Government of Canada / Gouvernement du Canada
Symbol of the Government of Canada

Search

National Security Act, 2017 (S.C. 2019, c. 13)

Full Document:  

Assented to 2019-06-21

PART 2Intelligence Commissioner (continued)

Coordinating Amendments (continued)

Marginal note:Bill C-22

  •  (1) Subsections (2) and (3) apply if Bill C-22, introduced in the 1st session of the 42nd Parliament and entitled the National Security and Intelligence Committee of Parliamentarians Act (referred to in this section as the “other Act”), receives royal assent.

  • (2) On the first day on which both section 2 of the other Act and section 50 of this Act are in force, the definition department in that section 2 is replaced by the following:

    department

    department means, except in subsection 25(2), a department named in Schedule I to the Financial Administration Act, a division or branch of the federal public administration — other than a review body or the office of the Intelligence Commissioner — set out in column I of Schedule I.1 to that Act, a corporation named in Schedule II to that Act, a parent Crown corporation as defined in subsection 83(1) of that Act or the Canadian Forces. (ministère)

  • (3) On the first day on which both section 21 of the other Act and section 50 of this Act are in force, section 24 of the Intelligence Commissioner Act is replaced by the following:

    Marginal note:Entitlement to reports

    24 The Commissioner is entitled to receive a copy of the following reports, or of a part of the reports, if the report or part in question relates to the Commissioner’s powers, duties or functions:

PART 3Communications Security Establishment

Communications Security Establishment Act

Marginal note:Enactment of Act

 The Communications Security Establishment Act is enacted as follows:

An Act to establish the Communications Security Establishment

Preamble

Whereas the protection of Canada’s national security and of the security of Canadians is a fundamental responsibility of the Government of Canada;

Whereas it is essential, to discharge that responsibility, for Canada to have a communications security establishment;

And whereas it is important that the communications security establishment carry out its activities in accordance with the rule of law and in a manner that respects the Canadian Charter of Rights and Freedoms;

Now, therefore, Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:

Short Title

Marginal note:Short title

1 This Act may be cited as the Communications Security Establishment Act.

Interpretation

Marginal note:Definitions

2 The following definitions apply in this Act.

Canadian

Canadian means a Canadian citizen, a permanent resident as defined in subsection 2(1) of the Immigration and Refugee Protection Act or a corporation incorporated or continued under the laws of Canada or a province. (Canadien)

Chief

Chief means the Chief of the Establishment appointed under section 8. (chef)

Commissioner

Commissioner means the Intelligence Commissioner appointed under subsection 4(1) of the Intelligence Commissioner Act. (commissaire)

entity

entity means a person, group, trust, partnership or fund or an unincorporated association or organization and includes a state or a political subdivision or agency of a state. (entité)

Establishment

Establishment means the Communications Security Establishment established under section 5. (Centre)

federal institution

federal institution includes any of the following institutions of Parliament or the Government of Canada:

  • (a) the Senate;

  • (b) the House of Commons;

  • (c) the Library of Parliament;

  • (d) the office of the Senate Ethics Officer, the office of the Conflict of Interest and Ethics Commissioner and the Parliamentary Protective Service;

  • (e) any federal court;

  • (f) any board, commission, council, other body or other office established to perform a governmental function by or under an Act of Parliament, or by or under the authority of the Governor in Council;

  • (g) a department as defined in section 2 of the Financial Administration Act;

  • (h) a Crown corporation established by or under an Act of Parliament; and

  • (i) any other body that is specified by an Act of Parliament to be an agent of Her Majesty in right of Canada or to be subject to the direction of the Governor in Council or a federal minister. (institutions fédérales)

foreign intelligence

foreign intelligence means information or intelligence about the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group, as they relate to international affairs, defence or security. (renseignement étranger)

global information infrastructure

global information infrastructure includes electromagnetic emissions, any equipment producing such emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, that equipment, those systems or those networks. (infrastructure mondiale de l’information)

Minister

Minister means the Minister of National Defence or, if another federal minister is designated under section 4, that minister. (ministre)

publicly available information

publicly available information means information that has been published or broadcast for public consumption, is accessible to the public on the global information infrastructure or otherwise or is available to the public on request, by subscription or by purchase. It does not include information in respect of which a Canadian or a person in Canada has a reasonable expectation of privacy. (information accessible au public)

Review Agency

Review Agency means the National Security and Intelligence Review Agency established under section 3 of the National Security and Intelligence Review Agency Act. (Office de surveillance)

terrorist group

terrorist group has the same meaning as in subsection 83.01(1) of the Criminal Code. (groupe terroriste)

unselected

unselected, with respect to information, means that the information is acquired, for technical or operational reasons, without the use of terms or criteria to identify information of foreign intelligence interest. (non sélectionnée)

Principle

Marginal note:Principle

3 It is in the public interest to ensure that the Establishment may effectively carry out its mandate in accordance with the rule of law and, to that end, to expressly recognize in law a justification for persons who are authorized to carry out activities under this Act to, in the course of carrying out those activities, commit acts or omissions that would otherwise constitute offences.

Designation of Minister

Marginal note:Minister

4 The Governor in Council may, by order, designate any federal minister to be the Minister referred to in this Act.

Communications Security Establishment

Establishment and Organization

Marginal note:Establishment established

5 The Communications Security Establishment is established.

Marginal note:Minister is responsible

6 The Minister is responsible for the Establishment.

Marginal note:Head office

  • 7 (1) The head office of the Establishment is to be in the National Capital Region described in the schedule to the National Capital Act.

  • Marginal note:Other offices

    (2) The Chief may, with the approval of the Minister, establish other offices elsewhere in Canada.

Chief of the Communications Security Establishment

Marginal note:Appointment

  • 8 (1) The Governor in Council must appoint a Chief of the Communications Security Establishment to hold office during pleasure for a term not exceeding five years.

  • Marginal note:Reappointment

    (2) The Chief is eligible to be reappointed at the end of a term of office for a further term not exceeding five years.

  • Marginal note:Salary and expenses

    (3) The Chief is to be paid the salary that is fixed by the Governor in Council and is entitled to payments for reasonable travel and living expenses incurred in the exercise of his or her powers or the performance of his or her duties and functions while absent from his or her ordinary place of work.

  • Marginal note:Compensation

    (4) The Chief is deemed to be an employee for the purposes of the Government Employees Compensation Act and to be employed in the federal public administration for the purposes of any regulations made under section 9 of the Aeronautics Act.

  • Marginal note:Absence, incapacity or vacancy

    (5) If the Chief is absent or incapacitated or the office of Chief is vacant, the Minister may appoint another person to act as Chief, but must not appoint a person for a term of more than 90 days without the approval of the Governor in Council.

Marginal note:Chief’s powers, duties and functions

  • 9 (1) The Chief, under the direction of the Minister, has the management and control of the Establishment and all matters relating to it.

  • Marginal note:Rank of deputy head

    (2) The Chief has the rank and all the powers of a deputy head of a department.

  • Marginal note:Delegation by Chief

    (3) The Chief may delegate to any person any power, duty or function conferred on the Chief under this Act, except the power to delegate under this subsection.

Marginal note:Establishment’s powers, duties and functions

10 The powers, duties and functions of the Establishment may be exercised or performed by any person who is appointed to serve in the Establishment in a capacity appropriate to the exercise of the power or the performance of the duty or function.

Marginal note:Directions by Minister

  • 11 (1) The Minister may issue written directions to the Chief respecting the performance of the Chief’s duties and functions.

  • Marginal note:Statutory Instruments Act

    (2) Directions issued under subsection (1) are not statutory instruments within the meaning of the Statutory Instruments Act.

Human Resources

Marginal note:Personnel

  • 12 (1) The Chief has exclusive authority to

    • (a) appoint or lay off the Establishment’s employees, revoke their appointment or terminate their employment; and

    • (b) establish standards, procedures and processes governing staffing, including governing the appointment of employees, lay-off of employees, revocation of their appointment or termination of their employment otherwise than for cause.

  • Marginal note:Right of employer

    (2) Nothing in the Federal Public Sector Labour Relations Act is to be construed so as to affect the right or authority of the Chief to deal with the matters referred to in subsection (1).

Marginal note:Powers of the Chief

13 In exercising his or her authority under subsection 12(1), the Chief may

  • (a) determine the human resources requirements of the Establishment and provide for the allocation and effective utilization of human resources in the Establishment;

  • (b) provide for the classification of positions and of the Establishment’s employees;

  • (c) after consultation with the President of the Treasury Board, determine and regulate the pay to which the Establishment’s employees are entitled for services rendered, their hours of work and their leave and any related matters;

  • (d) after consultation with the President of the Treasury Board, determine and regulate the payments that may be made to the Establishment’s employees by way of reimbursement for travel or other expenses and by way of allowances in respect of expenses and conditions arising out of their employment;

  • (e) determine the learning, training and development requirements of the Establishment’s employees and fix the terms on which the learning, training and development may be carried out;

  • (f) provide for the awards that may be made to the Establishment’s employees for outstanding performance of their duties, for other meritorious achievement in relation to their duties or for inventions or practical suggestions for improvements;

  • (g) establish standards of discipline and set penalties, including termination of employment, suspension, demotion to a position at a lower maximum rate of pay and financial penalties;

  • (h) provide for the termination of employment, or the demotion to a position at a lower maximum rate of pay, of the Establishment’s employees for reasons other than breaches of discipline or misconduct;

  • (i) establish policies respecting the exercise of the powers granted by this section; and

  • (j) provide for any other matters, including terms and conditions of employment not otherwise specifically provided for in this section, that the Chief considers necessary for effective human resources management in the Establishment.

Marginal note:Negotiation of collective agreements

14 Before entering into collective bargaining with the bargaining agent for a bargaining unit composed of Establishment employees, the Chief must have the Establishment’s negotiating mandate approved by the President of the Treasury Board.

Mandate

Marginal note:Mandate

  • 15 (1) The Establishment is the national signals intelligence agency for foreign intelligence and the technical authority for cybersecurity and information assurance.

  • Marginal note:Aspects of the mandate

    (2) The Establishment’s mandate has five aspects: foreign intelligence, cybersecurity and information assurance, defensive cyber operations, active cyber operations and technical and operational assistance.

Marginal note:Foreign intelligence

16 The foreign intelligence aspect of the Establishment’s mandate is to acquire, covertly or otherwise, information from or through the global information infrastructure, including by engaging or interacting with foreign entities located outside Canada or by using any other method of acquiring information, and to use, analyse and disseminate the information for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities.

Marginal note:Cybersecurity and information assurance

17 The cybersecurity and information assurance aspect of the Establishment’s mandate is to

  • (a) provide advice, guidance and services to help protect

    • (i) federal institutions’ electronic information and information infrastructures, and

    • (ii) electronic information and information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada; and

  • (b) acquire, use and analyse information from the global information infrastructure or from other sources in order to provide such advice, guidance and services.

Marginal note:Defensive cyber operations

18 The defensive cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to help protect

  • (a) federal institutions’ electronic information and information infrastructures; and

  • (b) electronic information and information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada.

Marginal note:Active cyber operations

19 The active cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.

Marginal note:Technical and operational assistance

20 The technical and operational assistance aspect of the Establishment’s mandate is to provide technical and operational assistance to federal law enforcement and security agencies, the Canadian Forces and the Department of National Defence.

Marginal note:Designation

  • 21 (1) The Minister may, by order, designate any electronic information, any information infrastructures or any class of electronic information or information infrastructures as electronic information or information infrastructures — as the case may be — of importance to the Government of Canada.

  • Marginal note:Statutory Instruments Act

    (2) An order made under subsection (1) is not a statutory instrument within the meaning of the Statutory Instruments Act.

Activities

Marginal note:No activities — Canadians and persons in Canada

  • 22 (1) Activities carried out by the Establishment in furtherance of the foreign intelligence, cybersecurity and information assurance, defensive cyber operations or active cyber operations aspects of its mandate must not be directed at a Canadian or at any person in Canada and must not infringe the Canadian Charter of Rights and Freedoms.

  • Marginal note:No activities — global information infrastructure in Canada or without authorization

    (2) Activities carried out by the Establishment in furtherance of the defensive cyber operations or active cyber operations aspects of its mandate

    • (a) must not be directed at any portion of the global information infrastructure that is in Canada; and

    • (b) must not be carried out except under an authorization issued under subsection 29(1) or 30(1).

  • Marginal note:Contravention of other Acts — foreign intelligence

    (3) Activities carried out by the Establishment in furtherance of the foreign intelligence aspect of its mandate must not contravene any other Act of Parliament — or involve the acquisition by the Establishment of information from or through the global information infrastructure that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada — unless they are carried out under an authorization issued under subsection 26(1) or 40(1).

  • Marginal note:Contravention of other Acts — cybersecurity and information assurance

    (4) Activities carried out by the Establishment in furtherance of the cybersecurity and information assurance aspect of its mandate must not contravene any other Act of Parliament — or involve the acquisition by the Establishment of information from the global information infrastructure that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada — unless they are carried out under an authorization issued under subsection 27(1) or (2) or 40(1).

Marginal note:Establishment’s activities

  • 23 (1) Despite subsections 22(1) and (2), the Establishment may carry out any of the following activities in furtherance of its mandate:

    • (a) acquiring, using, analysing, retaining or disclosing publicly available information;

    • (b) acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cybersecurity and information assurance activities on the infrastructure from which the information was acquired; and

    • (c) testing or evaluating products, software and systems, including testing or evaluating them for vulnerabilities.

  • Marginal note:Investment Canada Act

    (2) Despite subsection 22(1), in furtherance of its mandate the Establishment may analyse information for the purpose of providing advice to the Minister of Public Safety and Emergency Preparedness and to the Minister responsible for the administration of the Investment Canada Act with regard to that latter Minister’s powers and duties under Part IV.1 of that Act.

  • Marginal note:Cybersecurity and information assurance

    (3) Despite subsection 22(1), the Establishment may carry out any of the following activities in furtherance of the cybersecurity and information assurance aspect of its mandate:

    • (a) carrying out activities on information infrastructures to identify or isolate malicious software, prevent malicious software from harming those information infrastructures or mitigate any harm that malicious software causes to them; and

    • (b) analysing information in order to be able to provide advice on the integrity of supply chains and on the trustworthiness of telecommunications, equipment and services.

  • Marginal note:Information acquired incidentally

    (4) The Establishment may acquire information relating to a Canadian or a person in Canada incidentally in the course of carrying out activities under an authorization issued under subsection 26(1), 27(1) or (2) or 40(1).

  • Marginal note:Definitions

    (5) The following definitions apply in this section.

    incidentally

    incidentally, with respect to the acquisition of information, means that the information acquired was not itself deliberately sought and that the information-acquisition activity was not directed at the Canadian or person in Canada. (incidemment)

    infrastructure information

    infrastructure information means information relating to

    • (a) any functional component, physical or logical, of the global information infrastructure; or

    • (b) events that occur during the interaction between two or more devices that provide services on a network — not including end-point devices that are linked to individual users — or between an individual and a machine, if the interaction is about only a functional component of the global information infrastructure.

    It does not include information that could be linked to an identifiable person. (information sur l’infrastructure)

Marginal note:Measures to protect privacy

24 The Establishment must ensure that measures are in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure of

  • (a) information related to them acquired in the course of the furtherance of the foreign intelligence and cybersecurity and information assurance aspects of the Establishment’s mandate; or

  • (b) publicly available information related to them acquired under paragraph 23(1)(a).

Marginal note:Technical and operational assistance activities

  • 25 (1) If the Establishment provides assistance in furtherance of the technical and operational assistance aspect of its mandate, then the Establishment, in the course of providing the assistance, has the same authority to carry out any activity as would have the federal law enforcement or security agency, the Canadian Forces or the Department of National Defence, as the case may be, if it were carrying out the activity, and is subject to any limitations imposed by law on the agency, the Canadian Forces or that Department, including requirements with respect to any applicable warrant.

  • Marginal note:Exemptions, protections and immunities

    (2) If the Establishment provides assistance in furtherance of the technical and operational assistance aspect of its mandate, then persons authorized to act on the Establishment’s behalf benefit from the same exemptions, protections and immunities as would persons authorized to act on behalf of the federal law enforcement or security agency, the Canadian Forces or the Department of National Defence, as the case may be, if those persons were carrying out the activity.

Authorizations

Foreign Intelligence and Cybersecurity Authorizations

Marginal note:Foreign Intelligence Authorizations

  • 26 (1) The Minister may issue a Foreign Intelligence Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the foreign intelligence aspect of its mandate.

  • Marginal note:Activities authorized

    (2) Activities and classes of activities that a Foreign Intelligence Authorization may authorize the Establishment to carry out may include any of the following:

    • (a) gaining access to a portion of the global information infrastructure;

    • (b) acquiring information on or through the global information infrastructure, including unselected information;

    • (c) installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;

    • (d) doing anything that is reasonably necessary to maintain the covert nature of the activity; and

    • (e) carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activity, authorized by the authorization.

Marginal note:Cybersecurity Authorizations — federal infrastructures

  • 27 (1) The Minister may issue a Cybersecurity Authorization to the Establishment that authorizes it, despite any other Act of Parliament, to, in the furtherance of the cybersecurity and information assurance aspect of its mandate, access a federal institution’s information infrastructure and acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure for the purpose of helping to protect it, in the circumstances described in paragraph 184(2)(e) of the Criminal Code, from mischief, unauthorized use or disruption.

  • Marginal note:Cybersecurity Authorizations — non-federal infrastructures

    (2) The Minister may issue a Cybersecurity Authorization to the Establishment that authorizes it, despite any other Act of Parliament, to, in the furtherance of the cybersecurity and information assurance aspect of its mandate, access an information infrastructure designated under subsection 21(1) as an information infrastructure of importance to the Government of Canada and acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure for the purpose of helping to protect it, in the circumstances described in paragraph 184(2)(e) of the Criminal Code, from mischief, unauthorized use or disruption.

Marginal note:Approval of Commissioner

  • 28 (1) An authorization issued under subsection 26(1) or 27(1) or (2) is valid when — if it is approved by the Commissioner under paragraph 20(1)(a) of the Intelligence Commissioner Act — the Commissioner provides the Minister with the written decision approving the authorization.

  • Marginal note:No activities until authorization valid

    (2) For greater certainty, no activity that is specified in an authorization issued under subsection 26(1) or 27(1) or (2) is authorized until the authorization is valid under subsection (1).

Cyber Operations Authorizations

Marginal note:Defensive Cyber Operations Authorizations

  • 29 (1) The Minister may issue a Defensive Cyber Operations Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the defensive cyber operations aspect of its mandate.

  • Marginal note:Minister of Foreign Affairs

    (2) The Minister may issue the authorization only if he or she has consulted the Minister of Foreign Affairs.

Marginal note:Active Cyber Operations Authorizations

  • 30 (1) The Minister may issue an Active Cyber Operations Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the active cyber operations aspect of its mandate.

  • Marginal note:Minister of Foreign Affairs

    (2) The Minister may issue the authorization only if the Minister of Foreign Affairs has requested the authorization’s issue or has consented to its issue.

  • Marginal note:Request or consent in writing

    (3) The request or consent of the Minister of Foreign Affairs may be oral, but in that case he or she must provide written confirmation of the request or consent to the Minister as soon as feasible.

Marginal note:Activities authorized

31 Activities and classes of activities that an authorization issued under subsection 29(1) or 30(1) may authorize the Establishment to carry out may include any of the following:

  • (a) gaining access to a portion of the global information infrastructure;

  • (b) installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;

  • (c) doing anything that is reasonably necessary to maintain the covert nature of the activity; and

  • (d) carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the authorization.

Marginal note:Prohibited conduct

  • 32 (1) In carrying out any activity under an authorization issued under subsection 29(1) or 30(1), the Establishment must not

    • (a) cause, intentionally or by criminal negligence, death or bodily harm to an individual; or

    • (b) wilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.

  • Marginal note:Definition of bodily harm

    (2) In subsection (1), bodily harm has the same meaning as in section 2 of the Criminal Code.

Procedure

Marginal note:Applications for authorizations

  • 33 (1) The Minister may issue an authorization under subsection 26(1), 27(1) or (2), 29(1) or 30(1) only on the written application of the Chief.

  • Marginal note:Contents of application

    (2) The application must set out the facts that would allow the Minister to conclude that there are reasonable grounds to believe that the authorization is necessary and that the conditions for issuing it are met.

  • Marginal note:Written request of infrastructure owner or operator

    (3) If the application is for an authorization to be issued under subsection 27(2), the application must include the written request of the owner or operator of the information infrastructure to the Establishment to carry out the activity that would be authorized.

  • Marginal note:Minister of Foreign Affairs’ request or consent

    (4) If the application is for an authorization to be issued under subsection 30(1), the application must include the request or consent referred to in subsection 30(2) if it is in writing.

Marginal note:Conditions for authorizations

  • 34 (1) The Minister may issue an authorization under subsection 26(1), 27(1) or (2), 29(1) or 30(1) only if he or she concludes that there are reasonable grounds to believe that any activity that would be authorized by it is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities.

  • Marginal note:Conditions for authorizations — foreign intelligence

    (2) The Minister may issue an authorization under subsection 26(1) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — that

    • (a) any information acquired under the authorization could not reasonably be acquired by other means and will be retained for no longer than is reasonably necessary;

    • (b) any unselected information acquired under the authorization could not reasonably be acquired by other means, in the case of an authorization that authorizes the acquisition of unselected information; and

    • (c) the measures referred to in section 24 will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to international affairs, defence or security.

  • Marginal note:Conditions for authorizations — cybersecurity

    (3) The Minister may issue an authorization under subsection 27(1) or (2) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — that

    • (a) any information acquired under the authorization will be retained for no longer than is reasonably necessary;

    • (b) the consent of all persons whose information may be acquired could not reasonably be obtained, in the case of an authorization to be issued under subsection 27(1);

    • (c) any information acquired under the authorization is necessary to identify, isolate, prevent or mitigate harm to

      • (i) federal institutions’ electronic information or information infrastructures, in the case of an authorization to be issued under subsection 27(1), or

      • (ii) electronic information or information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada, in the case of an authorization to be issued under subsection 27(2); and

    • (d) the measures referred to in section 24 will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to identify, isolate, prevent or mitigate harm to

      • (i) federal institutions’ electronic information or information infrastructures, in the case of an authorization to be issued under subsection 27(1), or

      • (ii) electronic information or information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada, in the case of an authorization to be issued under subsection 27(2).

  • Marginal note:Conditions for authorizations — defensive and active cyber operations

    (4) The Minister may issue an authorization under subsection 29(1) or 30(1) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — that the objective of the cyber operation could not reasonably be achieved by other means and that no information will be acquired under the authorization except in accordance with an authorization issued under subsection 26(1) or 27(1) or (2) or 40(1).

Marginal note:Content of authorizations

35 An authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) must specify

  • (a) the activities or classes of activities that it authorizes the Establishment to carry out;

  • (b) the activities or classes of activities referred to in paragraph (a) that would otherwise be contrary to any other Act of Parliament;

  • (c) the persons or classes of persons who are authorized to carry out the activities or classes of activities referred to in paragraph (a);

  • (d) any terms, conditions or restrictions that the Minister considers advisable in the public interest, or advisable to ensure the reasonableness and proportionality of any activity authorized by the authorization;

  • (e) in the case of an authorization issued under subsection 26(1) or 27(1) or (2), any other terms, conditions or restrictions that the Minister considers advisable to protect the privacy of Canadians and of persons in Canada, including conditions to limit the use, analysis and retention of, access to, and the form and manner of disclosure of, information related to them;

  • (f) in the case of an authorization issued under subsection 26(1), whether the activities authorized include acquiring unselected information, and any terms, conditions or restrictions that the Minister considers advisable to limit the use, analysis and retention of, and access to, unselected information;

  • (g) the day on which the authorization is issued;

  • (h) the day on which the authorization expires; and

  • (i) anything else reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the authorization.

Marginal note:Period of validity of authorizations

  • 36 (1) An authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) may be valid for a period not exceeding one year.

  • Marginal note:Extension — foreign intelligence or cybersecurity

    (2) The Minister may extend the period of validity of an authorization issued under subsection 26(1) or 27(1) or (2) by up to a period not exceeding one year from the day referred to in paragraph 35(h).

  • Marginal note:No review by Commissioner

    (3) The Minister’s decision to extend a period of validity is not subject to review by the Commissioner under the Intelligence Commissioner Act.

  • Marginal note:Extension — authorization

    (4) The Minister must, as soon as feasible, notify the Commissioner of any extension of an authorization.

Repeal and Amendment

Marginal note:Significant change — Minister to be notified

  • 37 (1) If there is a significant change in any fact that was set out in the application for an authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1), the Chief must notify the Minister of the change as soon as feasible.

  • Marginal note:Commissioner notified

    (2) If the Minister concludes that the change in the fact is significant and the authorization was issued under subsection 26(1) or 27(1) or (2), the Minister must notify the Commissioner of his or her conclusion.

  • Marginal note:Review Agency notified

    (3) If the Minister concludes that the change in the fact is significant and the authorization was issued under subsection 29(1) or 30(1), the Minister must notify the Review Agency of his or her conclusion.

Marginal note:Repeal of authorization

38 The Minister may repeal an authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) at any time.

Marginal note:Amendment

  • 39 (1) The Minister may amend an authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) if the Minister concludes that there has been a significant change in any fact that was set out in the application for the authorization.

  • Marginal note:Conditions for amendment

    (2) The Minister may amend an authorization only if he or she concludes that there are reasonable grounds to believe that, taking into account the significant change,

    • (a) the conditions referred to in subsections 34(1) and (2) are met, in the case of an authorization issued under subsection 26(1);

    • (b) the conditions referred to in subsections 34(1) and (3) are met, in the case of an authorization issued under subsection 27(1) or (2); or

    • (c) the conditions referred to in subsections 34(1) and (4) are met, in the case of an authorization issued under subsection 29(1) or 30(1).

  • Marginal note:Amendment takes effect on approval — foreign intelligence and cybersecurity

    (3) An amended authorization issued under subsection 26(1) or 27(1) or (2) continues to be valid in its unamended form until — if the amendment is approved by the Commissioner under paragraph 20(1)(a) of the Intelligence Commissioner Act — the Commissioner provides the Minister with the written decision approving the amendment.

  • Marginal note:Activities under amended authorization — foreign intelligence and cybersecurity

    (4) For greater certainty, an activity that is specified in an amended authorization issued under subsection 26(1) or 27(1) or (2) in respect of which the Commissioner has provided the Minister with the written decision approving the amendment is authorized only to the extent that it is carried out in accordance with the authorization as amended.

  • Marginal note:Activities under amended authorization — cyber operations

    (5) For greater certainty, an activity that is specified in an amended authorization issued under subsection 29(1) or 30(1) is authorized only to the extent that it is carried out in accordance with the authorization as amended.

Emergency Authorizations

Marginal note:Emergency Authorizations

  • 40 (1) If the Minister concludes that there are reasonable grounds to believe that the conditions referred to in subsections 34(1) and (2) or 34(1) and (3) are met but that the time required to obtain the Commissioner’s approval would defeat the purpose of issuing an authorization under subsection 26(1) or 27(1) or (2), as the case may be, the Minister may issue a Foreign Intelligence Authorization that authorizes the Establishment to carry out any activity referred to in section 26, or a Cybersecurity Authorization that authorizes the Establishment to carry out any activity referred to in subsection 27(1) or (2).

  • Marginal note:No review by Commissioner

    (2) The Minister’s decision to issue the authorization is not subject to review by the Commissioner under the Intelligence Commissioner Act.

  • Marginal note:Applications for authorizations

    (3) Subsections 33(1) to (3) apply to an application for an authorization issued under subsection (1), except that

    • (a) the application may be made orally; and

    • (b) the application must set out the facts that would allow the Minister to conclude that there are reasonable grounds to believe that the time required to obtain the Commissioner’s approval would defeat the purpose of issuing an authorization under subsection 26(1) or 27(1) or (2).

  • Marginal note:Written request of infrastructure owner or operator

    (4) For greater certainty, even if an application is made orally for an authorization that authorizes the Establishment to carry out any activity referred to in subsection 27(2), the request of the owner or operator of the information infrastructure to the Establishment to carry out the activity must be in writing.

Marginal note:Commissioner and Review Agency notified

41 The Minister must notify the Commissioner and the Review Agency of any authorization issued under subsection 40(1) as soon as feasible after issuing it.

Marginal note:Period of validity of authorizations

42 An authorization issued under subsection 40(1) may be valid for a period not exceeding five days.

Disclosure of Information

Marginal note:Canadian identifying information

43 The Establishment may disclose, to persons or classes of persons designated under section 45, information that could be used to identify a Canadian or a person in Canada and that has been used, analysed or retained under an authorization issued under subsection 26(1) or 40(1), if the Establishment concludes that the disclosure is essential to international affairs, defence, security or cybersecurity.

Marginal note:Cybersecurity and information assurance

  • 44 (1) The Establishment may disclose, to persons or classes of persons designated under section 45, information relating to a Canadian or a person in Canada that has been acquired, used or analysed in the course of activities carried out under the cybersecurity and information assurance aspect of its mandate, if the Establishment concludes that the disclosure is necessary to help protect

    • (a) federal institutions’ electronic information and information infrastructures; or

    • (b) electronic information and information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada.

  • Marginal note:Private communications

    (2) Information disclosed under subsection (1) may include an intercepted private communication as well as the existence of an intercepted private communication.

  • Marginal note:Definition of private communication

    (3) In subsection (2), private communication has the same meaning as in section 183 of the Criminal Code.

Marginal note:Designated persons or classes of persons

45 The Minister may, by order, designate persons and classes of persons for the purposes of section 43 and subsection 44(1).

Marginal note:Urgent circumstances

  • 46 (1) The Establishment may use and analyse information relating to a Canadian or a person in Canada if it has reasonable grounds to believe that there is an imminent danger of death or serious bodily harm to any individual and that the information will be relevant to the imminent danger.

  • Marginal note:Urgent circumstances — disclosure

    (2) The Establishment may disclose the information to any appropriate person if its disclosure may help prevent the death or serious bodily harm.

  • Marginal note:Minister and Review Agency notified

    (3) If the Establishment uses or analyses information under subsection (1), or discloses information under subsection (2), the Chief must notify the Minister in writing as soon as feasible, and the Minister must notify the Review Agency.

General Rules About Authorizations

Marginal note:Power exercised personally

47 The Minister must personally exercise the powers that are set out in subsections 26(1), 27(1) and (2), 29(1), 30(1), 36(2), 39(1) and 40(1).

Marginal note:Authorizations provided to Commissioner

  • 48 (1) The Minister must provide a copy of each authorization issued under subsection 26(1) or 27(1) or (2), or amended under subsection 39(1), to the Commissioner after issuing it or amending it, as the case may be, for the purposes of the Commissioner’s review and approval under the Intelligence Commissioner Act.

  • Marginal note:Notice of authorization or amendment

    (2) The copy of the authorization constitutes notice of the authorization or amendment for the purposes of the calculation of the time limit referred to in paragraph 20(3)(b) of that Act.

Marginal note:No civil or criminal liability

49 No person who acts in accordance with an authorization issued under subsection 26(1), 27(1) or (2), 29(1), 30(1) or 40(1) or who aids, in good faith, a person who they believe on reasonable grounds is acting in accordance with such an authorization incurs any criminal or civil liability for anything reasonably done further to the authorization.

Marginal note:Exclusion of Part VI of Criminal Code

50 Part VI of the Criminal Code does not apply in relation to an interception of a communication under the authority of an authorization issued under subsection 26(1), 27(1) or (2), 29(1), 30(1) or 40(1) or in relation to a communication so intercepted.

Marginal note:Crown Liability and Proceedings Act

51 No action lies under section 18 of the Crown Liability and Proceedings Act in respect of

  • (a) the use or disclosure under this Act of any communication intercepted under the authority of an authorization issued under subsection 26(1), 27(1) or (2), 29(1), 30(1) or 40(1); or

  • (b) the disclosure under this Act of the existence of such a communication.

Marginal note:Report

  • 52 (1) Within 90 days after the last day of the period of validity of an authorization issued under subsection 26(1), 27(1) or (2), 29(1), 30(1) or 40(1), the Chief must provide a written report to the Minister on the outcome of the activities carried out under the authorization.

  • Marginal note:Copy of report to Commissioner and Review Agency

    (2) The Minister must provide the Commissioner and the Review Agency with a copy of a report on the outcome of the activities carried out under an authorization issued under subsection 26(1), 27(1) or (2) or 40(1).

  • Marginal note:Copy of report to Review Agency

    (3) The Minister must provide the Review Agency with a copy of a report on the outcome of the activities carried out under an authorization issued under subsection 29(1) or 30(1).

Marginal note:Statutory Instruments Act

53 Authorizations issued under subsection 26(1), 27(1) or (2), 29(1), 30(1) or 40(1) and orders made under section 45 are not statutory instruments within the meaning of the Statutory Instruments Act.

Arrangements

Marginal note:Arrangements

  • 54 (1) The Establishment may enter into arrangements with entities that have powers and duties similar to the Establishment’s — including entities that are institutions of foreign states or that are international organizations of states or institutions of those organizations — for the purposes of the furtherance of its mandate, including for the purposes of sharing information with them or otherwise cooperating with them.

  • Marginal note:Approval of Minister after consultation

    (2) However, the Establishment may enter into an arrangement with institutions of foreign states, international organizations of states or institutions of those organizations only with the Minister’s approval, after the Minister has consulted the Minister of Foreign Affairs.

General

Marginal note:Prohibition on disclosure

  • 55 (1) It is prohibited, in a proceeding before a court, person or body with jurisdiction to compel the production of information, to disclose the identity of a person or entity that has assisted or is assisting the Establishment on a confidential basis, or any information from which the identity of such a person or entity could be inferred.

  • Marginal note:Exceptions

    (2) Subsection (1) does not apply when

    • (a) the information or identity is disclosed by the person or entity to their solicitor or, in Quebec, advocate in connection with a proceeding, if the information is relevant to that proceeding;

    • (b) the information or identity is disclosed to enable the Attorney General of Canada, a judge or a court hearing an appeal from, or a review of, an order of the judge to discharge their responsibilities under this section; or

    • (c) the information or identity is disclosed to the Commissioner or to the Review Agency.

  • Marginal note:Exception — consent

    (3) The identity of a person or entity that has assisted or is assisting the Establishment on a confidential basis, or any information from which the identity of such a person or entity could be inferred, may be disclosed in a proceeding referred to in subsection (1) if the person or entity and the Chief consent to the disclosure.

  • Marginal note:Application of other Acts

    (4) Sections 38 to 38.16 of the Canada Evidence Act, or sections 83 and 87 of the Immigration and Refugee Protection Act, as the case may be, apply to a proceeding referred to in subsection (1), with any necessary modifications.

  • Marginal note:Confidentiality — information

    (5) The judge must ensure the confidentiality of the following:

    • (a) the identity of any person or entity that has assisted or is assisting the Establishment on a confidential basis, and any information from which the identity of such a person or entity could be inferred; and

    • (b) information and other evidence provided in respect of an application under any provision referred to in subsection (4) if, in the judge’s opinion, its disclosure would be injurious to international relations, national defence or national security or would endanger the safety of any person.

  • Marginal note:Confidentiality — application

    (6) If, in the judge’s opinion, the disclosure of the fact that an application under any provision referred to in subsection (4) would result in the disclosure of an identity or information referred to in paragraph (5)(a), the judge must ensure the confidentiality of the application and all information related to it.

  • Marginal note:Order authorizing disclosure

    (7) The judge may, by order, authorize disclosure that the judge considers appropriate, subject to any conditions that the judge specifies, of the identity or information referred to in subsection (1) if, in the judge’s opinion,

    • (a) the person or entity is not a person or entity that has assisted or is assisting the Establishment on a confidential basis, or the information is not information from which the identity of such a person or entity could be inferred; or

    • (b) in the case of a proceeding that is a prosecution of an offence, the disclosure of the identity of a person or entity that has assisted or is assisting the Establishment on a confidential basis, or information from which the identity of such a person or entity could be inferred, is essential to establish the accused’s innocence and may be disclosed in the proceeding.

  • Marginal note:Order confirming prohibition

    (8) If the judge does not authorize disclosure under paragraph (7)(a) or (b), the judge must, by order, confirm the prohibition of disclosure.

  • Marginal note:When determination takes effect

    (9) An order of the judge that authorizes disclosure does not take effect until the time provided or granted to appeal the order has expired or, if the order is appealed, the time provided or granted to appeal a judgment of an appeal court that confirms the order has expired and no further appeal from a judgment that confirms the order is available.

  • Marginal note:Confidentiality on appeal

    (10) In the case of an appeal, subsections (5) and (6) apply, with any necessary modifications, to the court to which the appeal is taken.

  • Marginal note:Definition of judge

    (11) In this section, judge means the Chief Justice of the Federal Court or a judge of that Court designated by the Chief Justice to conduct hearings under any Act of Parliament for the protection of information.

Marginal note:Assistance or disclosure of information — no presumptions

56 The provision of assistance or the disclosure of information by the Establishment under this Act does not create a presumption

  • (a) that the Establishment is conducting a joint investigation or decision-making process with the entity to which assistance is provided or information is disclosed and therefore has the same obligations, if any, as the entity to disclose or produce information for the purposes of a proceeding; or

  • (b) there has been a waiver of any privilege, or of any requirement to obtain consent, for the purposes of any other disclosure of that information either in a proceeding or to an entity that is not a federal institution.

Marginal note:Access to Information Act

57 For the purposes of the Access to Information Act, if any record, as defined in section 3 of that Act, of any other government institution, as defined in that section, or of any other organization is contained in or carried on the Establishment’s information infrastructure on behalf of that institution or organization, the record is not under the Establishment’s control.

Marginal note:Privacy Act

58 For the purposes of the Privacy Act, if any personal information, as defined in section 3 of that Act, of any other government institution, as defined in that section, or of any other organization is contained in or carried on the Establishment’s information infrastructure on behalf of that institution or organization, the personal information is not held by the Establishment and is not under the Establishment’s control.

Marginal note:Annual Report

59 The Establishment must, within three months after the end of each fiscal year, publish an annual report on its activities during that fiscal year.

Regulations

Marginal note:Regulations

60 The Governor in Council may, on the recommendation of the Minister, make regulations for carrying out the purposes and provisions of this Act, including regulations

  • (a) respecting the management and control of the Establishment, including security on and around the Establishment’s premises, access to its premises, the search of persons on or around its premises and the search and seizure of items on or around its premises;

  • (b) respecting the measures referred to in section 24 to protect the privacy of Canadians and of persons in Canada; and

  • (c) amending the definition of any term defined in section 2 or subsection 23(5) or 44(3) to respond, directly or indirectly, to any technological change.

 

Date modified: