On December 9, 2014, Bill C-13, An Act to amend the Criminal Code, the Canada Evidence Act, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act, also known as the Protecting Canadians from Online Crime Act (Act), received royal assent. The Act, sometimes colloquially referred to as Canada’s cyberbullying law, was originally introduced in the House of Commons on November 20, 2013, and will come into force on March 9, 2015.
Although this legislation does introduce provisions concerning cyberbullying, it does much more than that. Most notably, the Act contains provisions that concern entities that possess or control computer data or certain financial data, such as internet service providers (ISPs), telecommunications service providers (TSPs) and financial institutions. These provisions have been the subject of various bills over the years that have been proposed by both Liberal and Conservative governments. In all cases, these bills failed to become law, primarily due to controversy surrounding their proposed increases in powers given to law enforcement conducting investigations of online activities (these bills were often referred to as “lawful access” bills). In particular, the Act reintroduces several provisions of Bill C-30, the Protecting Children from Internet Predators Act, the federal government’s last attempt at lawful access legislation.
According to many commentators, the current Act, by combining both cyberbullying and lawful access concepts into a single piece of legislation, has served to reduce public controversy as legislating to attack the increasing problem of cyberbullying is a popular proposition. As well, the lawful access measures contained in the Act are a far cry from those much more robust powers that were being proposed for law enforcement in the earlier lawful access bills. For instance, Bill C-30 provided for warrantless mandatory disclosure of basic subscriber information, a controversial provision that did not resurface in the current Act. Nevertheless, the Act has still served as a bit of a lightning rod for controversy in the media and with the public.
THE ACT AT A GLANCE
The Act provides for two main amendments to the Criminal Code:
- A new offence of non-consensual distribution of intimate images (referred to as the cyberbullying section), making it an offence to knowingly publish an intimate image of a person, knowing that he or she did not provide consent or being reckless regarding the person’s lack of consent. These provisions also give courts the complementary power to order removal of the image and forfeiture of the device used in the offence.
- New investigative powers (preservation demands, preservation orders and production orders) that allow law enforcement officers to collect electronic evidence relating to individuals that are the subject of an investigation.
STANDARD TO GAIN LAWFUL ACCESS
Lawful access generally refers to the interception of communications and the search and seizure of information carried out by law enforcement agencies pursuant to legal authority. Generally speaking, police and other governmental authorities are only permitted to intercept communications and search and seize information, including computer data, if they have authority from a judge to do so, usually in the form of a warrant.
Prior to the Act’s passage into law, warrants for the search and seizure of computer data were only granted when a judge was satisfied that the peace officer or public officer had “reasonable grounds to believe” that an offence had been committed. The Act changes that threshold for various orders relating to computer data, transmission data and tracking data to one of “reasonable grounds for suspicion”—a lower standard.
PRESERVATION OF COMPUTER DATA
Notably, the Act creates new preservation demands and orders for computer data, both subject to the lower threshold of “reasonable grounds for suspicion” as discussed above.
These provisions allow a peace officer or a public officer to make a preservation demand or to apply to a judge for a preservation order to have a person preserve computer data in their control or possession to ensure that it is not deleted before a production order or a search warrant is obtained.
The preservation demand is made directly to the person by a peace officer or public officer without the authority of a judge’s order and expires after 21 or 90 days depending on whether the offence is committed under Canadian or foreign laws.
The preservation order is a judge’s order forcing the person to preserve the computer data sought. To grant a preservation order, the judge must be satisfied that the peace officer or public officer intends to or has applied for a warrant to obtain the document with the relevant computer data. The preservation order, if granted, expires after 90 days.
PRODUCTION OF TRANSMISSION DATA AND TRACKING DATA
The Act also creates new production orders regarding transmission data and tracking data. A production order is a judicial order requiring a person to disclose the relevant computer data that may or may not have been the subject of a preservation order.
Transmission data is metadata that relates to telecommunication functions such as dialing or routing, and identifies a device in order to establish or maintain access to a telecommunication service, or is generated during the creation, transmission or reception of a communication and identifies certain characteristics of the communication (such as the date, time, duration, origin, etc.) and does not reveal the substance of the communication. Examples of transmission data include IP addresses of websites visited or search terms used.
Tracking data is information that relates to the location of a transaction, individual or thing. Tracking data utilizes the GPS functions of a device, such as a cellphone or vehicular GPS. With respect to both transmission and tracking data, peace officers or public officers can obtain the historical data through a production order and real-time data through a warrant.
If a peace officer or public officer wishes to obtain the disclosure of the substance of the communication—which neither the transmission nor the tracking data reveals—they must apply for a general production order, which requires the judge to be satisfied that there are reasonable grounds to believe (rather than suspect) that an offence was or will be committed.
PRODUCTION OF FINANCIAL DATA
A judge may order that a financial institution (as defined at section 2 of the Bank Act or a person or entity referred to in section 5 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act) prepare and produce a document with the following information in their possession or control:
- The account number of the person or the name of the person attached to an account number
- The type or status of an account
- The date on which it was opened or closed.
In addition, the judge or justice may order that the financial institution disclose the date of birth, current address and previous addresses of the person in order to confirm the identity of the person.
The potential penalties for contravening any of the abovementioned demands or orders are significant. A person who contravenes a preservation demand is subject to a fine of up to C$5,000, and a person, financial institution or entity that contravenes an order (whether a preservation or production order) without lawful excuse may be liable for a fine of up to C$250,000 or six months’ imprisonment.
Further, the Act provides immunity from criminal and civil liability to a person (such as a TSP, ISP or financial institution) who voluntarily preserves or provides data to a law enforcement official that such person is not prohibited by law from preserving or disclosing, as applicable.
We note that the provision providing immunity from criminal and civil liability to the person who voluntarily discloses data may be challenged due to privacy considerations. The Supreme Court of Canada has previously established in R. v. Spencer that private-sector entities cannot hand over information in which there is a reasonable expectation of privacy to law enforcement upon simple request and without judicial authority.
Organizations should also be aware that Bill S-4, the Digital Privacy Act, contains related amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) regarding voluntary disclosure. The bill, which has been referred to committee before its second reading at the House of Commons, includes controversial provisions that would allow organizations to disclose personal information to other organizations without consent if such disclosure were reasonable for the purposes of investigating a breach of an agreement or contravention of the laws of Canada or a province, or for the purposes of detecting, suppressing or preventing fraud.