"Online Harms" is back

 

The proposed new online safety law expands its scope to AI chatbots, introduces strict age limits, and places regulatory oversight under a single Commission.

On June 10, 2026 the Minister of Canadian Identity and Culture Marc Miller tabled Bill C-34 in Parliament, called the “Safe Social Media Act”. This legislation follows Bill C-63 (called the “Online Harms Act”). While the stated purpose of promoting online safety and protecting children remains the same, the new bill introduces highly prescriptive regulatory changes and broadens the scope of the digital services it targets.

The new bill significantly expands the scope of regulated entities beyond traditional platforms. While it continues to apply to “regulated social media services”, it introduces two entirely new categories: “regulated chatbot services” (conversational AI systems) and “regulated online services” (interactive websites or applications deemed to pose a significant risk to children).

The most significant difference is the bill’s aggressive stance on age restrictions and verification. Unlike its predecessor, Bill C-34 explicitly imposes a strict minimum age of 16 to register or hold an account with a regulated social media service. Operators are required to implement adequate age-verification or age-estimation measures to enforce this ban. Furthermore, any regulated service that provides access to pornographic content is mandated to implement age-verification measures (over 18). To try to placate privacy concerns, the legislation includes parameters requiring that any personal information collected for age verification be destroyed once the verification is complete. However, it is clear that all users of regulated social media services in Canada will have to have their ages verified as a condition of having an account.

With respect to artificial intelligence, the bill introduces targeted obligations. Operators of regulated social media services have a specific duty to label synthetic content”—defined as AI-generated or mechanically altered audio or visual data that could be mistaken for authentic content. Chatbot operators are subject to new behavioral guardrails, requiring them to implement measures that prevent the AI from posing as a human being, masquerading as a licensed professional (such as a medical or legal expert), or encouraging self-harm.

One of the most notable changes to content moderation is the 24-hour fast-track takedown rule. If an operator discovers or is flagged about content that sexually victimizes a child or constitutes “intimate content communicated without consent” (which explicitly includes deepfakes), they must make that content completely inaccessible to all persons in Canada within 24 hours. (There is a limited ability for users to dispute these takedowns.) Operators are also required to be transparent about their operations by submitting comprehensive “digital safety plans” to the Commission and making redacted versions publicly available on their services.

The regulatory bureaucracy proposed under Bill C-63 has been streamlined, compared to the previous bill but its powers are immense. The independent Digital Safety Ombudsperson and the Digital Safety Office have been removed, leaving a centralized, highly powerful Digital Safety Commission of Canada to oversee and enforce the Act. (The role of the Commission will be expanded under the new privacy law to become the Digital Safety and Data Protection Commission of Canada.)

User complaint mechanisms have also shifted to an “exhaustion of recourse” model. A person in Canada cannot lodge a formal complaint regarding harmful content directly with the Commission unless they have first used their best efforts to seek recourse from the operator using the platform’s internal tools and reconsideration processes.

Possible penalties under the new regime are massive. If an operator contravenes the Act, fails to follow compliance orders, or makes false statements to an inspector, the Commission can issue notices of violation and severe administrative monetary penalties. The maximum penalty can reach the higher of $20,000,000 or 5% of the operator’s gross global revenue in the preceding financial year. Gross global revenue calculations will legally encompass all corporate affiliates within a consolidated group.

How all of this will play out in practice remains to be seen, as a massive amount of the substance of its application is left to regulations made by the government, and rules to be made by the new Digital Safety Commission.

(This summary was originally written for the Canadian Technology Law Association's newsletter.)