Implementation of the Directions for Avoiding Complicity in Mistreatment by Foreign Entities: January 1, 2024 – December 31, 2024

Introduction

On 4 September 2019, the Chief of the Communications Security Establishment Canada (CSE) was provided directions on the implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA) from the Governor in Council (GiC). This report responds to the requirement under ACMFEA for CSE to report annually to the Minister of National Defence on the implementation of the Directions, including requirements related to:

1. the disclosure of information to any foreign entity that would result in a substantial risk^{Footnote 1} of mistreatment of an individual
2. the making of requests to any foreign entity for information that would result in a substantial risk of mistreatment of an individual
3. the use of information that is likely to have been obtained through the mistreatment of an individual by a foreign entity

In addition to reporting on the requirements listed in the Directions, CSE will continue to report on changes to internal policies and procedures, and the restriction of any arrangements with foreign entities due to concerns related to mistreatment.

This report covers the period of January 1, 2024, to December 31, 2024.

Information Sharing Practices and Governance

Background

CSE has the authority to engage in arrangements with foreign entities for the purpose of furthering its mandate, including the sharing of information. This sharing must comply with Canada's laws and legal obligations, Ministerial Orders, and CSE policies.

Mistreatment Risk Assessments (MRAs)

In accordance with ACMFEA, CSE employs a comprehensive methodology to assess the potential risk of mistreatment of individuals before sharing information with foreign entities. CSE conducts a general mistreatment risk analysis on information sharing activities to determine whether a Mistreatment Risk Assessment (MRA) is required. MRAs are informed by human rights reporting from both government sources and non-governmental organizations, as well as open source and classified reporting. When performing MRAs, CSE additionally:

• assesses the purpose of the information sharing
• verifies that there are mistreatment risk management measures in existing information sharing arrangements
• reviews CSE's internal records on the foreign entity under consideration
• consults other available Government of Canada (GC) assessments and reports related to the foreign entity
• assesses the anticipated effectiveness of risk mitigation measures
• evaluates a foreign entity's compliance with past assurances, based on available information

CSE officials assess whether the risk of mistreatment in exchanging particular information with a foreign entity is low, medium, high or substantial by considering the likelihood that action may be taken against an individual, and the potential overall impact of any such action.

Approval authorities for sharing information are commensurate with the level of risk determined by the MRA; as the risk level rises, so too does the level of the individual that may approve the sharing. A denial may happen at any level. All sharing requests elevated to the Chief (i.e., those that pose a substantial risk of mistreatment) are reported to the Minister of National Defence, the National Security and Intelligence Review Agency (NSIRA), and the National Security and Intelligence Committee of Parliamentarians (NSICOP). NSIRA's enabling legislation requires that it review the implementation of Directions issued under ACMFEA each calendar year, and NSICOP's mandate also allows it to review whether CSE conforms with Canadian laws, the Directions, and CSE's internal policies.

During this reporting period, no requests required a referral to the Chief for decision.

Updating Policies and Procedures

CSE’s internal MRA policies and processes remain consistent with the requirements of ACMFEA. In April 2024, CSE updated its internal rating system for evaluating the human rights conditions within a foreign nation to further account for the nuanced complexities within a given country. CSE’s relevant Standard Operating Procedures were also reviewed and updated in alignment with the revised rating system.

Arrangements

In the period covered by this report, CSE has not had to restrict its arrangements with any foreign entities due to mistreatment risk concerns.

Internal Compliance

In the period covered by this report, no internal compliance incidents related to the implementation of ACMFEA were reported to or discovered by CSE's internal compliance team.

Conclusion

The submission of this report fulfills CSE's requirement under section 7(1) of ACMFEA to submit a report to the Minister of National Defence before 1 March of each year on the implementation of the Directions during the previous calendar year.