Spy agency says it 'improperly' shared Canadians' data with international partners

Catharine Tunney · CBC News

· Posted: Jun 21, 2025 4:00 AM EDT | Last Updated: 9 minutes ago

One of Canada's quality agencies says it "improperly" shared accusation astir Canadians that it had obtained "incidentally" with planetary partners.

The Communications Security Establishment (CSE) shared immoderate details astir the incident aft the quality commissioner — the quasi-judicial presumption that reviews the cyber spy agency's activities — flagged the lawsuit successful his yearly study tabled successful Parliament earlier this week. 

CSE spokesperson Janny Bender Asselin told CBC News that past twelvemonth the bureau had to notify the defence minister "of an incidental wherever CSE improperly shared information."

"CSE identified an enactment where, betwixt 2020 and 2023, we shared immoderate accusation with planetary partners without decently removing Canadian accusation that had been acquired incidentally erstwhile targeting valid overseas quality targets," she said.

"CSE acted rapidly to incorporate the issue."

The CSE is considered 1 of Canada's intelligence crown jewels, liable for intercepting and analyzing foreign physics communications, launching cyber operations and defending the government's networks and captious infrastructure from attacks. 

Asselin said that included seeking assurances from CSE's trusted partners that the shared accusation was deleted.

"We proceed to update our policies and procedures to forestall reoccurrence," she said. 

CSE did not accidental however galore Canadians were impacted oregon to which countries the accusation was shared, citing operational security. 

Details were shared with Intelligence Commissioner Simon Noël, who raised it successful his precocious published report.

The commissioner is portion of the concatenation of support earlier CSE and its sister agency, the Canadian Security Intelligence Service (CSIS), tin spell up with definite intelligence-gathering and cybersecurity activities. 

CSE first needs to question permission from the curate of defence — known arsenic ministerial authorization — if the projected enactment would different interruption the instrumentality oregon perchance infringe connected the privateness interests of Canadians. 

Under the law, ministerial authorizations indispensable beryllium the activities are reasonable, indispensable and that measures are successful spot to support Canadians' privacy. 

The quality commissioner past provides a furniture of oversight and either signs disconnected connected the mission, approves with conditions oregon denies the petition outright.

Noël besides makes definite CSE remains compliant aft receiving the greenish airy and sticks to what was approved — which was not the lawsuit successful this information-sharing matter.

The commissioner's study doesn't see galore details, citing nationalist security. 

CSE says information shared betwixt 2020 and 2023

The lawsuit volition beryllium included successful CSE's own yearly report, which is expected later this month, said Asselin.

Noël's study said helium urged the quality bureau to beryllium arsenic transparent astir the incidental arsenic possible. 

It doesn't appear the individuals progressive were alerted, though CSE said it reported the incidental to its oversight and reappraisal bodies, including the Office of the Privacy Commissioner.

"The disclosure of this incidental involving CSE raises galore superior concerns," said Matt Malone, manager of the Canadian Internet Policy and Public Interest Clinic.

The University of Ottawa prof said the findings warrant galore of the fears raised by civilian nine groups astir the imaginable for inappropriate accusation successful the Liberal government's cybersecurity bill. The archetypal iteration of the measure died erstwhile the House prorogued earlier this year, and it was reintroduced by Prime Minister Mark Carney's authorities arsenic Bill C-8.

If passed, federally regulated industries would person to study cybersecurity incidents to CSE, meaning it would beryllium successful possession of much information.

"All of this bodes precise poorly for the authorities of privateness extortion successful Canada," Malone said. 

"Three of the 8 authorities bills introduced truthful acold successful this Parliament are highly privacy-corrosive."

In 2024, the accusation commissioner received 13 ministerial authorizations for reappraisal — 7 relating to CSE activities and six relating to CSIS activities. He approved the activities successful 11 authorizations, approved the activities with conditions successful 1 authorization and partially approved the activities successful the different authorization.