An Analysis of Bill C-34: Canada’s Online Safety Bill (Part 4 – Final)

Welcome to another instalment of our analysis of Bill C-34. We continue with part 4 of our analysis.

The long meandering road to read through this legislation is continuing. Yes, as of this writing, there are four parts including this one, but the legislation is so absurdly long, there was very good reason to split into this many parts. While I was half expecting to read a pretty broken bill, I wasn’t exactly expecting it to be broken quite like this.

Previously, we started this analysis with part 1. That part of the bill contained a lot of apparent punting of key information. Whether that was punting which platforms would be regulated, when it is appropriate for an AI company to send in a police report, and other things. It was shocking how many details were simply being left for later regulation.

We then moved on to part 2 where the legislation went from punting random things to later regulations to just copying all the social media regulations and applying it to AI chatbots afterwards. It was kind of obvious when the legislation was requiring AI chatbots to have a flagging system for other users posts so that other users could report bad behaviour. Nice to know that ignorance from seen during the Bill C-11 debate is alive and well… I guess.

After that, we got to part 3 and we got to see not only all the age verification and online harms nastiness, but also the whole secret court-like order stuff as well. this with an apparent side of letting the age gate companies slip through the regulatory gaps. It’s the exact same problem as bill S-209 where personal information could be sold, leaked, or hacked and there would be no consequences of that.

Anyway, we are moving on to part 4 of our analysis today. As always, if you want to follow along with what we are reading, you can check out the original text of the bill here. For clarity purposes this part starts on section 113 (yes, there are over 100 sections in this massive bill). Also, as per typical, this is not legal advice nor can I say with 100% certainty that everything in this analysis is accurate. It’s just an ordinary person reading this legislation. I’m only putting up snippets that I thought were relevant and worth commenting on, not pasting the entire bill. Feel free to comment on anything I missed or clarifications you might have on things. With that said, let’s get into this next part of the bill.

Commission Reports

One of the things I wasn’t necessarily seeing much of is the transparency of the Commission. So, it was interesting to see this crop up at this later point:

Content of annual report
117 (1) A report referred to subsection 21(1) of the Digital Safety Commission of Canada Act must contain information respecting

(a) any complaints that the Commission received under subsection 68(1), presented in a manner that protects the identity of the complainants;

(b) any orders made under paragraph 68(6)‍(b) or subsection 69(5) or 81(1);

(c) any inspections conducted under this Act; and

(d) any agreements or arrangements that the Commission enters into under section 120.

Additional information
(2) The report must also contain any information related to this Act that the Minister requests.

So, there is an annual report that is put together. Does something like that get released to the public? As it turns out, the answer is “yes” if my reading of this is accurate:

Additional reports
118 (1) The Minister may request a report from the Commission on any matter within the Commission’s mandate under this Act.
Tabling
(2) The Minister must cause each report made under subsection (1) to be laid before each House of Parliament on any of the first 15 days on which that House is sitting after the Minister receives the report.

Generally speaking, when something is tabled in the House of Commons, then it is made public. For instance, Bill C-34 was tabled in the House of Commons. As a result, it was published online for anyone to read. Unless there is something I’m missing, it seems like the same sort of thing will happen with these reports.

How much is actually in the report remains unclear to me (like, is it just bare bones statistics or is the nature of the content also brought up?) I know that privacy legislation does play a role in how much is released as well, so how far anonymization would ultimately end up going remains unclear to me. It’s probably something I won’t know until an actual report is tabled. I know this because of this follow-up section:

Confidential or personal information
119 (1) A report referred to in subsection 118(1) must not contain personal information or information that is designated as confidential under subsection 114(1) or (2).
Annual report
(2) A report referred to in subsection 21(1) of the Digital Safety Commission of Canada Act must not contain information that is designated as confidential under subsection 114(1) or (2).

Costs

A surprisingly interesting section is tacked on to this bill. That has to do with who pays for all of this. The answer, it turns out, is the services getting regulated:

Regulations
125 (1) The Governor in Council may, for the purpose of recovering all or a portion of any costs incurred by the Commission in relation to the exercise of its powers or the performance of its duties and functions under this Act, make regulations respecting

(a) charges that are payable by the operator of a regulated service;

(b) the manner of calculating those charges and the manner of their payment; and

(c) the circumstances in which an operator is exempted from the payment of any charges based on the operator’s ability to pay.

Additional information
(2) The Commission may require an operator to provide to the Commission any information that it considers necessary for the purposes of determining the operator’s gross global revenue and ability to pay.
Classes
(3) Regulations made under subsection (1) may establish classes of regulated services.

This… could be problematic. Based on part 1 of our analysis, it’s unclear which platforms are even going to be part of this bill. Still, if it’s anything like the Online News Act (which only went after Meta and Google), then this could become a weakness with trade with the US. So, if the bill ultimately only goes after American business, that could give rise to a CUSMA complaint. It really would mirror the hot water Canada found itself in with not just the Online News Act, but also the Online Streaming Act and the effectively defunct Digital Services Tax.

Obviously, I said “could” in the last paragraph. I say that not just because it’s unclear who the heck is even being regulated under this bill, but also because of the politics going around right now. After all, Trump did say that he was considering tearing up the agreement altogether, thus rendering this issue moot. While some are arguing that Trump is only doing that as a negotiating tactic, the reality is that Trump is stupid enough to do it as well. I mean, just look at the US involvement in Iran to find out just how stupid this current presidency is. Now, how things ultimately shake out from a blunder like that remains unclear, but it would get messy pretty quick (who knows? Maybe the Canadian government can quickly bring back the Canadian Wheat Board should Trump do that, taking advantage of the chaos in the process).

Anyway, I’m not entirely sure how well that provision is going to go over with the US, but I’m not sure how warmly it’s going to be received.

The Great Regulatory Punt

Part 1 mentioned multiple sections that were getting punted for future regulations. In the next section, we are seeing a huge example of what is getting punted for said future regulations. Don’t let your mouth dry out when being astonished at this list:

Commission
126 (1) The Commission may make regulations

(a) respecting the information that must be provided under section 9;

(b) respecting, for the purpose of section 21, design features for the protection of children, including account options for children, parental controls and other age-appropriate design features;

(c) specifying requirements for the purpose of paragraphs 22(2)‍(e) and 27(2)‍(e);

(d) specifying, for the purpose of section 23, measures to mitigate the risk that children who use the regulated service will be exposed to pornographic content on the service;

(e) respecting the duty under section 25 to keep records, including the length of time for which the records must be kept and the types of records that are not required to be kept;

(f) specifying, for the purpose of subsection 28(1), measures to prevent persons under the age of 16 from being able to have an account with, or being otherwise registered with, a regulated social media service;

(g) respecting the factors referred to in paragraphs 32(2)‍(a) to (d) and 37(2)‍(a) to (e);

(h) respecting factors that the Commission must take into account under paragraphs 32(2)‍(e) and 37(2)‍(f) and subsection 68(3);

(i) respecting measures that operators must implement under sections 33, 38, 50, 52 and 54;

(j) respecting the guidelines referred to in sections 34 and 55, including the duty under each of those sections to make the guidelines publicly available;

(k) respecting the tools referred to in section 35, including the duty under that section to make those tools available to users;

(l) respecting the tools and processes referred to in subsection 36(1) and section 56, including the duty under that subsection and section to implement those tools and processes;

(m) respecting the criteria that apply to synthetic content for the purposes of subsection 37(1);

(n) respecting the duty under section 39 to label harmful content;

(o) respecting the duty under sections 40 and 57 to make a resource person available to users and the manner in which the resource person fulfills their role;

(p) respecting the duty under section 41 to preserve harmful content;

(q) respecting the duty under subsections 42(1), 58(1) and 59(1) to submit a digital safety plan, including the time within which and the manner in which it must be submitted and the period to which it must relate;

(r) respecting the information required under paragraphs 42(1)‍(a) to (p), 58(1)‍(a) to (m) and 59(1)‍(a) to (i), including the manner in which the information must be organized in a digital safety plan;

(s) respecting information required under paragraphs 42(1)‍(q), 58(1)‍(n) and 59(1)‍(j);

(t) respecting the duty under subsections 42(4), 58(4) and 59(4) to make a digital safety plan publicly available, including the time within which and the manner in which it must be made publicly available;

(u) respecting the duty under sections 43 to 46 to make certain content inaccessible to persons in Canada, the making of representations under subsections 45(1) and 46(2) and requests for reconsideration under subsection 46(1);

(v) specifying types of behaviour for the purpose of paragraph 53(e);

(w) prescribing types of electronic data for the purpose of paragraph 59(1)‍(i);

(x) respecting the accreditation of persons under subsection 60(1), including

(i) conditions that apply to persons who are accredited, and

(ii) criteria and procedures for the suspension or revocation of an accreditation;

(y) respecting access to inventories of electronic data given under subsection 60(2), including the conditions to which access is subject, including with respect to confidentiality, data security and the protection of personal information;

(z) respecting requests made under section 61 for access to electronic data, orders made under that section and access to electronic data granted under those orders;

(z.‍1) respecting conditions with respect to confidentiality, intellectual property, data security and the protection of personal information under which access to electronic data is granted under orders made under section 61 and any other conditions under which that access is granted;

(z.‍2) respecting the revocation or amendment of orders under section 62, including requests and determinations made under that section;

(z.‍3) respecting the case management of complaints made under subsection 68(1) and the transmission, preservation and treatment of content that is the subject of a complaint and any information related to that content;

(z.‍4) respecting an operator’s duties under subsections 68(7) and (8) and 69(6); and

(z.‍5) respecting the manner in which a person is to publish the notice referred to in subsection 106(2).

Yes, you saw that right. They actually ran out of letters in the alphabet talking about what is getting left for future regulations! I also learned today how they handle additional sections when they run out of letters.

So, what kinds of age verification systems should be put in place? That’s for future regulations. What information should be stored and for how long? That’s for future regulations to decide. What tools should be made available for users? That’s for future regulations to decide. What’s the criteria for identifying AI generated content? That’s for future regulations to decide. What are the duties for the designated person from the platforms? That’s for future regulations to decide. What kinds of data should be put forward for their digital safety plan? That’s for future regulations to decide. When it comes to accrediting a researcher to analyze social media platforms, what specific credentials are being looked for to obtain that accreditation? That’s for future regulations to decide. What are the duties for the operator when a complaint is received? That’s for future regulations to decide. Punt, punt, punt, punt, and punt some more.

Now, legislation can take years to pass – assuming that legislation passes at all. What this legislation proposes is also having a debate on what the duties are for everyone involved after this becomes law. If you think this bill’s legislative process is going to be slow, just wait until this section plays out:

Publication of proposed regulations
(2) Subject to subsection (3), a copy of each regulation that the Commission proposes to make under subsection (1) must be published in the Canada Gazette and operators and other interested persons must be given a reasonable opportunity to make representations to the Commission with respect to the proposed regulation.
Single publication required
(3) A proposed regulation is not required to be published more than once whether or not it is altered or amended after publication as a result of representations made by operators or other interested persons as provided for under subsection (2).

Oh, and, by the way, it’s not just the Commission that is making these decisions. There’s also decisions being made by the governor in council as well:

Governor in Council
127 (1) The Governor in Council may make regulations

(a) specifying, for the purposes of subsection 2(7), a purpose that an artificial intelligence system exclusively serves;

(b) respecting the meaning of the expression “significant psychological or physical harm” for the purposes of paragraphs 42(1)‍(l) and (n) and 58(1)‍(k);

(c) providing for a period for the purposes of subsection 43(2); and

(d) providing for a period for the purposes of subsection 44(5).

So, even more is being punted down the road to a different regulatory process altogether. Isn’t that fun?

Oh yeah, and one more thing. When does this legislation come into force assuming it receives royal assent?

Coming into Force
Order in council

130 The provisions of this Act come into force on a day or days to be fixed by order of the Governor in Council.

Yup, we’re even punting the coming into force process down to future regulations. I’m seriously at the point of saying “how many fingers am I holding up?” and half expecting the answer to start with “The Commission may make regulations…”

This is just downright comical it’s so bad.

Rest of the Bill

The legislation then goes on to talk about how it coordinated with Bill C-16 and the fact that the Commission is going to be formally called the “Digital Safety Commission of Canada”. From there, it talks about the composition of the Commission with the following:

Composition
10 The Commission consists of three to five full-time members to be appointed by the Governor in Council to hold office during good behaviour. The Governor in Council may remove a member at any time for cause.
Term of office
11 Members are to hold office for renewable terms of not more than five years that will ensure, to the extent possible, the end in any one calendar year of the terms of office of not more than half of the members.

Conclusions

So, what we got out of this was that there is going to be an annual report. How much information is put into this remains to be seen. There is the fact that it’s the web services that are regulating that is apparently paying for it which could become a trade issue depending on how it’s implemented. After that, there is the punting of pretty much any kind of detail down to future regulations (be it the Commission or the Governor in Council). Then there is the bombshell that the bill doesn’t even know when it’s coming into force.

This is just… bad. I was expecting some level of ignorance in the text of the bill, but I wasn’t expecting it to be as bad as it was.

Anyway, that is my analysis on this legislation. I hope you enjoyed it. If you made it this far, congratulations. It’s been a long and winding road.

Again, if you are interested in reading the other parts, here they are, once again:

• Part 1
• Part 2
• Part 3

If you want a fast link to the bill itself, here you go.

Otherwise, I hope you enjoyed my reading of the legislation. It took a while to get through, but we made it to the end. Feedback is most certainly welcome as this is an absurdly complex bill.

Drew Wilson on Mastodon, Bluesky and Facebook.