Spy agency says it ‘improperly’ shared Canadians’ data with international partners

Canadian Intelligence Agency Improperly Shared Information with International Partners
Recently, one of Canada’s intelligence agencies, the Communications Security Establishment (CSE), admitted to “improperly” sharing information about Canadians with international partners. This disclosure came after the intelligence commissioner flagged the incident in his annual report to Parliament.
CSE spokesperson Janny Bender Asselin revealed that the agency had notified the defence minister about the incident, in which information was shared without Canadian information first being properly removed. The agency acknowledged that it had shared information with international partners between 2020 and 2023 without filtering out Canadian data obtained incidentally during the surveillance of foreign intelligence targets. However, CSE took immediate steps to contain the issue and sought assurances from the partners that the shared information was deleted.
The CSE plays a critical role in intercepting and analyzing foreign electronic communications, conducting cyber operations, and safeguarding the government’s networks and infrastructure from cyber threats. Asselin stated that the agency is continuously updating its policies and procedures to prevent similar incidents in the future.
Although the exact number of impacted Canadians and the countries involved were not disclosed due to operational security reasons, details of the incident were shared with the Intelligence Commissioner, Simon Noël. The commissioner’s role is to oversee and approve intelligence-gathering activities conducted by CSE and its counterpart, the Canadian Security Intelligence Service (CSIS).
CSE’s Oversight and Compliance
Before engaging in certain intelligence operations, CSE must obtain ministerial authorization from the defence minister to ensure legality and protection of Canadians’ privacy. The intelligence commissioner provides further oversight by reviewing and approving missions and ensuring compliance post-approval.
Noël’s report emphasized the importance of transparency in addressing the incident, and CSE is expected to include it in its upcoming annual report. While the individuals affected were not notified, CSE reported the incident to oversight bodies, including the Office of the Privacy Commissioner.
Matt Malone, director of the Canadian Internet Policy and Public Interest Clinic, expressed concerns about the incident’s implications for privacy protection in Canada. He highlighted the need for accountability and transparency in light of the reintroduction of the cybersecurity bill, Bill C-8.
Looking ahead, the information commissioner received 13 ministerial authorizations for review in 2024, indicating ongoing scrutiny of CSE and CSIS activities to uphold privacy standards and national security.