An Analysis of Bill C-34: Canada’s Online Safety Bill (Part 3)

We are continuing our analysis of bill C-34. Today, we are into part 3 of our reading of this legislation.

Welcome to the third part of our analysis of bill C-34. For those of you who are only just now checking out this analysis, we already published part 1 which could be best described as a heck of a lot of punting things down for future regulations. I know others have already remarked about how much has just been left to future decisions and that’s what we’ve found as well. Things like what social media platforms are captured by the bill and when it is appropriate for an AI company to report activity to police were two examples of this early on in the bill.

Then there was part 2 which, from our perspective, saw the bill take a turn. It went from punting things to just plain guesswork about how technology works – not exactly something you’d expect in legislation in a general sense, but there it was. This was exceedingly obvious when the regulation of flagging material was copied from social media platforms and just randomly pasted into AI regulations. Another example is just telling social media platforms to just remove all the bad stuff without really guiding anyone on what constitutes something protected by free speech and what is considered “harmful”. This while offloading that responsibility to the very social media platforms that have been criticized heavily up to this point in time. It really was a great example of lawmakers who are trying to regulate things that they clearly have little to no understanding with.

So, today, we are continuing with part 3 of our analysis. As always, you can follow along with our reading of the text of the bill by reading it yourself here. As a number of my readers have already said, this is a huge bill that will give your mouse wheel quite a bit of exercise. So, if you’re brave enough to have a go at reading through it yourself, feel free.

Also, as always, I’m not pasting the entire legislation, but rather, the parts I found at least part way interesting. Then, I’m just offering my thoughts on those sections as well. Since we are part way through this legislation, I’ll point out that this analysis technically starts at Section 59. So, without further ado, enjoy!

Digital Safety Plan for Online Services

We begin this part with the nebulous “Regulated Online Services”. This contains the following:

Digital safety plan
59 (1) The operator of a regulated online service must submit a digital safety plan to the Commission in respect of each regulated online service that it operates. The digital safety plan must include the following information in respect of the period provided for in the regulations:

(a) information respecting the manner in which the operator complies with section 21, including

(i) a description of the design features that the operator integrates into the service under that section,

(ii) the operator’s assessment of the effectiveness of the measures, both individually and collectively, and

(iii) a description of the indicators that the operator uses to assess the effectiveness of the measures;

(b) information respecting the manner in which the operator complies with subsection 22(1);

(c) information respecting the manner in which the operator complies with the regulations made under paragraph 126(1)‍(d);

(d) information respecting any measures that the operator implements to protect children, other than those that it implements to fulfill its obligations under this Act;

(e) information respecting the criteria and processes, if any, that the operator applies to determine if the Royal Canadian Mounted Police — or another law enforcement agency — should be notified of the existence on the service of content that gives rise to reasonable grounds to suspect that there is a risk that an individual will commit an act that would cause death or serious bodily harm to another individual;

(f) if any law enforcement agencies were notified of the existence on the service of content described in paragraph (e), information respecting

(i) the number of such notifications,

(ii) the name of each law enforcement agency notified, and

(iii) the circumstances in which each was notified;

(g) information respecting the resources, including human resources, that the operator allocates in order to comply with sections 21 to 23, including information respecting the resources that the operator allocates to automated decision making;

(h) information respecting the measures implemented by the operator for the purposes of complying with its duties with respect to the service under An Act respecting the mandatory reporting of Internet child sexual abuse and exploitation material by persons who provide an Internet service;

(i) an inventory of all electronic data, other than the types of electronic data prescribed by regulations, that was used to prepare the information referred to in paragraphs (a) to (g) and (j); and

(j) any other information provided for by regulations.

Exclusion — personal information
(2) The operator must ensure that the digital safety plan does not contain any personal information.
For greater certainty
(3) For greater certainty, the digital safety plan must not contain any information that must not be disclosed under section 5 of An Act respecting the mandatory reporting of Internet child sexual abuse and exploitation material by persons who provide an Internet service.
Publication of plan
(4) The operator must make the digital safety plan publicly available on the service to which the plan relates in an accessible and easy-to-read format.

“Regulated online services” isn’t very well defined in this bill. This is because, as mentioned in a previous part, it’s a separate category to online services to AI chatbots and social media platforms. The descriptions were extremely vague to me and I honestly was drawing a blank on examples that would fit this bill. It was actually one of my readers who suggested that this may be in reference to something like Twitch which is probably a much better guess then I would’ve come up with. Whether or not it is in reference specifically to a site like that, I’m not entirely sure, but it might be accurate.

At any rate, those services seemingly have the same regulatory requirements in terms of submitting stuff to the government. Without having a good level of certainty who this is even talking about, it’s difficult for me to really determine how appropriate these regulations are. This is especially considered that these requirements were seemingly pasted over from the AI chatbots and the social media platforms section.

We then move on to Part 2 of the bill.

Research

Interestingly enough, there are provisions that might be of interest to researchers of social media. One section is this:

Accreditation
60 (1) The Commission may, on request and in accordance with the criteria set out in the regulations, accredit a person, other than an individual, for the purpose of giving that person access to the inventories of electronic data that are included in digital safety plans that have been submitted to the Commission under subsection 42(1), 58(1) or 59(1) if the Commission determines that

(a) the person’s primary purpose is to conduct research or engage in education activities; and

(b) the person conducts research that is, or engages in education activities that are, related to the purposes of this Act.

Access to inventories
(2) The Commission may give a person that is accredited under subsection (1) access to the inventories of electronic data referred to in that subsection.
Suspension or revocation of accreditation
(3) After giving an accredited person a reasonable opportunity to make representations, the Commission may suspend or revoke the accreditation if the Commission determines that the accredited person failed to comply with any condition under this Act that relates to the accreditation, to access to the inventories of electronic data or to access to the electronic data.

While this sounds like something that would open doors for researchers, the reality is that platforms actually do allow researchers to examine their platforms for scientific purposes. In fact, when the Online Streaming Act was being debated years ago, it was TikTok who openly invited politicians to come to TikTok so they could discuss how algorithms actually work. Sadly, some politicians refused because they would rather not have their personal beliefs about how social media works being challenged. I don’t know if any of those politicians actually took TikTok up on the offer, but I know some refused despite proclaiming that algorithms are a black box that needs transparency.

So, while this is a good provision to have, I’m not sure if that really changes much in practice.

Anyway, there are provisions as well talking about what researchers need to bring forward such as what they are researching about and credentials to name two things. It’s all fairly standard stuff as far as I could tell.

Public Reporting

We are now already into Part 3 and this apparently gets us to a rather juicy section. That just so happens to be the way in which people can report harmful content. One part of the bill says this:

Submissions from public
65 (1) A person in Canada may make submissions to the Commission respecting

(a) harmful content that is accessible on a regulated social media service, communicated by a regulated chatbot service to a user of the service or accessible on a regulated online service;

(b) harmful behaviour referred to in section 53 that is engaged in by a regulated chatbot service; or

(c) the measures taken by the operator of a regulated service to comply with its duties under this Act.

Operator informed of submissions
(2) The Commission may inform an operator of any submissions that it receives under subsection (1), in a manner that protects the identity of the person who made the submissions.

On the surface, this doesn’t look to be too bad and not a big deal, but what this actually is is a marked improvement over the 2021 version of the Online Harms bill. The 2021 version was basically part of the “consultation by notice” that the government was pushing at the time. In that version, any anonymous could report something thy consider to be “harmful” and it would automatically be presumed guilt and require the online service to take that content down within 24 hours or face multi-million dollar fines. That provision was a huge reason why I basically said at the time that if the Online Harms bill passes, then the Canadian internet shuts down entirely because no one survives that – at least, not legally.

With that context in mind, this provision shows that the Canadian government, in a super rare moment in any technology debate, actually listened to expert opinion and changed that. Now, it appears that there is a government body that takes complaints in and assesses their validity before going after online services. I don’t think it is controversial to say that this is a marked improvement over the prototype version of this legislation.

With that said, there’s still questions to raise here. How can people know that the government body is going to be accountable for their decisions? Is this system even going to be fair?

With respect with accountability, the legislation pretends to offer that by saying that reports can be published:

Information made public
(3) The Commission may make public information respecting any submissions that it receives under subsection (1), in a manner that protects the identity of the person who made the submissions and the regulated service in respect of which the submissions were made.

The key word here is “may”. So, it’s all entirely optional if they should or not. Yes, they have to anonymize the submission, but there is no requirement to divulge what they do on this front. Some people complain about the black box that is the algorithms, but I think the same criticism can be said about the black box of government who doesn’t want to disclose what they are doing.

On the upside, there is no requirement for the government to act on a complaint. That is something I’m OK with at least.

The rest of the bills section has to do with CSAM related complaints and I didn’t really see anything wrong with that part of the bill, so I’m moving on.

The Commission

Since we’ve been talking about “the commission”, I thought I’d quickly throw in this definition:

Commission means the Digital Safety Commission of Canada established by section 4 of the Digital Safety Commission of Canada Act.‍ (Commission)

In short, there is a whole new commission that this bill is trying to establish to handle all of this. So, this isn’t going to be handled by an existing regulator by any means. We’re dealing with a whole new arm of government. I thought I’d at least get that out of the way at least before delving into enforcement which is Part 4 of this bill.

Moving back to where we left off, we kick things off with this section:

Commission’s powers
73 In ensuring an operator’s compliance with this Act or investigating a complaint made under subsection 68(1), the Commission may, in accordance with any rules made under section 9 of the Digital Safety Commission of Canada Act,

(a) summon and enforce the appearance of persons before the Commission and compel them to give oral or written evidence on oath and to produce any documents or other things that the Commission considers necessary, in the same manner and to the same extent as a superior court of record;

(b) administer oaths;

(c) receive and accept any evidence or other information, whether on oath, by affidavit or otherwise, that the Commission sees fit, whether or not it would be admissible in a court of law; and

(d) decide any procedural or evidentiary question.

I don’t know about you, but to me, this sounds like judiciary style powers. This raises a big question for me: why do we have to create a whole new court style system when we already have an existing court system that can do things like make decisions, handle evidence, and hear from witnesses among other things? If we are venturing into the area of summoning people before this system, getting people to swear oaths, and handle evidence, then this sounds like something that would enter into the realm of civil or criminal court proceedings. I can see having a system in place that takes complaints from the public, but having this same system handle evidence like this? This doesn’t seem right to me.

What’s more, the idea that these hearings be made public was simply passed over and just left as an option to do so:

Hearing
75 (1) The Commission may hold a hearing, in accordance with any rules made under section 9 of the Digital Safety Commission of Canada Act, in connection with

(a) a complaint made under subsection 68(1); or

(b) any other matter relating to an operator’s compliance with this Act.

Private hearing
(2) A hearing under subsection (1) must be held in public, but the Commission may decide that it is to be held in private, in whole or in part, if the Commission considers that

(a) it would be in the public interest;

(b) it would be in the interest of victims of harmful content;

(c) it would be in the national interest, including if there is a risk of injury to Canada’s international relations, national defence or national security;

(d) a person’s privacy interest outweighs the principle that hearings be open to the public; or

(e) the following information may be disclosed:

(i) information that is a trade secret,

(ii) financial, commercial, scientific or technical information that is confidential and that is treated consistently in a confidential manner by the person to whose business or affairs it relates, or

(iii) information whose disclosure could reasonably be expected to

(A) result in material financial loss or gain to any person,

(B) prejudice the competitive position of any person, or

(C) affect contractual or other negotiations of any person.

I get that the Canadian court system is a bit different from the American system where the Canadian system is a lot more strict when it comes to cameras in the courts. At the same time, I’m not a huge fan of secret court hearings over top of everything else, either.

So, let’s try one scenario. Let’s say a complaint comes in to this Commission that says that Freezenet is publishing “harmful” content by posting reviews of first person shooter games. Someone like me could theoretically argue that, for one, there is no way that Freezenet meets the traffic requirements set out in the Act (God forbid this becomes an Act) as per Section 8. Second, a strong argument can be made that it is not harmful as the material in question not only discusses a work of fiction, but it doesn’t even show violent material in that particular review (not all reviews have first impression video’s associated with them).

Now, let’s say someone on this Commission says, “you know what? We’re going to prosecute Freezenet anyway because I didn’t like some of their comments as it relates to the Online News Act.” Now, the obvious arguments from me would be something along the lines of “The Online News Act is outside the purview of this commission and the reasoning has nothing to do with the original complaint. Further, this is a demonstration that there is a conflict of interest because someone making these decisions already has a personal opinion about Freezenet that impacts the persons judgment.”

Then, that person rendering these decisions says, “Well, I don’t like the attitude of Drew Wilson. I’m going to find Mr. Wilson guilty and decide that it is not in the public interest for anyone to speak of this decision. Therefore, no one is permitted to speak about this hearing ever.” It would go without saying that I would have a problem with this because my constitutional rights have been violated (ala due process and a fair trial). In order to fight against this, I would have to violate a secrecy order and pray that I’m still not somehow found guilty somewhere along the line for that.

I know this is a bit of an “out there” example, but it does highlight why these secret court hearings can become problematic. Sure, I could appeal something like this to the Supreme Court of Canada, but at this point, I’m burning through a heck of a lot of cash in representation alone just to have a fair trial at all.

Inspections

Included in this bill is a section about inspections. This section starts off with this:

Designation of inspectors
77 (1) The Commission may designate as inspectors persons or classes of persons that the Commission considers qualified for the purposes of verifying compliance or preventing non-compliance with this Act.
Certificate
(2) The Commission must provide every inspector with a certificate of designation. An inspector must, if requested to do so, produce their certificate to the person appearing to be in charge of any place that they enter.

In the context of this legislation, it sounds like the only ones would have to worry would be those behind the web services that are wrapped up into this legislation. So, AI companies, social media websites, and adult websites. So, unless there is something I’m missing here, I don’t think there is a scenario, under this bill, where an inspector would just come barging into a random persons home because they posted something that was considered “harmful” for instance. Instead, I think it is more like, for instance, a social media company hired a team of people to handle moderation and they would get investigated is it came to that.

With that said, if I am correct in thinking this, then, in practice, this actually narrows down the number places a potential inspection could theoretically happen. This is because things like moderation teams are known to be outsourced to places other than in Canada. There might be, say, offices that operate in Canada (such as TikTok which became a matter of debate a while back when the TikTok moral panic was in full swing), but I don’t know if there’s that many physical buildings operating within Canada that could be theoretically inspected.

The reason why I say buildings within Canada is the simple fact that jurisdiction tends to end once you physically reach the border. You’re not exactly going to be able to knock on a door in India and say that you have a Canadian warrant to search a premise. That’s because Canadian authorities would simply lack jurisdiction. This is not to say that authorities can’t be invited freely, but there wouldn’t really be any legal authority in terms of making your way into a location.

While this section does sound scary, I’m struggling to think of very many buildings in Canada that this could possibly be applied to. For instance, I think Meta has a building in Toronto and another one in Vancouver, but that’s about it.

What is interesting in this section is that this is the first time I’ve seen the topic of warrants crop up. that has to do with two sections. The first is this one:

Warrant to enter place
78 (1) An inspector may, if authorized by a warrant issued under subsection 79(1), enter any place for a purpose related to verifying compliance or preventing non-compliance with this Act.

The second one is this section:

Authority to issue warrant
79 (1) A justice of the peace may, on ex parte application, issue a warrant authorizing an inspector to enter a place, subject to any conditions specified in the warrant, if the justice of the peace is satisfied by information on oath that

(a) there are reasonable grounds to believe that there is in the place any document, information or other thing relevant to the purpose referred to in subsection 78(1); and

(b) entry to the place is necessary for that purpose.

Means of telecommunication
(2) An application for a warrant under subsection (1) may be submitted, and the warrant may be issued, by a means of telecommunication and section 487.‍1 of the Criminal Code applies for those purposes with any necessary modifications.
Use of force
(3) An inspector is not entitled to use force in executing a warrant unless the use of force has been specifically authorized in the warrant and the inspector is accompanied by a peace officer.

This is the first time I’ve seen any mention of court oversight and it seems to have to do with inspection of a physical building. This strikes me as pretty limited actual court oversight if you ask me.

Ruling Power

An interesting question here is what level of court would this Commission be? That is mentioned in this bill as well:

Enforcement of orders
82 (1) An order of the Commission made under this Act may be made an order of the Federal Court and is enforceable in the same manner as an order of that court.
Procedure
(2) An order may be made an order of the Federal Court by following the usual practice and procedure of that court or by filing a certified copy of the order with the registrar of that court.

So, it turns out, there is a level this sits at and it does skip a step or two. If I’m reading the chart on this government page correctly, there is the Federal Court of Appeal and the Supreme Court of Canada left if you’re thinking of appeals. Not exactly a huge amount of wiggle room to say the least.

Penalties

One of the things I was quite interested in was how the penalties was structured. A big reason was whether or not people who operate age verification services actually having the threat of penalties for, say, leaking personal information to a data broker or failing to secure personal information. That was a major flaw in Bill S-209 because there were no penalties at all for violating peoples privacy, just a finger wag and a “don’t do that again” comment.

The section starts off with this:

Violation
83 (1) Subject to the regulations, an operator commits a violation and is liable to an administrative monetary penalty if it

(a) contravenes a provision of this Act or the regulations;

(b) contravenes an order of the Commission;

(c) contravenes a requirement imposed by an inspector under section 80;

(d) contravenes an undertaking that it entered into with the Commission or a person authorized to enter into undertakings;

(e) contravenes a requirement imposed by the Commission under section 104 or subsection 106(2);

(f) obstructs or hinders the Commission, an inspector or a person authorized to issue a notice of violation, in the exercise of their powers or the performance of their duties and functions; or

(g) makes a false or misleading statement orally or in writing to the Commission, an inspector or a person authorized to issue a notice of violation, in the exercise of their powers or the performance of their duties and functions.

This sort of sounds promising, so let’s keep reading.

Person that operates a service
(2) Subject to the regulations, a person — other than an operator — that, through any means, operates a social media service, a chatbot service or an online service that is within a category of online services commits a violation and is liable to an administrative monetary penalty if the person

(a) contravenes section 9;

(b) contravenes a requirement imposed by an inspector under section 80;

(c) obstructs or hinders the Commission, an inspector or a person authorized to issue a notice of violation, in the exercise of their powers or the performance of their duties and functions; or

(d) makes a false or misleading statement orally or in writing to the Commission, an inspector or a person authorized to issue a notice of violation, in the exercise of their powers or the performance of their duties and functions.

So, nothing that impacts those who operate the age gating service so far. Just specifically directing the penalties at the platforms instead.

Then there is stacking:

Continued violation
84 A violation that is continued on more than one day constitutes a separate violation in respect of each day on which it is continued.

So, there is a multiplication factor involved at least. Let’s continue:

Maximum penalty
88 The maximum penalty for a violation is

(a) the greater of $10 million and 3% of the gross global revenue, in the financial year before the one in which the penalty is imposed, of the person that is believed to have committed the violation, in the case of a person that is not an individual; and

(b) the greater of $10 million and 3% of the gross global revenue, in the year before the one in which the penalty is imposed, of the person that is believed to have committed the violation, in the case of an individual.

Ouch, yeah that’s a swing and a miss as far as I can tell. Let’s look at one case example here. Earlier this year, Yoti got wrapped up in a massive privacy scandal. In that scandal, it was found that information was gathered about users that was well beyond the purpose of verifying age. This included telemetrics about the users device. What’s more, it was found that the company has a connection with a data broker as well.

So, with that in mind, let’s point out the obvious. Yoti is not an adult website operator. They are not a social media operator nor an AI operator. So, as far as I can tell, the penalty they would incur as a result of this activity is nothing. Correct me if I’m wrong, but I’m pretty sure they are let off the hook, here. So, this bill has the exact same problem as bill S-209 as far as penalties are concerned as far as I can tell.

There is offences related to violating an order of the Commission as well:

Offence — operators
107 (1) Every operator commits an offence that

(a) contravenes an order of the Commission;

(b) contravenes an undertaking that it entered into with the Commission or a person authorized to enter into undertakings;

(c) contravenes a requirement imposed by the Commission under section 104 or subsection 106(2);

(d) obstructs or hinders the Commission, an inspector or a person authorized to issue a notice of violation, in the exercise of their powers or the performance of their duties and functions; or

(e) makes a false or misleading statement orally or in writing to the Commission, an inspector or a person authorized to issue a notice of violation, in the exercise of their powers or the performance of their duties and functions.

Penalty
(2) Every operator that commits an offence under subsection (1) is liable,

(a) on conviction on indictment,

(i) to a fine of not more than 5% of the operator’s gross global revenue in the financial year before the one in which the fine is imposed or $20 million, whichever is greater, in the case of an operator that is not an individual, or

(ii) to a fine of not more than 5% of the operator’s gross global revenue in the year before the one in which the fine is imposed or $20 million, whichever is greater, in the case of an individual; or

(b) on summary conviction,

(i) to a fine of not more than 4% of the operator’s gross global revenue in the financial year before the one in which the fine is imposed or $15 million, whichever is greater, in the case of an operator that is not an individual, or

(ii) to a fine of not more than 4% of the operator’s gross global revenue in the year before the one in which the fine is imposed or $15 million, whichever is greater, in the case of an individual.

So, there are those penalties as well.

Conclusions

It probably isn’t a surprise that there are more very busted things in this bill. The reporting is definitely improved as it goes from “everyone is guilty upon accusation” to “report these issues to the government”. It’s more or less the difference between getting your head chopped off and getting punched in the head. Both are bad, but one is, well, less bad than the other. There are still the issues of secrecy where public access is optional for the Commission which is… not really an act of transparency by any means.

Probably the weirdest thing is the fact that the digital safety plans and report systems, which clearly were written with social media platforms in mind, were just lazily copied and pasted over to AI chatbots as well. It made the idea of reporting a post you see publicly on an AI chatbot a requirement kind of bizarre. As a result, it made it very clear that the Canadian government has no idea how technology generally works at all.

Of course, a big elephant in the room is the Commission acting as a sort of quasi-judicial system that is on the same level as the federal court (a step below the Federal Court of Appeal). If a case is up to the point of talking about civil remedies or criminal prosecution, Canada already has a court system. So, why not use that at that point? It doesn’t make sense that a much more secret court system be implemented just for things considered “harmful”.

Then there is the obvious red flag for me which is that age verification companies don’t seem to have any penalties should they get caught either leaking personal information, collecting more than they should, or improperly storing that information. There are penalties for social media platforms, porn websites, and AI chatbot companies, but not for third party age checking companies (again, correct me of I’m wrong, but I’m not seeing the legal path in this bill for financial penalties for such companies). I think that is a big glaring omission here and one that politicians refuse to fix as far as I can tell.

Anyway, I still got a heck of a lot of legislation to get through still, so stay tuned for part 4. We are getting down there, though, so this long journey if reading this bill is getting closer to completion, but there is still a bit of distance left to go. So, stay tuned for that.

Drew Wilson on Mastodon, Bluesky and Facebook.