Protecting privacy is vital in our free and democratic society. We understand that, given our work, CSE has a particular responsibility to protect Canadian privacy, and we take it very seriously.
Privacy law and CSE
CSE is prohibited by law from targeting the private information of Canadians or any person in Canada.
We don’t ask our allies to do anything on our behalf that is not legal for us to do.
This is spelled out in the CSE Act. It is also enshrined in the Canadian Charter of Rights and Freedoms, the Privacy Act and the Criminal Code.
But the story does not end there.
Since we live in a global, interconnected world, what happens when, in the course of fulfilling our legal mandate, we incidentally intercept a Canadian private communication? For example, a foreign terrorist turns out to be communicating with someone in Canada, or a foreign hacker sends a malicious email to a Government of Canada department?
The CSE Act recognizes this may happen and requires the Minister of National Defence to authorize any activities that have Canadian privacy implications.
To issue an Authorization, the Minister must be satisfied that the activities are reasonable, necessary and proportionate, and that appropriate privacy protections are in place.
Furthermore, before a foreign intelligence or cyber security Authorization can come into effect, it must be approved by the Intelligence Commissioner. The Commissioner is a retired superior court judge independent of CSE. If the Commissioner is not satisfied with the Minister’s conclusions, the Authorization cannot proceed.
Finally, if a Canadian’s communication is incidentally intercepted, CSE must and does take steps to protect the privacy of that Canadian.
CSE’s privacy policies
CSE’s operational practices are designed to protect Canadian privacy by laying out detailed procedures for the acquisition, use, retention, and destruction of information about Canadians.
For example, in the case where CSE intercepts the communication of a foreign terrorist abroad who happens to be exchanging information with someone in Canada, the intercept must first be assessed to determine whether it qualifies as foreign intelligence.
If the intercept is not considered to be foreign intelligence, it is deleted.
If the intercept is deemed to be foreign intelligence, CSE must document and closely monitor the use of this information.
Strict retention limits and automated destruction schedules are in place as additional protections.
Access to such information is limited to the employees who need it to do their jobs.
To make sure our staff fully understand and abide by our operational policies, we regularly train, test and verify their knowledge and compliance.
If an employee does not pass the mandatory tests, they are denied access to CSE’s operational systems.
Employees are also required to attend mandatory legal briefings provided by the Department of Justice.
Privacy and international partners
Canada has close intelligence relationships with the United States, the United Kingdom, Australia and New Zealand. These ties date back to the Second World War. Read more about our history here.
Canada benefits immeasurably from this intelligence alliance, which is commonly known as the “Five Eyes”.
People sometimes ask if we use this intelligence alliance to get around the law forbidding us from targeting Canadian communications.
The answer is, no.
We do not ask our international partners to do anything on our behalf that is not legal for us to do.
It is important to note that the CSE Act does allow CSE to disclose information to other entities, including international partners, but only if:
- the Minister of National Defence has designated the entity as one we can share information with, and;
- the disclosure is essential for international affairs, defence, security or cyber security.