What some have telegraphed as Canada’s anti-cyberbullying has also afforded law enforcement agencies some new broad powers to obtain information from businesses about their customers and is set to come into force March 9.
The Protecting Canadians from Online Crime Act (the “Act”) received Royal Assent Dec. 9, 2014. While some have referred to the Act as Canada’s “cyberbullying law,” the Act is also intended to provide increased power to law enforcement agencies in their investigation of online activities. As a result of the broad powers afforded to law enforcement agencies, businesses that maintain information on behalf of others (including ISPs, banks, insurance companies and others) must be aware of the new compliance obligations. The provisions of the Act will come into force on March 9, 2015.
New cyberbullying offence
The Act attempts to address cyberbullying, which has become a serious issue and one that was cited in several high profile cases. In October 2012, Amanda Todd committed suicide after being blackmailed and threatened that topless pictures of her would be distributed on the Internet. In April 2013, Rehtaeh Parsons attempted suicide (and was later taken off life support) after she was bullied on the Internet with pictures of an alleged sexual assault.
It will now be an offence to knowingly publish, distribute, transmit, sell, make available or advertise an “intimate image” of a person without that person’s consent, where there was a reasonable expectation of privacy.
The Act also gives courts powers to order the offender to remove the image, forfeit their device and even stay off the Internet.
The Act also makes a number of amendments to the law aimed at preserving electronic evidence and allowing police officers to more quickly investigate past or possible future offences. For example, preservation demands or preservation orders can be directed at persons (including businesses that maintain information) to require the preservation of “computer data” evidence that is in the person or businesses’ possession or control and that is the subject of an investigation.
Similarly, the Act also gives police the ability to apply for a production order under which the officer can require a person to produce the information (including transmission and tracking data) that the person was required to preserve under a preservation order.
Some have expressed concern with these new broad lawful access powers given to the police as the orders can be given if they simply satisfy a judge that there are reasonable grounds to believe that an offence was or will be committed (a fairly low threshold).
Finally, it should also be noted that the Act provides immunity from criminal and civil liability to a person or business (including an ISP) who voluntarily preserves or produces data to a law enforcement officer, even without a preservation or production order.
What should businesses do to comply?
Organizations should consider reviewing and amending their privacy, information management, and data retention policies to ensure compliance with a preservation or production order. The policies should also outline which staff will be responsible for responding to such an order. In addition, these corporate policies should outline the circumstances in which the organization will make a voluntary disclosure of data to law enforcement.