Pursuant to subsection 3(1) of the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA), the Governor in Council (GiC), on the recommendation of the Minister of National Defence (MND), provided DirectionsFootnote 1 to the Chief of the Communications Security Establishment (CSE). These directions, issued on September 4, 2019, address the disclosure of, request for, and use of information that would result in the substantial riskFootnote 2 of mistreatment of an individual by a foreign entity.
This report responds to the ACMFEA’s requirement for CSE to report annually to the MND regarding the implementation of the GiC’s written directions, specifically:
- the disclosure of information to any foreign entity that would result in a substantial risk of mistreatment of an individual;
- the making of requests to any foreign entity for information that would result in a substantial risk of mistreatment of an individual; and
- the use of information that is likely to have been obtained through the mistreatment of an individual by a foreign entity.
This is CSE’s third report on its implementation of the GiC’s Directions. Prior to September 4, 2019, CSE was guided by the 2017 Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities and reportedFootnote 3 on its application. For greater transparency and consistency, and in addition to the requirements listed in the GiC’s Directions, CSE will continue to report on changes to internal policies and procedures, and the restriction of any arrangements due to concerns related to mistreatment.
This report covers the period of January 1, 2021 to December 31, 2021.
There were no notable changes to CSE information sharing practices and operational governance between this and the 2020 reporting period.
CSE Information Sharing Practices and Operational Governance
CSE has the authority to engage in arrangements with foreign entities, for the purposes of furthering its mandate, including the sharing of information. This sharing must comply with Canada’s laws and legal obligations, Ministerial Orders, and CSE’s policies.
Mistreatment Risk Assessments (MRAs)
In accordance with the ACMFEA, CSE employs a formal and comprehensive methodology to assess the potential risk of mistreatment of individuals before sharing information with foreign entities. These classified Mistreatment Risk Assessments (MRAs) are informed by human rights reporting from both government sources and non-governmental organizations, as well as open source and classified reporting. When performing MRAs, CSE:
- assesses the purpose of the information sharing;
- verifies there are mistreatment risk management measures in existing information sharing arrangements;
- reviews CSE’s internal records on the foreign entity under consideration;
- consults other available Government of Canada assessments and reports related to the foreign entity;
- assesses the anticipated effectiveness of risk mitigation measures; and
- evaluates a foreign entity’s compliance with past assurances, based on available information.
CSE officials assess whether the risk of exchanging particular information with a foreign entity is low, medium, high or substantial, by considering the likelihood that action may be taken against an individual, and the potential overall impact of any such action.
Approval authorities for sharing information are commensurate with the level of risk determined by the Mistreatment Risk Assessment. Sharing requests can be escalated to a higher approval authority, if necessary, and a denial may happen at any level. All sharing requests elevated to the Chief (i.e., substantial risk of mistreatment) are reported to the Minister of National Defence, the National Security and Intelligence Review Agency (NSIRA), and the National Security and Intelligence Committee of Parliamentarians (NSICOP). External review bodies, including NSICOP and NSIRA, review whether CSE conforms with Canadian laws, the GiC’s Directions and its own internal policies.
During this reporting period, no requests were elevated to the Chief for decision.
Updating Policies and Procedures
CSE’s internal MRA policies and processes are consistent with the requirements of ACMFEA.
In the period covered by this report, CSE has not had to restrict its arrangements with any foreign entity due to mistreatment risk concerns.
An administrative compliance incident was identified in 2021 which involved the sharing of information assessed as low risk. It has been reviewed by CSE’s compliance team and the incident mitigated by the operational area.