal year that the Minister considers relevant, if that information is not likely to be about an identifiable designated operator or other person.

Clauses 12 to 15: Consequential amendments

Clause 12 replaces subsection 23(1) of the Office of the Superintendent of Financial Institutions Act (OSFI Act) with the following:

Superintendent to ascertain expenses

23(1) The Superintendent shall, before December 31 in each year, ascertain the total amount of expenses incurred during the immediately preceding fiscal year for or in connection with the administration of the Bank Act, the Cooperative Credit Associations Act, the Critical Cyber Systems Protection Act, the Green Shield Canada Act, the Insurance Companies Act, the Protection of Residential Mortgage or Hypothecary Insurance Act and the Trust and Loan Companies Act.

Clause 13 amends the OSFI Act by adding the following in alphabetical order:

  • Critical Cyber Systems Protection Act
  • Loi sur la protection des cybersystèmes essentiels

Clause 14 replaces subsections 21(2) and (3) of the Nuclear Safety and Control Act by the following:

  • Fees recoverable under any other Act of Parliament
    • (1.1) The Commission may charge any fees that may be prescribed for any information, product or service that it provides under any other Act of Parliament.
  • Refund of fees
    • (2) The Commission may, under the prescribed circumstances, refund all or part of any fee referred to in paragraph (1)(g) or subsection (1.1).
  • Expenditure of revenue from fees
    • (3) The Commission may spend for its purposes the revenue from the fees it charges in the fiscal year in which the revenues are received or in the next fiscal year.

Clause 15 replaces subsection 2(3) of the Transportation Appeal Tribunal of Canada Act by the following:

  • Jurisdiction in respect of other Acts
    • (3) The Tribunal also has jurisdiction in respect of reviews and appeals in connection with administrative monetary penalties provided for under sections 177 to 181 of the Canada Transportation Act, sections 127 to 133 of the Critical Cyber Systems Protection Act, sections 43 to 55 of the International Bridges and Tunnels Act, sections 129.01 to 129.19 of the Canada Marine Act, sections 16.1 to 16.25 of the Motor Vehicle Safety Act, sections 39.1 to 39.26 of the Canadian Navigable Waters Act and sections 130.01 to 130.19 of the Marine Liability Act.

Clause 16: Coming into force
Analysis

Section 16 specifies that all provisions come into force on a day or days decided on by order of the GIC.

Schedule 1: Vital services and vital systems
Analysis

Schedule 1 includes a list of the services and systems that are vital to national security or public safety.

At the time of tabling this Act, these include:

  • Telecommunications service
  • Interprovincial or international pipeline and power line systems
  • Nuclear energy systems
  • Transportation systems that are within the legislative authority of Parliament
  • Banking systems
  • Clearing and settlement systems.

As per section 6 of this Act, Schedule 1 can be modified by an Order in Council adding any service or system to this list, or removing any service or system from this list.

Schedule 2: Classes of operators and corresponding regulators
Analysis

Schedule 2 is empty at the time of tabling this Act.

When the Governor in Council is ready to do so, this schedule will be populated by an Order in Council that will define classes of operators that will become subject to this Act.

This schedule will also identify the corresponding regulator (as defined in section 2) for each class of operators. The regulator becomes the appropriate regulator for all of the operators captured in that class.
