Last week Canada enacted an amendment to its copyright law which requires Internet services to retain access logs of customers in order to process piracy notices. This mandatory data retention puts the privacy of VPN users at risk, and as a result Canadian providers are considering pulling out of the country.

A few days ago it became a legal requirement for Canadian ISPs to forward copyright infringement notices to their subscribers.

As a result of the new copyright law amendments, which also apply to VPN services, providers now have to retain logs of their subscribers’ IP-addresses or face high penalties.

Specifically, the law requires a broad range of Internet services to “retain records that will allow the identity of the person to whom the electronic location belongs to be determined, and do so for six months….”

Failing to retain logs and forward these notices may result in “statutory damages in an amount that the court considers just, but not less than $5,000 and not more than 10,000…”

The new rules also apply to BTGuard, a well-known Canadian VPN and proxy service that claims to keep no logs. Concerned that the new data retention requirements would force a change in this policy, several customers asked the provider for clarification.

Responding to these requests BTGuard assured its customers that its logging policy remains unchanged. However, BTGuard may discontinue its Canadian servers in the near future.

“Rest assured that we are committed to our customers’ privacy. As stated in our privacy policy, we do not log our customers’ usage or IPs and never will,” one customer was told by BTGuard.

“It’s possible that this legislation will require us to discontinue our servers in Canada, but we will find a solution and our services will continue where it’s legal to be anonymous without causing you any inconvenience,” the company added.

In a separate request we asked BTGuard for a comment on how the new law will affect its business. In a short comment we were informed that they are still exploring their options and that no final decision has been made yet.

“We still guarantee privacy. Our servers in Canada might be closed, but we are still exploring our options,” BTGuard’s Jared told TF.

Other providers are prepared to take similar measures. While the text of the law suggests that VPN providers are covered (something that’s also confirmed by one of Canada’s top copyright scholars), many are still uncertain about the exact impact it will have.

TunnelBear informed us that they are still investigating if they are indeed covered by the new legislation. If they are, the company will take its business elsewhere.

“Despite our investigation and legal consultations, it remains unclear whether or not VPN companies are included in the bill. We have brought on legal counsel to continue to investigate,” TunnelBear says.

“If it is determined that TunnelBear is required to comply with C11 if we retain operations in Canada, we will swiftly move our operations to a more privacy friendly region. At no point, under any circumstances will TunnelBear log the activity of our users,” TunnelBear adds.

For TunnelBear the issue is less urgent than for others though, as the company doesn’t allow torrent traffic on its servers.

While the changes may reduce piracy somewhat, it also negatively affects people’s privacy. And with the new data retention requirements Canada has certainly become an unattractive location for VPNs and other privacy services.

—

Update: Several sources in the know have offered TF additional analyses to clear up some the confusion. Below are some of the most relevant comments regarding VPN providers.

1. There is disagreement to what extent VPNs are seen as a “means of telecommunication.” This description could be fought by VPN providers which would then mean that they are not bound to section 41.25(1)(a). For now, this remains undecided.

2. Section 41.26(1)(b) requires to retain data for six months from the moment a notice is received so “the identity of the person to whom the electronic location belongs to be determined.” This includes the IP-address/timestamp linking the infringement to a specific customer, but no other “logs” are required.

3. If a VPN doesn’t hold any information that can link an IP-address to a specific customer they have to explain that to the copyright holder. 41.26(3) suggests that this could lead to potential legal action.