Remarks to the Standing Committee on Public Safety and National Security – October 30, 2025

The Honourable Simon Noël, K.C., Intelligence Commissioner

(Check against delivery)

October 30, 2025

Thank you, Mr. Chair, and members for the invitation. I am accompanied today by Justin Dubois, Executive Director and General Counsel at the Office of the Intelligence Commissioner.

To place my comments on this Bill in context, it is useful to briefly explain what my role is as Intelligence Commissioner – which I will refer to as IC.

I approve, or do not approve, certain national security and intelligence activities proposed by the Communications Security Establishment (CSE) and Canadian Security Intelligence Service (CSIS) and authorized respectively by the Minister of National Defence and Minister of Public Safety.

My independent approval is necessary because the activities the Ministers authorize may be contrary to the law or breach the reasonable expectation of privacy of Canadians. Only with my approval can the activities then be conducted.

The role of the IC was created in 2019. Of particular relevance to this Bill, the mandate given to the IC by Parliament at that time includes enabling CSE to effectively respond to cyber incidents on federal systems and systems that have been designated as important to the Government of Canada. More specifically, one of my functions is to review ministerial authorizations that allow CSE to conduct cybersecurity activities on those systems.

My approval is necessary because the cybersecurity activities conducted by CSE lead to the collection of vast amounts of information, including information in which Canadians have a reasonable expectation of privacy. To be effective in conducting cybersecurity, CSE needs to collect this information. I only approve the ministerial authorization when I am satisfied that the Minister has struck a reasonable balance between the security of Canada and the privacy of Canadians. This includes ensuring that appropriate measures are in place to protect the privacy interests of Canadians.

Through my work as IC, I see the tremendous value of a national approach to cybersecurity. I remain of that view. Canada must have the necessary tools to protect our critical electronic systems. However, these tools must be accompanied by the appropriate safeguards and independent oversight.

In my view, there are elements of this Bill where independent oversight would improve the protection of these privacy interests. I will raise one that relates most closely to my role as IC.

This Bill aims to better protect our critical cyber systems. CSE is our national expert in cybersecurity and will, through this Bill, receive information on cyber incidents.

In my experience as IC, for CSE to analyze and understand a cyber incident, it must have access to information about the incident. There may be situations where this information is only technical in nature and sharing it with CSE raises no privacy concerns. However, to fully understand the cyber incident, other situations may require CSE to have access to information – including technical information – in which Canadians have a reasonable expectation of privacy. Technology and cyber threats evolve faster than legislation. The Bill should provide the flexibility to adapt accordingly and allow for the sharing of this information with appropriate oversight.

In the current system, prior to collecting this information, CSE is required to obtain a ministerial authorization and approval from the IC. Parliament chose to implement this process in 2019 to strike a balance between privacy and security.

Now, in 2025, the mechanism proposed in the Bill consists of adopting a regulation setting out what information about cyber incidents is to be shared with CSE, and how it is to be shared. As you know, there is no independent oversight of a regulation. One possible simple and effective oversight measure would be to require CSE to obtain an annual ministerial authorization that establishes a framework for how it uses and shares this information, which would then be subject to review and approval by the Intelligence Commissioner.

Effective cybersecurity is essential for Canadians. CSE must have access to the information it needs to conduct its excellent work – with the necessary oversight to allow for that access.

I support the Bill’s intent but believe that targeted additional safeguards that do not impose a heavy administrative burden on our agencies would increase Canadians’ confidence that these measures intended to protect them do not themselves unnecessarily intrude on their privacy.

I’ll be happy to answer any questions.