Bill C-16: updates to Canada’s federal child sexual abuse and exploitation material reporting regime

• Bill C-16, the Protecting Victims Act, would redefine “Internet service” to clarify that the Mandatory Reporting Act applies to all types of Internet services, including online platforms, social media and other application-based services, and that providers with a “connection to Canada” must report child sexual abuse and exploitation material offences to law enforcement.
• The bill would require Internet service providers to include transmission data when reporting offences involving material that is “manifestly” child sexual abuse and exploitation material to law enforcement.
• It would also centralize mandatory notifications to a designated law enforcement body and extend the preservation period for computer data related to child sexual abuse and exploitation material offence reports from 21 days to one year.

The Government of Canada has introduced Bill C-16, the Protecting Victims Act,^[1] to “protect victims and survivors of sexual violence, gender-based violence, and intimate partner violence, and to keep our kids safe from predators.”^[2]

Bill C-16 proposes a broad range of criminal law reforms, including a suite of targeted amendments to An Act respecting the mandatory reporting of Internet child sexual abuse and exploitation material by persons who provide an Internet service (Mandatory Reporting Act)^[3] that clarify the Act’s scope of application and update law enforcement notification obligations relating to child sexual abuse and exploitation material^[4] (CSAEM) for online services.

Notably, Bill C-16 reprises key elements of the Mandatory Reporting Act amendment package previously proposed under Bill C-63 (the Online Harms Act), signaling the federal government’s intent to prioritize targeted CSAEM reforms over the development of a broader online harms regime.^[5]

The bill was introduced and received first reading in the House of Commons on December 9, 2025, and was ordered for second reading at the next sitting of the House.^[6]

Canada’s current mandatory reporting framework was established in 2011.^[7] Under the Mandatory Reporting Act, “Internet service” providers must

• report to the Canadian Centre for Child Protection (C3P) if advised of an Internet address where CSAEM may be available to the public^[8]
• notify a police officer and preserve related computer data for 21 days if they have reasonable grounds to believe their service is or has been used to commit a CSAEM offence^[9]

For further information on compliance obligations under the Mandatory Reporting Act, please contact the authors or subscribe to the Osler AccessPrivacy Knowledge Portal.

1. Scope and jurisdiction

A. Clarified definition of ‘Internet service’

The Mandatory Reporting Act currently defines an “Internet service” as “a service providing Internet access, Internet content hosting or electronic mail.”^[10]

The Act’s application was intended to apply to “all persons who provide an Internet service to the public”, such as content hosting services, social media platforms, search engines and email services.^[11] However, the Act has reportedly been “interpreted by many to apply to a narrow definition of Internet Service Providers.”^[12]

Bill C-16 seeks to clarify that the Act applies to “all types of internet services in Canada, including online platforms, social media, and other application-based services”^[13] by redefining “Internet services” to explicitly “include” services that

The Governor in Council would also be authorized to specify the services included in this definitionvia regulations.^[15]

If enacted, this amendment would provide greater clarity on the Act’s application and confirm that a wider range of platforms are in scope.

B. ‘Connection to Canada’

Historically, Canadian law enforcement has faced jurisdictional challenges when investigating online crimes and enforcing the Act — for example, where platforms with a presence in Canada are incorporated or have servers abroad.^[16]

Bill C-16 would introduce an express provision stating that law enforcement notification obligations apply to persons who provide Internet services to the public and have a “connection to Canada,” including because they

• are corporations incorporated in Canada or have their head office in Canada
• are partnerships or unincorporated associations or organizations with a head office in Canada^[18]

This provision would codify the jurisdictional reach of mandatory law enforcement notification obligations to include foreign-incorporated entities with digital infrastructure or headquarters in Canada.

2. Law enforcement notification and evidence-handling obligations

Bill C-16 also proposes changes to operational obligations regarding law enforcement notifications and related evidence handling.

A. Centralized reporting

Currently, providers may notify suspected CSAEM offences to an “officer, constable or other person employed for the preservation and maintenance of the public peace.”^[19] In other words, the Act currently allows reporting to any law enforcement across the country.^[20]

Bill C-16 would centralize mandatory notifications to a specific “law enforcement body designated by the regulations.”^[21] While the body would be determined by regulation, the RCMP has previously recommended designating the National Child Exploitation Crime Centre (NCECC) under the Act.^[22]

If enacted, this amendment would offer greater certainty for providers and would streamline the notification process by establishing a single point of contact, while potentially requiring some providers to update internal routing workflows to align with the new agency designation.

B. Mandatory ‘transmission data’

Where providers have “reasonable grounds to believe” that their service is being or has been used to commit a CSAEM offence, notifications to law enforcement must be in writing and must include prescribed information such as the CSAEM offence at issue, a description of the material that appears to be CSAEM and its format, and a description of any other relevant evidence.^[23]

Bill C-16 would introduce a new tier of notification requirements for material that is “manifestly” CSAEM. In such cases, providers would be required to include related transmission data^[24] that could assist in the investigation of the offence.^[25]

If enacted, providers would be required to distinguish between general suspected offences and “manifest” offences and establish processes for disclosing available transmission data for the latter.

C. One-year data preservation

The mandatory preservation period for computer data related to a law enforcement notification is currently 21 days.^[26]

Addressing concerns raised regarding the loss of evidence due to short retention periods,^[27] Bill C-16 would extend this period to one year after the day on which the notification is made.^[28]

This extension would require service providers to adjust data retention and destruction policies and practices to ensure that relevant evidence is preserved for the longer 12-month period.