Government of Canada / Gouvernement du Canada
Symbol of the Government of Canada

Search

Communications Security Establishment Act (S.C. 2019, c. 13, s. 76)

Act current to 2024-03-06 and last amended on 2019-08-01. Previous Versions

Activities

Marginal note:No activities — Canadians and persons in Canada

  •  (1) Activities carried out by the Establishment in furtherance of the foreign intelligence, cybersecurity and information assurance, defensive cyber operations or active cyber operations aspects of its mandate must not be directed at a Canadian or at any person in Canada and must not infringe the Canadian Charter of Rights and Freedoms.

  • Marginal note:No activities — global information infrastructure in Canada or without authorization

    (2) Activities carried out by the Establishment in furtherance of the defensive cyber operations or active cyber operations aspects of its mandate

    • (a) must not be directed at any portion of the global information infrastructure that is in Canada; and

    • (b) must not be carried out except under an authorization issued under subsection 29(1) or 30(1).

  • Marginal note:Contravention of other Acts — foreign intelligence

    (3) Activities carried out by the Establishment in furtherance of the foreign intelligence aspect of its mandate must not contravene any other Act of Parliament — or involve the acquisition by the Establishment of information from or through the global information infrastructure that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada — unless they are carried out under an authorization issued under subsection 26(1) or 40(1).

  • Marginal note:Contravention of other Acts — cybersecurity and information assurance

    (4) Activities carried out by the Establishment in furtherance of the cybersecurity and information assurance aspect of its mandate must not contravene any other Act of Parliament — or involve the acquisition by the Establishment of information from the global information infrastructure that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada — unless they are carried out under an authorization issued under subsection 27(1) or (2) or 40(1).

Marginal note:Establishment’s activities

  •  (1) Despite subsections 22(1) and (2), the Establishment may carry out any of the following activities in furtherance of its mandate:

    • (a) acquiring, using, analysing, retaining or disclosing publicly available information;

    • (b) acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cybersecurity and information assurance activities on the infrastructure from which the information was acquired; and

    • (c) testing or evaluating products, software and systems, including testing or evaluating them for vulnerabilities.

  • Marginal note:Investment Canada Act

    (2) Despite subsection 22(1), in furtherance of its mandate the Establishment may analyse information for the purpose of providing advice to the Minister of Public Safety and Emergency Preparedness and to the Minister responsible for the administration of the Investment Canada Act with regard to that latter Minister’s powers and duties under Part IV.1 of that Act.

  • Marginal note:Cybersecurity and information assurance

    (3) Despite subsection 22(1), the Establishment may carry out any of the following activities in furtherance of the cybersecurity and information assurance aspect of its mandate:

    • (a) carrying out activities on information infrastructures to identify or isolate malicious software, prevent malicious software from harming those information infrastructures or mitigate any harm that malicious software causes to them; and

    • (b) analysing information in order to be able to provide advice on the integrity of supply chains and on the trustworthiness of telecommunications, equipment and services.

  • Marginal note:Information acquired incidentally

    (4) The Establishment may acquire information relating to a Canadian or a person in Canada incidentally in the course of carrying out activities under an authorization issued under subsection 26(1), 27(1) or (2) or 40(1).

  • Marginal note:Definitions

    (5) The following definitions apply in this section.

    incidentally

    incidentally, with respect to the acquisition of information, means that the information acquired was not itself deliberately sought and that the information-acquisition activity was not directed at the Canadian or person in Canada. (incidemment)

    infrastructure information

    infrastructure information means information relating to

    • (a) any functional component, physical or logical, of the global information infrastructure; or

    • (b) events that occur during the interaction between two or more devices that provide services on a network — not including end-point devices that are linked to individual users — or between an individual and a machine, if the interaction is about only a functional component of the global information infrastructure.

    It does not include information that could be linked to an identifiable person. (information sur l’infrastructure)

Marginal note:Measures to protect privacy

 The Establishment must ensure that measures are in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure of

  • (a) information related to them acquired in the course of the furtherance of the foreign intelligence and cybersecurity and information assurance aspects of the Establishment’s mandate; or

  • (b) publicly available information related to them acquired under paragraph 23(1)(a).

Marginal note:Technical and operational assistance activities

  •  (1) If the Establishment provides assistance in furtherance of the technical and operational assistance aspect of its mandate, then the Establishment, in the course of providing the assistance, has the same authority to carry out any activity as would have the federal law enforcement or security agency, the Canadian Forces or the Department of National Defence, as the case may be, if it were carrying out the activity, and is subject to any limitations imposed by law on the agency, the Canadian Forces or that Department, including requirements with respect to any applicable warrant.

  • Marginal note:Exemptions, protections and immunities

    (2) If the Establishment provides assistance in furtherance of the technical and operational assistance aspect of its mandate, then persons authorized to act on the Establishment’s behalf benefit from the same exemptions, protections and immunities as would persons authorized to act on behalf of the federal law enforcement or security agency, the Canadian Forces or the Department of National Defence, as the case may be, if those persons were carrying out the activity.

Authorizations

Foreign Intelligence and Cybersecurity Authorizations

Marginal note:Foreign Intelligence Authorizations

  •  (1) The Minister may issue a Foreign Intelligence Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the foreign intelligence aspect of its mandate.

  • Marginal note:Activities authorized

    (2) Activities and classes of activities that a Foreign Intelligence Authorization may authorize the Establishment to carry out may include any of the following:

    • (a) gaining access to a portion of the global information infrastructure;

    • (b) acquiring information on or through the global information infrastructure, including unselected information;

    • (c) installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;

    • (d) doing anything that is reasonably necessary to maintain the covert nature of the activity; and

    • (e) carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activity, authorized by the authorization.

Marginal note:Cybersecurity Authorizations — federal infrastructures

  •  (1) The Minister may issue a Cybersecurity Authorization to the Establishment that authorizes it, despite any other Act of Parliament, to, in the furtherance of the cybersecurity and information assurance aspect of its mandate, access a federal institution’s information infrastructure and acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure for the purpose of helping to protect it, in the circumstances described in paragraph 184(2)(e) of the Criminal Code, from mischief, unauthorized use or disruption.

  • Marginal note:Cybersecurity Authorizations — non-federal infrastructures

    (2) The Minister may issue a Cybersecurity Authorization to the Establishment that authorizes it, despite any other Act of Parliament, to, in the furtherance of the cybersecurity and information assurance aspect of its mandate, access an information infrastructure designated under subsection 21(1) as an information infrastructure of importance to the Government of Canada and acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure for the purpose of helping to protect it, in the circumstances described in paragraph 184(2)(e) of the Criminal Code, from mischief, unauthorized use or disruption.

Marginal note:Approval of Commissioner

  •  (1) An authorization issued under subsection 26(1) or 27(1) or (2) is valid when — if it is approved by the Commissioner under paragraph 20(1)(a) of the Intelligence Commissioner Act — the Commissioner provides the Minister with the written decision approving the authorization.

  • Marginal note:No activities until authorization valid

    (2) For greater certainty, no activity that is specified in an authorization issued under subsection 26(1) or 27(1) or (2) is authorized until the authorization is valid under subsection (1).

Cyber Operations Authorizations

Marginal note:Defensive Cyber Operations Authorizations

  •  (1) The Minister may issue a Defensive Cyber Operations Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the defensive cyber operations aspect of its mandate.

  • Marginal note:Minister of Foreign Affairs

    (2) The Minister may issue the authorization only if he or she has consulted the Minister of Foreign Affairs.

Marginal note:Active Cyber Operations Authorizations

  •  (1) The Minister may issue an Active Cyber Operations Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the active cyber operations aspect of its mandate.

  • Marginal note:Minister of Foreign Affairs

    (2) The Minister may issue the authorization only if the Minister of Foreign Affairs has requested the authorization’s issue or has consented to its issue.

  • Marginal note:Request or consent in writing

    (3) The request or consent of the Minister of Foreign Affairs may be oral, but in that case he or she must provide written confirmation of the request or consent to the Minister as soon as feasible.

Marginal note:Activities authorized

 Activities and classes of activities that an authorization issued under subsection 29(1) or 30(1) may authorize the Establishment to carry out may include any of the following:

  • (a) gaining access to a portion of the global information infrastructure;

  • (b) installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;

  • (c) doing anything that is reasonably necessary to maintain the covert nature of the activity; and

  • (d) carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the authorization.

Marginal note:Prohibited conduct

  •  (1) In carrying out any activity under an authorization issued under subsection 29(1) or 30(1), the Establishment must not

    • (a) cause, intentionally or by criminal negligence, death or bodily harm to an individual; or

    • (b) wilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.

  • Marginal note:Definition of bodily harm

    (2) In subsection (1), bodily harm has the same meaning as in section 2 of the Criminal Code.

Procedure

Marginal note:Applications for authorizations

  •  (1) The Minister may issue an authorization under subsection 26(1), 27(1) or (2), 29(1) or 30(1) only on the written application of the Chief.

  • Marginal note:Contents of application

    (2) The application must set out the facts that would allow the Minister to conclude that there are reasonable grounds to believe that the authorization is necessary and that the conditions for issuing it are met.

  • Marginal note:Written request of infrastructure owner or operator

    (3) If the application is for an authorization to be issued under subsection 27(2), the application must include the written request of the owner or operator of the information infrastructure to the Establishment to carry out the activity that would be authorized.

  • Marginal note:Minister of Foreign Affairs’ request or consent

    (4) If the application is for an authorization to be issued under subsection 30(1), the application must include the request or consent referred to in subsection 30(2) if it is in writing.

Marginal note:Conditions for authorizations

  •  (1) The Minister may issue an authorization under subsection 26(1), 27(1) or (2), 29(1) or 30(1) only if he or she concludes that there are reasonable grounds to believe that any activity that would be authorized by it is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities.

  • Marginal note:Conditions for authorizations — foreign intelligence

    (2) The Minister may issue an authorization under subsection 26(1) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — that

    • (a) any information acquired under the authorization could not reasonably be acquired by other means and will be retained for no longer than is reasonably necessary;

    • (b) any unselected information acquired under the authorization could not reasonably be acquired by other means, in the case of an authorization that authorizes the acquisition of unselected information; and

    • (c) the measures referred to in section 24 will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to international affairs, defence or security.

  • Marginal note:Conditions for authorizations — cybersecurity

    (3) The Minister may issue an authorization under subsection 27(1) or (2) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — that

    • (a) any information acquired under the authorization will be retained for no longer than is reasonably necessary;

    • (b) the consent of all persons whose information may be acquired could not reasonably be obtained, in the case of an authorization to be issued under subsection 27(1);

    • (c) any information acquired under the authorization is necessary to identify, isolate, prevent or mitigate harm to

      • (i) federal institutions’ electronic information or information infrastructures, in the case of an authorization to be issued under subsection 27(1), or

      • (ii) electronic information or information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada, in the case of an authorization to be issued under subsection 27(2); and

    • (d) the measures referred to in section 24 will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to identify, isolate, prevent or mitigate harm to

      • (i) federal institutions’ electronic information or information infrastructures, in the case of an authorization to be issued under subsection 27(1), or

      • (ii) electronic information or information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada, in the case of an authorization to be issued under subsection 27(2).

  • Marginal note:Conditions for authorizations — defensive and active cyber operations

    (4) The Minister may issue an authorization under subsection 29(1) or 30(1) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — that the objective of the cyber operation could not reasonably be achieved by other means and that no information will be acquired under the authorization except in accordance with an authorization issued under subsection 26(1) or 27(1) or (2) or 40(1).

 

Date modified: