OSINT Legal & Jurisdictional Framework
BLUF
OSINT’s power rests on its exploitation of publicly available information — but “publicly available” is not a legal safe harbor. The legal constraints on OSINT practice vary by jurisdiction, target type, collection method, and the analyst’s institutional affiliation. What is legally permissible for a journalist in Germany differs from what is permissible for a US government contractor, a Brazilian civil-society researcher, or a corporate due-diligence firm in the UK. This guide maps the five major regulatory frameworks affecting OSINT practitioners globally, identifies the most significant legal risks by collection technique, and provides a jurisdiction-sensitive decision framework for operational OSINT work.
Three threshold questions that determine which legal constraints apply:
- Who is the analyst? Journalist, academic, government intelligence officer, corporate investigator, or independent practitioner? Institutional role determines available legal protections (journalist shield, research exemptions, intelligence authority).
- Who is the subject? EU resident (GDPR applies regardless of analyst location), public figure, private individual, corporate entity, or government body?
- What collection method? Passive observation of public data, authenticated-platform access, web scraping, or covert collection?
The answers determine the applicable legal framework. There is no universal “OSINT is legal” principle.
United States — CFAA and Parallel Statutory Framework
Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
The CFAA is the primary US statute governing unauthorized computer access. It criminalizes “intentionally access[ing] a computer without authorization or exceed[ing] authorized access.”
Key ruling — Van Buren v. United States (SCOTUS 2021) [Fact]: The Supreme Court narrowed the CFAA’s “exceeds authorized access” prong. The Court held that the phrase means accessing a computer in a part of the system to which the user does not have access permission — not accessing a permitted system for an improper purpose. Practical effect: a user with legitimate access to a system who accesses data in areas they are authorized to access does not violate the CFAA, even if their purpose violates Terms of Service. This significantly reduced the risk of CFAA liability for ToS-based access.
Key ruling — hiQ Labs v. LinkedIn (9th Cir. 2022) [Fact]: The Ninth Circuit held that scraping publicly accessible LinkedIn profile data — data visible without authentication — does not constitute unauthorized access under the CFAA. The court reasoned that data on public-facing servers, accessible without a login, is not “protected” for CFAA purposes. This remains the strongest judicial authority for the CFAA legality of scraping public-facing websites — but note the outcome of the case as a whole: on remand the district court found (November 2022) that hiQ had breached LinkedIn’s User Agreement (ToS prohibiting scraping and fake profiles are enforceable as contract), and the parties then settled (December 2022) on a $500,000 stipulated judgment plus a permanent injunction barring hiQ from scraping LinkedIn. Takeaway: the public-data CFAA holding stands, but scraping a platform can still lose on breach-of-contract grounds. (Verify current status; consult counsel.)
Remaining CFAA risks:
- Accessing password-protected systems without authorization remains criminal — the hiQ ruling protects only public-facing data
- Exceeding authorized access by accessing restricted database sections remains criminal post-Van Buren
- Dark web access to criminal marketplaces may create CFAA exposure depending on how access is obtained
Stored Communications Act (SCA), 18 U.S.C. § 2701
The SCA prohibits unauthorized access to stored electronic communications — private messages, emails, and cloud-stored files. Unlike the CFAA, the SCA applies specifically to communications stored by service providers. Practical application: accessing someone’s private messages, even if technically obtainable via platform vulnerability, creates SCA exposure. Public posts are not SCA-protected.
Carpenter v. United States (SCOTUS 2018) — Location Data Trajectory
The Supreme Court held that warrantless government collection of persistent cell-site location information (CSLI) from telecommunications providers constitutes a Fourth Amendment search. The ruling applies to government actors, not private OSINT practitioners. Assessment: the holding establishes the direction of privacy jurisprudence — persistent location data, even when collected from third parties, carries Fourth Amendment protection. Commercial OSINT firms collecting mobile device location data as CAI (Commercially Available Information) from data brokers operate in a space that is now actively regulated, not merely a grey zone (see next paragraph). (Verify current status; consult counsel.)
Data Brokers and Commercially Available Information — Active Regulation
Assessment: the CAI/data-broker space has moved from “grey zone” toward active regulation on several fronts (status as of mid-2026; verify current and consult counsel):
- FTC v. Kochava: The FTC sued data broker Kochava in 2022 over sales of sensitive geolocation feeds; the matter reached a settlement (announced May 2026) permanently barring Kochava and its subsidiary from selling precise location data without affirmative express consent. Assessment: this signals enforcement appetite against brokers trading in sensitive location data.
- Protecting Americans’ Data from Foreign Adversaries Act (PADFAA, 2024): Effective 23 June 2024, this statute prohibits data brokers from selling or otherwise providing access to U.S. persons’ “personally identifiable sensitive data” (health, financial, genetic, biometric, geolocation, log-in credentials, government IDs, and more) to foreign adversaries (China, Russia, North Korea, Iran) or entities they control. FTC-enforced; penalties exceed $50,000 per violation. The FTC issued compliance-reminder letters to data brokers in early 2026.
- CFPB data-broker rulemaking: The CFPB issued a December 2024 proposed rule (“Protecting Americans from Harmful Data Broker Practices,” Regulation V under the FCRA) that would treat certain data brokers as consumer-reporting agencies. (Verify the rule’s current status — rulemakings can be withdrawn, revised, or finalized; consult counsel.)
Intelligence Community Legal Framework
For US government intelligence officers, a parallel statutory framework applies: FISA (Foreign Intelligence Surveillance Act) governs collection targeting foreign powers and their agents; EO 12333 governs overseas collection. These authorities are not available to non-government OSINT practitioners and create legal exposure for private actors who attempt to replicate them.
European Union — General Data Protection Regulation (GDPR)
Jurisdiction
Fact: GDPR (Regulation EU 2016/679) applies whenever the data subject is an EU resident — regardless of where the analyst is located. A Brazilian researcher using OSINT to profile an EU-resident politician processes GDPR-covered personal data. Jurisdictional reach is extraterritorial.
Six Lawful Bases for Processing (Article 6)
| Basis | Application to OSINT |
|---|---|
| Consent (Art. 6(1)(a)) | Impractical for OSINT — the subject is unaware of collection |
| Contract (Art. 6(1)(b)) | Not applicable to investigative OSINT |
| Legal obligation (Art. 6(1)(c)) | Applies where processing is required by law (compliance, AML) |
| Vital interests (Art. 6(1)(d)) | Emergency humanitarian contexts only |
| Legitimate interest (Art. 6(1)(f)) | Primary basis for OSINT — requires three-part balancing test |
| Public task (Art. 6(1)(e)) | Available to public authorities; limited for private analysts |
Legitimate Interest — the three-part test (Article 6(1)(f)):
- Purpose test: Is the purpose legitimate? Accountability journalism, academic research, and security intelligence are generally legitimate. Commercial competitive intelligence requires more careful framing.
- Necessity test: Is processing necessary for the purpose? If less intrusive means achieve the same result, the necessity test fails.
- Balancing test: Do the subject’s fundamental rights and freedoms override the legitimate interest? Public figures exercising public functions fail this test (their public conduct is fair game); private individuals generally pass it (their privacy interests prevail).
Special Category Data (Article 9)
Processing of special category data requires explicit consent or a specific exception. Special categories:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data (used for unique identification)
- Health data
- Sexual orientation or sex life
OSINT implications: A geolocation investigation that reveals an individual’s attendance at a religious service or political meeting processes special category data (religious beliefs, political opinions). Conflict-zone investigations that work with imagery of wounded or deceased individuals may process health data. These require careful legal justification beyond the standard legitimate interest basis.
EU AI Act — Facial Recognition and Scraped Images
Separate from GDPR, the EU AI Act (Regulation EU 2024/1689, in force 2024) directly constrains OSINT techniques that build or use facial-recognition capability. Its prohibited-practices provisions (Article 5) became applicable in February 2025 and include a ban on AI systems that create or expand facial-recognition databases through the untargeted scraping of facial images from the internet or CCTV footage (the “Clearview” prohibition) — directly relevant to any OSINT workflow that runs facial recognition against scraped images. Real-time remote biometric identification in public spaces is also banned save for narrow law-enforcement exceptions; transparency rules phase in from August 2026 and high-risk biometric-system rules from December 2027. The Act layers on top of GDPR Article 9 (biometric data as special category), not in place of it. (Verify current applicability dates and any national implementing measures; consult counsel.)
Journalism and Research Exemptions (Article 85)
EU Member States may provide exemptions for journalistic, academic, artistic, and literary purposes. The exemptions must be proportionate and include adequate safeguards. In practice:
- Professional journalists employed by recognized news organizations have the strongest Article 85 protection
- Independent researchers with institutional affiliation have intermediate protection
- Independent OSINT practitioners without institutional affiliation have the weakest position
Data Subject Rights
- Right of access (Art. 15): Subjects can request confirmation of what data is processed
- Right to erasure (Art. 17): Subjects can demand deletion — creates tension with OSINT archival and evidence preservation
- Right to object (Art. 21): Subjects can object to legitimate-interest processing — processor must demonstrate compelling grounds to continue
Practical note for OSINT practitioners: The right to erasure means that an OSINT investigation that processes personal data about EU residents creates an ongoing legal obligation. Evidence preservation requirements may conflict with erasure demands in accountability investigations — the Berkeley Protocol recommends coordinating with legal counsel before processing large personal-data datasets in accountability contexts.
United Kingdom — UK GDPR, Data Protection Act 2018, and the Data (Use and Access) Act 2025
(Section reviewed mid-June 2026. Law evolves; verify current status and consult counsel before relying on any point below.)
Post-Brexit, the UK operates under UK GDPR — a retained version of EU GDPR with UK-specific amendments — plus the Data Protection Act 2018. The substantive regime is functionally similar to EU GDPR for most OSINT purposes.
Data (Use and Access) Act 2025 (DUAA): The DUAA received Royal Assent on 19 June 2025. It does not replace the UK GDPR, the DPA 2018, or PECR, but amends them — commencing in stages 2–12 months after Royal Assent (exact dates set by commencement regulations, so check which provisions are live). Changes most relevant to OSINT practitioners: a more permissive automated-decision-making framework (with safeguards), and a codification that data-subject-access-request searches need only be “reasonable and proportionate.” It also amends Parts 3–4 of the DPA 2018 governing law-enforcement and intelligence-services processing. (Verify current commencement status; consult counsel.)
Key UK-specific elements:
- Journalism exemption (Section 26, DPA 2018): Explicitly extends exemptions to journalism where processing is carried out for the special purposes of journalism, academic, artistic, and literary work, with a reasonable belief of public interest.
- ICO enforcement: The Information Commissioner’s Office has issued high-profile fines. ICO has enforcement authority over processors handling UK residents’ data.
- EU↔UK adequacy (current as of mid-2026): The EU’s original 2021 adequacy decisions were due to sunset in June 2025; the Commission granted a six-month technical extension while it assessed the DUAA, then on 19 December 2025 renewed both adequacy decisions (GDPR and Law Enforcement Directive). The renewed decisions carry a six-year sunset clause expiring 27 December 2031, with a review after four years — so EU↔UK data continues to flow freely for now, but (Assessment) the sunset and ongoing review mean this status is not permanent. (Verify current status; consult counsel.)
Brazil — Lei Geral de Proteção de Dados (LGPD)
Fact: LGPD (Lei 13.709/2018) entered into force September 2020. The Autoridade Nacional de Proteção de Dados (ANPD) is the enforcement authority. LGPD is structurally modeled on GDPR with Brazilian-specific adaptations.
Key Provisions
Ten lawful bases (Article 7): LGPD provides ten bases, more numerous than GDPR’s six. Most relevant for OSINT:
- Legitimate interest (Article 7, IX): Available for the legitimate interests of the controller or third party. Less developed jurisprudence than GDPR — ANPD is in early enforcement stage.
- Journalistic and academic research (Article 7, V): Processing for journalistic, historical, scientific, or academic purposes is permitted with appropriate safeguards.
- Protection of credit (Article 7, X): Relevant for financial OSINT and credit investigation.
Security, national defense, and public safety exception (Article 4): Processing by public authorities for national security, defense, public security, and criminal investigation purposes is largely exempt from LGPD’s protective provisions. The scope of this exception is broader than GDPR equivalents.
Sensitive data (Article 11): Equivalent to GDPR special categories — racial/ethnic origin, religious belief, political opinion, health/sexual life, genetic/biometric data. Extra legal bases required.
ANPD enforcement (status as of mid-2026; verify current): ANPD began active enforcement in 2023–2024. Sanctions include warnings, fines (up to 2% of revenue in Brazil, capped at R$50M per violation), and suspension of processing activities. Since then the enforcement posture has matured materially: ANPD published a sanctions-dosimetria regulation (Regulation on the Calculation and Application of Administrative Sanctions) setting the methodology for fine calculation and classifying infractions as minor/medium/serious, and has updated its enforcement resolutions (e.g., Resolutions 1/2021 and 4/2023) and 2025–2026 regulatory agenda. Provisional Measure 1.317/2025 began converting the ANPD into an independent regulatory agency with functional, decision-making, and financial autonomy. Assessment: treat ANPD as a maturing, increasingly autonomous enforcer rather than a nascent one. (Verify current status; consult counsel.)
Relevance for Brazilian OSINT practitioners: Brazilian civil-society researchers, investigative journalists, and security analysts conducting OSINT on Brazilian subjects must comply with LGPD. The journalism exception (Article 7, V) provides meaningful protection for journalists with institutional affiliation; independent analysts face greater exposure.
Canada — PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organizations collecting personal information in the course of commercial activities. Key elements:
- Meaningful consent principle: Collection of personal information without consent requires a “legitimate business purpose” — OSINT collection for commercial intelligence, corporate due diligence, or competitive intelligence falls within this framework
- Privacy Commissioner of Canada: Advisory and investigative enforcement; no punitive fines (unlike GDPR/LGPD)
- Journalism exemption: The Privacy Act provides limited exemptions for journalistic purposes; PIPEDA’s commercial-activity scope limits its direct journalism application
- Relevance: Lower enforcement risk than GDPR/LGPD for most OSINT use cases; compliance is nonetheless required for Canadian-regulated organizations and for processing data about Canadian residents
Technique-Specific Legal Risk Matrix
| Technique | US | EU/GDPR | UK | Brazil/LGPD | Primary risk |
|---|---|---|---|---|---|
| Scraping public websites (no authentication) | Low (hiQ) | Medium (legitimate interest required) | Medium | Medium | ToS civil liability; GDPR if EU personal data processed |
| Scraping authenticated platforms | High (CFAA) | High | High | High | CFAA criminal exposure (US); GDPR controller obligations |
| WHOIS/DNS lookups | Negligible | Negligible | Negligible | Negligible | Public technical data; minimal personal-data content |
| Company registry lookups | Negligible | Negligible (statutory disclosures) | Negligible | Negligible | Regulatory-mandated public disclosure |
| EXIF metadata from public images | Low | Medium (location data = personal data under GDPR) | Medium | Medium | GPS coordinates are personal data; additional basis required |
| Leaked data analysis (Panama Papers type) | Medium (receipt risk) | Medium (special category data risk) | Medium | Medium | CFAA receipt of hacked data; GDPR processing of leaked personal data |
| Dark web passive research | Low | Medium | Medium | Medium | Infrastructure access; potential conspiracy risk in some jurisdictions |
| Social media monitoring (public accounts) | Low | Medium (aggregate profiling = personal data processing) | Medium | Medium | Aggregate profiling creates GDPR controller obligations |
| Cryptocurrency on-chain analysis | Low | Medium (pseudonymous ≠ anonymous under GDPR) | Medium | Low | GDPR treats blockchain addresses linked to identified persons as personal data |
| Physical surveillance | High | High | High | High | State tort law; Article 8 ECHR/LGPD equivalent privacy rights |
| Drone imagery of urban areas | High (FAA airspace) | High | High | Medium | Airspace regulations; GDPR if persons identifiable in footage |
| Facial recognition against scraped images | High | Very High (biometric special category) | Very High | High | BIPA (Illinois); GDPR Art. 9 explicit consent; EU AI Act Art. 5 bans untargeted scraping of facial images to build FR databases (applicable Feb 2025) |
Berkeley Protocol — Legal Standard for OSINT Evidence
The Berkeley Protocol on Digital Open Source Investigations (2022) establishes the legal-grade standard for OSINT evidence in international accountability proceedings (ICC, ICJ, UN bodies). Key legal requirements:
Evidence admissibility prerequisites:
- Chain of custody documentation: Every piece of evidence must have a documented collection chain from original source to submission, including collector identity, collection method, tool versions, and storage path
- Hash verification: Cryptographic hashing (SHA-256) of all evidence at collection time, with re-verification at every transfer point
- Metadata preservation: Original metadata (EXIF, creation timestamps, platform metadata) must be preserved in original form; analysis goes to derived copies only
- Source documentation: Original source URL, archive capture date (Wayback Machine or archive.today), and evidence that the source was public at the time of collection
International tribunal standards: ICC Rules of Evidence require that digital evidence be authenticated, that its chain of custody be established, and that its integrity be verifiable. Berkeley Protocol compliance maps directly onto these requirements — OSINT investigations that apply the Protocol’s standards produce evidence that is structurally admissible before international bodies.
The Platform Terms of Service Problem
Platform ToS impose contractual obligations broader than statutory law. After Van Buren and hiQ, ToS violations are generally not CFAA crimes for public-facing data. But ToS violations remain:
- Grounds for civil lawsuit (breach of contract): Platforms have sued scrapers — LinkedIn v. hiQ (after remand), Ticketmaster v. Prestige Entertainment — but large-scale litigation is resource-intensive and typically targets commercial competitors, not individual analysts
- Grounds for account ban and IP block: Immediate and near-certain consequence of detected scraping
- Grounds for platform-initiated takedown: For content hosted on platforms, ToS violations enable removal of both content and accounts
Practical implication: Professional-grade OSINT programs maintain dedicated collection infrastructure — separate accounts, API access where available, rotating proxies — to avoid burning research accounts on routine collection.
Operational Legal Decision Framework
Before executing any OSINT collection operation involving personal data:
- Identify the subject’s jurisdiction: EU resident → GDPR applies globally. Brazilian resident → LGPD applies globally. US resident → CFAA applies to method; Privacy Act to government actors only.
- Identify your legal basis: Journalist with institutional cover → journalism exemption available. Academic researcher → research exemption available. Independent practitioner → legitimate interest basis, apply three-part test.
- Assess the collection method: Public-facing web scraping → legally lower-risk (post-hiQ). Authenticated-platform access → higher CFAA/breach risk. Dark web → jurisdiction-dependent.
- Apply special category check: Does the data involve health, political opinion, religion, biometrics, sexual orientation? If yes, stronger legal basis required.
- Document the legal basis before collection begins. Post-hoc rationalization is not a legal defense.
Key Connections
Ethical complement: OSINT Ethics — legal permissibility and ethical permissibility are distinct standards; this note addresses both independently
Collection framework: OSINT | Open-Source Intelligence Manual
Verification standard: Source Verification Framework
Practitioner tradecraft: IIA Ch. 9 — Legal Exposure and Liability Management | IIA Ch. 8 — OPSEC
Sub-discipline legal exposure: Financial Intelligence (FININT: AML/KYC, beneficial ownership disclosure law) | Social Media Intelligence (SOCMINT: platform ToS, scraping law) | Cyber Threat Intelligence (CTI: CFAA, dark web, criminal infrastructure)
Sources & Authorities
This is not legal advice. Statutes, case law, and enforcement posture change — verify each authority as current and consult qualified counsel before relying. Currency tags below reflect the state of the law as cited in the body (reviewed mid-June 2026); they are starting points for re-verification, not warranties of current force.
United States — Statutes & Regulations
- Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 — primary unauthorized-access statute. [primary, authoritative] — verify current as of 2026-06-17.
- Stored Communications Act (SCA), 18 U.S.C. § 2701 — unauthorized access to stored electronic communications. [primary, authoritative] — verify current as of 2026-06-17.
- Protecting Americans’ Data from Foreign Adversaries Act (PADFAA), 2024 — effective 23 June 2024; bars data brokers from providing U.S. persons’ sensitive data to foreign adversaries; FTC-enforced, penalties >$50,000/violation. [primary, authoritative] — verify current as of 2026-06-17.
- CFPB data-broker rulemaking — December 2024 proposed rule “Protecting Americans from Harmful Data Broker Practices,” Regulation V under the FCRA (proposed; not final as cited). [primary, authoritative] — verify current status (may be withdrawn/revised/finalized) as of 2026-06-17.
- Foreign Intelligence Surveillance Act (FISA) — collection targeting foreign powers/agents (government actors only). [primary, authoritative] — verify current as of 2026-06-17.
- Executive Order 12333 — overseas collection authority (government actors only). [primary, authoritative] — verify current as of 2026-06-17.
- Biometric Information Privacy Act (BIPA), Illinois — biometric/facial-recognition consent regime. [primary, authoritative] — verify current as of 2026-06-17.
United States — Case Law
- Van Buren v. United States (SCOTUS 2021) — narrowed CFAA “exceeds authorized access” prong. [primary, authoritative] — verify current as of 2026-06-17.
- hiQ Labs v. LinkedIn (9th Cir. 2022; D. Ct. remand Nov. 2022; settlement Dec. 2022, $500,000 stipulated judgment + permanent injunction) — public-data scraping not unauthorized access under CFAA, but scraping can lose on breach-of-contract grounds. [primary, authoritative] — verify current as of 2026-06-17.
- Carpenter v. United States (SCOTUS 2018) — warrantless CSLI collection is a Fourth Amendment search (government actors). [primary, authoritative] — verify current as of 2026-06-17.
- FTC v. Kochava (filed 2022; settlement announced May 2026) — bars sale of precise location data without affirmative express consent. [primary, authoritative] — verify current as of 2026-06-17.
- Ticketmaster v. Prestige Entertainment — scraping/breach-of-contract litigation. [primary, authoritative] — verify current as of 2026-06-17.
European Union — Statutes & Regulations
- General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 — extraterritorial reach where data subject is an EU resident; Arts. 6 (lawful bases), 9 (special category), 15/17/21 (subject rights), 85 (journalism/research exemptions). [primary, authoritative] — verify current as of 2026-06-17.
- EU AI Act, Regulation (EU) 2024/1689 (in force 2024) — Art. 5 prohibited practices applicable Feb. 2025 (ban on untargeted scraping of facial images to build/expand FR databases; real-time remote biometric ID limits); transparency rules phase in from Aug. 2026, high-risk biometric rules from Dec. 2027. [primary, authoritative] — verify current applicability dates and national implementing measures as of 2026-06-17.
United Kingdom — Statutes & Regulations
- UK GDPR — retained EU GDPR with UK amendments. [primary, authoritative] — verify current as of 2026-06-17.
- Data Protection Act 2018 (DPA 2018) — incl. Section 26 journalism exemption; Parts 3–4 (law-enforcement / intelligence-services processing). [primary, authoritative] — verify current as of 2026-06-17.
- Data (Use and Access) Act 2025 (DUAA) — Royal Assent 19 June 2025; amends (does not replace) UK GDPR, DPA 2018, PECR; staged commencement 2–12 months post-assent. [primary, authoritative] — verify current commencement status of individual provisions as of 2026-06-17.
- Privacy and Electronic Communications Regulations (PECR) — amended by DUAA. [primary, authoritative] — verify current as of 2026-06-17.
- EU↔UK adequacy decisions — original 2021 decisions, six-month technical extension, renewed 19 Dec. 2025 (GDPR + Law Enforcement Directive) with six-year sunset to 27 Dec. 2031 (four-year review). [primary, authoritative] — verify current as of 2026-06-17.
Brazil — Statutes & Regulations
- Lei Geral de Proteção de Dados (LGPD), Lei 13.709/2018 — in force Sept. 2020; Arts. 4 (security/defense exception), 7 (ten lawful bases), 11 (sensitive data). [primary, authoritative] — verify current as of 2026-06-17.
- ANPD sanctions-dosimetria regulation (Regulation on the Calculation and Application of Administrative Sanctions) — fine-calculation methodology; infraction classes minor/medium/serious. [primary, authoritative] — verify current as of 2026-06-17.
- ANPD Resolutions 1/2021 and 4/2023 — enforcement resolutions. [primary, authoritative] — verify current as of 2026-06-17.
- Medida Provisória 1.317/2025 — converts ANPD into an independent regulatory agency (functional/decision-making/financial autonomy). [primary, authoritative] — verify current status (MPs require congressional conversion) as of 2026-06-17.
Canada — Statutes & Regulations
- Personal Information Protection and Electronic Documents Act (PIPEDA) — private-sector commercial-activity data protection; Privacy Commissioner of Canada (advisory/investigative, no punitive fines). [primary, authoritative] — verify current as of 2026-06-17.
- Privacy Act (Canada) — limited journalistic-purpose exemptions. [primary, authoritative] — verify current as of 2026-06-17.
International — Standards
- Berkeley Protocol on Digital Open Source Investigations (2022) — legal-grade evidentiary standard for OSINT in international accountability proceedings (chain of custody, SHA-256 hashing, metadata preservation, source documentation). [primary, authoritative] — verify current as of 2026-06-17.
- ICC Rules of Evidence — digital-evidence authentication, chain of custody, integrity verification requirements. [primary, authoritative] — verify current as of 2026-06-17.