Publication

What’s the Harm? 10 Key Facts About Canada’s Proposed Online Harms Act

Published:

April 30, 2024

Author(s):

• David Fraser

Share

Print

Bill C-63, if passed, will create the hotly anticipated Online Harms Act to regulate certain online platforms, create new Criminal Code of Canada offences and restore “communication of hate speech” to the Canadian Human Rights Act. Tabled on February 26, 2024, Bill C-63 follows a 2021 proposal and consultation process and accompanying technical paper and was roundly criticized as problematic in a number of ways – but principally with respect to the Charter of Rights and Freedoms right to freedom of expression. The government subsequently created an expert advisory panel to assist to compile feedback. Three years later, Bill C-63 looks very different from the original proposal and consultation. Here are 10 key facts about Canada’s proposed Online Harms Act and its impact on regulated social media services.

1. Focused Application

Instead of going after a very long list of online operators, the Online Harms Act will be much more focused on social media companies. However, the federal Minister of Justice can add entities and types of entities to the scope of the Act by regulation. In the meantime, the Act will apply to social media companies that meet a particular threshold that the regulations (which aren’t yet available) will set out, and defines “social media service” as, “a website or application that is accessible in Canada, the primary purpose of which is to facilitate interprovincial or international online communication among users of the website or application by enabling them to access and share content.” The Act’s definition also expressly includes:

• An adult content service: a social media service focused on enabling its users to access and share pornographic content.

• A live streaming service: a social media service focused on enabling its users to access and share content by live stream.

The Act expressly excludes social media services that don’t permit a user to communicate to the public and carves private messaging features out of its scope.

2. New Bureaucracy

Like the proposed Personal Information and Data Protection Tribunal Act, the Online Harms Act will create a whole new regulatory structure for managing and enforcing the Act that includes the:

• Digital Safety Commission. The regulator under the Act.
• Digital Safety Ombudsperson. An advocate for members of the public.
• Digital Safety Office. The administrative support for both the Commission and the Ombudperson.

3. Operator’s Duty to Act Responsibly

The Online Harms Act will impose “a duty to act responsibly” on regulated service operators with respect to seven categories of designated “harmful content” by implementing processes and mitigation measures that the Digital Safety Commissioner must approve.

“Harmful Content”. Much of the Act will turn on the question: what is “harmful content”? The Act includes seven different categories of content:

• Intimate content communicated without consent.
• Content that sexually victimizes a child or revictimizes a survivor.
• Content that induces a child to harm themselves.
• Content used to bully a child.
• Content that instigates hatred.
• Content that incites violence.
• Content that incites violent extremism or terrorism.‍

The Act defines each category. Notably, the definition of “intimate content communicated without consent” in the Act is broader than that in the Criminal Code related to the non-consensual distribution of intimate images. In particular, the Act’s definition is expanded to include intimate “deepfakes”: images depicting a person in an explicit manner that are either modifications of existing photographs or videos or are completely synthetic as the result of someone’s imagination or with use of artificial intelligence.

Special Treatment. While there are seven categories of “harmful content”, the Act treats two categories – intimate content communicated without consent and content that sexually victimizes a child or revictimizes a survivor – differently. This is an apparent response to the general critique of the 2021 consultation and the nonconsensual distribution of intimate images and depictions of child sexual abuse are already illegal in Canada and generally easier to identify. But the other five categories of “harmful content” raise greater freedom of expression concerns. The measures required in relation to the remaining five categories are open-ended.

Flagging & Blocking. The Act will require regulated service operators to put in place a flagging mechanism so users can flag any harmful content – but requires they take specific action in relation to intimate content communicated without consent and content that sexually victimizes a child or revictimizes a survivor:

• If there are reasonable grounds to believe flagged content fits into either the intimate content communicated without consent or the content that sexually victimizes a child or revictimizes a survivor category of harmful content, the operator must review it within 24 hours.

• Upon that review, the operator can only immediately dismiss the flag if it’s trivial, frivolous, vexatious or made in bad faith, or has already been dealt with – a low threshold. Otherwise, the default requires the operator to block the content and make it inaccessible to people in Canada.

• If they block, the operator must give notice to both the user that posted the content and the user that flagged it and give them an opportunity to make representations according to a timeline set out in the regulations (again, which aren’t yet available).

• Based on those representations, the operator must decide whether there are reasonable grounds to believe the content falls into either the intimate content communicated without consent or the content that sexually victimizes a child or revictimizes a survivor category of harmful content. If so, the operator must make the content inaccessible to persons in Canada and continue to make it inaccessible. This suggests an obligation to prevent the content from being reposted.

• There is a reconsideration process, which is largely a repeat of the original flag and review process, after which it can be escalated to the Commission.

The Act doesn’t mandate a process to addressing the other categories of harmful content. Presumably an operator will need to elaborate on that process in its digital safety plan.

Resource Person. Service operators must also make a “resource person” available to users to hear concerns, direct them to resources and give guidance on the use of those resources.

4. Mandatory Digital Safety Plan

Each regulated service operator must submit a “digital safety plan” to the Digital Safety Commission for approval.

Plan Contents. The required contents of the plan are extensive and requires the operator to set out what it does to comply with the Act, including:

• All the measures used to protect children.
• Preventing harmful content.
• Statistics about flags and takedowns by category of harmful content.
• Resources the operator has allocated to comply with the Act.
• Information respecting content other than “harmful content” (as defined in the Act) the operator moderated and had reasonable grounds to believe posed a “risk of significant psychological or physical harm.”
• Information about complaints, concerns heard and any research the operator has undertaken related to safety on their platform.
• And, of course, “any other information provided for by regulations.”

The operator must also publish most of this on its platform.

Access By Accredited Organizations. The Digital Safety Commission can accredit organizations (not individuals) to access electronic data in digital safety plans that are submitted to the Commission but aren’t required to be published. To be accredited, the organization must be conducting research, education, advocacy or awareness activities related to the Act’s purposes. The Commission can grant access to this non-public data and suspend or revoke accreditation if the accredited organization doesn’t comply with the accreditation conditions. Accredited organizations can also request access to electronic data in digital safety plans from regulated service operators and the Commission can order that the operator provide the data. However, this access is only allowed for research projects related to the Act‘s purposes. This is another area where the parameters are left to the as yet unavailable regulations. There is no explicit requirement that the accredited researcher have their research approved by a Canadian research ethics board.

5. Digital Safety Commission Complaints Process

Any person in Canada can make a complaint to the Commission that content on a regulated service is intimate content communicated without consent or sexually victimizes a child or revictimizes a survivor. Upon receipt, the Commission must conduct an initial assessment of the complaint and handle it as per the process in the Act – a process that lacks many of the traditional fairness or natural justice safeguards.

Triviality Test. The threshold for an immediate takedown order is a low one: if the Commission is of the opinion the complaint is trivial, frivolous, vexatious, made in bad faith, or has otherwise been dealt with, it must dismiss it. But if the Commission decides – without any substantial consideration of the merits of the complaint – it’s not a non-trivial complaint, it must:

• Make an immediate takedown order.
• Give the regulated service operator notice of the complaint.
• Make an order requiring the operator to, without delay, make the content inaccessible to all persons in Canada until the Commission gives notice to the operator of its final decision.

User Information. The operator must ask the user that posted the content whether they consent to the provision of their contact information to the Commission. If the user consents, the operator must provide the contact information to the Commission – but  it seems unlikely that many users, who are effectively accused of sharing illegal content, will consent to their information being shared with the Commission. If the user doesn’t consent, the Commission’s review will proceed without the user’s input.

Representations. Only at this point must the Commission give the complainant and the user an opportunity to make representations respecting whether the content fits into either the intimate content communicated without consent or sexually victimizes a child or revictimizes a survivor categories of harmful content.

Final Decision. Again, the threshold is low. The Commission must then decide whether there are “reasonable grounds to believe” the content fits into one of these two categories of harmful content – that’s it. If it decides there are such reasonable grounds the Commission must issue an order that the content be made permanently inaccessible to all persons in Canada. In contrast, a criminal court would be required to consider whether the content fits the definition beyond a reasonable doubt; a civil court would have to consider whether the content fits the definition on a balance of probabilities.

6. The Digital Safety Commission’s Vast Powers

The Commission’s investigative and penalizing powers are broad – and have teeth.

Powers. The Commission has the power to:

• Summon and enforce the appearance of persons before the Commission and compel them to give oral or written evidence on oath and produce any documents or other things the Commission considers necessary, in the same manner and to the same extent as a court.

• Administer oaths.

• Receive and accept any evidence or other information the Commission sees fit – whether it would be admissible in a court or not.

• Decide any procedural or evidentiary question.

Hearing. It’s entirely in the Commission’s discretion to determine when a hearing is appropriate. If it does holds a hearing, it’s required to hold it in public – unless it isn’t. The Act sets out several circumstances in which the Commission can hold a hearing, in whole or in part, behind closed doors.

Rules of Evidence. While investigating and holding hearings, the Commission isn’t bound by the traditional legal or technical rules of evidence that apply to courts and many administrative tribunals: the Commission is required to “deal with all matters that come before it as informally and expeditiously as the circumstances and considerations of fairness and natural justice permit.” This raises further concerns about due process and procedural fairness, especially given the Commission’s punitive powers.

Compliance Orders. The Act will give the Commission broad powers to issue “compliance orders” – without the requirement of a hearing or a clear path for appeals under the Act. To grant a compliance order, all the Commission needs is “reasonable grounds to believe” a regulated service operator has contravened the Act. The operator gets no opportunity to hear the concerns, make submissions or respond before the Commission decides whether to issue an order. And what the Commission can order is largely without limits: it can make an order requiring the operator to take – or to stop – any measure to ensure compliance.

7. Enormous Penalties

The penalty for contravening such a Commission’s compliance order is enormous: up to the greater of $25M or 8% of the regulated service operator’s global revenue – an amount that could be in the billions considering large social media companies’ 2023 revenues.

8. Designated Inspectors

The Digital Safety Commission has the authority to designate “inspectors” who the Commission considers qualified for the purposes of verifying compliance or preventing non-compliance with the Act. Inspectors have authority to enter and search any premises other than a dwelling without a warrant – and without notice.

Powers. Once in the business’s premises, an inspector can:

• Examine, copy in whole or in part or take for examination or copying any document or information.

• Examine and take for examination any other thing.

• Use or cause to be used any computer system at the place to examine any document or information.

• Reproduce, cause to be reproduced or take for examination any document or information.

• Use or cause to be used any copying equipment or means of telecommunication at the place to make copies of or transmit any document or information.

Assistance. Inspectors can require any person in charge of the premises to assist them and provide documents, information and any other thing. And inspectors can bring along anybody else they think is necessary to help them exercise their powers or perform their duties and functions.

Obligation. The Act will also include a separate, standalone power for an inspector to order anyone to provide information or documents or to access information or documents for a purpose related to verifying compliance or preventing non-compliance with the Act.

9. Age-Appropriate Design Code

Regulated operators might also be required to comply with “design features” set out in the Act. The Act will require regulated service operators to integrate into their service any design features respecting the protection of children, like age-appropriate design, set out in its regulations. This obligation gives the government the power to regulate potentially huge changes to or required elements of an online service – and could hint at a mandatory “age appropriate design code”. The basis for these requirements aren’t yet known, but before developing the U.K.’s age-appropriate design code, the U.K. Information Commissioner’s Office carried out massive amounts of consultation, research and discussion.

10. Changes to Other Laws

In addition to implementing the Online Harms Act, Bill C-63 will amend the Criminal Code and the Canadian Human Rights Act, changes that have largely taken over all discussion of the Bill both online and in the media due to their controversial nature.

Hate Crime. Bill C-63 would amend the Criminal Code to create a new hate crime, “offence motivated by hatred”, and to impose harsher penalties for hate propaganda offences.

Discrimination. Bill C-63 would also amend the Canadian Human Rights Act to effectively reinstate “communication of hate speech” as a discriminatory practice. This would give aggrieved individuals the right to file a complaint with the Canadian Human Rights Commission which, in turn, can impose monetary penalties of up to $20,000. However, these changes concern user-to-user communication and not social media platforms, broadcast undertakings, or telecommunication service providers.

Mandatory Reporting. Bill C-63 further introduces amendments to the existing An Act Respecting the Mandatory Reporting of Internet Child Pornography by Persons who Provide an Internet Service related to the mandatory reporting of child sexual abuse materials. The amendments clarify the definition of “internet service” to include access, hosting and interpersonal communication like email. Any person providing an “internet service” to the public must send all notifications to a designated law enforcement body. Additionally, the amendments would extend the preservation period for data related to an offence and where the materials at issue are “manifestly child pornography”, the service provider will be required to include more information in its report.

Please contact your McInnes Cooper lawyer or any member of our Privacy, Data Protection & Cyber Security Team @ McInnes Cooper to discuss how to prepare to comply with the Online Harms Act.

Share

Print