Introduction
On September 4, 2019, the Chief of the Communications Security Establishment (CSE) was provided directions on the implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA) from the Governor in Council (GiC). This report responds to the requirement under the ACMFEA for CSE to report annually to the Minister of National Defence on the implementation of the GiC’s written directions, specifically:
- the disclosure of information to any foreign entity that would result in a substantial risk of mistreatment of an individual
- the making of requests to any foreign entity for information that would result in a substantial risk of mistreatment of an individual
- the use of information that is likely to have been obtained through the mistreatment of an individual by a foreign entity
In addition to the requirements listed in the GiC’s Directions, CSE will continue to report on changes to internal policies and procedures, and the restriction of any arrangements due to concerns related to mistreatment.
This report covers the period of January 1, 2022 to December 31, 2022.
CSE information sharing practices and operational governance
Background
CSE has the authority to engage in arrangements with foreign entities for the purpose of furthering its mandate, including the sharing of information. This sharing must comply with Canada’s laws and legal obligations, Ministerial Orders, and CSE policies.
Mistreatment Risk Assessments (MRAs)
In accordance with the ACMFEA, CSE employs a formal and comprehensive methodology to assess the potential risk of mistreatment of individuals before sharing information with foreign entities.
These classified Mistreatment Risk Assessments (MRAs) are informed by human rights reporting from both government sources and non-governmental organizations, as well as open source and classified reporting. When performing MRAs, CSE:
- assesses the purpose of the information sharing
- verifies there are mistreatment risk management measures in existing information sharing arrangements
- reviews CSE’s internal records on the foreign entity under consideration
- consults other available Government of Canada assessments and reports related to the foreign entity
- assesses the anticipated effectiveness of risk mitigation measures
- evaluates a foreign entity’s compliance with past assurances, based on available information
CSE officials assess whether the risk of mistreatment in exchanging particular information with a foreign entity is low, medium, high or substantial by considering the likelihood that action may be taken against an individual, and the potential overall impact of any such action.
Approval authorities for sharing information are commensurate with the level of risk determined by the MRA. Sharing requests can be escalated to a higher approval authority if necessary and a denial may happen at any level. All sharing requests elevated to the Chief (i.e., substantial risk of mistreatment) are reported to the Minister of National Defence, the National Security and Intelligence Review Agency (NSIRA), and the National Security and Intelligence Committee of Parliamentarians (NSICOP). External review bodies, including NSICOP and NSIRA, review whether CSE conforms with Canadian laws, the GiC’s Directions, and its own internal policies.
During this reporting period, no requests were elevated to the Chief for decision.
Updating policies and procedures
CSE’s internal MRA policies and processes are consistent with the requirements of ACMFEA.
Arrangements
In the period covered by this report, CSE has not had to restrict its arrangements with any foreign entity due to mistreatment risk concerns.
Internal compliance
One compliance incident was identified in 2022 where information sharing took place prior to conducting an MRA. The incident was mitigated within 60 minutes of its occurrence by recalling the information, and a post factum MRA concluded that no substantial risk of mistreatment occurred. The incident was reviewed by CSE’s internal compliance program and found to be appropriately mitigated.
Conclusion
The details in this report demonstrate CSE’s implementation of ACMFEA from January 1, 2022 to December 31, 2022. This report fulfills the requirement of section 7(1) of the ACMFEA to submit a report to the Minister of National Defence on the implementation of the ACMFEA during the previous calendar year.