Ottawa Unveils Sweeping Digital Safety Regime: What Bill C-34 Means For Digital Service Providers In Canada

In the wake of the recently announced Canadian AI strategy, Mark Carney’s Liberal government is beginning to lay the groundwork for a regulatory framework designed to build and maintain public trust. A key development is the introduction of Bill C-34, the Safe Social Media Act, tabled on June 10, 2026, by Minister of Canadian Identity and Culture Marc Miller.

The bill—part of a broader effort by Ottawa to strengthen oversight of the digital ecosystem, including the recent introduction of Bill C-36—would establish a new digital safety regime through the enactment of the Digital Safety Act (DSA) and the Digital Safety Commission of Canada Act.

In this article, we examine the key elements of Bill C-34 and what they could mean for organizations operating digital services in Canada, including new compliance obligations, age-verification requirements, enforcement risks, and areas where regulatory uncertainty remains.

Key takeaways

Comprehensive digital safety regime

Bill C-34 proposes a new regulatory framework for digital safety in Canada targeting operators of social media, chatbot, and online services, imposing general duties around child protection, transparency, content moderation, and accountability.

Social media ban for minors under 16

Operators of regulated social media services would be required to prevent registration by users under 16 through age-verification or age-estimation measures, with limited exemptions where adequate safeguards are demonstrated.

AI chatbot services are in scope

The bill extends to AI-powered chatbot services that simulate human-like relationships, requiring operators to implement emergency measures, mitigate harmful behaviors such as impersonation or fostering emotional dependence, and publish user guidelines.

Seven categories of harmful content

The DSA defines seven categories of harmful content—including non-consensual intimate images, child sexual exploitation material, cyberbullying of children, hatred, and terrorism—with certain content requiring takedown within 24 hours.

New regulator with broad powers

A new Digital Safety Commission of Canada (DSC) will be established with significant investigative, oversight, and regulation-making authority across at least 31 regulatory heads, and would also oversee private-sector privacy under companion Bill C-36.

Significant financial penalties

The enforcement regime includes AMPs of up to $10 million or 3% of gross global revenue and fines on indictment of up to $20 million or 5% of gross global revenue, with DSC orders enforceable through the Federal Court.

Much remains to be defined

Many critical details—including user-count thresholds, age-verification methods, and harmful content definitions—will be left to regulation, with summer consultations expected and Royal Assent unlikely before the end of 2026.

Context

Bill C-34 does not come as a surprise. Apart from the references to online safety found in the Canadian AI strategy, several legislative efforts have pointed in this direction for some time.

At the federal level, Bill C-63—which died on the Order Paper with the prorogation of Parliament in January 2025—already sought to regulate on online harms. Under that same Parliament, Senate Bill 210 sought to limit the exposure of young people to pornographic content through age-assurance methods.

At the provincial level, the idea of imposing a ban on social media platform access for minors has been generating considerable discussion for several months. These efforts are also part of a broader global context, where the safety of digital services—particularly for children—is the subject of increasing regulatory scrutiny.

Beyond the social media ban that is making headlines, the substantial Bill C-34 more broadly seeks to hold operators of online services, social media services, and chatbot services accountable (and to encourage self-regulation) from a “safety by design” perspective, with general duties that will be operationalized through the implementation of more specific mechanisms and practices.

While the bill outlines the contours of this responsibility and identifies several key measures, many limits and requirements remain to be defined.

Proposed regime

Targeted services and operators

The proposed DSA applies with respect to the following:

Operators of social media services

Persons who operate websites or applications accessible in Canada whose primary purpose is to facilitate interprovincial or international online communication among users by allowing them to access and share content, which includes adult content services and live-streaming services. The DSA does, however, have limited scope of application to private messaging features of social media services.

Operators of chatbot services

Persons who operate an artificial intelligence system that

1. communicates via the Internet;
2. is accessible through a website or application available to the public in Canada;
3. uses a natural language interface to provide, in a conversational manner, adaptive responses that could have been formulated by a human being to inputs made by a user;
4. can be used to simulate, through multiple interactions or during multiple sessions, lasting relationships similar to those formed among humans, including relationships that could resemble friendship, intimacy, or therapeutic support; and
5. creates content or responses that are not entirely preconceived by the system’s developer or the person who operates the system. However, chatbot services that exclusively serve a purpose prescribed by regulation could be excluded from the definition.

Operators of online services

Persons who operate a website or application, other than a social media service or a chatbot service, accessible in Canada via the Internet that allows users of the website or application to interact with it. The definition, however, excludes websites or applications whose primary purpose is

1. to facilitate the sale, listing, or advertising of goods or services; or
2. to provide access to directories, search results, maps, or navigation tools.

Important nuance: The requirements of the DSA will not automatically apply to all operators of these services. Operators will be subject to the DSA when their services constitute “regulated services,” that is, when the service (1) has a number of users equal to or greater than the significant number of users prescribed by regulation, or (2) is designated as a regulated service by regulation. With respect to regulated online services in particular, the services targeted will be those that, in the government’s view, pose a significant risk of harm to children.

Categories of harmful content

The proposed DSA targets seven categories of harmful content:

1. Intimate content communicated without consent (including sexualized deepfakes);
2. Content that sexually victimizes a child or revictimizes a survivor (including sexualized deepfakes);
3. Content that induces a child to harm themselves, including through self-mutilation, eating disorders, or suicide;
4. Content used to bully a child, meaning content communicated for the purpose of threatening, intimidating, or humiliating the child;
5. Content that foments hatred, meaning content that expresses detestation or vilification of an individual or group of individuals on the basis of a prohibited ground of discrimination;
6. Content that incites violence, including acts of physical violence against a person or acts causing damage to property;
7. Terrorism or violent extremism content, including the recruitment of persons and the provision of training, skills, or expertise for the purpose of facilitating or committing acts of terrorism or violent extremism.

Duties and requirements

In its current form, the DSA contemplates different tiers of requirements attached to general duties of child protection, transparency, accountability, or content moderation. Below is an overview of several key requirements.

For operators of all regulated services (social media, chatbot, and online services)

Duty to protect children

• Implement prescribed children-protective design features.
• Where there are reasonable grounds to suspect access to pornographic content, adopt effective and proportionate age-verification or age-estimation measures, taking into account privacy and freedom of expression. Additional mitigation measures may be established by regulation.

Duty to be transparent

• Retain records necessary to demonstrate compliance.
• Submit a digital safety plan outlining a number of prescribed elements, including compliance and risk assessment measures, mitigation strategies, criteria for notifying law enforcement in cases of serious harm risk, data on notifications or harmful content volumes, and which would be made public, subject to limited redactions.

For operators of chatbot services

Duty to act responsibly

• Implement measures to mitigate the risk of chatbots communicating harmful content.
• Deploy emergency measures requiring immediate interruption when a user expresses suicidal ideation or intent to cause harm, and to direct them to crisis intervention services with access to a human responder.
• Address harmful chatbot behaviours such as impersonation of humans or licensed professionals, manipulative techniques fostering emotional dependence or social withdrawal, or encouragement of self-harm.
• Publish user guidelines outlining the measures deployed.
• Implement tools and processes to flag situations the measures deployed are designed to prevent.
• Provide a designated contact to receive user concerns, direct users to appropriate resources, and offer guidance.

For operators of social media services

Duty to protect children

• Prevent registration by users under 16 by implementing effective and proportionate age-verification or age-estimation measures, taking into account privacy and freedom of expression. The prohibition would apply to regulated services within classes established by regulation, which may also prescribe specific measures. The regulator is empowered to grant exemptions, on application, where adequate safeguards are in place, as further detailed in regulations or guidance.

Duty to act responsibly

• Assess and mitigate risks related to the seven categories of harmful content.
• Publish user guidelines.
• Label synthetically generated content.
• Label content reasonably believed to have been amplified by automated activity.
• Provide clear mechanisms for users to block others and flag harmful content.
• Provide a designated contact for user concerns and guidance.
• Preserve for one year content related to violence, terrorism, or violent extremism that has been made inaccessible in Canada.

Duty to make certain content inaccessible

• Remove—within 24 hours or another prescribed period—content that sexually victimizes a child or revictimizes a survivor, or intimate content shared without consent, whether identified by the operator or flagged by a user. Affected users would need to be given an opportunity to make representations and request reconsideration.

Regulatory oversight

Creation of a new regulator

The Digital Safety Commission of Canada (DSC), established by the Digital Safety Commission of Canada Act, will be responsible for the administration and implementation of the DSA. The DSC would be composed of three to five full-time members appointed by the Governor in Council to serve renewable terms of up to five years. However, until the Chairperson and at least two other members are in office, the designated Chairperson alone constitutes the Commission and may exercise all of its powers under both acts, permitting early regulatory action while concentrating considerable authority in a single individual during the startup phase of the legislation.

Investigative and oversight powers

The DSC has broad investigative powers. It may summon witnesses, compel testimony under oath, administer oaths, and receive evidence (including evidence inadmissible in court). It is not bound by technical rules of evidence and is directed to proceed informally and expeditiously. The DSC may designate inspectors, issue compliance orders, and conduct hearings.

Regulation-making powers

The DSC holds substantial delegated authority through regulation-making power over at least 31 distinct heads, including design features for child protection, age-verification requirements, under-16 account restrictions, measures to mitigate exposure to pornographic content, harmful content mitigation measures, digital safety plan requirements, data access and accreditation criteria, and case management of complaints.

While the DSC has broad regulation-making authority, the Governor in Council retains authority over at least 19 key decision points, including: user-count thresholds that determine which services are “regulated” (thus subject to the Act); designation of specific services posing significant harm; specifying which services are subject to the under-16 social media access ban; specifying takedown time periods for certain content; defining “significant psychological or physical harm”; and cost-recovery charges that finance the DSC.

Complaints-handling and recourses

The DSC will receive submissions concerning harmful content on a regulated service, harmful chatbot behaviour, or operator non-compliance, as well as complaints that content on a regulated social media service constitutes child sexual abuse material (CSAM) or non-consensual intimate images (NCII).

Note: The DSC’s mandate is all the more expansive given that, under Bill C-36, which seeks to modernize the federal private-sector privacy framework, the DSC would also oversee private-sector privacy regulation—a role currently performed by the Office of the Privacy Commissioner of Canada.

Sanctions

Bill C-34 establishes a tiered enforcement regime administered by the DSC, including:

Compliance Orders

Where the DSC has reasonable grounds to believe an operator is contravening or has contravened the DSA, it may order the operator to take or refrain from taking any measure to ensure compliance. DSC orders may be filed with the Federal Court and enforced as orders of that court.

Undertakings

An operator (or person operating a social media, chatbot, or regulated online service) may at any time enter into an undertaking with the DSC.

Publication

The DSC may publish the names of violators and undertaking parties, including the facts, provisions contravened, and penalties. It may also require violators to self-publish a notice.

Administrative monetary penalties (AMPs)

AMPs may be imposed for various violations, including contraventions of the DSA or the DSC’s orders. The maximum AMP is the greater of $10 million or 3% of gross global revenue in the preceding financial year. However, a due diligence defense may be available.

Fines

Fines up to $20 million or 5% of gross global revenue, whichever is greater, may be imposed on indictment for offences, including contraventions of the DSC’s orders, and may go up to $15 million or 4% of gross global revenue, whichever is greater, on summary conviction.

Developments to monitor

On June 19, 2026, the House of Commons will adjourn for its summer recess. The government is expected to hold consultations over the summer ahead of Parliament’s return in fall 2026.

A number of complex and sensitive issues remain unresolved and will require careful consideration by both policymakers and stakeholders. For example, what forms of age verification or estimation should be required (such as facial recognition, identity document checks, or digital identity tools), particularly in light of associated privacy concerns? Similarly, where should the line be drawn in defining harmful content? While there is broad consensus on the risks posed by certain types of content, more marginal cases remain contested.

Given the breadth and complexity of the bill, it is unlikely to receive Royal Assent before the end of 2026. Even once enacted, the regime will remain incomplete until detailed regulations are adopted by both the federal government and the DSC.

The Canadian government nonetheless appears determined to move forward, despite the strained trade relations with the U.S. administration, which have previously led the government to reconsider certain digital regulatory frameworks. In several interviews, Minister Marc Miller has emphasized that the protection of children is non-negotiable.

Stay tuned for more updates on Bill C-34 from Gowling WLG’s Cyber Security and Data Protection team.

Read the original article on GowlingWLG.com