Remarks to the Standing Senate Committee on National Security, Defence and Veterans Affairs - May 4, 2026

The Honourable Simon Noël, K.C., Intelligence Commissioner

(Check against delivery)

Thank you, Mr. Chair, and honourable members for the invitation. I am accompanied today by Justin Dubois, Executive Director and General Counsel at the Office of the Intelligence Commissioner.

I appeared before this committee to discuss Bill C-26, the previous version of this Bill. I remain of the view that Canada must have the necessary tools to protect our critical electronic systems, but that these tools must be accompanied by the appropriate safeguards and independent oversight. Bill C-8 is a useful tool and I support its objectives. However, I am of the view that independent oversight would strengthen the Bill. 

One of my duties as Intelligence Commissioner – which I will refer to as the IC – is to approve ministerial authorizations for cybersecurity activities. These authorizations grant CSE the permission to access and collect information from IT systems belonging to non-federal entities that have been designated as being of importance to the federal government. An example in the public domain are the IT systems of the governments of Nunavut, the Northwest Territories and the Yukon.

The reason why my approval is necessary is that for CSE to be effective in carrying out cybersecurity activities on those systems, it will inevitably have to collect information in which Canadians have a reasonable expectation of privacy. Parliament was therefore of the view that oversight was required. Before approving cybersecurity activities, I must determine that they are reasonable and proportionate, and that CSE has appropriate measures to protect information in which Canadians may have a privacy interest.

Under this Bill, regulations will set out what information designated operators will have to provide to CSE if it is a victim of a cybersecurity incident. CSE is our cybersecurity expert. It is in our national interest for CSE to have a more complete understanding of cyber incidents to respond more effectively. The information shared will have to be sufficient to provide CSE with a robust understanding of the incident. However, there is no independent oversight of a regulation.

In my experience as IC, even if CSE is only interested in receiving technical information to understand incidents, there may be cases where it must receive more than technical information. There may also be cases where technical information will touch on the privacy interests of Canadians. Indeed, in CSE’s written submissions before this committee, it confirms that data on cyber incidents can include information with a Canadian privacy interest. For example, IP addresses can be indicators of compromise shared to better understand cybersecurity incidents and the Supreme Court of Canada has confirmed that there can be privacy interests in IP addresses. It’s also important to remember that under this proposed legislation, the reporting of cyber incidents will be mandatory. Through CSE, the Government would be collecting this information.

I think it is necessary to collect information relating to cybersecurity incidents. CSE should receive the information it needs to be effective. However, I remain unconvinced that a regulation will guarantee that information shared following a cybersecurity incident will absolutely never engage privacy interests of Canadians. If that’s the case, the question for this committee is whether additional oversight is warranted. I would be happy to answer any questions.

Page details

2026-05-08