https://www.parl.ca/DocumentViewer/en/45-1/bill/C-8/first-reading
Bill C-8 requires critical infrastructure companies (telecoms, banks, etc.) to report any “significant” cyber incidents to the government. Yet these incidents often involve massive personal data breaches (names, addresses, transactions, behavioural patterns). The bill imposes no obligation to inform affected individuals, nor does it grant them any right to challenge how their data is used by the state.
The Minister may unilaterally amend cybersecurity standards through regulations, bypassing Parliament entirely. This means potentially intrusive technical requirements—such as real-time access to system logs, mandatory local data storage, or backdoor access—could be imposed without democratic scrutiny or public consultation.
A company that reports an incident risks inspections, compliance orders, and fines if deemed “non-compliant.” The result? Incentives push firms to conceal breaches rather than disclose them. Citizens remain uninformed, while the government amasses detailed knowledge of systemic vulnerabilities—without sharing that information or being held accountable.
By amending the Telecommunications Act to formally include “security” as a legal objective, the government gains a permanent lever to impose technical rules on internet service providers. Over time, this could justify measures such as mandatory metadata retention, traffic filtering, or blocking of services—all in the name of cybersecurity.
The Canadian Centre for Cyber Security (CCCS) is granted expanded powers but remains directly subordinate to the Minister—not an independent body. There is no specialized tribunal, no parliamentary commissioner, and no legal avenue for individuals to seek redress if their data is compromised or misused under this framework.