Legislation and Regulation

Many online threats are covered by existing civil and criminal law in Canada and other countries. In addition, many countries have specific legislation to deal with online crime. This section looks at Canadian and American laws that apply to cyber security.

Canadian legislation and regulation

The Criminal Code

Section 184: Interception of communications

Section 184 of the Criminal Code makes it illegal to intercept a private communication. This section states that every person who “intercepts a private communication” by means of “an electro-magnetic, acoustic, or mechanical device” is guilty of an indictable offence and can receive a prison sentence of up to five years (Criminal Code, 1985). Exceptions are made if the person originating the communication has given consent, if the interception is necessary to maintain the service, if the person is a peace officer and has been granted a warrant or if the person is acting on behalf of the government to identify an unauthorized transmission or prevent an unlawful act or bodily harm.

Section 342: Theft, forgery, etc. of credit cards and unauthorized use of a computer

Section 342 of the Criminal Code makes it illegal to steal, copy or falsify a credit card (whether online or off, though much online fraud does fall into this category) as well as to get access to a computer in order to commit a crime. This section states that:

  • Every person who steals, forges or falsifies, possesses, uses or traffics in a credit card they know to be obtained, made or altered is guilty of either an indictable or summary offence.
  • Any person who “makes, possesses, sells, offers for sale…distributes or makes available a device that is designed or adapted primarily to commit an offence under section 342.1” is liable for up to two years in prison.
  • A person who “fraudulently…uses, traffics in, or permits another person to use credit card data…that would enable a person to use a credit card or to obtain the services that are provided by the issuer of the credit card” could face up to 10 years in prison.

Sections 402 and 403: Identity theft and identity fraud 

These sections address the issue of identity theft and identity fraud, both of which are fairly common risks online. Section 402.2 of the Criminal Code states that everyone commits an offence “who knowingly obtains or possesses another person’s identity information” to be used to commit an indictable offence such as fraud, deceit or falsehood. Offering or selling such information is equally punishable by law and liable to a prison sentence of up to five years. Section 403 of the Criminal Code deals specifically with identity fraud and punishes the “fraudulent personation” of another person with a sentence of up to 10 years.

Fighting Internet and Wireless Spam Act

The Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, more widely known as the Fighting Internet and Wireless Spam Act (FISA), was implemented on December 15, 2010.

The Act consists of amendments to the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Telecommunications Act and the Personal Information Protection and Electronic Documents Act to strengthen provisions for fighting identity theft, phishing and spyware.[1] A more detailed look at the legislation, as well as tips on how both Canadian individuals and businesses can fight spam, is available at the Government of Canada’s Fightspam website (http://fightspam.gc.ca/eic/site/030.nsf/eng/home).

Personal Information Protection and Electronic Documents Act 

PIPEDA, as it is generally known, sets out the rules under which any organization may collect personal information in Canada, as well as their obligations to protect any data they collect from being acquired by others. This Act only applies to private businesses and organizations (the Privacy Act covers how the federal government collects and handles personal information). Under PIPEDA, each person has five key rights: to see what information an organization has collected about them; to correct any incorrect information; to file a complaint with the organization or an industry association such as the Canadian Marketing Association; to file a complaint with the Office of the Privacy Commissioner; and, in certain cases, to take a complaint to the Federal Court of Canada.

Protecting Canadians from Online Crime Act

This Act added several new offences to the Criminal Code, making it illegal to publish “an intimate image” without consent and giving judges the power to order the removal of both intimate images that had been shared without consent and hate propaganda from online systems. It also made it illegal to make, import, sell or distribute devices that will allow access to a telecommunication service or facility without paying a charge or to illegitimately access any computer or computer system. Both phishing and a variety of “hacking” behaviors, classed as “mischief in relation to computer data,” were also added to the Criminal Code. This Act also expanded police powers to access computer data as part of an investigation.

American legislation and regulation 

Like the internet, online crime is not limited by borders. In many cases, scammers are active in more than one country. Like the Criminal Code, American law also deals with cyber security issues, but there are some significant differences in how the two approach them.

Computer Fraud and Abuse Act (United States Code, Title 18, Part 1, Chapter 47, s. 1030)

Title 18 of the United States Code, which deals with crimes and criminal procedure, does not give as much attention to cybersecurity as the Criminal Code of Canada. Only one section deals specifically with computer crime. Part 1, Chapter 47, section 1030 looks at fraud and related activity in connection with computers, prohibiting all unauthorized access of computers where the purpose of such access is to obtain information that is either restricted or confidential. Unauthorized access of any computer that is either in use by a government agency, belongs to a financial institution or contains material that could harm the United States is illegal, as is accessing a computer in order to damage it or to commit fraud or extortion.[2]

Electronic Communications Privacy Act

This Act makes it illegal for governments or their agents to intercept or store electronic communications without a warrant or similar authorization. It also forces Internet Service Providers (ISPs) to make it possible for governments to perform electronic surveillance of their users, though this still requires a warrant.[3]

Cyber Security Enhancement Act

This Act allows ISPs to hand over their customers’ personal data to police and government agencies if they choose to do so and believe that the information relates to a crime. This means that if the ISP is willing to co-operate, police or government agencies may not need a warrant to get personal data.[4]

Federal Trade Commission’s OnGuard Online    

OnGuardOnline.gov is the U.S. federal government’s website to help people be safe, secure and responsible online. The Federal Trade Commission manages OnGuardOnline.gov, which provides information to help avoid scams and secure computers as well as tips to be smart and protect kids online.

European legislation and regulation 

ENISA (The European Union Agency for Cybersecurity)

This is the Union’s agency for “achieving a high level of cybersecurity across Europe.”[5] It was established in 2004 and was supplemented by the EU Cybersecurity Act in 2019. The agency’s main objectives are described as follows: it “contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.”[6]

EU Cybersecurity Act

This Act supplements the EU Agency for Cybersecurity (ENISA) and establishes a certification framework for digital products, services and processes.[7] It also introduces “a certification framework for ICT products, services and processes.” Every company doing business in the EU will certify its ICT products only once in order to have them recognized across the European Union.[8]

GDPR (General Data Protection Regulation)

This regulation parallels Canada’s PIPEDA, though it has significantly stricter rules and stronger penalties. Even though it was drafted and passed within the European Union, the GDPR affects organizations around the world as long as they target or collect data from people in the EU. Put into effect on May 25, 2018, it “will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.”[9] If you violate the GDPR, the fines are very high, with “two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages.”[10]


[1] Industry Canada. (2011). Bill C-28: Canada’s Anti-Spam Legislation. Retrieved from http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00567.html

[2] May, M. (2004). Federal Computer Crime Laws. Retrieved from http://www.sans.org/reading_room/whitepapers/legal/federal-computer-crime-laws_1446

[3] Ibid.

[4] Ibid.

[5] ENISA. (2020). About ENISA. Retrieved from https://www.enisa.europa.eu/about-enisa

[6] European Commission. (2019). The EU Cybersecurity Act. Retrieved from https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act

[7] Ibid.

[8] Ibid.

[9] European Union. (2018). What is GDPR, the EU’s new data protection law? Retrieved from https://gdpr.eu/what-is-gdpr/

[10] Ibid.