Vol. 145, No. 26 — December 21, 2011

Registration

SOR/2011-292 December 6, 2011

AN ACT RESPECTING THE MANDATORY REPORTING OF INTERNET CHILD PORNOGRAPHY BY PERSONS WHO PROVIDE AN INTERNET SERVICE

Internet Child Pornography Reporting Regulations

P.C. 2011-1526 December 6, 2011

His Excellency the Governor General in Council, on the recommendation of the Minister of Justice, pursuant to section 12 of An Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service (see footnote a), hereby makes the annexed Internet Child Pornography Reporting Regulations.

INTERNET CHILD PORNOGRAPHY REPORTING REGULATIONS

INTERPRETATION

Definitions

1. The following definitions apply in these Regulations.

“Act”
« Loi »

“Act” means An Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service.

“designated organization”
« organisme désigné»

“designated organization” means the organization named in section 2.

“Internet address”
« adresse Internet »

“Internet address” means an Internet Protocol address or a Uniform Resource Locator.

“service provider”
« fournisseur de services »

“service provider” means a person who provides an Internet service to the public.

DESIGNATED ORGANIZATION

Designation of organization

2. For the purpose of section 2 of the Act, the designated organization is the Canadian Centre for Child Protection.

ROLE, FUNCTIONS AND ACTIVITIES OF DESIGNATED ORGANIZATION

Online Internet address reporting system

3. The designated organization must, for the purpose of receiving reports of Internet addresses under section 2 of the Act, maintain a secure online system that

  • (a) assigns each service provider a unique identifier for the purpose of making reports;
  • (b) allows a service provider to report only Internet addresses; and
  • (c) issues to a service provider, for each report they make, a receipt that indicates the incident number assigned to the report, the service provider’s name and unique identifier and the date and time of the report.

Analysis and communication of findings

4. As soon as feasible after receiving a report under section 2 of the Act, the designated organization must determine whether any material found at the reported Internet address appears to constitute child pornography and, if so,

  • (a) determine, if possible, the geographic location of the server that the reported Internet address points to and the geographic location of the server hosting the material that appears to constitute child pornography; and
  • (b) make available to every appropriate Canadian law enforcement agency by secure means
    1. (i) the reported Internet address,
    2. (ii) a description of any geographic location that the designated organization was able to determine under paragraph (a), and
    3. (iii) any other information in the designated organization’s possession that might assist the agency’s investigation.

Retention of records

5. For each report received in accordance with section 2 of the Act, the designated organization must retain the reported Internet address and a copy of the receipt issued under paragraph 3(c) for two years after the day on which the report is received.

Security measures

6. The designated organization must take reasonable measures to

  • (a) ensure its continued ability to discharge its role, functions and activities under the Act, including measures relating to the protection of its physical facilities and technical infrastructure, risk prevention and mitigation, emergency management and service resumption;
  • (b) protect from unauthorized access any information obtained or generated by the designated organization in the course of discharging its role, functions or activities under the Act; and
  • (c) ensure that all of its personnel have the necessary security clearance and training to discharge the designated organization’s role, functions and activities under the Act.

Incident: notification of Ministers

7. The designated organization must notify the Minister of Justice and the Minister of Public Safety and Emergency Preparedness within 24 hours of becoming aware of any incident that jeopardizes the designated organization’s ability to discharge its role, functions or activities under the Act.

Conflict of interest

8. The designated organization must take any measures necessary to avoid a conflict of interest in respect of its role, functions and activities under the Act, and must address any such conflict that does arise.

Annual report

9. The designated organization must, not later than June 30 of each year, submit to the Minister of Justice and the Minister of Public Safety and Emergency Preparedness a report on the discharge of its role, functions and activities under the Act for the 12-month period beginning on April 1 of the preceding year. The report must include

  • (a) the number of reports received under section 2 of the Act and, of those, the number that led the designated organization to make information available to a law enforcement agency under paragraph 4(b);

  • (b) a description of the measures that the designated organization had in place in accordance with section 6;

  • (c) a description of any incident referred to in section 7 that occurred and the steps taken in response to the incident;

  • (d) a description of the measures that the designated organization had in place in accordance with section 8, any conflict of interest that arose and the steps taken to address it; and

  • (e) any other information that may affect the designated organization’s current or future ability to discharge its role, functions or activities under the Act.

OBLIGATIONS OF SERVICE PROVIDERS

Method of reporting

10. For the purpose of section 2 of the Act, an Internet address must be reported by a service provider using the online system referred to in section 3.

Form and content of notification

11. For the purpose of section 3 of the Act, a notification from a service provider must be in writing and must include the following information:

  • (a) the child pornography offence that the service provider has reasonable grounds to believe is being or has been committed using their Internet service;

  • (b) a description of the material that appears to constitute child pornography, including its format;

  • (c) the circumstances under which the service provider discovered the alleged offence, including the date and time of discovery;

  • (d) a description of any other evidence relating to the alleged offence in the possession or control of the service provider; and

  • (e) contact information of the service provider’s representative for the purpose of investigating the matter.

Security measures for preserved data

12. A service provider that is required to preserve computer data under section 4 of the Act must retain a copy of that data in a secure offline location.

COMING INTO FORCE

S.C. 2011, c. 4

13. These Regulations come into force on the day on which An Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service comes into force, but if they are registered after that day, they come into force on the day on which they are registered.

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Issue and objectives

Former Bill C-22, An Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service (the Act), received Royal Assent on March 23, 2011. The Regulations are needed to establish a regulatory framework necessary to implement the Act.

The Regulations provide the mechanics for the providers of Internet service to discharge their duties under the Act.

Description and rationale

The Regulations, among other things, designate an organization (“designated organization”) for the purpose of receiving reports, and elaborate the role, functions and activities of that organization, and the manner in which those who provide Internet services to the public can discharge their obligations under the Act.

There are no costs associated with the Regulations. The Regulations, like the Act, are not controversial and are expected to be widely supported by all Parties, all key stakeholders and the Canadian public.

The Regulations provide the mechanism for implementing the obligations contained in the Act. Therefore, the Regulations may contribute to any positive impact that the Act may have in relation to the ability to detect potential child pornography offences — thus facilitating the identification, apprehension and prosecution of child pornography offenders — and the reduction in the availability of child pornography on the Internet. However, any such positive impact would result from the reporting and notifying obligations contained in the Act rather than from the mechanics contained in the Regulations.

The Act and the Regulations are expected to have a minimal economic impact on the businesses of persons who provide Internet services to the public. All of Canada’s major Internet Service Providers (ISPs) already voluntarily report child pornography when they encounter it and the Act will ensure that all those who provide Internet services to the public in Canada are held to the same standard. The Act specifically states that it does not require, or authorize, any individual or company to actively seek out incidences of child pornography. In other words, the Act does not require those who provide an Internet service to the public to monitor their networks for this type of material. The Regulations provide the mechanics for the providers to discharge their duties under the Act (i.e. how to make a report to a designated organization in accordance with section 2 of the Act, how to notify police in accordance with section 3, and how to safeguard evidence in accordance with section 4); and the Regulations do so in a manner that replicates as much as possible the current practices of those who provide Internet services to the public in Canada.

In summary, the Regulations

  • Name the Canadian Centre for Child Protection as the designated organization for receiving reports under section 2 of the Act;
  • Elaborate on the role, functions and activities of the designated organization, including with regard to
  • Receipt of reports made in accordance with section 2 of the Act,
  • Assessment of whether material that appears to be child pornography is found at the address mentioned in the report and, if so, assessing its geographic location,
  • Secure referral to law enforcement agencies,
  • Protection of information,
  • Security of the physical facility and technological infrastructure,
  • Human resources issues,
  • Mitigation of security breaches, emergencies and conflict of interest, and
  • Annual report to the ministers of Public Safety and Justice, and
  • Elaborate on the manner in which persons who provide Internet services to the public can discharge their obligations under the Act, including as it relates to making a report under section 2, making a notification under section 3, and preserving computer data under section 4.

The Regulations may impact on the coordination and cooperation with the Department of Public Safety, who is responsible for Canada’s National Strategy for the Protection of Children from Sexual Exploitation on the Internet. The Department of Public Safety has a contribution agreement with the Canadian Centre for Child Protection Inc., which is named in the Regulations as the designated agency to receive reports under the Act. Provincially, Alberta, Manitoba, Ontario, and Nova Scotia have also recently enacted legislation on mandatory reporting of child pornography (Manitoba and Nova Scotia’s legislation are in force, while Alberta and Ontario’s new legislation have been adopted but are not yet in force). The provincial statutes have been enacted under the provinces’ civil jurisdiction over child welfare and, in that regard, were crafted with a different scope. Both the Act and the Regulations have been designed to work with those provincial statutes.

While there are no international agreements or obligations dealing specifically with the issue of mandatory reporting of child pornography, the International Centre for Missing and Exploited Children (ICMEC) and INTERPOL have developed model legislation on child pornography and, since 2006, have been regularly surveying the legislation of all countries to assess who meets their established model (and its five criteria). The Act and the Regulations allow Canada to join the small group of eight countries (Australia, Belgium, Colombia, France, Italy, the Philippines, South Africa and the United States) that meet all five criteria.

The Act and the Regulations are linked to the Government’s ongoing commitment on the protection of children against sexual exploitation and form a deliverable under the National Strategy for the Protection of Children from Sexual Exploitation on the Internet.

Consultation

Provinces and territories were consulted generally prior to the Act being introduced, mainly through the Federal, Provincial and Territorial (FPT) Working Group on Cybercrime (CWG). In September 2008, FPT ministers responsible for Justice had agreed that Canada’s response to child pornography could be enhanced by federal legislation requiring those whose services could be used to facilitate the commission of online child pornography offences to report suspected material.

The FPT Working Group on Cybercrime released a consultation paper as well as conducted three public consultations with industry stakeholders as part of its study of the issue starting in 2007. The engagement of the private sector in that context has, to a great extent, contributed to the wholesale support of the legislative initiative that resulted in the Act. The Act is crafted in a manner that replicates as much as possible the current practices of Canada’s service provider community.

Implementation, enforcement and service standards

The timing for coming into force of the Act and Regulations has considered the ability of the designated organization’s (Canadian Centre for Child Protection [C3P]) to receive reports under section 2 of the Act. The C3P is currently Canada’s national tipline for online reporting of child sexual exploitation on the Internet.

Any prosecutions under this Act will be conducted by the Public Prosecution Service of Canada and it is not anticipated that this new responsibility will lead to a significant increase in its workload. Again, the focus of this Act is to increase reporting by creating a level playing field for all members of the service provider community.

Contact

Jean-François Noël
Counsel
Criminal Law Policy Section
Department of Justice
284 Wellington Street, East Memorial Building, Room 5042
Ottawa, Ontario
K1A 0H8
Telephone: 613-952-8355
Fax: 613-941-9310
Email: jean-francois.noel@justice.gc.ca

Footnote a
S.C. 2011, c. 4