Overview of 2016–2017 Findings and Recommendations

During the 2016–2017 reporting year, the Commissioner submitted nine classified reports to the Minister on his reviews of CSE activities.

The reviews, and one study, were conducted under the Commissioner's authority:

• to ensure CSE activities are in compliance with the law – as set out in paragraph 273.63(2)(a) of the National Defence Act (NDA); and
• to ensure CSE activities carried out under a ministerial authorization are authorized – as set out in subsection 273.65(8) of the National Defence Act.

The first review examined the sharing of CSE's information with foreign entities other than the Five Eyes, in particular, the risk assessments conducted for deciding whether or not to send information to, or solicit information from, a foreign entity when doing so could substantially risk the mistreatment of an individual.

One review looked at CSE's collection activities in exceptional circumstances, such as, when CSE is obliged to acquire and report information involving Five Eyes nationals to support intelligence requirements that may not be satisfied otherwise.

Another review examined CSE's cyber defence metadata activities. This was the third and final part of a comprehensive review of CSE's metadata activities.

The Commissioner's office also completed a study of cyber threat information-sharing and -accessing activities between CSE's foreign signals intelligence and information technology security branches in order to acquire detailed knowledge of these activities as well as to identify any issues that may require follow-up review.

As in previous years, the Commissioner conducted annual reviews of ministerial authorizations for foreign signals intelligence and cyber defence, including spot check examinations of one-end Canadian communications (including private communications) acquired, used, retained and destroyed by CSE, and of CSE incidents and procedural errors related to privacy. The annual review of CSE disclosures of Canadian identity information will carry over into 2017–2018.

The results

Each year, the Commissioner provides an overall statement on findings about the lawfulness of CSE activities. This past year, all CSE activities reviewed complied with the law.

As well, this year, the Commissioner made five recommendations to promote compliance with the law and strengthen privacy protection, including that:

1. memoranda of understanding with foreign entities clearly specify CSE legal authorities and restrictions, including that CSE cannot receive, under its foreign signals intelligence mandate, information from the foreign entities acquired through activities that may have been directed at a Canadian or any person in Canada;

2. CSE issue overarching policy guidance to establish baseline measures for information exchanges with foreign entities;

3. CSE apply caveats consistently to all exchanges with foreign entities and that CSE use appropriate systems to record all information released;

4. because of the technical characteristics of certain communications technology, CSE reporting to the Minister on private communications contain additional information to better describe the private communications and explain the extent of privacy invasion – the current manner in which CSE counts the private communications provides a distorted view of the number of Canadians or persons in Canada that are involved in (i.e., are the other end of) CSE interceptions to obtain foreign intelligence under ministerial authorizations; and

5. because of the quasi-constitutional nature of solicitor-client privileged communications, CSE always seek and obtain written legal advice from Justice Canada concerning the retention or use of an intercepted solicitor-client privileged communication.