Bill C-13: Lawful Access and the Relationship Between Organizations, Cyber-bullying and the Protection of Privacy Rights
On December 9, 2014, Bill C-13, An Act to amend the Criminal Code, the Canada Evidence Act, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act (Act) – also known as the Protecting Canadians from Online Crime Act –, received the royal assent. The Act will come into force on March 9, 2015.
The Act deals with the serious issues of online bullying, harassment and non-consensual circulation of intimate images and aims the protection of Canadians from cyber-bullying and other forms of Internet exploitation.
Significant amendment to the Criminal Code
The Act notably brought two significant amendments to the Criminal Code:
- The creation of a new offence of non-consensual distribution of intimate images as well as complementary amendments to authorize the removal of such images from the Internet, the recovery of expenses incurred to obtain their removal and the forfeiture of property used in the commission of the offence;
- New investigative powers (preservation demands, preservation orders and production orders) for law enforcement officers for the conduct of their investigation.
Following the coming into force of the Act on March 9, 2015, organizations must be aware that they might be subject to the application of the Act. Indeed, organizations such as Internet service providers, telecommunication service providers and financial institutions will have the obligation to comply with orders issued by the courts and demands issued by peace officers and even public officers. The extent of the powers granted by the Act is considerable given that the term “public officer” may include a large range of persons, including, namely, mayors, wardens, reeves, sheriffs and any federal or provincial officers whose duties include the enforcement of a federal or provincial law.
Threshold to obtain lawful access
The Act provides various legal thresholds for the use of the new investigative powers and procedures. The standard to issue demands or to obtain most of the orders created by the Act will be lowered to the “reasonable grounds to suspect” rather than the “reasonable grounds to believe” that an offence has been or will be committed that is usually required for those types of procedures. Lowering the standard means that law enforcement officers will be able to satisfy the threshold more easily. Indeed a suspicion standard requires less groundwork for law enforcement officers and fewer facts to be put before the judge reviewing requests for surveillance.
Preservation of computer data
The Act provides that at the early stages of their investigation, peace officers and even public officers may issue a preservation demand or seek a preservation order to compel a person to preserve computer data that are in their possession or control. The purpose of these procedures, which are both subject to the suspicion standard, is to avoid the destruction and deletion of such data before the granting of a production order or a search warrant.
The Act will allow a public officer or a peace officer to make a preservation demand directly to the person without having to obtain the authorization of the court. Depending on whether the commission of the offence is made pursuant to Canadian or foreign law, a preservation demand will expire after 21 or 90 days.
To grant a preservation order, a judge must be convinced that there are reasonable grounds to suspect that the computer data is in the person’s possession or control and will assist in the investigation of the offence. If granted, the order will expire after 90 days.
Production of transmission data and tracking data
Organizations may be subject to production orders or warrants forcing them to disclose transmission and tracking data. Through production orders, peace officers and public officers may obtain historical data and warrants allowing them to obtain real-time data. These procedures are subject to the suspicion standard. Computer data are not required to have previously been the subject of a preservation order for being disclosed by way of a production order.
Transmission data is data that relates to telecommunication functions (e.g. dialling, routing, addressing or signalling) and that is transmitted to identify, activate or configure a device, in order to establish or maintain access to a telecommunication service or is generated during the creation, transmission or reception of a communication and identifies certain information related to this communication (e.g. direction, date, time, duration, size, origin, destination or termination of the communication). Generally speaking, transmission data includes the IP addresses of the websites visited or the search terms used.
Tracking data is data that relates to the location of a transaction, individual or thing. The purpose of a production order and warrant is to obtain location information such as GPS coordinates utilized in devices, notably cellphones and vehicles.
However, transmission and tracking data are not related to the substance of the communication. To obtain such information, peace officers and public officers must apply for a general production order for which a judge must be satisfied that that there are reasonable grounds to believe that an offence has been or will be committed.
Financial institutions (as defined in section 2 of the Bank Act, or a person or entity referred to in section 5 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act) may be subject to a judicial order compelling them to prepare and produce a document setting out data that is in their possession or control. The required information may include:
- The account number of the person named in the order or the name of the person whose account number is specified in the order;
- the type of account;
- the status of the account; and
- the date on which the account was opened or closed.
Moreover, for the purpose of confirming the identity of the person, a financial institution may also be required to disclose the date of birth as well as current and any previous addresses of that person.
Failing to comply without lawful excuse to these orders and demands exposes persons and organizations to significant penalties. A person who contravenes to a preservation demand is subject to a fine up to $5,000 and a person, financial institution or entity that contravenes an order (preservation or production) is subject to a fine up to $250,000 and/or six months’ imprisonment.
Voluntary disclosure and immunity
The Act provides a criminal and civil immunity provision for persons who voluntarily preserve or provide computer data to a peace officer or a public officer. In its submission presented before the Standing Senate Committee, the Private Commissioner underlined his concerns regarding the ambiguity arising from voluntary disclosure.
Indeed, in R. v. Spencer (which dealt with the Personal Information Protection and Electronic Documents Act (PIPEDA)), the Supreme Court of Canada established that organizations cannot provide personal information in response to a warrantless search request if there is a reasonable expectation of privacy. An analysis of this case was made in a previous blog post.
Furthermore, Bill S-4, which contains amendments to the PIPEDA, would allow an organization, to proceed to reasonable disclosures to other organizations, without the knowledge or consent of an individual, of personal information. Such disclosures could be made for the purposes of preventing, detecting or suppressing fraud, protecting victims of financial abuse or investigating a breach of an agreement or a contravention of the laws of Canada or a province.
Even if the goals of the Act and Bill S-4 are commendable, the ambiguity arising from voluntary disclosure and lawful access may create confusion on the duties and obligations of organizations with respect to disclosure and access to personal information. Indeed, organizations should be aware that their actions may trigger potential penalties if they fail to compel with orders and demands. On the opposite, organizations also have the duty to protect their clients and employees’ privacy rights.
 S.C. 1991, c. 46.
 S.C. 2000, c. 17.
Daniel THERRIEN, Privacy Commissioner, “Submission to the Standing Senate Committee on Legal and Constitutional Affairs regarding Bill C-13, the Protecting Canadians from Online Crime Act”, November 19, 2015.
 2 S.C.R. 212.
 S.C. 2000, c. 5.
Bill C-13 Competition Act Criminal Code cyber attack cyber security cyber-bullying harassment online bullying