Application of the Ministerial Direction: Avoiding Complicity in Mistreatment by Foreign Entities - November 2, 2018 – July 31, 2019
In November 2017, pursuant to subsection 273.62(3) of the National Defence Act, the Minister of National Defence issued a Ministerial Direction to the Communications Security Establishment (CSE) on Avoiding Complicity in Mistreatment by Foreign Entities (the 2017 Direction). This Direction was in force from November 2, 2017, until July 31, 2019, the eve of the coming-into-force of the CSE Act.
The Direction prohibits the disclosure of and request for information (collectively called “exchange of information”) that would result in a substantial riskFootnote 1 of mistreatment of an individual by a foreign entity, as well as certain uses of information that was likely obtained through the mistreatment of an individual by a foreign entity.
This report responds to the 2017 Direction requirement for CSE to report annually to the Minister of National Defence regarding the application of the Direction, including:
- any changes to internal policies and procedures related to the Direction;
- the restriction of any arrangements due to concerns related to mistreatment; and
- details on substantial risk cases where the Direction was engaged, including the number of cases.
This report covers the period starting on November 2, 2018, and ending on July 31, 2019, due to a change in the legal instruments under which CSE operates. It is CSE’s last report on its application of the 2017 Direction. All future reports will reflect the reporting requirements set out in the Avoiding Complicity in Mistreatment by Foreign Entities Act with regards to CSE’s implementation of the directions issued to the Chief of CSE by the Governor in Council.
Changes in Instruments, Legislation and Review Bodies
On June 21, 2019, the National Security Act (Bill C-59) received Royal Assent, which resulted in changes in CSE’s governing legislation, review bodies and reporting requirements.
National Security and Intelligence Review Agency Act (NSIRA Act): On July 12, 2019, with the coming into force of the NSIRA Act, the National Security and Intelligence Review Agency (NSIRA) became the review body responsible for reviewing CSE’s activities, including its compliance with the 2017 Direction. The Office of the CSE Commissioner (OCSEC) was previously responsible for reviewing CSE’s activities.
Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA): The ACMFEA came into force on July 13, 2019. On September 4, 2019, pursuant to the ACMFEA, the Governor in Council issued Directions to the ChiefFootnote 2. The ACMFEA and the new Directions are consistent with the 2017 Direction under which CSE had been operating and no adjustments to internal processes were required to ensure the organization’s compliance with the new Act and Directions. NSIRA continued as the body responsible for reviewing CSE’s activities, including its compliance with the ACMFEA.
Communications Security Establishment Act (CSE Act): The CSE Act came into force on August 1, 2019, and as of this date, all instruments issued to CSE under the National Defence Act (NDA) were no longer in force. Therefore, the 2017 Direction, issued to CSE under the NDA, was no longer in force as of August 1, 2019.
|November 2, 2017||June 21, 2019||July 13, 2019||August 1, 2019||September 4, 2019|
CSE Information Sharing Practices and Operational Governance
Sharing information with foreign entities helps CSE fulfill its mandate. Sharing must comply with Canada’s laws and legal obligations, Ministerial Directions, and CSE’s policies.
Mistreatment Risk Assessments (MRAs)
In accordance with the ACMFEA and the 2017 Direction, CSE employs a formal and comprehensive methodology to assess the potential risk of mistreatment of individuals before sharing information. These classified Mistreatment Risk Assessments (MRAs) are informed by human rights reporting from both government sources and non-governmental organizations, as well as open source and classified reporting. When performing MRAs, CSE:
- assesses the purpose of the information sharing;
- verifies there are mistreatment risk management measures in existing information sharing arrangements;
- reviews CSE’s internal records on the foreign entity under consideration;
- consults other available Government of Canada assessments and reports related to the foreign entity;
- assesses the anticipated effectiveness of risk mitigation measures; and
- evaluates a foreign entity’s compliance with past assurances, based on available information.
CSE officials assess whether the risk of exchanging information with a foreign entity is low, medium, high or substantial, considering the likelihood that action may be taken against an individual, and the potential overall impact of any such action.
Approval authorities for sharing information are commensurate with the level of risk determined by the MRA. Sharing requests can be escalated to a higher approval authority, if necessary, and a denial may happen at any level. All sharing requests elevated to the Chief for decision are reported to the Minister of National Defence and the National Security and Intelligence Committee of Parliamentarians (NSICOP). In addition, such requests were reported to OCSEC prior to July 12, 2019, and to NSIRA on or after July 12, 2019.
External review bodies, including NSICOP and OCSEC/NSIRA, can review whether CSE conforms and has conformed with Canadian laws and with the 2017 Direction.
Mistreatment Risk Assessments Elevated to the Chief
During this reporting period, no requests were elevated to the Chief for decision.
Updating Policies and Procedures
CSE’s internal policies and processes were established prior to the November 2017 Ministerial Direction: Avoiding Complicity in Mistreatment by Foreign Entities to align with the Direction and to ensure compliance with the 2011 Ministerial Directive to Operationalize the Framework for Addressing Risks in Sharing Information with Foreign Entities. In 2017, OCSEC concluded a Review of CSE Information Sharing Activities with Foreign Entities. In his 2016–2017 annual report tabled in Parliament, the CSE Commissioner stated that CSE’s activities complied with the law, and were consistent with the Framework and Ministerial Direction. CSE’s internal policies and processes remain consistent with the new ACMFEA and are now subject to review by NSIRA.
CSE’s ability to fulfill its foreign intelligence and information technology security mandates requires productive relations with foreign entities. CSE may enter into arrangements with institutions of foreign states or international organizations, for example, for the furtherance of its mandate, including for the purposes of sharing information or otherwise cooperating with them. The CSE Commissioner noted that “sharing information with foreign entities is an integral part of the mandates of Canadian law enforcement and intelligence agencies, including CSE”.
In the period covered by this report, CSE has not had to restrict its arrangements with any foreign entity due to mistreatment risk concerns.
- Footnote 1
As per the MD, the risk in exchanging information is considered substantial when there is a personal, present and foreseeable risk of mistreatment. The risk must be real and based on something more than theory or speculation. In most cases, the test for substantial risk will be satisfied when it is more likely than not that there will be mistreatment; however, in some cases, particularly where the risk is of severe harm, the “substantial risk” standard may be satisfied at a lower level of probability. Exchanging information when there is a substantial risk of mistreatment is prohibited.
- Footnote 2
The Directions are public and are available on CSE’s website at www.cse-cst.gc.ca/en/transparency-transparence/md-dm