Monthly Archives: November 2025

Statement on Bill C-8: Strengthening Cybersecurity While Preserving Digital Trust

November 12, 2025

Bill C-8 establishes the Critical Cyber Systems Protection Act (CCSPA) and enhances federal oversight of telecommunications to protect Canada’s critical infrastructure from cyber threats. DIACC recognizes the urgent need to protect vital systems underpinning our digital economy while maintaining the trust foundations essential to Canada’s prosperity.

Key Provisions

Bill C-8 establishes mandatory cybersecurity obligations for designated operators in telecommunications, banking, energy, transportation, and nuclear sectors:

  • Cybersecurity programs are required within 90 days, with annual reviews
  • Incident reporting to the Communications Security Establishment within 72 hours
  • Supply chain risk management and record-keeping in Canada
  • The federal government may issue confidential, binding directions without prior consultation
  • Penalties up to $15 million per violation for organizations

Critical Considerations

Encryption and Privacy Protections
Provisions grant broad powers to direct telecommunications providers “to do anything or refrain from doing anything.” The Privacy Commissioner noted Bill C-8 could result in the collection of subscriber information, communication data, metadata, and location data. The Intelligence Commissioner questioned whether warrantless seizure of information can be constitutionally justified.

Technical experts warn these powers could require weakening encryption standards. Encryption is foundational infrastructure for digital trust, protecting financial transactions, healthcare communications, and secure authentication systems that enable digital identity solutions.

Transparency and Accountability
The bill authorizes confidential directions without requiring consultation with affected operators or notification to the privacy oversight body. The Privacy Commissioner recommended that government institutions notify his Office of cybersecurity incidents involving material privacy breaches. The absence of privacy impact assessment requirements represents a significant safeguard gap.

Interoperability and Standards
Cybersecurity measures should align with frameworks, including DIACC’s Pan-Canadian Trust Framework (PCTF), which provides consensus-based protocols for digital identity and authentication. Consistency between federal cybersecurity requirements and provincial privacy regimes is essential for seamless digital services and interprovincial trade.

Economic Impact
Limited implementation detail exists, with specifics deferred to future regulations. The absence of exemptions for organizations with mature cybersecurity protocols and the lack of financial incentives for proactive investments may disproportionately impact small and medium enterprises. Requirements diverging from international standards could affect Canada’s competitiveness as a trusted destination for digital business.

DIACC’s Recommendations

DIACC encourages policy frameworks that:

  • Strengthen security without compromising privacy: Preserve encryption standards and privacy-enhancing technologies, enabling trusted digital interactions
  • Promote transparency and accountability: Implement privacy impact assessments and meaningful consultation with oversight bodies
  • Ensure interoperability: Align federal requirements with provincial frameworks and international standards
  • Balance security with civil liberties: Maintain robust Charter rights protections while securing critical infrastructure
  • Foster innovation: Enable Canadian organizations to compete globally while maintaining high security standards

Canada can establish cybersecurity governance that protects critical infrastructure while preserving trust, privacy, and innovation. DIACC encourages ongoing consultation to ensure Bill C-8 achieves security objectives while maintaining digital trust foundations essential to Canada’s economic prosperity and democratic values.

Joni Brennan
President, DIACC

Statement on Bill C-4: Balancing Economic Relief with Privacy Considerations

November 12, 2025

Bill C-4 introduces essential economic relief measures for Canadians, including tax reduction, housing incentives, and cost-of-living support during challenging times. These provisions respond to real pressures facing Canadian households and businesses, and represent meaningful efforts to provide fiscal relief when it is needed most.

However, Part 4 of the bill warrants careful consideration by policymakers and stakeholders across Canada’s digital trust ecosystem. This section amends the Canada Elections Act regarding how federal political parties handle personal information. According to the bill’s summary, Part 4 “amends the Canada Elections Act to make changes to the requirements relating to political parties’ policies for the protection of personal information.”

Key Provisions

The amendments would require parties’ privacy policies to be available in both official languages and written in plain language, stating “the types of personal information in relation to which the party carries out its activities” and explaining “using illustrative examples, how the party carries out its activities in relation to personal information.” These transparency requirements represent positive steps toward helping Canadians understand how their data is used in the political process.

However, the bill also includes a provision stating that “a registered party … cannot be required to comply with an Act of a province or territory that regulates activities in relation to personal information … unless the party’s policy … provides otherwise.” This clause raises questions about the interoperability of federal and provincial privacy frameworks, particularly as provinces continue to strengthen their own privacy legislation.

Considerations for the Digital Trust Economy

Privacy protection is a cornerstone of digital trust and civic confidence in democratic institutions. As Canadians increasingly engage with political processes through digital channels, the handling of personal information by political parties becomes more consequential. The data collected, ranging from contact information to political preferences and engagement patterns, requires robust safeguards that align with contemporary privacy standards.

Some stakeholders have raised questions about how these amendments align with evolving privacy standards across jurisdictions and sectors. One analysis suggests the changes could create “a regime where parties are held to standards far below those governing businesses, governments, and national security agencies.” While political parties operate in a unique context with constitutional dimensions around freedom of expression and association, the question of appropriate oversight mechanisms merits thoughtful examination.

Provincial privacy commissioners and data protection authorities have developed significant expertise in overseeing privacy practices across various sectors. The relationship between federal electoral processes and provincial privacy frameworks presents both jurisdictional complexities and opportunities for collaborative governance approaches.

DIACC Recommendations

As a multi-stakeholder organization focused on digital identity and trust, DIACC offers the following recommendations to strengthen Bill C-4 while maintaining its economic relief objectives:

  1. Establish Independent Oversight: Consider establishing an oversight role for the Office of the Privacy Commissioner of Canada regarding federal political parties’ handling of personal information, with appropriate investigative and enforcement mechanisms that respect the unique context of democratic processes.
  2. Maintain Baseline Provincial Standards: Amend the provision to ensure federal political parties remain subject to applicable provincial privacy laws as a baseline, while allowing parties to adopt higher standards voluntarily. This would maintain consistency with the principle of cooperative federalism and avoid creating a privacy protection gap.
  3. Align with Modern Privacy Principles: Ensure party privacy policies align with the core principles of PIPEDA and contemporary provincial privacy legislation, including consent, purpose limitation, data minimization, accuracy, and accountability.
  4. Implement Transparency and Reporting: Require federal political parties to publish annual transparency reports detailing the types and volumes of personal information collected, purposes of use, data retention periods, and any third-party sharing arrangements.
  5. Enable Technical Interoperability: Encourage alignment with recognized privacy frameworks such as the Pan-Canadian Trust Framework (PCTF) to facilitate consistent privacy practices across federal and provincial jurisdictions and sectors.
  6. Conduct Privacy Impact Assessments: Require political parties to conduct and publish privacy impact assessments when implementing new data collection technologies or significantly changing data handling practices.
  7. Establish a Review Mechanism: Include a mandatory parliamentary review provision within three years to assess the effectiveness of these amendments and their alignment with evolving privacy standards and technologies.
  8. Enhance Public Education: Support Elections Canada in developing public education resources to help Canadians understand their privacy rights in the political context and how to exercise control over their personal information.

DIACC encourages ongoing consultation between federal and provincial authorities, privacy commissioners, political parties, and civil society stakeholders throughout the implementation of these amendments. Strong privacy safeguards and economic relief need not be mutually exclusive; both are essential to building a resilient digital economy and maintaining trust in Canadian institutions.

By strengthening the privacy provisions in Part 4 while maintaining the essential economic relief measures in other parts of the bill, Parliament can demonstrate that protecting Canadians’ personal information and supporting their economic well-being are complementary priorities.

Joni Brennan
President, DIACC

DIACC AI Consultation Submission to the Federal Government

October 31, 2025 – Canada has the opportunity not only to develop world-class AI capabilities, but also to build an ecosystem where AI innovation and responsible deployment are enabled by a strong foundation of digital trust, identity, authentication, and interoperability. DIACC’s mission is to accelerate the adoption of digital trust by enabling privacy-respecting, secure, interoperable digital trust and identity verification services through the DIACC Pan-Canadian Trust Framework (PCTF).

In this submission, we outline how investments in trust infrastructure, standards and verification can help deliver four key outcomes: scale Canadian AI champions, attract investment, support adoption and foster responsible, efficient deployment of AI systems.

About DIACC

The Digital ID and Authentication Council of Canada (DIACC) is a non-profit public–private coalition created following the federal Task Force for the Payments System Review. DIACC’s mission is to accelerate the adoption of digital trust by enabling privacy-respecting, secure, and interoperable identity systems.

DIACC is the steward of the Pan-Canadian Trust Framework (PCTF)™ — a public and private sector, industry-developed, standards-based, technology-neutral framework designed to enable scalable, certifiable digital trust infrastructure that meets the needs of governments, businesses, and individuals.

The DIACC PCTF has been developed in collaboration with experts from federal, provincial, and territorial governments as well as industry and civil society. It supports verifiable credentials, authentication services, fraud prevention, and information integrity across the Canadian digital economy.

Scaling Canadian AI champions and attracting investment

A major barrier for Canadian AI firms is not solely algorithmic innovation, but the ability to build scalable, trusted solutions that can be easily integrated with government and industry systems — particularly in regulated sectors. To scale, Canadian AI companies must demonstrate trustworthiness, security, privacy compliance, identity/credential verification, and interoperability — all of which raise costs and complexity when the underlying infrastructure is fragmented or weak.

Further, investors increasingly look for ventures that have not only technical sophistication but also strong risk management, data provenance, identity assurance and governance frameworks. Canada can differentiate itself by emphasizing trusted AI ecosystems.

Recommendations:

  • Recognize identity, authentication, verification and trust-framework services (e.g., the DIACC PCTF) as critical infrastructure to underpin secure and trustworthy AI ecosystem scaling — and include funding streams, procurement support and regulatory recognition accordingly.
  • Introduce targeted incentives (grants/tax credits) for Canadian AI firms that embed standards-based verifiable credentials, identity proofing and interoperability from day one — thereby lowering investor risk and improving export readiness.
  • Foster public-private collaborations where government platforms adopt standards-based digital credentials (for authentication, identity verification, data-sharing) and invite Canadian AI firms to build on those platforms — this creates domestic anchor opportunities and global reference cases.
  • Promote and fund initiatives that allow Canadian AI firms to export trust by aligning Canada’s trust-framework credentials with international equivalents (e.g. UK identity frameworks) so that Canadian-built AI solutions come with built-in identity/credential assurance for global markets.

Enabling adoption of AI across industry and government

Adoption by industry and government is facilitated when the infrastructure for authenticating, verifying identity, sharing data, and managing credentials is streamlined and standards-based. AI solutions deployed in real-world workflows often hinge on knowing who is interacting, what credentials they hold, and which data sources are valid, not just on the AI model itself.

Fragmentation in identity verification, digital credentials and interoperability across jurisdictions (federal/provincial/territorial) also increases friction, slows procurement and reduces the number of “ready” integration points for AI vendors.

Recommendations:

  • Deploy a reusable digital credential/single sign-on system for government services (federal, provincial, municipal) modelled on widely used private-sector login tools. This makes it easier for government agencies and vendors (including Canadian AI firms) to plug in.
  • Encourage government procurement frameworks to demand standards-based trust services (identity proofing, verifiable credentials) as part of AI solutions — thereby embedding adoption readiness from the procurement side.
  • Provide and consume standardized capability services offered by the public and private sectors (identity/credential verification, verifiable data sources, API hubs) that AI firms can access while respecting privacy and leveraging a consent-based framework, rather than each reinventing them, thereby reducing cost and time-to-market.
  • Support industry-government collaborations in regulated sectors (e.g. health and finance) where trust and identity verification matter first — by creating pilot environments that leverage trustworthy identity and credentials as the foundation for AI deployment.

Building safe, reliable and trustworthy AI systems, and strengthening public trust

Public trust in AI is undermined when the authenticity of interactions, data and verified identities cannot be reliably determined — for example, synthetic identities, manipulated documents, fraud-enabled onboarding, and unverified credentials all impact trust and impede safe AI deployment.

Identity assurance, verifiable credentials and trustworthy provenance of data and interactions are vital to enable AI in environments where safety, ethics, regulation, and accountability matter (e.g. financial decisions, cross-border labour credentials).

A standards-based trust framework such as DIACC’s PCTF can support traceability, transparency and audit capability in AI workflows, making systems safer, more explainable, and more investable.

Recommendations:

  • Fund the adoption and certification of privacy-respecting, standards-based identity, verification and credential-issuance systems (e.g. the DIACC PCTF) across sectors that will use AI.
  • Recognize identity verification, credentialing and data provenance as core components of AI governance frameworks (not just “nice to have” add-ons), and include them in AI risk-assessment, certification and procurement guidance.
  • Invest in research and development of identity and credentialing tools that are specifically tailored for AI use-cases (e.g. verifying data source authenticity).

Building enabling infrastructure, including data, connectivity and skills

While data and connectivity are widely recognized as AI-enablers, equally critical is the infrastructure of trust, including identity frameworks, verifiable credentials, authentication services, and certification of trust services — without which data sharing, inter-jurisdictional collaboration, and large-scale deployment face bottlenecks.

Digital sovereignty is also critical. Canada must ensure that infrastructure (cloud, data centres, identity/trust services) aligns with domestic values, jurisdictional control and regulatory frameworks in order to attract both domestic and foreign investment that values provenance and security.

Recommendations:

  • Invest in Canadian-based trust infrastructure, including domestic cloud and data centres, specifically for identity/credential/trust-services, to support AI readiness, digital sovereignty and economic resilience (as previously recommended by DIACC).
  • Ensure that interoperability standards for identity, credentials and trust-services are integrated into AI infrastructure planning — enabling cross-sector and cross-jurisdiction data flows, credentials reuse, and reduced duplication of onboarding/verification.
  • Support development of shared digital identity and credential hubs, which can serve as infrastructure building blocks for AI-enabled systems, enabling smaller firms or remote/Indigenous communities to access AI infrastructure.
  • Link infrastructure investment to skills and operational readiness, and include training programs for identity/trust-service management, credential issuance and verification, and interoperable system design, ensuring the human infrastructure is aligned with the technical.

Conclusion

Scaling Canada’s AI champions, attracting investment, accelerating adoption, and building safe and trusted AI systems all rest on a foundation of digital trust, verifiable identity, credentialing and interoperability. By recognizing and investing in trust infrastructure as a core enabler alongside data and connectivity, Canada can create a differentiated and competitive AI ecosystem.

DIACC welcomes further collaboration with federal partners and key stakeholders to implement standards-based trust frameworks, support interoperable credentialing and enable Canada’s AI ecosystem to flourish on the global stage.

Thank you once again for the opportunity to provide this input.

Joni Brennan
President, DIACC