OTTAWA, June 13, 2013 /CNW/ - The Honourable Robert Décary, Q.C.,
Communications Security Establishment Commissioner, believes that
public discussion would benefit from additional information about how
he verifies whether CSEC complies with the law and protects the privacy
of Canadians in the conduct of its activities.
As Communications Security Establishment Commissioner, a position
established under the National Defence Act, I strive to strike a balance between — on the one hand — the
government's need for foreign signals intelligence and IT security
services, and — on the other hand — the need to ensure compliance with
the law and the protection of the privacy of Canadians. Through the
public annual reports, I also strive to provide assurance to Canadians
with respect to their privacy.
Since my appointment, I have sought to clarify and explain more fully
what my office and I do and how we do it, to help ensure that public
discussion is based on fact. While it is not for me to disclose
operational information of the Communications Security Establishment
Canada (CSEC), I do encourage the government to be as transparent as
possible. Every reasonable person recognizes, however, there are very
real constraints imposed by national security and the Security of Information Act.
I am completely independent and operate at arms-length from the
government. I have all the powers of a Commissioner under Part II of
the Inquiries Act, including the power of subpoena, to access and review any information
held by CSEC. We have secure offices on-site at CSEC. My employees have
unobstructed access to CSEC systems, observe CSEC analysts first hand
to verify how they conduct their work, interview them, and test
information obtained against the contents of CSEC's databases.
Under the National Defence Act, CSEC is specifically required to protect the privacy of Canadians in
the execution of its duties. Similarly, it is required to protect the
privacy of Canadians in accordance with other laws, including the Canadian Charter of Rights and Freedoms, the Privacy Act, and the Criminal Code. The Minister of National Defence has provided further specific
direction to the Chief of CSEC, regarding how he expects the agency
will protect the privacy of Canadians in fulfilling its duties. The
Chief has further elaborated and provided guidance to staff, through
various internal policies, regarding the procedures and practices that
must be followed.
When reviewing CSEC's activities — including any CSEC use or retention
of metadata — for compliance, I assess them against all three factors:
legal requirements; ministerial expectations; and internal policy
controls. If I believe a law, ministerial direction or policy is not
adequate, I make a recommendation to the Minister to address the
I verify that CSEC does not direct its foreign signals intelligence
collection and IT security activities at Canadians — wherever they
might be in the world — or at any person in Canada. CSEC is prohibited
from requesting an international partner to undertake activities that
CSEC itself is legally prohibited from conducting.
It is well understood that Canadian federal law enforcement and security
agencies may lawfully investigate Canadians. When these organizations
request the assistance of CSEC, I verify that CSEC complies with any
limitations imposed by law on the agency to which CSEC is providing
assistance, for example, any conditions imposed by a judge in a
Given the structure of the international telecommunications environment,
it is possible that CSEC may, while targeting a foreign entity located
outside Canada, with a ministerial authorization, unintentionally
intercept a communication that originates or terminates in Canada,
which is a "private communication" as defined by the Criminal Code. I monitor and examine the small number of private communications
unintentionally intercepted by CSEC and verify how CSEC treats these
In the case of metadata, I verify that it is collected and used by CSEC
only for purposes of providing intelligence on foreign entities located
outside Canada and to protect information infrastructures of importance
to the government. I have reviewed CSEC metadata activities and have
found them to be in compliance with the law and to be subject to
comprehensive and satisfactory measures to protect the privacy of
Canadians. However, given that these activities may impact the privacy
of Canadians, I had already approved, prior to recent events, the start
of a specific review relating to these activities.
Additionally, in its reports, and in other information CSEC shares with
its domestic and international partners, CSEC must render impossible
the identification of Canadians, and I verify that this is done. As
noted in my report last year, I have found that CSEC does take measures
to protect the privacy of Canadians in what it shares with its domestic
and international partners. For example, CSEC suppresses Canadian
identity information in what is shared with its international partners.
CSEC applies the same privacy rules to information acquired from
domestic and international partners, and I verify that these rules are
followed. In addition, open and ongoing discussion between the partners
helps to limit the potential to affect the privacy of Canadians.
Furthermore, I examine any operational incidents that did or could have
an impact on the privacy of Canadians to ensure that CSEC has addressed
them and to identify any systemic issues about compliance with the law
or the protection of the privacy of Canadians that should be the
subject of follow-up review.
I provide the results of my reviews, in classified reports, to the
Minister of National Defence, who is accountable to Parliament for
CSEC. I am also required to submit an unclassified report to the
Minister on my activities each year, which the Minister must then table
in Parliament. My latest report is completed and I submitted it to the
A necessary element of my mandate also includes informing the Minister
of any activities that I believe might present, or have the potential
to present, a risk of non-compliance. If I find that CSEC did not
comply with the law, I have the authority and the duty to report it to
the Minister and to the Attorney General of Canada.
A number of my reports have included recommendations aimed at
strengthening CSEC practices that contribute to compliance and
incorporate measures that protect the privacy of Canadians. Some
Commissioners' recommendations have resulted in CSEC suspending certain
activities to re-examine how the activities are conducted. I closely
monitor CSEC's implementation of my recommendations.
CSEC has accepted and implemented or is working to address the vast
majority of recommendations made by my predecessors and me.
Recommendations are made to proactively prevent possible privacy risks.
In the context of ongoing and future reviews, my office will continue
to seek ways in which CSEC compliance, and the privacy protections
afforded to Canadians, can be further strengthened.
The Commissioner's website is www.ocsec-bccst.gc.ca.
SOURCE: Office of the Communications Security Establishment Commissioner
For further information:
J. William Galbraith
Office of the CSE Commissioner