Skip to main content
PLITICAL
DATA

Communications Security Establishment Act

An Act to establish the Communications Security Establishment

Canada (Federal)· C-35.3· 279 sections· current to 2019-08-01In force
See how this Act changed View amendment graphOfficial consolidated text
Policy areas
Digital, Telecom & MediaJustice & the LawPublic Safety & SecurityDemocratic Institutions & Elections

Bills that amended this Act0

No published amendment links yet for this Act.

Sections279

  • 1Short title

    This Act may be cited as the Communications Security Establishment Act.

  • 2Definitions

    The following definitions apply in this Act.

  • 2[p2]

    Canadian means a Canadian citizen, a permanent resident as defined in subsection 2(1) of the Immigration and Refugee Protection Act or a corporation incorporated or continued under the laws of Canada or a province. (Canadien)

  • 2[p3]

    Chief means the Chief of the Establishment appointed under section 8. (chef)

  • 2[p4]

    Commissioner means the Intelligence Commissioner appointed under subsection 4(1) of the Intelligence Commissioner Act. (commissaire)

  • 2[p5]

    entity means a person, group, trust, partnership or fund or an unincorporated association or organization and includes a state or a political subdivision or agency of a state. (entité)

  • 2[p6]

    Establishment means the Communications Security Establishment established under section 5. (Centre)

  • 2[p7]

    federal institution includes any of the following institutions of Parliament or the Government of Canada:

  • 2[p7](a)

    the Senate;

  • 2[p7](b)

    the House of Commons;

  • 2[p7](c)

    the Library of Parliament;

  • 2[p7](d)

    the office of the Senate Ethics Officer, the office of the Conflict of Interest and Ethics Commissioner, the Parliamentary Protective Service and the office of the Parliamentary Budget Officer;

  • 2[p7](e)

    any federal court;

  • 2[p7](f)

    any board, commission, council, other body or other office established to perform a governmental function by or under an Act of Parliament, or by or under the authority of the Governor in Council;

  • 2[p7](g)

    a department as defined in section 2 of the Financial Administration Act;

  • 2[p7](h)

    a Crown corporation established by or under an Act of Parliament; and

  • 2[p7](i)

    any other body that is specified by an Act of Parliament to be an agent of Her Majesty in right of Canada or to be subject to the direction of the Governor in Council or a federal minister. (institutions fédérales)

  • 2[p17]

    foreign intelligence means information or intelligence about the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group, as they relate to international affairs, defence or security. (renseignement étranger)

  • 2[p18]

    global information infrastructure includes electromagnetic emissions, any equipment producing such emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, that equipment, those systems or those networks. (infrastructure mondiale de l’information)

  • 2[p19]

    Minister means the Minister of National Defence or, if another federal minister is designated under section 4, that minister. (ministre)

  • 2[p20]

    publicly available information means information that has been published or broadcast for public consumption, is accessible to the public on the global information infrastructure or otherwise or is available to the public on request, by subscription or by purchase. It does not include information in respect of which a Canadian or a person in Canada has a reasonable expectation of privacy. (information accessible au public)

  • 2[p21]

    Review Agency means the National Security and Intelligence Review Agency established under section 3 of the National Security and Intelligence Review Agency Act. (Office de surveillance)

  • 2[p22]

    terrorist group has the same meaning as in subsection 83.01(1) of the Criminal Code. (groupe terroriste)

  • 2[p23]

    unselected, with respect to information, means that the information is acquired, for technical or operational reasons, without the use of terms or criteria to identify information of foreign intelligence interest. (non sélectionnée)

  • 3Principle

    It is in the public interest to ensure that the Establishment may effectively carry out its mandate in accordance with the rule of law and, to that end, to expressly recognize in law a justification for persons who are authorized to carry out activities under this Act to, in the course of carrying out those activities, commit acts or omissions that would otherwise constitute offences.

  • 4Minister

    The Governor in Council may, by order, designate any federal minister to be the Minister referred to in this Act.

  • 5Establishment established

    The Communications Security Establishment is established.

  • 6Minister is responsible

    The Minister is responsible for the Establishment.

  • 7Head office
  • 7(1)

    The head office of the Establishment is to be in the National Capital Region described in the schedule to the National Capital Act.

  • 7(2)Other offices

    The Chief may, with the approval of the Minister, establish other offices elsewhere in Canada.

  • 8Appointment
  • 8(1)

    The Governor in Council must appoint a Chief of the Communications Security Establishment to hold office during pleasure for a term not exceeding five years.

  • 8(2)Reappointment

    The Chief is eligible to be reappointed at the end of a term of office for a further term not exceeding five years.

  • 8(3)Salary and expenses

    The Chief is to be paid the salary that is fixed by the Governor in Council and is entitled to payments for reasonable travel and living expenses incurred in the exercise of his or her powers or the performance of his or her duties and functions while absent from his or her ordinary place of work.

  • 8(4)Compensation

    The Chief is deemed to be an employee for the purposes of the Government Employees Compensation Act and to be employed in the federal public administration for the purposes of any regulations made under section 9 of the Aeronautics Act.

  • 8(5)Absence, incapacity or vacancy

    If the Chief is absent or incapacitated or the office of Chief is vacant, the Minister may appoint another person to act as Chief, but must not appoint a person for a term of more than 90 days without the approval of the Governor in Council.

  • 9Chief’s powers, duties and functions
  • 9(1)

    The Chief, under the direction of the Minister, has the management and control of the Establishment and all matters relating to it.

  • 9(2)Rank of deputy head

    The Chief has the rank and all the powers of a deputy head of a department.

  • 9(3)Delegation by Chief

    The Chief may delegate to any person any power, duty or function conferred on the Chief under this Act, except the power to delegate under this subsection.

  • 10Establishment’s powers, duties and functions

    The powers, duties and functions of the Establishment may be exercised or performed by any person who is appointed to serve in the Establishment in a capacity appropriate to the exercise of the power or the performance of the duty or function.

  • 11Directions by Minister
  • 11(1)

    The Minister may issue written directions to the Chief respecting the performance of the Chief’s duties and functions.

  • 11(2)Statutory Instruments Act

    Directions issued under subsection (1) are not statutory instruments within the meaning of the Statutory Instruments Act.

  • 12Personnel
  • 12(1)

    The Chief has exclusive authority to

  • 12(1)(a)

    appoint or lay off the Establishment’s employees, revoke their appointment or terminate their employment; and

  • 12(1)(b)

    establish standards, procedures and processes governing staffing, including governing the appointment of employees, lay-off of employees, revocation of their appointment or termination of their employment otherwise than for cause.

  • 12(2)Right of employer

    Nothing in the Federal Public Sector Labour Relations Act is to be construed so as to affect the right or authority of the Chief to deal with the matters referred to in subsection (1).

  • 13Powers of the Chief

    In exercising his or her authority under subsection 12(1), the Chief may

  • 13(a)

    determine the human resources requirements of the Establishment and provide for the allocation and effective utilization of human resources in the Establishment;

  • 13(b)

    provide for the classification of positions and of the Establishment’s employees;

  • 13(c)

    after consultation with the President of the Treasury Board, determine and regulate the pay to which the Establishment’s employees are entitled for services rendered, their hours of work and their leave and any related matters;

  • 13(d)

    after consultation with the President of the Treasury Board, determine and regulate the payments that may be made to the Establishment’s employees by way of reimbursement for travel or other expenses and by way of allowances in respect of expenses and conditions arising out of their employment;

  • 13(e)

    determine the learning, training and development requirements of the Establishment’s employees and fix the terms on which the learning, training and development may be carried out;

  • 13(f)

    provide for the awards that may be made to the Establishment’s employees for outstanding performance of their duties, for other meritorious achievement in relation to their duties or for inventions or practical suggestions for improvements;

  • 13(g)

    establish standards of discipline and set penalties, including termination of employment, suspension, demotion to a position at a lower maximum rate of pay and financial penalties;

  • 13(h)

    provide for the termination of employment, or the demotion to a position at a lower maximum rate of pay, of the Establishment’s employees for reasons other than breaches of discipline or misconduct;

  • 13(i)

    establish policies respecting the exercise of the powers granted by this section; and

  • 13(j)

    provide for any other matters, including terms and conditions of employment not otherwise specifically provided for in this section, that the Chief considers necessary for effective human resources management in the Establishment.

  • 14Negotiation of collective agreements

    Before entering into collective bargaining with the bargaining agent for a bargaining unit composed of Establishment employees, the Chief must have the Establishment’s negotiating mandate approved by the President of the Treasury Board.

  • 15Mandate
  • 15(1)

    The Establishment is the national signals intelligence agency for foreign intelligence and the technical authority for cybersecurity and information assurance.

  • 15(2)Aspects of the mandate

    The Establishment’s mandate has five aspects: foreign intelligence, cybersecurity and information assurance, defensive cyber operations, active cyber operations and technical and operational assistance.

  • 16Foreign intelligence

    The foreign intelligence aspect of the Establishment’s mandate is to acquire, covertly or otherwise, information from or through the global information infrastructure, including by engaging or interacting with foreign entities located outside Canada or by using any other method of acquiring information, and to use, analyse and disseminate the information for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities.

  • 17Cybersecurity and information assurance

    The cybersecurity and information assurance aspect of the Establishment’s mandate is to

  • 17(a)

    provide advice, guidance and services to help protect

  • 17(a)(i)

    federal institutions’ electronic information and information infrastructures, and

  • 17(a)(ii)

    electronic information and information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada; and

  • 17(b)

    acquire, use and analyse information from the global information infrastructure or from other sources in order to provide such advice, guidance and services.

  • 18Defensive cyber operations

    The defensive cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to help protect

  • 18(a)

    federal institutions’ electronic information and information infrastructures; and

  • 18(b)

    electronic information and information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada.

  • 19Active cyber operations

    The active cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.

  • 20Technical and operational assistance

    The technical and operational assistance aspect of the Establishment’s mandate is to provide technical and operational assistance to federal law enforcement and security agencies, the Canadian Forces and the Department of National Defence.

  • 21Designation
  • 21(1)

    The Minister may, by order, designate any electronic information, any information infrastructures or any class of electronic information or information infrastructures as electronic information or information infrastructures — as the case may be — of importance to the Government of Canada.

  • 21(2)Statutory Instruments Act

    An order made under subsection (1) is not a statutory instrument within the meaning of the Statutory Instruments Act.

  • 22No activities — Canadians and persons in Canada
  • 22(1)

    Activities carried out by the Establishment in furtherance of the foreign intelligence, cybersecurity and information assurance, defensive cyber operations or active cyber operations aspects of its mandate must not be directed at a Canadian or at any person in Canada and must not infringe the Canadian Charter of Rights and Freedoms.

  • 22(2)No activities — global information infrastructure in Canada or without authorization

    Activities carried out by the Establishment in furtherance of the defensive cyber operations or active cyber operations aspects of its mandate

  • 22(2)(a)

    must not be directed at any portion of the global information infrastructure that is in Canada; and

  • 22(2)(b)

    must not be carried out except under an authorization issued under subsection 29(1) or 30(1).

  • 22(3)Contravention of other Acts — foreign intelligence

    Activities carried out by the Establishment in furtherance of the foreign intelligence aspect of its mandate must not contravene any other Act of Parliament — or involve the acquisition by the Establishment of information from or through the global information infrastructure that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada — unless they are carried out under an authorization issued under subsection 26(1) or 40(1).

  • 22(4)Contravention of other Acts — cybersecurity and information assurance

    Activities carried out by the Establishment in furtherance of the cybersecurity and information assurance aspect of its mandate must not contravene any other Act of Parliament — or involve the acquisition by the Establishment of information from the global information infrastructure that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada — unless they are carried out under an authorization issued under subsection 27(1) or (2) or 40(1).

  • 23Establishment’s activities
  • 23(1)

    Despite subsections 22(1) and (2), the Establishment may carry out any of the following activities in furtherance of its mandate:

  • 23(1)(a)

    acquiring, using, analysing, retaining or disclosing publicly available information;

  • 23(1)(b)

    acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cybersecurity and information assurance activities on the infrastructure from which the information was acquired; and

  • 23(1)(c)

    testing or evaluating products, software and systems, including testing or evaluating them for vulnerabilities.

  • 23(2)Investment Canada Act

    Despite subsection 22(1), in furtherance of its mandate the Establishment may analyse information for the purpose of providing advice to the Minister of Public Safety and Emergency Preparedness and to the Minister responsible for the administration of the Investment Canada Act with regard to that latter Minister’s powers and duties under Part IV.1 of that Act.

  • 23(3)Cybersecurity and information assurance

    Despite subsection 22(1), the Establishment may carry out any of the following activities in furtherance of the cybersecurity and information assurance aspect of its mandate:

  • 23(3)(a)

    carrying out activities on information infrastructures to identify or isolate malicious software, prevent malicious software from harming those information infrastructures or mitigate any harm that malicious software causes to them; and

  • 23(3)(b)

    analysing information in order to be able to provide advice on the integrity of supply chains and on the trustworthiness of telecommunications, equipment and services.

  • 23(4)Information acquired incidentally

    The Establishment may acquire information relating to a Canadian or a person in Canada incidentally in the course of carrying out activities under an authorization issued under subsection 26(1), 27(1) or (2) or 40(1).

  • 23(5)Definitions

    The following definitions apply in this section.

  • 23(5)[p97]

    incidentally, with respect to the acquisition of information, means that the information acquired was not itself deliberately sought and that the information-acquisition activity was not directed at the Canadian or person in Canada. (incidemment)

  • 23(5)[p98]

    infrastructure information means information relating to It does not include information that could be linked to an identifiable person. (information sur l’infrastructure)

  • 23(5)[p98](a)

    any functional component, physical or logical, of the global information infrastructure; or

  • 23(5)[p98](b)

    events that occur during the interaction between two or more devices that provide services on a network — not including end-point devices that are linked to individual users — or between an individual and a machine, if the interaction is about only a functional component of the global information infrastructure.

  • 24Measures to protect privacy

    The Establishment must ensure that measures are in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure of

  • 24(a)

    information related to them acquired in the course of the furtherance of the foreign intelligence and cybersecurity and information assurance aspects of the Establishment’s mandate; or

  • 24(b)

    publicly available information related to them acquired under paragraph 23(1)(a).

  • 25Technical and operational assistance activities
  • 25(1)

    If the Establishment provides assistance in furtherance of the technical and operational assistance aspect of its mandate, then the Establishment, in the course of providing the assistance, has the same authority to carry out any activity as would have the federal law enforcement or security agency, the Canadian Forces or the Department of National Defence, as the case may be, if it were carrying out the activity, and is subject to any limitations imposed by law on the agency, the Canadian Forces or that Department, including requirements with respect to any applicable warrant.

  • 25(2)Exemptions, protections and immunities

    If the Establishment provides assistance in furtherance of the technical and operational assistance aspect of its mandate, then persons authorized to act on the Establishment’s behalf benefit from the same exemptions, protections and immunities as would persons authorized to act on behalf of the federal law enforcement or security agency, the Canadian Forces or the Department of National Defence, as the case may be, if those persons were carrying out the activity.

  • 26Foreign Intelligence Authorizations
  • 26(1)

    The Minister may issue a Foreign Intelligence Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the foreign intelligence aspect of its mandate.

  • 26(2)Activities authorized

    Activities and classes of activities that a Foreign Intelligence Authorization may authorize the Establishment to carry out may include any of the following:

  • 26(2)(a)

    gaining access to a portion of the global information infrastructure;

  • 26(2)(b)

    acquiring information on or through the global information infrastructure, including unselected information;

  • 26(2)(c)

    installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;

  • 26(2)(d)

    doing anything that is reasonably necessary to maintain the covert nature of the activity; and

  • 26(2)(e)

    carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activity, authorized by the authorization.

  • 27Cybersecurity Authorizations — federal infrastructures
  • 27(1)

    The Minister may issue a Cybersecurity Authorization to the Establishment that authorizes it, despite any other Act of Parliament, to, in the furtherance of the cybersecurity and information assurance aspect of its mandate, access a federal institution’s information infrastructure and acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure for the purpose of helping to protect it, in the circumstances described in paragraph 184(2)(e) of the Criminal Code, from mischief, unauthorized use or disruption.

  • 27(2)Cybersecurity Authorizations — non-federal infrastructures

    The Minister may issue a Cybersecurity Authorization to the Establishment that authorizes it, despite any other Act of Parliament, to, in the furtherance of the cybersecurity and information assurance aspect of its mandate, access an information infrastructure designated under subsection 21(1) as an information infrastructure of importance to the Government of Canada and acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure for the purpose of helping to protect it, in the circumstances described in paragraph 184(2)(e) of the Criminal Code, from mischief, unauthorized use or disruption.

  • 28Approval of Commissioner
  • 28(1)

    An authorization issued under subsection 26(1) or 27(1) or (2) is valid when — if it is approved by the Commissioner under paragraph 20(1)(a) of the Intelligence Commissioner Act — the Commissioner provides the Minister with the written decision approving the authorization.

  • 28(2)No activities until authorization valid

    For greater certainty, no activity that is specified in an authorization issued under subsection 26(1) or 27(1) or (2) is authorized until the authorization is valid under subsection (1).

  • 29Defensive Cyber Operations Authorizations
  • 29(1)

    The Minister may issue a Defensive Cyber Operations Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the defensive cyber operations aspect of its mandate.

  • 29(2)Minister of Foreign Affairs

    The Minister may issue the authorization only if he or she has consulted the Minister of Foreign Affairs.

  • 30Active Cyber Operations Authorizations
  • 30(1)

    The Minister may issue an Active Cyber Operations Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the active cyber operations aspect of its mandate.

  • 30(2)Minister of Foreign Affairs

    The Minister may issue the authorization only if the Minister of Foreign Affairs has requested the authorization’s issue or has consented to its issue.

  • 30(3)Request or consent in writing

    The request or consent of the Minister of Foreign Affairs may be oral, but in that case he or she must provide written confirmation of the request or consent to the Minister as soon as feasible.

  • 31Activities authorized

    Activities and classes of activities that an authorization issued under subsection 29(1) or 30(1) may authorize the Establishment to carry out may include any of the following:

  • 31(a)

    gaining access to a portion of the global information infrastructure;

  • 31(b)

    installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;

  • 31(c)

    doing anything that is reasonably necessary to maintain the covert nature of the activity; and

  • 31(d)

    carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the authorization.

  • 32Prohibited conduct
  • 32(1)

    In carrying out any activity under an authorization issued under subsection 29(1) or 30(1), the Establishment must not

  • 32(1)(a)

    cause, intentionally or by criminal negligence, death or bodily harm to an individual; or

  • 32(1)(b)

    wilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.

  • 32(2)Definition of bodily harm

    In subsection (1), bodily harm has the same meaning as in section 2 of the Criminal Code.

  • 33Applications for authorizations
  • 33(1)

    The Minister may issue an authorization under subsection 26(1), 27(1) or (2), 29(1) or 30(1) only on the written application of the Chief.

  • 33(2)Contents of application

    The application must set out the facts that would allow the Minister to conclude that there are reasonable grounds to believe that the authorization is necessary and that the conditions for issuing it are met.

  • 33(3)Written request of infrastructure owner or operator

    If the application is for an authorization to be issued under subsection 27(2), the application must include the written request of the owner or operator of the information infrastructure to the Establishment to carry out the activity that would be authorized.

  • 33(4)Minister of Foreign Affairs’ request or consent

    If the application is for an authorization to be issued under subsection 30(1), the application must include the request or consent referred to in subsection 30(2) if it is in writing.

  • 34Conditions for authorizations
  • 34(1)

    The Minister may issue an authorization under subsection 26(1), 27(1) or (2), 29(1) or 30(1) only if he or she concludes that there are reasonable grounds to believe that any activity that would be authorized by it is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities.

  • 34(2)Conditions for authorizations — foreign intelligence

    The Minister may issue an authorization under subsection 26(1) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — that

  • 34(2)(a)

    any information acquired under the authorization could not reasonably be acquired by other means and will be retained for no longer than is reasonably necessary;

  • 34(2)(b)

    any unselected information acquired under the authorization could not reasonably be acquired by other means, in the case of an authorization that authorizes the acquisition of unselected information; and

  • 34(2)(c)

    the measures referred to in section 24 will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to international affairs, defence or security.

  • 34(3)Conditions for authorizations — cybersecurity

    The Minister may issue an authorization under subsection 27(1) or (2) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — that

  • 34(3)(a)

    any information acquired under the authorization will be retained for no longer than is reasonably necessary;

  • 34(3)(b)

    the consent of all persons whose information may be acquired could not reasonably be obtained, in the case of an authorization to be issued under subsection 27(1);

  • 34(3)(c)

    any information acquired under the authorization is necessary to identify, isolate, prevent or mitigate harm to

  • 34(3)(c)(i)

    federal institutions’ electronic information or information infrastructures, in the case of an authorization to be issued under subsection 27(1), or

  • 34(3)(c)(ii)

    electronic information or information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada, in the case of an authorization to be issued under subsection 27(2); and

  • 34(3)(d)

    the measures referred to in section 24 will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to identify, isolate, prevent or mitigate harm to

  • 34(3)(d)(i)

    federal institutions’ electronic information or information infrastructures, in the case of an authorization to be issued under subsection 27(1), or

  • 34(3)(d)(ii)

    electronic information or information infrastructures designated under subsection 21(1) as being of importance to the Government of Canada, in the case of an authorization to be issued under subsection 27(2).

  • 34(4)Conditions for authorizations — defensive and active cyber operations

    The Minister may issue an authorization under subsection 29(1) or 30(1) only if he or she concludes that there are reasonable grounds to believe — in addition to the matters referred to in subsection (1) — that the objective of the cyber operation could not reasonably be achieved by other means and that no information will be acquired under the authorization except in accordance with an authorization issued under subsection 26(1) or 27(1) or (2) or 40(1).

  • 35Content of authorizations

    An authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) must specify

  • 35(a)

    the activities or classes of activities that it authorizes the Establishment to carry out;

  • 35(b)

    the activities or classes of activities referred to in paragraph (a) that would otherwise be contrary to any other Act of Parliament;

  • 35(c)

    the persons or classes of persons who are authorized to carry out the activities or classes of activities referred to in paragraph (a);

  • 35(d)

    any terms, conditions or restrictions that the Minister considers advisable in the public interest, or advisable to ensure the reasonableness and proportionality of any activity authorized by the authorization;

  • 35(e)

    in the case of an authorization issued under subsection 26(1) or 27(1) or (2), any other terms, conditions or restrictions that the Minister considers advisable to protect the privacy of Canadians and of persons in Canada, including conditions to limit the use, analysis and retention of, access to, and the form and manner of disclosure of, information related to them;

  • 35(f)

    in the case of an authorization issued under subsection 26(1), whether the activities authorized include acquiring unselected information, and any terms, conditions or restrictions that the Minister considers advisable to limit the use, analysis and retention of, and access to, unselected information;

  • 35(g)

    the day on which the authorization is issued;

  • 35(h)

    the day on which the authorization expires; and

  • 35(i)

    anything else reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the authorization.

  • 36Period of validity of authorizations
  • 36(1)

    An authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) may be valid for a period not exceeding one year.

  • 36(2)Extension — foreign intelligence or cybersecurity

    The Minister may extend the period of validity of an authorization issued under subsection 26(1) or 27(1) or (2) by up to a period not exceeding one year from the day referred to in paragraph 35(h).

  • 36(3)No review by Commissioner

    The Minister’s decision to extend a period of validity is not subject to review by the Commissioner under the Intelligence Commissioner Act.

  • 36(4)Extension — authorization

    The Minister must, as soon as feasible, notify the Commissioner of any extension of an authorization.

  • 37Significant change — Minister to be notified
  • 37(1)

    If there is a significant change in any fact that was set out in the application for an authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1), the Chief must notify the Minister of the change as soon as feasible.

  • 37(2)Commissioner notified

    If the Minister concludes that the change in the fact is significant and the authorization was issued under subsection 26(1) or 27(1) or (2), the Minister must notify the Commissioner of his or her conclusion.

  • 37(3)Review Agency notified

    If the Minister concludes that the change in the fact is significant and the authorization was issued under subsection 29(1) or 30(1), the Minister must notify the Review Agency of his or her conclusion.

  • 38Repeal of authorization

    The Minister may repeal an authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) at any time.

  • 39Amendment
  • 39(1)

    The Minister may amend an authorization issued under subsection 26(1), 27(1) or (2), 29(1) or 30(1) if the Minister concludes that there has been a significant change in any fact that was set out in the application for the authorization.

  • 39(2)Conditions for amendment

    The Minister may amend an authorization only if he or she concludes that there are reasonable grounds to believe that, taking into account the significant change,

  • 39(2)(a)

    the conditions referred to in subsections 34(1) and (2) are met, in the case of an authorization issued under subsection 26(1);

  • 39(2)(b)

    the conditions referred to in subsections 34(1) and (3) are met, in the case of an authorization issued under subsection 27(1) or (2); or

  • 39(2)(c)

    the conditions referred to in subsections 34(1) and (4) are met, in the case of an authorization issued under subsection 29(1) or 30(1).

  • 39(3)Amendment takes effect on approval — foreign intelligence and cybersecurity

    An amended authorization issued under subsection 26(1) or 27(1) or (2) continues to be valid in its unamended form until — if the amendment is approved by the Commissioner under paragraph 20(1)(a) of the Intelligence Commissioner Act — the Commissioner provides the Minister with the written decision approving the amendment.

  • 39(4)Activities under amended authorization — foreign intelligence and cybersecurity

    For greater certainty, an activity that is specified in an amended authorization issued under subsection 26(1) or 27(1) or (2) in respect of which the Commissioner has provided the Minister with the written decision approving the amendment is authorized only to the extent that it is carried out in accordance with the authorization as amended.

  • 39(5)Activities under amended authorization — cyber operations

    For greater certainty, an activity that is specified in an amended authorization issued under subsection 29(1) or 30(1) is authorized only to the extent that it is carried out in accordance with the authorization as amended.

  • 40Emergency Authorizations
  • 40(1)

    If the Minister concludes that there are reasonable grounds to believe that the conditions referred to in subsections 34(1) and (2) or 34(1) and (3) are met but that the time required to obtain the Commissioner’s approval would defeat the purpose of issuing an authorization under subsection 26(1) or 27(1) or (2), as the case may be, the Minister may issue a Foreign Intelligence Authorization that authorizes the Establishment to carry out any activity referred to in section 26, or a Cybersecurity Authorization that authorizes the Establishment to carry out any activity referred to in subsection 27(1) or (2).

  • 40(2)No review by Commissioner

    The Minister’s decision to issue the authorization is not subject to review by the Commissioner under the Intelligence Commissioner Act.

  • 40(3)Applications for authorizations

    Subsections 33(1) to (3) apply to an application for an authorization issued under subsection (1), except that

  • 40(3)(a)

    the application may be made orally; and

  • 40(3)(b)

    the application must set out the facts that would allow the Minister to conclude that there are reasonable grounds to believe that the time required to obtain the Commissioner’s approval would defeat the purpose of issuing an authorization under subsection 26(1) or 27(1) or (2).

  • 40(4)Written request of infrastructure owner or operator

    For greater certainty, even if an application is made orally for an authorization that authorizes the Establishment to carry out any activity referred to in subsection 27(2), the request of the owner or operator of the information infrastructure to the Establishment to carry out the activity must be in writing.

  • 41Commissioner and Review Agency notified

    The Minister must notify the Commissioner and the Review Agency of any authorization issued under subsection 40(1) as soon as feasible after issuing it.

  • 42Period of validity of authorizations

    An authorization issued under subsection 40(1) may be valid for a period not exceeding five days.

  • 43Canadian identifying information

    The Establishment may disclose, to persons or classes of persons designated under section 45, information that could be used to identify a Canadian or a person in Canada and that has been used, analysed or retained under an authorization issued under subsection 26(1) or 40(1), if the Establishment concludes that the disclosure is essential to international affairs, defence, security or cybersecurity.

  • 44Cybersecurity and information assurance
  • 44(1)

    The Establishment may disclose, to persons or classes of persons designated under section 45, information relating to a Canadian or a person in Canada that has been acquired, used or analysed in the course of activities carried out under the cybersecurity and information assurance aspect of its mandate, if the Establishment concludes that the disclosure is necessary to help protect