Protecting Canadians From Online Crime Act Becomes Law, Impacts Employers
- On March 9, 2015, the Protecting Canadians from Online Crime Act (Act) comes into force.
- The Act updates Canada’s Criminal Code to make the distribution of intimate images on the Internet without consent a crime.
- The Act expands the powers of law enforcement agencies investigating online activities and creates new compliance obligations for certain employers.
On Dec. 9, 2014, Bill C-13, the Protecting Canadians from Online Crime Act (Act) received royal assent. The Act, which has been labelled Canada’s cyber bullying law, will come into force on March 9, 2015.
True to its name, the Act introduces new provisions to Canada’s Criminal Code concerning cyber bullying, but it also increases the power of law enforcement agencies to obtain electronic information related to the investigations of crimes.
Going forward, employers that maintain electronic information on behalf of others must be aware of new compliance obligations created by the Act.
Cyber Bullying Provisions
Under the Act, it will now be an offence to knowingly publish, distribute, transmit, sell, make available or advertise intimate images of an individual without his or her consent in electronic mediums, where there is reasonable expectation of privacy.
To help prevent cyber bullying, the Act empowers courts to:
- Order the removal of intimate images from the Internet;
- Order the forfeiture of the computer, cell phone or other device used to commit cyber bullying;
- Provide for reimbursement to victims for the costs incurred from removing the intimate image from the Internet; and
- Issue orders to prevent an individual from distributing intimate images.
Amendment to Lawful Access Standard
Of greater concern to most employers are the changes to lawful access the Act introduces. “Lawful access” generally refers to an investigative technique used by law enforcement agencies and national security agencies that involves the interception of private communications and the seizing of information where authorized by law.
The Act changes the threshold necessary for obtaining lawful access related to the search and seizure of computer, transmission and tracking data. Prior to the passage of the Act, orders for the search and seizure of computer data were granted only if a judge determined that law enforcement officers had “reasonable grounds to believe” that an offence had been committed.
The Act lowers the legal threshold for lawful access by now requiring that only a “reasonable ground for suspicion” be demonstrated prior to a judge issuing an order. Under this new lower threshold, some legal experts predict that law enforcement agencies will have an easier time gaining access to employers’ electronic data.
Preservation of Computer Data
The Act provides law enforcement agencies with two new tools that they may utilize in investigating crimes, preservation demands and preservation orders.
Preservation demands and orders require employers to preserve computer data in their control or possession to ensure that it is not deleted before a production order or search warrant is obtained.
Preservation demands can be made by law enforcement officers directly to the person or employer without the authority of a judge. Preservation demands expire after 21 or 90 days, depending on whether the offense is committed under Canadian or foreign laws.
A preservation order is an order issued by a judge requiring a person or employer to preserve the computer data sought by a law enforcement officer or public officer. Preservation orders expire 90 days after they are granted.
It should be noted that preservation demands and orders differ from general data retention requirements. General data retention requirements dictate that employers collect and store data for a particular period of time for all subscribers, regardless of whether they are subject to an investigation. In contrast, a preservation demand or order relates only to a particular telecommunication or person, in the context of an investigation.
New Types of Production Orders
The Act also creates new production orders related to transmission data and tracking data that employers must contend with.
For the purposes of the Act and production orders, “transmission data” is a specific set of metadata that indicates the origin, destination, date, time, duration, type and volume of a telecommunication, but does not include the actual content of the telecommunication. Examples of transmission data include IP addresses of websites visited or search terms used.
“Tracking data” is information that relates to the location of a thing or individual.
The new production orders created by the Act allow law enforcement agencies to obtain transmission or tracking data that is already in an employer’s possession at the time of the order. Employers that are issued a production order must produce the transmission or tracking data requested or face penalties.
Production of Financial Data
The Act also imposes additional obligations on financial institutions. Judges may now order financial institutions to prepare and produce documents with the following information in their possession or control:
- The account number of the person or the name of the person attached to an account specified in an order;
- Information related to the type of account the person named in the order holds;
- The status of the individual’s account; and
- The date on which the account was opened or closed.
Additionally, judges may order that financial institutions disclose the date of birth, current address and previous addresses or the person identified in order to confirm his or her identity.
Employers should note that the Act provides immunity from criminal and civil liability to employers that voluntarily preserve or produce data to law enforcement officers, even if the officer does not have a preservation or production order.
Penalties for failing to comply with the Act’s requirements are stiff. Individuals or employers that violate a preservation demand may be fined up to $5,000. Penalties for violating the terms of a preservation or production order are harsher. An individual, employer or financial institution that violates the terms of a preservation or production order may face fines up to $250,000 or six months of imprisonment.
Impact on Employers
In light of the new obligations created by the Act, employers should review and, if necessary, amend their privacy, information management and data retention policies to ensure compliance with potential preservation or production orders. Employers’ policies should outline the procedure for responding to preservation demands, preservation orders and production demands and make clear which staff members are responsible for responding to demands and orders.
© 2015 Zywave, Inc. All rights reserved.