DLA Piper (Canada) LLP | View firm profile
Proposed penalties are significant: administrative monetary penalties of up to $10 million or 3% of gross global revenue (whichever is greater), and criminal fines of up to $20 million or 5% of gross global revenue for the most serious offences. For technology companies, venture capital investors, and businesses operating in the digital space, Bill C-34 signals a reinvigorated focus on Canada’s regulatory posture toward online platforms. While the bill remains at First Reading and will undergo significant parliamentary scrutiny, businesses would be well advised to begin assessing their exposure to these proposed obligations now; however, as we explain below, the scope of these obligations is largely unknown at this point and will be left to various regulations.
Overview and legislative context
The proposed legislation is structured in two parts. Part 1 enacts the Digital Safety Act, establishing the substantive regulatory framework, and Part 2 creates the Digital Safety Commission of Canada Act, a new, independent regulator charged with administering and enforcing the regime.
It is important to note that Bill C-34 is at First Reading only. It has not yet been debated in Parliament, referred to committee, or subjected to amendment. And like most new modern Canadian legislation, most of the implementation details are to be decided in regulations that have yet to be proposed, let alone promulgated. As a result, enactment of the proposed changes, even if passed by parliament quickly, is likely several years away.
Regulated services: Three categories and exclusions
The Digital Safety Act would establish a tiered regulatory framework that distinguishes among three categories of services:
Regulated social media services
Regulated social media services are defined as websites or applications accessible in Canada whose primary purpose is enabling interprovincial or international online communication that allows users to access and share content. Services must meet user-threshold numbers to be established by regulation. The category expressly includes adult content services and live streaming services.
Regulated chatbot services
Perhaps most notably, the legislation would create ‘regulated chatbot services’ as a distinct statutory category with tailored duties—an approach that, while building on earlier efforts in the EU, China, and several US states to regulate aspects of conversational AI, goes further than most existing frameworks in treating chatbot services as a separate class of regulated services with comprehensive, bespoke obligations within a broader digital safety regime.
Regulated online services
A residual category encompasses other online services that fall within categories established by regulation, provided they pose a “significant risk of harm to children.” This catch-all provision gives the government considerable flexibility to expand or revise the regime’s reach through regulation.
Exclusions
The bill expressly excludes:
- services whose primary purpose is the sale, listing, or advertisement of goods or services;
- directories;
- search results;
- maps and navigation tools;
- basic internet connectivity; and
- (notably) private messaging features.
- These carve-outs are significant for e-commerce platforms and messaging applications, though the boundaries may prove contentious in practice, given the modern way services operate.
Duties imposed on operators
The Digital Safety Act poses a number of duties on groups of operators in various buckets of to-be determined regulated services as set out below, though much of the detail on the scope of these duties will be determined on regulations yet to be proposed and application to real-world use cases.
Duty to protect children
All operators of regulated services would be required to integrate child-protection design features as specified by regulation and implement age-verification or age-estimation mechanisms for pornographic content. The bill requires that such measures be “effective” and “privacy-protective” (including a requirement to destroy verification data after the process is complete). Notably, measures must not “unreasonably limit expression,” signalling an awareness of the tension between safety and free expression that pervades the bill. These boundaries may prove difficult to navigate until clear precedents and regulations are set, and will require thorough consideration of attendant privacy considerations in setting such regulations.
Duty to act responsibly
Operators of regulated social media services or chatbot services would be required to implement measures that “are adequate to mitigate the risk” that users of the service will be exposed to or communicated harmful content on the service. They must implement adequate measures to mitigate user exposure to seven defined categories of harmful content (these are a carry-over from the government’s last attempt):
- Intimate content communicated without consent (including deepfakes);
- Content that sexually victimizes a child or revictimizes a survivor;
- Content that induces a child to harm themselves;
- Content used to bully a child;
- Content that foments hatred;
- Content that incites violence; and
- Terrorism or violent extremism content.
Particularly for operators of social media services, the adequacy of an operator’s measures will be assessed against multiple factors, including effectiveness, the size of the service, technical and financial capacity, non-discrimination, and other regulatory considerations. Operators must publish user guidelines with standards of conduct, provide tools for users to block other users and flag harmful content, label synthetic content (including deepfakes and AI-generated material), label content subject to automated bot amplification, make a resource person available to users, and preserve content involving incitement to violence or terrorism for one year after removal.
Again, all measures must not “unreasonably or disproportionately limit users’ expression.” This proportionality requirement will likely be a central point of contention in assessing compliance, but also create a lot of regulatory uncertainty.
As mentioned ,the obligations imposed on regulated chatbot services (as opposed to social media services) are among the bill’s most novel provisions. Operators must mitigate the risk of their service communicating harmful content and must address a list of specifically identified harmful behaviours. These provisions are discussed in greater detail below.
Duty to be transparent
All operators of regulated services must maintain compliance records and submit digital safety plans to the Commission and make these available publicly. These plans must include risk assessments, descriptions of mitigation measures, effectiveness assessments, information about content-moderation volumes, flagging statistics, details of research conducted, resources allocated to compliance, and an inventory of electronic data held by the service. Plans must be published publicly in an accessible format, though they must not contain personal information or information prejudicial to criminal investigations. Rather than require a duty to act (i.e., to report in the event of an incident that is offside their policy), this duty focuses on requiring operators to make their policies and internal statistics regarding events arising within those policies available to the public, which would presumably then be in a position to determine the obligations to report. For businesses, the publication requirement is particularly significant. Digital safety plans will effectively become public disclosures of a company’s risk assessment and safety practices, potentially creating both reputational exposure and a roadmap for enforcement or class actions where disclosed measures prove inadequate.
Duty to make certain content inaccessible
Where an operator identifies child sexual abuse material (CSAM) or non-consensual intimate content, the operator must make it inaccessible within 24 hours. Where a user flags such content, the operator must conduct an initial assessment within 24 hours and remove the content unless the flag is dismissed. A reconsideration process must be available to affected users, including the right to make representations.
The minimum-age restriction: Ambition meets uncertainty
Perhaps the most publicly prominent provision of Bill C-34 is its requirement that operators of regulated social media services prevent persons under age 16 from maintaining accounts. Operators must implement “adequate age-verification or age-estimation” measures to enforce this prohibition.
The provision is ambitious in scope but raises substantial questions about implementation. Age-verification technologies capable of reliably determining whether a user is under 16 (at scale, across millions of users, while simultaneously preserving privacy) remain an area of active technological development rather than settled practice. The bill itself acknowledges this tension: verification measures must be both “effective” and “privacy-protective,” and operators must destroy verification data after the process is complete. Whether existing technologies can satisfy all three requirements simultaneously is an open question.
Several design features of the bill temper its reach:
- First, the prohibition applies only to services specifically designated by the Governor in Council through regulation; it does not automatically capture every regulated social media service, and those it does capture will be unknown for some time;
- Second, the Digital Safety Commission may exempt operators that demonstrate they provide “adequate safeguards” for children, creating an alternative compliance pathway that may prove significant in practice;
- Third, section 129 mandates a ministerial review of the minimum-age provisions within three years of coming into force, an explicit legislative acknowledgment that the efficacy and appropriateness of these measures remain uncertain.
For businesses, the key questions are practical: Which services will be required to comply? How will the exemption process work? What sort of safeguards will the Commission deem adequate for children to be exempt from age verification? What level of accuracy will be required, and what false-positive rates (legitimate adult users incorrectly excluded) will be tolerated? Will children’s right to autonomy be respected in situations where the home or parent is not safe? These are areas to watch closely as the bill progresses through Parliament and as the Commission develops its regulatory guidance.
Chatbot-specific obligations
Bill C-34’s treatment of AI chatbot services is notable both for its specificity and for its forward-looking approach to a rapidly evolving technology. Regulated chatbot services face the following obligations:
Crisis intervention
If a user expresses suicidal ideation, an intention to self-harm, or an intention to cause death or serious bodily harm to another person, the chatbot service must immediately interrupt the interaction and direct the user to crisis intervention services. The bill specifies that the crisis service must connect the user to a human being who is available at the time the user is directed towards them—automated crisis responses alone will not suffice. This is almost certainly a direct response to the Tumbler Ridge shooting, the recency and public prominence of which undoubtedly affected this legislation.
Prohibition on harmful behaviours
Chatbot operators must mitigate behaviours including:
- Posing as a human being in circumstances likely to lead a user to mistake the chatbot for a human;
- Posing as a medical, legal, or other licensed professional and providing advice;
- Using manipulative engagement techniques to encourage emotional attachment, leading to social withdrawal;
- Encouraging self-harm, suicide, or acts causing death or serious bodily harm; and
- Other behaviours as specified in regulations
- These provisions represent a legislative response to well-publicised concerns about AI chatbots forming parasocial relationships with vulnerable users and about the potential for AI systems to provide harmful advice while appearing authoritative without the required training human professionals receive and are responsible for. They also raise important questions about how operators will be expected to balance user experience with compliance, particularly regarding the prohibition on “posing as a human being,” which may have broad implications for how chatbots are designed and marketed.
The Digital Safety Commission of Canada
Part 2 of Bill C-34 would establish the Commission as a new independent regulatory body. The Commission would be composed of three to five full-time members appointed by the Governor in Council, with renewable terms of up to five years on a staggered basis. Members must be Canadian citizens or permanent residents, and the Chairperson serves as the Chief Executive Officer.
The Commission’s proposed powers are extensive. It would summon witnesses, administer oaths, receive evidence, hold hearings, issue guidelines, and establish codes of conduct. It would consult with the Canadian Radio-television and Telecommunications Commission (CRTC), the Privacy Commissioner of Canada, and the Royal Canadian Mounted Police (RCMP) in exercising its functions. In making decisions, the Commission would be required to take into account freedom of expression, equality rights, privacy rights, and the needs of Indigenous peoples.
The Commission would also be empowered to accredit researchers to access electronic data from operators, subject to conditions regarding confidentiality for research related to the purposes of the Act, intellectual property, data security, and personal information protection. This research-access mandate is designed to address the persistent challenge of independent researchers being unable to study platform dynamics due to data access barriers.
The Commission would report annually to Parliament and would represent a significant expansion of Canada’s regulatory apparatus. It also raises important questions about coordination with existing regulators, particularly the CRTC and the Office of the Privacy Commissioner, as well as data privacy issues in relation to information sharing with the RCMP.
Enforcement and penalties
The enforcement provisions of Bill C-34 appear designed to ensure meaningful consequences for non-compliance; however, these amounts have been significantly reduced from the amounts previously proposed.
The Commission may impose administrative monetary penalties (AMPs) of up to the greater of $10 million or 3% of the gross global revenue of the operator and its affiliates. Continued violations are treated as separate violations for each day they persist. The stated purpose of AMPs is to promote compliance, not to punish, and a due diligence defence is available. Factors in determining penalty amounts include the nature and scope of the violation, compliance history, benefit obtained from non-compliance, ability to pay, and the purpose of the penalty.
For the most serious contraventions, criminal prosecution is available, however a due diligence defence is available. On indictment, operators face fines of up to the greater of $20 million or 5% of gross global revenue. On summary conviction, the maximum is $15 million or 4% of gross global revenue. For non-operators, penalties are lower but still substantial (up to $5 million or 1.5% on indictment; up to $3 million or 1% on summary conviction). Individual liability is capped at $50,000. Notably, no imprisonment is available for any offence under the Act. The scope and expectations of the due diligence defense will likely be tested on early reliance while the Act plays out.
The Commission could also issue compliance orders directing operators to take or refrain from specific actions, enforceable as Federal Court orders. The Governor in Council would be empowered to make regulations for charges payable by operators to fund the Commission’s activities, a cost-recovery model that places the financial burden of regulation on the regulated industry.
When might this happen and what does it all mean?
Once implemented, provisions of Bill C-34 would come into force on a day or days to be fixed by order of the Governor in Council. This flexible approach gives the government discretion to phase in different obligations over time, which may be particularly important for technically complex requirements such as age verification. Importantly, Bill C-34 is only at First Reading and will undergo further study before parliamentary committees, and potentially amendments, before it can be enacted. Once passed, significant details will involve regulatory implementation, such as the age-verification requirements, which will be subject of further consultation with stakeholders before coming into force. As a result, even if passed quickly, it may take years before all of the provisions come into force.
Still, the government is expected to push hard to pass this, its last attempt having failed, even if the details remain to be worked out. As proposed, Bill C-34 mandates a comprehensive ministerial review of the entire Act within three years of coming into force, and every five years thereafter. A separate, specific review of the minimum-age provisions would be required within three years. These review clauses signal an awareness that digital regulation must evolve with technology and that initial legislative choices may require correction.
Bill C-34 has implications for a broad range of technology companies, investors, and businesses with digital operations touching Canadian users:
- Platform operators: Social media companies, content-sharing platforms, and live streaming services meeting the (yet-to-be-defined) user thresholds will face comprehensive new obligations around content moderation, age verification, transparency reporting, and child protection.
- AI and chatbot developers: Companies deploying conversational AI services in Canada will need to implement crisis intervention protocols, human-disclosure mechanisms, and safeguards against manipulative engagement.
- Venture capital and investors: Due diligence on digital platform investments should now incorporate Canadian regulatory risk. The revenue-based penalty structure means that penalties scale with company size, creating potentially existential exposure for high-revenue, low-margin platforms.
- E-commerce and adjacent services: While the exclusions for sale/listing platforms and search services provide some comfort, businesses with algorithmic, social, AI, or user-generated components should carefully assess whether they fall within the regulated categories.
- All digital businesses: The bill’s reliance on regulations to define user thresholds, service categories, and specific obligations means that the full scope of the regime will only become clear over time. Ongoing monitoring is essential.
Bill C-34 represents Canada’s most ambitious attempt since Canada’s Anti-Spam Legislation to regulate the digital ecosystem. Its breadth (spanning social media, AI chatbots, and online services more broadly) and its enforcement mechanisms mean it must be carefully monitored.