Bill C‑8 Passes House Of Commons Following Substantive Amendments And Speaker’s Ruling

On March 26, 2026, Bill C‑8 (An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts) formally passed Third Reading in the House of Commons and proceeded to the Senate for First Reading.

This update follows our earlier bulletin, “Bill C‑8 Reboots Canada’s Cybersecurity Legislation for the Telecommunications Sector and Other Critical Infrastructure” (October 2025).

Bill C‑8, introduced to replace Bill C‑26 (which had died on the order paper at the end of the previous session of Parliament), establishes a mandatory cybersecurity framework for critical systems in Canada’s telecommunications, finance, energy, and transportation sectors. Although committee amendments added safeguards to address privacy and network‑integrity concerns, a March 25, 2026, ruling by the Speaker of the House (the “Speaker”) removed several measures that would have required prior judicial authorization for government orders.

Procedural Update: The Speaker’s Ruling on Judicial Oversight

During clause‑by‑clause study, the House Standing Committee on Public Safety and National Security (SECU) adopted three Conservative Party of Canada (“CPC”) amendments intended to introduce independent judicial oversight: CPC‑2 (requiring prior judicial authorization for security orders) and CPC‑5 and CPC‑15 (transferring authority over non‑disclosure orders to the judiciary).

On March 25, 2026, the Speaker ruled these amendments out of order on the basis that they exceeded the scope of the bill as adopted at Second Reading. The Speaker determined that transferring order‑making authority from the executive to the judiciary introduced “new concepts” not previously approved by the House. Consequently, the authority of the Minister and the Governor in Council to issue cybersecurity and secrecy orders has been restored in the version of the bill now before the Senate, leaving such orders subject only to after‑the‑fact judicial review.

Key Committee Amendments

Despite the procedural removal of prior judicial authorization, several substantive amendments adopted by SECU remain in the version of the bill now before the Senate.

Explicit Protections for Encryption and Lawful Expression: To address concerns that security powers could be used for surveillance or to weaken digital infrastructure, Bill C‑8 now includes “for greater certainty” provisions. Subsection 15.2(2.1) of the Telecommunications Act (“Act”) and subsection 20(1.1) of the Critical Cyber Systems Protection Act (“CCSPA”) explicitly state that the Minister or Governor in Council must not order the decoding of an encrypted private communication. Additionally, section 15.01 of the Act clarifies that “interference with or manipulation, disruption or degradation” of a system includes technical actions and excludes the effects of lawful expression, persuasion, or political debate.

Enhanced Privacy and Data Stewardship Obligations: Responding to recommendations from the Privacy Commissioner, the revised Bill requires the Minister and Governor in Council to consider “potential impacts on the privacy of Canadians” before issuing any security order under the Act. Further amendments introduce data‑stewardship obligations, requiring the government, other persons who collect or obtain personal information pursuant to security orders under the Act (such as telecommunications service providers), and designated operators under the CCSPA to dispose of personal information obtained or collected in connection with the new provisions introduced by Bill C-8 once it is no longer required: 1) in the case of the Act, for the purposes of a security order or regulations established under the Act; 2) in the case of the CCSPA, for the purposes for which it was collected or obtained; or 3) in either case, to verify compliance or in accordance with any requirement under the Privacy Act that applies to the information.

Safeguards for Individual Service Continuity: To prevent the potential misuse of security powers, subsection 15.2(1.1) was added to the Act to prohibit orders directing the suspension of service to an individual unless such a measure is strictly necessary to secure the system against a specified technical cybersecurity threat.

Impact on Regulated Entities

As amended, Bill C‑8 introduces several practical considerations for operators of federally regulated cyber systems:

• Administrative Monetary Penalties (Individuals): The maximum administrative monetary penalty under the CCSPA for an individual (such as a director or officer) has been reduced from $1,000,000 to $500,000 per violation.
• Regulatory Alignment: The Governor in Council is directed to ensure that regulations under the CCSPA are, to the extent possible, consistent with existing regulatory or standards‑based regimes, such as those developed by the North American Electric Reliability Corporation (NERC).
• Preservation of Privilege: A new provision (section 148) confirms that the CCSPA does not affect solicitor‑client privilege or professional secrecy in the context of audits or information‑sharing obligations.
• Transparency Mandates: While secrecy orders remain available under the Act, the Minister is now required to publish a summary of the annual report on the Department of Industry’s website within 10 days of it being tabled in Parliament.
• Mandatory Data Disposal: Designated operators and telecommunications service providers are now required to dispose of personal information collected or obtained under the new powers under Bill C-8 as described above (see sections 15.701 of the Act and 29.1 of the CCSPA).

Next Steps

Bill C-8 received First Reading in the Senate on March 26, 2026. Second Reading is expected in the coming weeks, after which the bill will be referred to committee for study.

Should the Senate adopt any amendments, the bill would be returned to the House of Commons for concurrence before proceeding to Royal Assent.

The amended Bill C-8 also includes a statutory requirement (section 17 of the Bill) for a mandatory ministerial review to be completed within five years of Royal Assent. This review will assess the effectiveness of the provisions enacted by Bill C-8 in addressing offences facilitated by cyber technology and may include recommendations for consequential amendments to other legislation, including the Criminal Code. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.