On 28 January 2016 Canada’s Communications Security Establishment (CSE, formerly CSEC) admitted to the parliament that it had included Canadians’ metadata in its collection of foreign communications, which is prohibited in Canada by law.
In the annual report of its internal ombudsman Jean Pierre Plouffe, the CSE put the violation down to an “unintentional” software flaw, found back in 2013, that meant that Canadians’ metadata had not been properly minimised and said it had temporarily suspended metadata sharing with the rest of the Five Eyes while it found a solution to the problem.
The report found other, more fundamental, flaws with CSE’s handling of metadata, stating that the ministerial directive that governs the Canadian agency’s practices does not give sufficient guidance on aspects of how that information is collected, used and disclosed to partners. Concerns about the lack of strict guidelines in this area have been expressed repeatedly since Edward Snowden’s revelations exposed the extent of intelligence sharing among the Five Eyes, but the Canadian government has yet to commit to rectifying the issue.
The number of Canadians whose privacy rights have been infringed by errors and lax guidelines is unknown and, somewhat ironically, Canada’s Defence Minister Harjit Sajjan told journalists after the announcement that it would be impossible this without violating domestic privacy laws.