On December 6, 2011, the Internet Child Pornography Reporting Regulations were registered in the Canada Gazette and came into force. The goal of the Regulations is to establish the framework that designated organizations receiving reports, and the service providers who make them, need in order to discharge their duties under An Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service.
On December 8, 2011, the federal Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service (formerly Bill C-22) came into force. The new legislation aims to protect children from online sexual exploitation, by requiring suppliers of Internet services to the public to:
- Report to the Canadian Centre for Child Protection any tips they receive regarding websites where child pornography may be publicly available
- Notify police and safeguard evidence if they believe that a child pornography offence has been committed using an Internet service that they provide
More details on obligations under the Act can be found in my previous blog post.
So what do the Regulations say?
Purpose of regulations
The designated organization and service providers both have obligations under the Act. The Regulations state how these obligations should be completed (i.e., how to make a report to a designated organization in accordance with the Act, how to notify police in accordance with section 3 of the Act and how to safeguard evidence in accordance with section 4 of the Act).
Obligations of designated organization
The Regulations officially name the Canadian Centre for Child Protection (C3P) as the designated organization for receiving reports under the Act. The C3P is currently Canada’s national tip line for online reporting of child sexual exploitation on the Internet.
Describes what is required for having a secure online system. The designated organization must, for the purpose of receiving reports of Internet addresses under the Act, maintain a secure online system that a) assigns each service provider a unique identifier for the purpose of making reports; b) allows a service provider to report only Internet addresses; and c) issues to a service provider, for each report they make, a receipt that indicates the incident number assigned to the report, the service provider’s name and unique identifier and the date and time of the report.
Elaborates on the role, functions and activities of the designated organization. The designated organization must take reasonable measures to:
a) Ensure its continued ability to discharge its role, functions and activities under the Act, including measures relating to the protection of its physical facilities and technical infrastructure, risk prevention and mitigation, emergency management and service resumption;
b) Protect from unauthorized access any information obtained or generated by the designated organization in the course of discharging its role, functions or activities under the Act; and
c) Ensure that all of its personnel have the necessary security clearance and training to discharge the designated organization’s role, functions and activities under the Act.
Requires analysis and communication of findings. As soon as feasible after receiving a report required under the Act, the designated organization must determine whether any material found at the reported Internet address appears to constitute child pornography and, if so:
a) Determine, if possible, the geographic location of the server that the reported Internet address points to and the geographic location of the server hosting the material that appears to constitute child pornography; and
b) Make available to every appropriate Canadian law enforcement agency by secure means:
(i) The reported Internet address,
(ii) A description of any geographic location that the designated organization was able to determine under paragraph a), and
(iii) Any other information in the designated organization’s possession that might assist the agency’s investigation.
Describes what is required for retention of records. For each report received, the designated organization must retain the reported Internet address and a copy of the receipt issued for two years after the day on which the report is received.
Clarifies what to do if there is a breach, incident or conflict of interest, and how to notify the minister. The designated organization must notify the Minister of Justice and the Minister of Public Safety and Emergency Preparedness within 24 hours of becoming aware of any incident or breach that jeopardizes the designated organization’s ability to discharge its role, functions or activities under the Act. In addition, the designated organization must take any measures necessary to avoid a conflict of interest in respect of its role, functions and activities under the Act, and must address any such conflict that does arise.
Describes the requirement for annual reporting. The designated organization must, not later than June 30 of each year, submit to the Minister of Justice and the Minister of Public Safety and Emergency Preparedness a report on the discharge of its role, functions and activities under the Act for the 12-month period beginning on April 1 of the preceding year. The report must include:
a) The number of reports received under the Act and, of those, the number that led the designated organization to make information available to a law enforcement agency;
b) A description of the measures that the designated organization had in place
c) A description of any incident referred to in the Act that occurred and the steps taken in response to the incident;
d) A description of the measures that the designated organization had in place in accordance with the Act, any conflict of interest that arose and the steps taken to address it; and
e) Any other information that may affect the designated organization’s current or future ability to discharge its role, functions or activities under the Act.
Obligations of service providers
The Regulations elaborate on the manner in which persons who provide Internet services to the public can discharge their obligations under the Act, including in relation to making a report, making a notification and preserving computer data under the Act.
Method of reporting. For the purpose of the Act, an Internet address must be reported by a service provider using the online system set up by the designated organization, the C3P. The notification from a service provider must be in writing and must include the following information:
a) The child pornography offence that the service provider has reasonable grounds to believe is being or has been committed using their Internet service;
b) A description of the material that appears to constitute child pornography, including its format;
c) The circumstances under which the service provider discovered the alleged offence, including the date and time of discovery;
d) A description of any other evidence relating to the alleged offence in the possession or control of the service provider; and
e) Contact information of the service provider’s representative for the purpose of investigating the matter.
Security measures to protect data. A service provider that is required to preserve computer data must retain a copy of that data in a secure offline location.
Any prosecutions under this Act are conducted by the Public Prosecution Service of Canada.
This post is co-authored with Christina Catenacci, LL.B.