Introduction
On September 4, 2019, the Chief of the Communications Security Establishment Canada (CSE) was provided Directions from the Governor in Council on the implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA). This report responds to the requirement under ACMFEA for CSE to report annually to the Minister of National Defence on the implementation of the Directions, including requirements related to:
- the disclosure of information to any foreign entity that would result in a substantial riskFootnote 1 of mistreatment of an individual
- the making of requests to any foreign entity for information that would result in a substantial risk of mistreatment of an individual
- the use of information that is likely to have been obtained through the mistreatment of an individual by a foreign entity
In addition to reporting on the requirements listed in the Directions, CSE will continue to report on changes to internal policies and procedures, and the restriction of any arrangements with foreign entities due to concerns related to mistreatment.
This report covers the period of January 1, 2025 to December 31, 2025.
Information sharing practices and governance
Background
CSE has the authority to engage in arrangements with foreign entities for the purpose of furthering its mandate, including the sharing of information. This sharing must comply with Canada’s laws and legal obligations, Ministerial Orders, and CSE policies.
Mistreatment Risk Assessments
In accordance with ACMFEA, CSE employs a comprehensive methodology to assess the potential risk of mistreatment of individuals before sharing information with foreign entities. CSE conducts a general mistreatment risk analysis on information sharing activities to determine whether a Mistreatment Risk Assessment (MRA) is required. MRAs are informed by human rights reporting from both government sources and non-governmental organizations, as well as open source and classified reporting. When performing MRAs, CSE additionally:
- assesses the purpose of the information sharing
- verifies that there are mistreatment risk management measures in existing information sharing arrangements
- reviews CSE’s internal records on the foreign entity under consideration
- consults other available Government of Canada (GC) assessments and reports related to the foreign entity
- assesses the anticipated effectiveness of risk mitigation measures
- evaluates a foreign entity’s compliance with past assurances, based on available information
CSE officials assess whether the risk of mistreatment in exchanging particular information with a foreign entity is low, medium, high or substantial by considering both the likelihood that action may be taken against an individual and the potential overall impact of any such action.
Approval authorities for sharing information are commensurate with the level of risk determined by the MRA. As the risk level rises, so too does the level of the individual that may approve the sharing. A denial may happen at any level. All sharing requests elevated to the Chief (i.e., those that pose a substantial risk of mistreatment) are reported to the Minister of National Defence, the National Security and Intelligence Review Agency (NSIRA), and the National Security and Intelligence Committee of Parliamentarians (NSICOP). NSIRA’s enabling legislation requires that it review the implementation of Directions issued under ACMFEA each calendar year, and NSICOP’s mandate also allows it to review whether CSE conforms with Canadian laws, the Directions, and CSE’s internal policies.
During this reporting period, no requests required a referral to the Chief for decision.
Updating policies and procedures
CSE’s internal MRA policies and processes remain consistent with the requirements of ACMFEA. In December 2025, CSE updated its internal process regarding MRAs for foreign cyber operations activities, in consultation with the Department of Justice, to remove a duplication in processes. Per the Communications Security Establishment Act, foreign cyber operations must not cause, intentionally or by criminal negligence, bodily harm to an individual. Operational teams are responsible for ensuring a bodily harm assessment has been completed prior to the conduct of a cyber operations activity. To meet CSE’s obligations under ACMFEA, an internal CSE policy team then reviews the bodily harm assessments for foreign cyber operations to ensure that it meets CSE’s ACMFEA obligations. Previously, MRAs and bodily harm assessments were always conducted as separate activities. With the update, provided that the bodily harm assessment is demonstrated to also meet ACMFEA obligations, a separate MRA is not required. CSE’s relevant policies, governance, and procedural documents for these activities are also being reviewed and updated. This updated process is in effect as of January 1, 2026.
Arrangements
In the period covered by this report, CSE has not had to restrict its arrangements with any foreign entities due to mistreatment risk concerns.
Internal compliance
In the period covered by this report, no internal compliance incidents related to the implementation of ACMFEA were reported to or discovered by CSE’s internal compliance team.
Conclusion
The submission of this report fulfills CSE’s requirement under section 7(1) of ACMFEA to submit a report to the Minister of National Defence before March 1 of each year on the implementation of the Directions during the previous calendar year.