This is a third quick posting on some of issues I have been wondering about in the CSE Act, proposed by bill C-59. I have not reviewed all the submissions to the Commons national security committee (which have been often excellent and thoughtful). But I am not aware of any discussion so far on today’s topic: lining the CSE Act up with international law.
Here, my preoccupation is with active and defensive cyber operations, and not foreign intelligence collection. The latter raises arguably similar international law issues, but I have canvassed those elsewhere, in other contexts. (See here and here). (On this issue, I am in receipt of a new article from European colleagues examining this same question – which I look very much forward to reading.)
Nor do my remarks relate to CSE’s (cyber) participation in an armed conflict. Such involvement would, I assume, arise in an exercise of the CSE’s assistance mandate, in relation to the Canadian Armed Forces. There, an obvious concern is with CSE’s direct participation in hostilities, while an unprivileged belligerent (that is, something other than an armed force). This prospect raises real concerns under the laws of armed conflict. Not least: participating CSE employees could be targeted and prosecuted for their conduct, enjoying neither protected status or combatant’s immunity. But I hope to able to point readers to an excellent digest of those issues by a more expert analyst soon.
My focus here is on CSE’s autonomous active/defensive cyber mandate, anticipated in sections 19 and 20 of the proposed Act. And so, active cyber may involve activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.
That is a vast mandate, constrained by a caveat that the activities be outward facing from Canada and not cause (intentionally or by criminal negligence) death or bodily harm or willfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.
CSE is exempted from a narrow range of law
Cyber ops must be authorized by the defence minister (in the case of active cyber, blessed or requested by the foreign affairs minister). But the activity itself need not comply with “any other Act of Parliament or of any foreign state” (s.31; 30). As far as I can tell, this is the only carve-out pertaining to other legal regimes applicable to cyber ops. (If I am missing something, happy to be disabused.)
And the modest scope of this carve-out is what gives me pause. If it enacts this provision, Parliament authorizes violations of federal and foreign “Acts”, something it is free to do in a system based on parliamentary sovereignty.
CSE is not exempted from international law
Parliament is also free to authorize violations of Canada’s international law obligations. This does not relieve Canada of state responsibility in international law for such violations. But it does make it legally possible in domestic law to violate international law. But herein lies the rub. The Supreme Court has made it abundantly clear that Parliament is assumed to legislate in compliance with Canada’s international obligations, and that deviations from this presumption cannot be presumed. Instead, there must be “unequivocal legislative intent to default on an international obligation”. See Hape, para. 53.
This was the exact issue that ensnarled CSIS in the Re X decision on extraterritorial invasive surveillance. Parliament corrected that problem in bill C-44 (2015), by permitting the Federal Court to authorize warrants even in violation of foreign or “other” law. “Other” in the context might reasonably be construed as “international”, although it might be argued otherwise.
Strangely, the CSE Act does not do this. It does not replicate the CSIS bill C-44 formula of “foreign and other laws”. It reaches, at best, foreign “Acts” (that is, primary legislation). I do not see how this reference to “Acts” can be read to empower CSE to violate international law. (Indeed, I do not see it as unambiguously authorizing violations of other possible sources of foreign law – for instance, constitutional, common law or regulations or equivalents. But the international law issue is the big question, since it binds Canada). There is much international law indisputably applicable to Canada that is not codified or covered in foreign “Acts”. Indeed, it would be incongruous, indeed patently ridiculous, to assert that foreign “Acts” constitute the sum total of international obligations binding on Canada.
International law precludes extraterritorial exercise of enforcement jurisdiction
Accordingly, were I giving legal advice in relation to an active cyber operation, I would conclude that CSE cannot act, unless that cyber operation complies with international law. And that raises the big issue: international law precludes the exercise by a state of “enforcement jurisdiction” on the territory of another states, without its consent or some other permissive rule of international law. I have discussed here the application of the “enforcement jurisdiction” in a cyber context. Where it might exist will be debated, on the margins. But the more kinetic the impact of the active cyber, the more likely the violation of this norm.
(And I’d add that the permission to breach “Acts of Parliament” offers no different answer on this question. As Hape notes, customary international law – of which the bar on extraterritorial enforcement jurisdiction is a part – is considered part of the common law of Canada – and that is only displaced by statute. The CSE Act does not displace it. It does not displace any Canadian law other than “Acts of Parliament”.)
The result should be a real and significant fetter on exactly what sort of activity CSE can perform as part of its unilateral active/defensive cyber mandate.
I have no real issue with this as a policy choice – by disposition I am not tremendously keen on a state doing an end-run around established doctrines of international law using data streams where it cannot use corporeal bodies.
Was this a policy choice or a drafting issue?
My concern is, however, that the government may not have fully turned its mind to this issue in designing the CSE Act. Put another way, it may have drafted an outcome it does not intend to honour. If it really does think it has exempted CSE from the considerable strictures of international law, and CSE acts accordingly, CSE may have its own Re X moment. If its policy objective is a muscular cyber ops capacity, the government may wish to have Parliament speak on the international law issue in an amendment – because silence retains the full international law fetter.
(And if that weren’t enough, we need to look over our shoulders at this throw-away line from the Supreme Court in Hape: “Neither Parliament nor the provincial legislatures have the power to authorize the enforcement of Canada’s laws over matters in the exclusive territorial jurisdiction of another state.” We’ll assume that the Supreme Court did not mean to suggest that Parliament lacks jurisdiction – period – to authorize invasions of a foreign state’s sovereignty.)
It is true this kind of esoteric legal issue may never be adjudicated. But people have been saying things like that for years. I am still waiting for it to be true.