Overview of 2017–2018 Findings and Recommendations

During the 2017–2018 reporting year, the Commissioner submitted eight classified reports to the Minister on his reviews of CSE activities.

The seven reviews, and one study, were conducted under the Commissioner's authority:

• to ensure CSE activities are in compliance with the law – as set out in paragraph 273.63(2)(a) of the National Defence Act; and
• to ensure CSE activities carried out under a ministerial authorization are authorized – as set out in subsection 273.65(8) of the National Defence Act.

The Commissioner's office reviewed a matter that had been identified as needing a separate examination, following last year's review of CSE's information sharing and relationships with foreign entities outside of the Five Eyes. The office reviewed CSE's authorities and participation in a multilateral operational initiative.

The Commissioner's office also completed a study of CSE's operational use of internal social media-type platforms to acquire detailed knowledge of these activities as well as to identify any issues that may require follow-up review.

As in previous years, the Commissioner conducted annual reviews of ministerial authorizations for foreign signals intelligence and cyber defence activities, including a spot check examination of one-end Canadian communications (including private communications) acquired, used, retained and destroyed by CSE, and of CSE incidents and procedural errors related to privacy. The office completed both the 2015–2016 and 2016–2017 reviews of CSE disclosures of Canadian identity information. The 2015–2016 review had carried over into this year.

The Results

Each year, the Commissioner provides an overall statement on findings about the lawfulness of CSE activities. This past year, all CSE activities reviewed complied with the law.

As well, this year, the Commissioner made four recommendations to promote compliance with the law and strengthen privacy protection, including that:

1. in order to ensure clarity for any new activities involving information sharing with foreign entities, CSE conduct adequate assessments with respect to authorities and measures to protect the privacy of Canadians, prior to commencing the activity;
2. CSE take measures to ensure that all requests for the release of suppressed Canadian identity information stipulate both the lawful authority under which the information is being requested and a robust operational justification of the need to acquire that information, consistent with the requesting agency's mandate;
3. CSE clarify the language in the ministerial authorizations to accurately reflect the legal protection recognized and afforded to solicitor-client communications in Canadian law, and ensure consistency with language in policy and with practice, in both CSE's information technology security and foreign signals intelligence activities; and
4. CSE ensure that future ministerial authorization request memoranda to the Minister contain comprehensive information to describe and document contemplated CSE foreign signals intelligence ministerial authorization activities in a thorough manner, to better support the Minister when making a decision.