Blog Archives

Statement on Bill C-8: Strengthening Cybersecurity While Preserving Digital Trust

November 12, 2025

Bill C-8 establishes the Critical Cyber Systems Protection Act (CCSPA) and enhances federal oversight of telecommunications to protect Canada’s critical infrastructure from cyber threats. DIACC recognizes the urgent need to protect vital systems underpinning our digital economy while maintaining the trust foundations essential to Canada’s prosperity.

Key Provisions

Bill C-8 establishes mandatory cybersecurity obligations for designated operators in telecommunications, banking, energy, transportation, and nuclear sectors:

  • Cybersecurity programs are required within 90 days, with annual reviews
  • Incident reporting to the Communications Security Establishment within 72 hours
  • Supply chain risk management and record-keeping in Canada
  • The federal government may issue confidential, binding directions without prior consultation
  • Penalties up to $15 million per violation for organizations

Critical Considerations

Encryption and Privacy Protections
Provisions grant broad powers to direct telecommunications providers “to do anything or refrain from doing anything.” The Privacy Commissioner noted Bill C-8 could result in the collection of subscriber information, communication data, metadata, and location data. The Intelligence Commissioner questioned whether warrantless seizure of information can be constitutionally justified.

Technical experts warn these powers could require weakening encryption standards. Encryption is foundational infrastructure for digital trust, protecting financial transactions, healthcare communications, and secure authentication systems that enable digital identity solutions.

Transparency and Accountability
The bill authorizes confidential directions without requiring consultation with affected operators or notification to the privacy oversight body. The Privacy Commissioner recommended that government institutions notify his Office of cybersecurity incidents involving material privacy breaches. The absence of privacy impact assessment requirements represents a significant safeguard gap.

Interoperability and Standards
Cybersecurity measures should align with frameworks, including DIACC’s Pan-Canadian Trust Framework (PCTF), which provides consensus-based protocols for digital identity and authentication. Consistency between federal cybersecurity requirements and provincial privacy regimes is essential for seamless digital services and interprovincial trade.

Economic Impact
Limited implementation detail exists, with specifics deferred to future regulations. The absence of exemptions for organizations with mature cybersecurity protocols and the lack of financial incentives for proactive investments may disproportionately impact small and medium enterprises. Requirements diverging from international standards could affect Canada’s competitiveness as a trusted destination for digital business.

DIACC’s Recommendations

DIACC encourages policy frameworks that:

  • Strengthen security without compromising privacy: Preserve encryption standards and privacy-enhancing technologies, enabling trusted digital interactions
  • Promote transparency and accountability: Implement privacy impact assessments and meaningful consultation with oversight bodies.
  • Ensure interoperability: Align federal requirements with provincial frameworks and international standards
  • Balance security with civil liberties: Maintain robust Charter rights protections while securing critical infrastructure.
  • Foster innovation: Enable Canadian organizations to compete globally while maintaining high security standards

Canada can establish cybersecurity governance that protects critical infrastructure while preserving trust, privacy, and innovation. DIACC encourages ongoing consultation to ensure Bill C-8 achieves security objectives while maintaining digital trust foundations essential to Canada’s economic prosperity and democratic values.

Joni Brennan
President, DIACC

Statement on Bill C-4: Balancing Economic Relief with Privacy Considerations

November 12, 2025

Bill C-4 introduces essential economic relief measures for Canadians, including tax reduction, housing incentives, and cost-of-living support during challenging times. These provisions respond to real pressures facing Canadian households and businesses, and represent meaningful efforts to provide fiscal relief when it is needed most.

However, Part 4 of the bill warrants careful consideration by policymakers and stakeholders across Canada’s digital trust ecosystem. This section amends the Canada Elections Act regarding how federal political parties handle personal information. According to the bill’s summary, Part 4 “amends the Canada Elections Act to make changes to the requirements relating to political parties’ policies for the protection of personal information.”

Key Provisions

The amendments would require parties’ privacy policies to be available in both official languages and written in plain language, stating “the types of personal information in relation to which the party carries out its activities” and explaining “using illustrative examples, how the party carries out its activities in relation to personal information.” These transparency requirements represent positive steps toward helping Canadians understand how their data is used in the political process.

However, the bill also includes a provision stating that “a registered party … cannot be required to comply with an Act of a province or territory that regulates activities in relation to personal information … unless the party’s policy … provides otherwise.” This clause raises questions about the interoperability of federal and provincial privacy frameworks, particularly as provinces continue to strengthen their own privacy legislation.

Considerations for the Digital Trust Economy

Privacy protection is a cornerstone of digital trust and civic confidence in democratic institutions. As Canadians increasingly engage with political processes through digital channels, the handling of personal information by political parties becomes more consequential. The data collected, ranging from contact information to political preferences and engagement patterns, requires robust safeguards that align with contemporary privacy standards.

Some stakeholders have raised questions about how these amendments align with evolving privacy standards across jurisdictions and sectors. One analysis suggests the changes could create “a regime where parties are held to standards far below those governing businesses, governments, and national security agencies.” While political parties operate in a unique context with constitutional dimensions around freedom of expression and association, the question of appropriate oversight mechanisms merits thoughtful examination.

Provincial privacy commissioners and data protection authorities have developed significant expertise in overseeing privacy practices across various sectors. The relationship between federal electoral processes and provincial privacy frameworks presents both jurisdictional complexities and opportunities for collaborative governance approaches.

DIACC Recommendations

As a multi-stakeholder organization focused on digital identity and trust, DIACC offers the following recommendations to strengthen Bill C-4 while maintaining its economic relief objectives:

  1. Establish Independent Oversight: Consider establishing an oversight role for the Office of the Privacy Commissioner of Canada regarding federal political parties’ handling of personal information, with appropriate investigative and enforcement mechanisms that respect the unique context of democratic processes.
  2. Maintain Baseline Provincial Standards: Amend the provision to ensure federal political parties remain subject to applicable provincial privacy laws as a baseline, while allowing parties to adopt higher standards voluntarily. This would maintain consistency with the principle of cooperative federalism and avoid creating a privacy protection gap.
  3. Align with Modern Privacy Principles: Ensure party privacy policies align with the core principles of PIPEDA and contemporary provincial privacy legislation, including consent, purpose limitation, data minimization, accuracy, and accountability.
  4. Implement Transparency and Reporting: Require federal political parties to publish annual transparency reports detailing the types and volumes of personal information collected, purposes of use, data retention periods, and any third-party sharing arrangements.
  5. Enable Technical Interoperability: Encourage alignment with recognized privacy frameworks such as the Pan-Canadian Trust Framework (PCTF) to facilitate consistent privacy practices across federal and provincial jurisdictions and sectors.
  6. Conduct Privacy Impact Assessments: Require political parties to conduct and publish privacy impact assessments when implementing new data collection technologies or significantly changing data handling practices.
  7. Establish a Review Mechanism: Include a mandatory parliamentary review provision within three years to assess the effectiveness of these amendments and their alignment with evolving privacy standards and technologies.
  8. Enhance Public Education: Support Elections Canada in developing public education resources to help Canadians understand their privacy rights in the political context and how to exercise control over their personal information.

DIACC encourages ongoing consultation between federal and provincial authorities, privacy commissioners, political parties, and civil society stakeholders throughout the implementation of these amendments. Strong privacy safeguards and economic relief need not be mutually exclusive; both are essential to building a resilient digital economy and maintaining trust in Canadian institutions.

By strengthening the privacy provisions in Part 4 while maintaining the essential economic relief measures in other parts of the bill, Parliament can demonstrate that protecting Canadians’ personal information and supporting their economic well-being are complementary priorities.

Joni Brennan
President, DIACC