C-5914264-65-66-67-68Elizabeth II2015-2016-2017-2018-2019An Act to establish the Communications Security EstablishmentCommunications Security Establishment ActCommunications Security Establishment Act20198
16
20196
21
C-35.313, s. 762019[Enacted by section 76 of chapter 13 of the Statutes of Canada, 2019, in force August 1, 2019, see SI/2019-70.]PreambleWhereas the protection of Canada’s national security and of the security of Canadians is a fundamental responsibility of the Government of Canada;Whereas it is essential, to discharge that responsibility, for Canada to have a communications security establishment;And whereas it is important that the communications security establishment carry out its activities in accordance with the rule of law and in a manner that respects the Canadian Charter of Rights and Freedoms;Now, therefore, Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:Short TitleShort titleThis Act may be cited as the Communications Security Establishment Act.InterpretationDefinitionsThe following definitions apply in this Act.Canadian means a Canadian citizen, a permanent resident as defined in subsection 2(1) of the Immigration and Refugee Protection Act or a corporation incorporated or continued under the laws of Canada or a province. (Canadien)Chief means the Chief of the Establishment appointed under section 8. (chef)Commissioner means the Intelligence Commissioner appointed under subsection 4(1) of the Intelligence Commissioner Act. (commissaire)entity means a person, group, trust, partnership or fund or an unincorporated association or organization and includes a state or a political subdivision or agency of a state. (entité)Establishment means the Communications Security Establishment established under section 5. (Centre)federal institution includes any of the following institutions of Parliament or the Government of Canada:the Senate;the House of Commons;the Library of Parliament;the office of the Senate Ethics Officer, the office of the Conflict of Interest and Ethics Commissioner, the Parliamentary Protective Service and the office of the Parliamentary Budget Officer;any federal court;any board, commission, council, other body or other office established to perform a governmental function by or under an Act of Parliament, or by or under the authority of the Governor in Council;a department as defined in section 2 of the Financial Administration Act;a Crown corporation established by or under an Act of Parliament; andany other body that is specified by an Act of Parliament to be an agent of Her Majesty in right of Canada or to be subject to the direction of the Governor in Council or a federal minister. (institutions fédérales)foreign intelligence means information or intelligence about the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group, as they relate to international affairs, defence or security. (renseignement étranger)global information infrastructure includes electromagnetic emissions, any equipment producing such emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, that equipment, those systems or those networks. (infrastructure mondiale de l’information)Minister means the Minister of National Defence or, if another federal minister is designated under section 4, that minister. (ministre)publicly available information means information that has been published or broadcast for public consumption, is accessible to the public on the global information infrastructure or otherwise or is available to the public on request, by subscription or by purchase. It does not include information in respect of which a Canadian or a person in Canada has a reasonable expectation of privacy. (information accessible au public)Review Agency means the National Security and Intelligence Review Agency established under section 3 of the National Security and Intelligence Review Agency Act. (Office de surveillance)terrorist group has the same meaning as in subsection 83.01(1) of the Criminal Code. (groupe terroriste)unselected, with respect to information, means that the information is acquired, for technical or operational reasons, without the use of terms or criteria to identify information of foreign intelligence interest. (non sélectionnée)2019, c. 13, s. 76 “2”2019, c. 13, s. 91PrinciplePrincipleIt is in the public interest to ensure that the Establishment may effectively carry out its mandate in accordance with the rule of law and, to that end, to expressly recognize in law a justification for persons who are authorized to carry out activities under this Act to, in the course of carrying out those activities, commit acts or omissions that would otherwise constitute offences.Designation of MinisterMinisterThe Governor in Council may, by order, designate any federal minister to be the Minister referred to in this Act.Communications Security EstablishmentEstablishment and OrganizationEstablishment establishedThe Communications Security Establishment is established.Minister is responsibleThe Minister is responsible for the Establishment.Head officeThe head office of the Establishment is to be in the National Capital Region described in the schedule to the National Capital Act.Other officesThe Chief may, with the approval of the Minister, establish other offices elsewhere in Canada.Chief of the Communications Security EstablishmentAppointmentThe Governor in Council must appoint a Chief of the Communications Security Establishment to hold office during pleasure for a term not exceeding five years.ReappointmentThe Chief is eligible to be reappointed at the end of a term of office for a further term not exceeding five years.Salary and expensesThe Chief is to be paid the salary that is fixed by the Governor in Council and is entitled to payments for reasonable travel and living expenses incurred in the exercise of his or her powers or the performance of his or her duties and functions while absent from his or her ordinary place of work.CompensationThe Chief is deemed to be an employee for the purposes of the Government Employees Compensation Act and to be employed in the federal public administration for the purposes of any regulations made under section 9 of the Aeronautics Act.Absence, incapacity or vacancyIf the Chief is absent or incapacitated or the office of Chief is vacant, the Minister may appoint another person to act as Chief, but must not appoint a person for a term of more than 90 days without the approval of the Governor in Council.Chief’s powers, duties and functionsThe Chief, under the direction of the Minister, has the management and control of the Establishment and all matters relating to it.Rank of deputy headThe Chief has the rank and all the powers of a deputy head of a department.Delegation by ChiefThe Chief may delegate to any person any power, duty or function conferred on the Chief under this Act, except the power to delegate under this subsection.Establishment’s powers, duties and functionsThe powers, duties and functions of the Establishment may be exercised or performed by any person who is appointed to serve in the Establishment in a capacity appropriate to the exercise of the power or the performance of the duty or function.Directions by MinisterThe Minister may issue written directions to the Chief respecting the performance of the Chief’s duties and functions.Statutory Instruments ActDirections issued under subsection (1) are not statutory instruments within the meaning of the Statutory Instruments Act.Human ResourcesPersonnelThe Chief has exclusive authority toappoint or lay off the Establishment’s employees, revoke their appointment or terminate their employment; andestablish standards, procedures and processes governing staffing, including governing the appointment of employees, lay-off of employees, revocation of their appointment or termination of their employment otherwise than for cause.Right of employerNothing in the Federal Public Sector Labour Relations Act is to be construed so as to affect the right or authority of the Chief to deal with the matters referred to in subsection (1).Powers of the ChiefIn exercising his or her authority under subsection 12(1), the Chief maydetermine the human resources requirements of the Establishment and provide for the allocation and effective utilization of human resources in the Establishment;provide for the classification of positions and of the Establishment’s employees;after consultation with the President of the Treasury Board, determine and regulate the pay to which the Establishment’s employees are entitled for services rendered, their hours of work and their leave and any related matters;after consultation with the President of the Treasury Board, determine and regulate the payments that may be made to the Establishment’s employees by way of reimbursement for travel or other expenses and by way of allowances in respect of expenses and conditions arising out of their employment;determine the learning, training and development requirements of the Establishment’s employees and fix the terms on which the learning, training and development may be carried out;provide for the awards that may be made to the Establishment’s employees for outstanding performance of their duties, for other meritorious achievement in relation to their duties or for inventions or practical suggestions for improvements;establish standards of discipline and set penalties, including termination of employment, suspension, demotion to a position at a lower maximum rate of pay and financial penalties;provide for the termination of employment, or the demotion to a position at a lower maximum rate of pay, of the Establishment’s employees for reasons other than breaches of discipline or misconduct;establish policies respecting the exercise of the powers granted by this section; andprovide for any other matters, including terms and conditions of employment not otherwise specifically provided for in this section, that the Chief considers necessary for effective human resources management in the Establishment.Negotiation of collective agreementsBefore entering into collective bargaining with the bargaining agent for a bargaining unit composed of Establishment employees, the Chief must have the Establishment’s negotiating mandate approved by the President of the Treasury Board.MandateMandateThe Establishment is the national signals intelligence agency for foreign intelligence and the technical authority for cybersecurity and information assurance.Aspects of the mandateThe Establishment’s mandate has five aspects: foreign intelligence, cybersecurity and information assurance, defensive cyber operations, active cyber operations and technical and operational assistance.Foreign intelligenceThe foreign intelligence aspect of the Establishment’s mandate is to acquire, covertly or otherwise, information from or through the global information infrastructure, including by engaging or interacting with foreign entities located outside Canada or by using any other method of acquiring information, and to use, analyse and disseminate the information for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities.Cybersecurity and information assuranceThe cybersecurity and information assurance aspect of the Establishment’s mandate is toprovide advice, guidance and services to help protectfederal institutions’ electronic information and information infrastructures, andelectronic information and information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada; andacquire, use and analyse information from the global information infrastructure or from other sources in order to provide such advice, guidance and services.Defensive cyber operationsThe defensive cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to help protectfederal institutions’ electronic information and information infrastructures; andelectronic information and information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada.Active cyber operationsThe active cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.Technical and operational assistanceThe technical and operational assistance aspect of the Establishment’s mandate is to provide technical and operational assistance to federal law enforcement and security agencies, the Canadian Forces and the Department of National Defence.DesignationThe Minister may, by order, designate any electronic information, any information infrastructures or any class of electronic information or information infrastructures as electronic information or information infrastructures — as the case may be — of importance to the Government of Canada.Statutory Instruments ActAn order made under subsection (1) is not a statutory instrument within the meaning of the Statutory Instruments Act.ActivitiesNo activities — Canadians and persons in CanadaActivities carried out by the Establishment in furtherance of the foreign intelligence, cybersecurity and information assurance, defensive cyber operations or active cyber operations aspects of its mandate must not be directed at a Canadian or at any person in Canada and must not infringe the Canadian Charter of Rights and Freedoms.No activities — global information infrastructure in Canada or without authorizationActivities carried out by the Establishment in furtherance of the defensive cyber operations or active cyber operations aspects of its mandatemust not be directed at any portion of the global information infrastructure that is in Canada; andmust not be carried out except under an authorization issued under subsection 29(1) or 30(1).Contravention of other Acts — foreign intelligenceActivities carried out by the Establishment in furtherance of the foreign intelligence aspect of its mandate must not contravene any other Act of Parliament — or involve the acquisition by the Establishment of information from or through the global information infrastructure that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada — unless they are carried out under an authorization issued under subsection 26(1) or 40(1).Contravention of other Acts — cybersecurity and information assuranceActivities carried out by the Establishment in furtherance of the cybersecurity and information assurance aspect of its mandate must not contravene any other Act of Parliament — or involve the acquisition by the Establishment of information from the global information infrastructure that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada — unless they are carried out under an authorization issued under subsection 27(1) or (2) or 40(1).Establishment’s activitiesDespite subsections 22(1) and (2), the Establishment may carry out any of the following activities in furtherance of its mandate:acquiring, using, analysing, retaining or disclosing publicly available information;acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cybersecurity and information assurance activities on the infrastructure from which the information was acquired; andtesting or evaluating products, software and systems, including testing or evaluating them for vulnerabilities.Investment Canada ActDespite subsection 22(1), in furtherance of its mandate the Establishment may analyse information for the purpose of providing advice to the Minister of Public Safety and Emergency Preparedness and to the Minister responsible for the administration of the Investment Canada Act with regard to that latter Minister’s powers and duties under Part IV.1 of that Act.Cybersecurity and information assuranceDespite subsection 22(1), the Establishment may carry out any of the following activities in furtherance of the cybersecurity and information assurance aspect of its mandate:carrying out activities on information infrastructures to identify or isolate malicious software, prevent malicious software from harming those information infrastructures or mitigate any harm that malicious software causes to them; andanalysing information in order to be able to provide advice on the integrity of supply chains and on the trustworthiness of telecommunications, equipment and services.Information acquired incidentallyThe Establishment may acquire information relating to a Canadian or a person in Canada incidentally in the course of carrying out activities under an authorization issued under subsection 26(1), 27(1) or (2) or 40(1).DefinitionsThe following definitions apply in this section.incidentally, with respect to the acquisition of information, means that the information acquired was not itself deliberately sought and that the information-acquisition activity was not directed at the Canadian or person in Canada. (incidemment)infrastructure information means information relating to any functional component, physical or logical, of the global information infrastructure; orevents that occur during the interaction between two or more devices that provide services on a network — not including end-point devices that are linked to individual users — or between an individual and a machine, if the interaction is about only a functional component of the global information infrastructure.It does not include information that could be linked to an identifiable person. (information sur l’infrastructure)Measures to protect privacyThe Establishment must ensure that measures are in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure ofinformation related to them acquired in the course of the furtherance of the foreign intelligence and cybersecurity and information assurance aspects of the Establishment’s mandate; orpublicly available information related to them acquired under paragraph 23(1)(a).Technical and operational assistance activitiesIf the Establishment provides assistance in furtherance of the technical and operational assistance aspect of its mandate, then the Establishment, in the course of providing the assistance, has the same authority to carry out any activity as would have the federal law enforcement or security agency, the Canadian Forces or the Department of National Defence, as the case may be, if it were carrying out the activity, and is subject to any limitations imposed by law on the agency, the Canadian Forces or that Department, including requirements with respect to any applicable warrant.Exemptions, protections and immunitiesIf the Establishment provides assistance in furtherance of the technical and operational assistance aspect of its mandate, then persons authorized to act on the Establishment’s behalf benefit from the same exemptions, protections and immunities as would persons authorized to act on behalf of the federal law enforcement or security agency, the Canadian Forces or the Department of National Defence, as the case may be, if those persons were carrying out the activity.AuthorizationsForeign Intelligence and Cybersecurity AuthorizationsForeign Intelligence AuthorizationsThe Minister may issue a Foreign Intelligence Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the foreign intelligence aspect of its mandate.Activities authorizedActivities and classes of activities that a Foreign Intelligence Authorization may authorize the Establishment to carry out may include any of the following:gaining access to a portion of the global information infrastructure;acquiring information on or through the global information infrastructure, including unselected information;installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;doing anything that is reasonably necessary to maintain the covert nature of the activity; andcarrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activity, authorized by the authorization.Cybersecurity Authorizations — federal infrastructuresThe Minister may issue a Cybersecurity Authorization to the Establishment that authorizes it, despite any other Act of Parliament, to, in the furtherance of the cybersecurity and information assurance aspect of its mandate, access a federal institution’s information infrastructure and acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure for the purpose of helping to protect it, in the circumstances described in paragraph 184(2)(e) of the Criminal Code, from mischief, unauthorized use or disruption.Cybersecurity Authorizations — non-federal infrastructuresThe Minister may issue a Cybersecurity Authorization to the Establishment that authorizes it, despite any other Act of Parliament, to, in the furtherance of the cybersecurity and information assurance aspect of its mandate, access an information infrastructure designated under subsection 21(1) as an information infrastructure of importance to the Government of Canada and acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure for the purpose of helping to protect it, in the circumstances described in paragraph 184(2)(e) of the Criminal Code, from mischief, unauthorized use or disruption.Approval of CommissionerAn authorization issued under subsection 26(1) or 27(1) or (2) is valid when — if it is approved by the Commissioner under paragraph 20(1)(a) of the Intelligence Commissioner Act — the Commissioner provides the Minister with the written decision approving the authorization.No activities until authorization validFor greater certainty, no activity that is specified in an authorization issued under subsection 26(1) or 27(1) or (2) is authorized until the authorization is valid under subsection (1).Cyber Operations AuthorizationsDefensive Cyber Operations AuthorizationsThe Minister may issue a Defensive Cyber Operations Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the defensive cyber operations aspect of its mandate.Minister of Foreign AffairsThe Minister may issue the authorization only if he or she has consulted the Minister of Foreign Affairs.Active Cyber Operations AuthorizationsThe Minister may issue an Active Cyber Operations Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the active cyber operations aspect of its mandate.Minister of Foreign AffairsThe Minister may issue the authorization only if the Minister of Foreign Affairs has requested the authorization’s issue or has consented to its issue.Request or consent in writingThe request or consent of the Minister of Foreign Affairs may be oral, but in that case he or she must provide written confirmation of the request or consent to the Minister as soon as feasible.Activities authorizedActivities and classes of activities that an authorization issued under subsection 29(1) or 30(1) may authorize the Establishment to carry out may include any of the following:gaining access to a portion of the global information infrastructure;installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;doing anything that is reasonably necessary to maintain the covert nature of the activity; andcarrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the authorization.Prohibited conductIn carrying out any activity under an authorization issued under subsection 29(1) or 30(1), the Establishment must notcause, intentionally or by criminal negligence, death or bodily harm to an individual; orwilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.Definition of bodily harmIn subsection (1), bodily harm has the same meaning as in section 2 of the Criminal Code.ProcedureApplications for authorizationsThe Minister may issue an authorization under subsection 26(1), 27(1) or (2), 29(1) or 30(1) only on the written application of the Chief.Contents of applicationThe application must set out the facts that would allow the Minister to conclude that there are reasonable grounds to believe that the authorization is necessary and that the conditions for issuing it are met.Written request of infrastructure owner or operatorIf the application is for an authorization to be issued under subsection 27(2), the application must include the written request of the owner or operator of the information infrastructure to the Establishment to carry out the activity that would be authorized.Minister of Foreign Affairs’ request or consentIf the application is for an authorization to be issued under subsection 30(1), the application must include the request or consent referred to in subsection 30(2) if it is in writing.Conditions for authorizationsThe Minister may issue an authorization under subsection 26(1), 27(1) or (2), 29(1) or 30(1) only if he or she concludes that there are reasonable grounds to believe that any activity that would be authorized by it is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities.Conditions for authorizations — foreign intelligenceThe Minister may issue an authorization under subsection 26(1) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — thatany information acquired under the authorization could not reasonably be acquired by other means and will be retained for no longer than is reasonably necessary;any unselected information acquired under the authorization could not reasonably be acquired by other means, in the case of an authorization that authorizes the acquisition of unselected information; andthe measures referred to in section 24 will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to international affairs, defence or security.Conditions for authorizations — cybersecurityThe Minister may issue an authorization under subsection 27(1) or (2) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — thatany information acquired under the authorization will be retained for no longer than is reasonably necessary;the consent of all persons whose information may be acquired could not reasonably be obtained, in the case of an authorization to be issued under subsection 27(1);any information acquired under the authorization is necessary to identify, isolate, prevent or mitigate harm tofederal institutions’ electronic information or information infrastructures, in the case of an authorization to be issued under subsection 27(1), orelectronic information or information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada, in the case of an authorization to be issued under subsection 27(2); andthe measures referred to in section 24 will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to identify, isolate, prevent or mitigate harm tofederal institutions’ electronic information or information infrastructures, in the case of an authorization to be issued under subsection 27(1), orelectronic information or information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada, in the case of an authorization to be issued under subsection 27(2).Conditions for authorizations — defensive and active cyber operationsThe Minister may issue an authorization under subsection 29(1) or 30(1) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — that the objective of the cyber operation could not reasonably be achieved by other means and that no information will be acquired under the authorization except in accordance with an authorization issued under subsection 26(1) or 27(1) or (2) or 40(1).Content of authorizationsAn authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) must specifythe activities or classes of activities that it authorizes the Establishment to carry out;the activities or classes of activities referred to in paragraph (a) that would otherwise be contrary to any other Act of Parliament;the persons or classes of persons who are authorized to carry out the activities or classes of activities referred to in paragraph (a);any terms, conditions or restrictions that the Minister considers advisable in the public interest, or advisable to ensure the reasonableness and proportionality of any activity authorized by the authorization;in the case of an authorization issued under subsection 26(1) or 27(1) or (2), any other terms, conditions or restrictions that the Minister considers advisable to protect the privacy of Canadians and of persons in Canada, including conditions to limit the use, analysis and retention of, access to, and the form and manner of disclosure of, information related to them;in the case of an authorization issued under subsection 26(1), whether the activities authorized include acquiring unselected information, and any terms, conditions or restrictions that the Minister considers advisable to limit the use, analysis and retention of, and access to, unselected information;the day on which the authorization is issued;the day on which the authorization expires; andanything else reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the authorization.Period of validity of authorizationsAn authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) may be valid for a period not exceeding one year.Extension — foreign intelligence or cybersecurityThe Minister may extend the period of validity of an authorization issued under subsection 26(1) or 27(1) or (2) by up to a period not exceeding one year from the day referred to in paragraph 35(h).No review by CommissionerThe Minister’s decision to extend a period of validity is not subject to review by the Commissioner under the Intelligence Commissioner Act.Extension — authorizationThe Minister must, as soon as feasible, notify the Commissioner of any extension of an authorization.Repeal and AmendmentSignificant change — Minister to be notifiedIf there is a significant change in any fact that was set out in the application for an authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1), the Chief must notify the Minister of the change as soon as feasible.Commissioner notifiedIf the Minister concludes that the change in the fact is significant and the authorization was issued under subsection 26(1) or 27(1) or (2), the Minister must notify the Commissioner of his or her conclusion.Review Agency notifiedIf the Minister concludes that the change in the fact is significant and the authorization was issued under subsection 29(1) or 30(1), the Minister must notify the Review Agency of his or her conclusion.Repeal of authorizationThe Minister may repeal an authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) at any time.AmendmentThe Minister may amend an authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) if the Minister concludes that there has been a significant change in any fact that was set out in the application for the authorization.Conditions for amendmentThe Minister may amend an authorization only if he or she concludes that there are reasonable grounds to believe that, taking into account the significant change,the conditions referred to in subsections 34(1) and (2) are met, in the case of an authorization issued under subsection 26(1);the conditions referred to in subsections 34(1) and (3) are met, in the case of an authorization issued under subsection 27(1) or (2); orthe conditions referred to in subsections 34(1) and (4) are met, in the case of an authorization issued under subsection 29(1) or 30(1).Amendment takes effect on approval — foreign intelligence and cybersecurityAn amended authorization issued under subsection 26(1) or 27(1) or (2) continues to be valid in its unamended form until — if the amendment is approved by the Commissioner under paragraph 20(1)(a) of the Intelligence Commissioner Act — the Commissioner provides the Minister with the written decision approving the amendment.Activities under amended authorization — foreign intelligence and cybersecurityFor greater certainty, an activity that is specified in an amended authorization issued under subsection 26(1) or 27(1) or (2) in respect of which the Commissioner has provided the Minister with the written decision approving the amendment is authorized only to the extent that it is carried out in accordance with the authorization as amended.Activities under amended authorization — cyber operationsFor greater certainty, an activity that is specified in an amended authorization issued under subsection 29(1) or 30(1) is authorized only to the extent that it is carried out in accordance with the authorization as amended.Emergency AuthorizationsEmergency AuthorizationsIf the Minister concludes that there are reasonable grounds to believe that the conditions referred to in subsections 34(1) and (2) or 34(1) and (3) are met but that the time required to obtain the Commissioner’s approval would defeat the purpose of issuing an authorization under subsection 26(1) or 27(1) or (2), as the case may be, the Minister may issue a Foreign Intelligence Authorization that authorizes the Establishment to carry out any activity referred to in section 26, or a Cybersecurity Authorization that authorizes the Establishment to carry out any activity referred to in subsection 27(1) or (2).No review by CommissionerThe Minister’s decision to issue the authorization is not subject to review by the Commissioner under the Intelligence Commissioner Act.Applications for authorizationsSubsections 33(1) to (3) apply to an application for an authorization issued under subsection (1), except thatthe application may be made orally; andthe application must set out the facts that would allow the Minister to conclude that there are reasonable grounds to believe that the time required to obtain the Commissioner’s approval would defeat the purpose of issuing an authorization under subsection 26(1) or 27(1) or (2).Written request of infrastructure owner or operatorFor greater certainty, even if an application is made orally for an authorization that authorizes the Establishment to carry out any activity referred to in subsection 27(2), the request of the owner or operator of the information infrastructure to the Establishment to carry out the activity must be in writing.Commissioner and Review Agency notifiedThe Minister must notify the Commissioner and the Review Agency of any authorization issued under subsection 40(1) as soon as feasible after issuing it.Period of validity of authorizationsAn authorization issued under subsection 40(1) may be valid for a period not exceeding five days.Disclosure of InformationCanadian identifying informationThe Establishment may disclose, to persons or classes of persons designated under section 45, information that could be used to identify a Canadian or a person in Canada and that has been used, analysed or retained under an authorization issued under subsection 26(1) or 40(1), if the Establishment concludes that the disclosure is essential to international affairs, defence, security or cybersecurity.Cybersecurity and information assuranceThe Establishment may disclose, to persons or classes of persons designated under section 45, information relating to a Canadian or a person in Canada that has been acquired, used or analysed in the course of activities carried out under the cybersecurity and information assurance aspect of its mandate, if the Establishment concludes that the disclosure is necessary to help protectfederal institutions’ electronic information and information infrastructures; orelectronic information and information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada.Private communicationsInformation disclosed under subsection (1) may include an intercepted private communication as well as the existence of an intercepted private communication.Definition of private communicationIn subsection (2), private communication has the same meaning as in section 183 of the Criminal Code.Designated persons or classes of personsThe Minister may, by order, designate persons and classes of persons for the purposes of section 43 and subsection 44(1).Urgent circumstancesThe Establishment may use and analyse information relating to a Canadian or a person in Canada if it has reasonable grounds to believe that there is an imminent danger of death or serious bodily harm to any individual and that the information will be relevant to the imminent danger.Urgent circumstances — disclosureThe Establishment may disclose the information to any appropriate person if its disclosure may help prevent the death or serious bodily harm.Minister and Review Agency notifiedIf the Establishment uses or analyses information under subsection (1), or discloses information under subsection (2), the Chief must notify the Minister in writing as soon as feasible, and the Minister must notify the Review Agency.General Rules About AuthorizationsPower exercised personallyThe Minister must personally exercise the powers that are set out in subsections 26(1), 27(1) and (2), 29(1), 30(1), 36(2), 39(1) and 40(1).Authorizations provided to CommissionerThe Minister must provide a copy of each authorization issued under subsection 26(1) or 27(1) or (2), or amended under subsection 39(1), to the Commissioner after issuing it or amending it, as the case may be, for the purposes of the Commissioner’s review and approval under the Intelligence Commissioner Act.Notice of authorization or amendmentThe copy of the authorization constitutes notice of the authorization or amendment for the purposes of the calculation of the time limit referred to in paragraph 20(3)(b) of that Act.No civil or criminal liabilityNo person who acts in accordance with an authorization issued under subsection 26(1), 27(1) or (2), 29(1), 30(1) or 40(1) or who aids, in good faith, a person who they believe on reasonable grounds is acting in accordance with such an authorization incurs any criminal or civil liability for anything reasonably done further to the authorization.Exclusion of Part VI of Criminal CodePart VI of the Criminal Code does not apply in relation to an interception of a communication under the authority of an authorization issued under subsection 26(1), 27(1) or (2), 29(1), 30(1) or 40(1) or in relation to a communication so intercepted.Crown Liability and Proceedings ActNo action lies under section 18 of the Crown Liability and Proceedings Act in respect ofthe use or disclosure under this Act of any communication intercepted under the authority of an authorization issued under subsection 26(1), 27(1) or (2), 29(1), 30(1) or 40(1); orthe disclosure under this Act of the existence of such a communication.ReportWithin 90 days after the last day of the period of validity of an authorization issued under subsection 26(1), 27(1) or (2), 29(1), 30(1) or 40(1), the Chief must provide a written report to the Minister on the outcome of the activities carried out under the authorization.Copy of report to Commissioner and Review AgencyThe Minister must provide the Commissioner and the Review Agency with a copy of a report on the outcome of the activities carried out under an authorization issued under subsection 26(1), 27(1) or (2) or 40(1).Copy of report to Review AgencyThe Minister must provide the Review Agency with a copy of a report on the outcome of the activities carried out under an authorization issued under subsection 29(1) or 30(1).Statutory Instruments ActAuthorizations issued under subsection 26(1), 27(1) or (2), 29(1), 30(1) or 40(1) and orders made under section 45 are not statutory instruments within the meaning of the Statutory Instruments Act.ArrangementsArrangementsThe Establishment may enter into arrangements with entities that have powers and duties similar to the Establishment’s — including entities that are institutions of foreign states or that are international organizations of states or institutions of those organizations — for the purposes of the furtherance of its mandate, including for the purposes of sharing information with them or otherwise cooperating with them.Approval of Minister after consultationHowever, the Establishment may enter into an arrangement with institutions of foreign states, international organizations of states or institutions of those organizations only with the Minister’s approval, after the Minister has consulted the Minister of Foreign Affairs.GeneralProhibition on disclosureIt is prohibited, in a proceeding before a court, person or body with jurisdiction to compel the production of information, to disclose the identity of a person or entity that has assisted or is assisting the Establishment on a confidential basis, or any information from which the identity of such a person or entity could be inferred.ExceptionsSubsection (1) does not apply whenthe information or identity is disclosed by the person or entity to their solicitor or, in Quebec, advocate in connection with a proceeding, if the information is relevant to that proceeding;the information or identity is disclosed to enable the Attorney General of Canada, a judge or a court hearing an appeal from, or a review of, an order of the judge to discharge their responsibilities under this section; orthe information or identity is disclosed to the Commissioner or to the Review Agency.Exception — consentThe identity of a person or entity that has assisted or is assisting the Establishment on a confidential basis, or any information from which the identity of such a person or entity could be inferred, may be disclosed in a proceeding referred to in subsection (1) if the person or entity and the Chief consent to the disclosure.Application of other ActsSections 38 to 38.16 of the Canada Evidence Act, or sections 83 and 87 of the Immigration and Refugee Protection Act, as the case may be, apply to a proceeding referred to in subsection (1), with any necessary modifications.Confidentiality — informationThe judge must ensure the confidentiality of the following:the identity of any person or entity that has assisted or is assisting the Establishment on a confidential basis, and any information from which the identity of such a person or entity could be inferred; andinformation and other evidence provided in respect of an application under any provision referred to in subsection (4) if, in the judge’s opinion, its disclosure would be injurious to international relations, national defence or national security or would endanger the safety of any person.Confidentiality — applicationIf, in the judge’s opinion, the disclosure of the fact that an application under any provision referred to in subsection (4) would result in the disclosure of an identity or information referred to in paragraph (5)(a), the judge must ensure the confidentiality of the application and all information related to it.Order authorizing disclosureThe judge may, by order, authorize disclosure that the judge considers appropriate, subject to any conditions that the judge specifies, of the identity or information referred to in subsection (1) if, in the judge’s opinion,the person or entity is not a person or entity that has assisted or is assisting the Establishment on a confidential basis, or the information is not information from which the identity of such a person or entity could be inferred; orin the case of a proceeding that is a prosecution of an offence, the disclosure of the identity of a person or entity that has assisted or is assisting the Establishment on a confidential basis, or information from which the identity of such a person or entity could be inferred, is essential to establish the accused’s innocence and may be disclosed in the proceeding.Order confirming prohibitionIf the judge does not authorize disclosure under paragraph (7)(a) or (b), the judge must, by order, confirm the prohibition of disclosure.When determination takes effectAn order of the judge that authorizes disclosure does not take effect until the time provided or granted to appeal the order has expired or, if the order is appealed, the time provided or granted to appeal a judgment of an appeal court that confirms the order has expired and no further appeal from a judgment that confirms the order is available.Confidentiality on appealIn the case of an appeal, subsections (5) and (6) apply, with any necessary modifications, to the court to which the appeal is taken.Definition of judgeIn this section, judge means the Chief Justice of the Federal Court or a judge of that Court designated by the Chief Justice to conduct hearings under any Act of Parliament for the protection of information.Assistance or disclosure of information — no presumptionsThe provision of assistance or the disclosure of information by the Establishment under this Act does not create a presumptionthat the Establishment is conducting a joint investigation or decision-making process with the entity to which assistance is provided or information is disclosed and therefore has the same obligations, if any, as the entity to disclose or produce information for the purposes of a proceeding; orthere has been a waiver of any privilege, or of any requirement to obtain consent, for the purposes of any other disclosure of that information either in a proceeding or to an entity that is not a federal institution.Access to Information ActFor the purposes of the Access to Information Act, if any record, as defined in section 3 of that Act, of any other government institution, as defined in that section, or of any other organization is contained in or carried on the Establishment’s information infrastructure on behalf of that institution or organization, the record is not under the Establishment’s control.Privacy ActFor the purposes of the Privacy Act, if any personal information, as defined in section 3 of that Act, of any other government institution, as defined in that section, or of any other organization is contained in or carried on the Establishment’s information infrastructure on behalf of that institution or organization, the personal information is not held by the Establishment and is not under the Establishment’s control.Annual ReportThe Establishment must, within three months after the end of each fiscal year, publish an annual report on its activities during that fiscal year.RegulationsRegulationsThe Governor in Council may, on the recommendation of the Minister, make regulations for carrying out the purposes and provisions of this Act, including regulationsrespecting the management and control of the Establishment, including security on and around the Establishment’s premises, access to its premises, the search of persons on or around its premises and the search and seizure of items on or around its premises;respecting the measures referred to in section 24 to protect the privacy of Canadians and of persons in Canada; andamending the definition of any term defined in section 2 or subsection 23(5) or 44(3) to respond, directly or indirectly, to any technological change.RELATED PROVISIONS
— 2019, c. 13, s. 77DefinitionsThe following definitions apply in sections 78 to 82.former department means the portion of the federal public administration known as the Communications Security Establishment. (ancien ministère)new department means the Communications Security Establishment as established by section 5 of the Communications Security Establishment Act. (nouveau ministère)
— 2019, c. 13, s. 78ChiefThe Chief of the Communications Security Establishment holding office immediately before the coming into force of section 76 continues in office for the remainder of the term for which he or she was appointed.EmployeesNothing in the Communications Security Establishment Act is to be construed as affecting the status of an employee who, immediately before the coming into force of section 76, occupied a position in the former department, except that the employee, on the coming into force of that section, occupies that position in the new department.
— 2019, c. 13, s. 79Transfer of appropriationsAny amount that is appropriated, for the fiscal year in which section 76 comes into force, by an appropriation Act based on the Estimates for that year for defraying the federal public administration’s charges and expenses for the former department that is unexpended on the day on which that section comes into force is deemed, on that day, to be an amount appropriated for defraying the federal public administration’s charges and expenses for the new department.Transfer of powers, duties and functionsIf a power, duty or function is vested in or exercisable by the former department’s Chief or an employee of the former department under any Act, order, rule, regulation or direction, or any contract, lease, licence or other document, that power, duty or function is vested in or is exercisable by the new department’s Chief or an employee of the new department.
— 2019, c. 13, s. 80Ministerial authorizationsAn authorization that was issued under subsection 273.65(1) or (3) of the National Defence Act before the day on which section 76 comes into force and is valid on that day continues to be valid for the period specified in it or, if it was renewed before that day, for the period specified in the renewal.RepealThe Minister may repeal an authorization referred to in subsection (1) at any time.
— 2019, c. 13, s. 81ArrangementsAny arrangement entered into by the former department before the day on which section 76 comes into force continues in accordance with its terms.
— 2019, c. 13, s. 82ReferencesA reference to the former department in any of the following is deemed to be a reference to the new department:Schedule I to the Access to Information Act under the heading “Other Government Institutions”;Schedules I.1, V and VI to the Financial Administration Act;the schedule to the Privacy Act under the heading “Other Government Institutions”;the schedule to the Security of Information Act;Schedule 3 to the Security of Canada Information Disclosure Act;the National Security and Intelligence Review Agency Act; andthe Intelligence Commissioner Act.Other referencesUnless the context requires otherwise, every reference to the former department in any Act of Parliament, other than an Act referred to in subsection (1), or in any order, regulation or other instrument made under an Act of Parliament is deemed to be a reference to the new department.Deputy headThe designation of a person as deputy head of the former department in any order of the Governor in Council made under section 55 of the National Security and Intelligence Review Agency Act is deemed to be a designation of the Chief of the new department as deputy head of that department.