Antoine Guilmain
Associé
Co-chef, Groupe national Cybersécurité et protection des données
Article
10
In the wake of the recently announced Canadian AI strategy, Mark Carney’s Liberal government is beginning to lay the groundwork for a regulatory framework designed to build and maintain public trust. A key development is the introduction of Bill C-34, the Safe Social Media Act, tabled on June 10, 2026, by Minister of Canadian Identity and Culture Marc Miller.
The bill—part of a broader effort by Ottawa to strengthen oversight of the digital ecosystem, including the recent introduction of Bill C-36—would establish a new digital safety regime through the enactment of the Digital Safety Act (DSA) and the Digital Safety Commission of Canada Act.
In this article, we examine the key elements of Bill C-34 and what they could mean for organizations operating digital services in Canada, including new compliance obligations, age-verification requirements, enforcement risks, and areas where regulatory uncertainty remains.
Bill C-34 proposes a new regulatory framework for digital safety in Canada targeting operators of social media, chatbot, and online services, imposing general duties around child protection, transparency, content moderation, and accountability.
Operators of regulated social media services would be required to prevent registration by users under 16 through age-verification or age-estimation measures, with limited exemptions where adequate safeguards are demonstrated.
The bill extends to AI-powered chatbot services that simulate human-like relationships, requiring operators to implement emergency measures, mitigate harmful behaviors such as impersonation or fostering emotional dependence, and publish user guidelines.
The DSA defines seven categories of harmful content—including non-consensual intimate images, child sexual exploitation material, cyberbullying of children, hatred, and terrorism—with certain content requiring takedown within 24 hours.
A new Digital Safety Commission of Canada (DSC) will be established with significant investigative, oversight, and regulation-making authority across at least 31 regulatory heads, and would also oversee private-sector privacy under companion Bill C-36.
The enforcement regime includes AMPs of up to $10 million or 3% of gross global revenue and fines on indictment of up to $20 million or 5% of gross global revenue, with DSC orders enforceable through the Federal Court.
Many critical details—including user-count thresholds, age-verification methods, and harmful content definitions—will be left to regulation, with summer consultations expected and Royal Assent unlikely before the end of 2026.
Bill C-34 does not come as a surprise. Apart from the references to online safety found in the Canadian AI strategy, several legislative efforts have pointed in this direction for some time.
At the federal level, Bill C-63—which died on the Order Paper with the prorogation of Parliament in January 2025—already sought to regulate on online harms. Under that same Parliament, Senate Bill 210 sought to limit the exposure of young people to pornographic content through age-assurance methods.
At the provincial level, the idea of imposing a ban on social media platform access for minors has been generating considerable discussion for several months. These efforts are also part of a broader global context, where the safety of digital services—particularly for children—is the subject of increasing regulatory scrutiny.
Beyond the social media ban that is making headlines, the substantial Bill C-34 more broadly seeks to hold operators of online services, social media services, and chatbot services accountable (and to encourage self-regulation) from a “safety by design” perspective, with general duties that will be operationalized through the implementation of more specific mechanisms and practices.
While the bill outlines the contours of this responsibility and identifies several key measures, many limits and requirements remain to be defined.
The proposed DSA applies with respect to the following:
Persons who operate websites or applications accessible in Canada whose primary purpose is to facilitate interprovincial or international online communication among users by allowing them to access and share content, which includes adult content services and live-streaming services. The DSA does, however, have limited scope of application to private messaging features of social media services.
Persons who operate an artificial intelligence system that
Persons who operate a website or application, other than a social media service or a chatbot service, accessible in Canada via the Internet that allows users of the website or application to interact with it. The definition, however, excludes websites or applications whose primary purpose is
Important nuance: The requirements of the DSA will not automatically apply to all operators of these services. Operators will be subject to the DSA when their services constitute “regulated services,” that is, when the service (1) has a number of users equal to or greater than the significant number of users prescribed by regulation, or (2) is designated as a regulated service by regulation. With respect to regulated online services in particular, the services targeted will be those that, in the government’s view, pose a significant risk of harm to children.
The proposed DSA targets seven categories of harmful content:
In its current form, the DSA contemplates different tiers of requirements attached to general duties of child protection, transparency, accountability, or content moderation. Below is an overview of several key requirements.
The Digital Safety Commission of Canada (DSC), established by the Digital Safety Commission of Canada Act, will be responsible for the administration and implementation of the DSA. The DSC would be composed of three to five full-time members appointed by the Governor in Council to serve renewable terms of up to five years. However, until the Chairperson and at least two other members are in office, the designated Chairperson alone constitutes the Commission and may exercise all of its powers under both acts, permitting early regulatory action while concentrating considerable authority in a single individual during the startup phase of the legislation.
The DSC has broad investigative powers. It may summon witnesses, compel testimony under oath, administer oaths, and receive evidence (including evidence inadmissible in court). It is not bound by technical rules of evidence and is directed to proceed informally and expeditiously. The DSC may designate inspectors, issue compliance orders, and conduct hearings.
The DSC holds substantial delegated authority through regulation-making power over at least 31 distinct heads, including design features for child protection, age-verification requirements, under-16 account restrictions, measures to mitigate exposure to pornographic content, harmful content mitigation measures, digital safety plan requirements, data access and accreditation criteria, and case management of complaints.
While the DSC has broad regulation-making authority, the Governor in Council retains authority over at least 19 key decision points, including: user-count thresholds that determine which services are “regulated” (thus subject to the Act); designation of specific services posing significant harm; specifying which services are subject to the under-16 social media access ban; specifying takedown time periods for certain content; defining “significant psychological or physical harm”; and cost-recovery charges that finance the DSC.
The DSC will receive submissions concerning harmful content on a regulated service, harmful chatbot behaviour, or operator non-compliance, as well as complaints that content on a regulated social media service constitutes child sexual abuse material (CSAM) or non-consensual intimate images (NCII).
Note: The DSC’s mandate is all the more expansive given that, under Bill C-36, which seeks to modernize the federal private-sector privacy framework, the DSC would also oversee private-sector privacy regulation—a role currently performed by the Office of the Privacy Commissioner of Canada.
Bill C-34 establishes a tiered enforcement regime administered by the DSC, including:
Where the DSC has reasonable grounds to believe an operator is contravening or has contravened the DSA, it may order the operator to take or refrain from taking any measure to ensure compliance. DSC orders may be filed with the Federal Court and enforced as orders of that court.
An operator (or person operating a social media, chatbot, or regulated online service) may at any time enter into an undertaking with the DSC.
The DSC may publish the names of violators and undertaking parties, including the facts, provisions contravened, and penalties. It may also require violators to self-publish a notice.
AMPs may be imposed for various violations, including contraventions of the DSA or the DSC’s orders. The maximum AMP is the greater of $10 million or 3% of gross global revenue in the preceding financial year. However, a due diligence defense may be available.
Fines up to $20 million or 5% of gross global revenue, whichever is greater, may be imposed on indictment for offences, including contraventions of the DSC’s orders, and may go up to $15 million or 4% of gross global revenue, whichever is greater, on summary conviction.
On June 19, 2026, the House of Commons will adjourn for its summer recess. The government is expected to hold consultations over the summer ahead of Parliament’s return in fall 2026.
A number of complex and sensitive issues remain unresolved and will require careful consideration by both policymakers and stakeholders. For example, what forms of age verification or estimation should be required (such as facial recognition, identity document checks, or digital identity tools), particularly in light of associated privacy concerns? Similarly, where should the line be drawn in defining harmful content? While there is broad consensus on the risks posed by certain types of content, more marginal cases remain contested.
Given the breadth and complexity of the bill, it is unlikely to receive Royal Assent before the end of 2026. Even once enacted, the regime will remain incomplete until detailed regulations are adopted by both the federal government and the DSC.
The Canadian government nonetheless appears determined to move forward, despite the strained trade relations with the U.S. administration, which have previously led the government to reconsider certain digital regulatory frameworks. In several interviews, Minister Marc Miller has emphasized that the protection of children is non-negotiable.
Stay tuned for more updates on Bill C-34 from Gowling WLG’s Cyber Security and Data Protection team.
CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.
Gowling WLG est un cabinet juridique international constitué des membres de Gowling WLG International Limited, une société à responsabilité limitée par garanties enregistrée en Angleterre, ainsi que leurs affiliés respectifs. Les membres et affiliés constituent des entités autonomes et indépendantes. Gowling WLG International Limited promeut, facilite et coordonne les activités de ses membres, mais ne fournit pas elle-même de services aux clients. Pour en savoir davantage sur notre structure, consultez notre page Avis juridique.
© 2026 Gowling WLG Tous droits réservés