Bulletin

Fasken Noteworthy Privacy & Cybersecurity News (October 2024)

Fasken

Overview

Privacy & Cybersecurity Law Bulletin

Privacy & Cybersecurity in Canada, the US and the EU

This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.

Canada

Federal Government Adopts New Directive on Privacy Impact Assessments for Federal Institutions

On October 11, 2024, the federal government issued a Directive on Privacy Practices aimed at standardizing privacy management and enhancing transparency in public reporting. This directive is focused on safeguarding personal information throughout its entire life cycle, encompassing its creation, collection, retention, usage, disclosure, and disposal by government institutions or third parties operating under contract or through information-sharing agreements or arrangements with the institutions.

However, a parliamentary committee has deemed this directive insufficient and has put forward 14 recommendations to the government, including the need to strengthen the Privacy Act, which applies to federal institutions. The Committee is urging the inclusion of an explicit legal requirement for federal institutions to conduct privacy impact assessments before implementing high-risk technological tools. This measure would ensure that the privacy implications of such tools are thoroughly evaluated and addressed prior to their adoption.

Senate Completes Second Reading of Canada’s Bill C-26 Respecting Cybersecurity

On October 23, 2024, the Senate of Canada completed the Second Reading of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. Originally tabled in June 2022, Bill C-26 is expected to introduce significant new cybersecurity requirements for federally regulated industries and new national security requirements for the telecommunications sector. With completion of the Second Reading, Bill C-26 is a step closer to becoming law. It will now undergo review by the Senate Committee on National Security, Defence and Veterans Affairs before being submitted for the Third (and final) Reading at the Senate. For more information about Bill C-26, please see Fasken’s 2022 bulletin here.

United States

Montana’s Consumer Privacy Law Takes Effect

On October 1, 2024, Montana’s Consumer Data Privacy Act came into effect, making Montana the latest state to have a comprehensive data privacy law. The new Act applies to persons who conduct business in Montana or who produce products or services targeting residents in Montana and either (1) process personal data of at least 50,000 Montana consumers, or (2) process personal data of at least 25,000 Montana consumers and derive over 25% of gross revenue from the “sale” of any personal data.

Europe

A Failure to Comply with the GDPR Does Not Systematically Lead to the Imposition of a Penalty

The Court of Justice of the European Union ("CJEU") reminds us that when a breach of personal data has been established, the supervisory authority is not required to exercise a corrective power, in particular the power to impose an administrative fine, where such action is not appropriate, necessary or proportionate to remedy the shortcoming found and to ensure that the regulation is fully enforced.

The CJEU has rendered a notable decision in case C-446/21 Schrems (Data communication to the general public). An online social network cannot use all personal data obtained for targeted advertising purposes without time limitations and without distinguishing the nature of the data. This is a practical application of the GDPR’s data minimization principle. Additionally, the disclosure of sexual orientation during a roundtable does not justify the use of other such data outside the platform for personalized advertising.

EDPB To Work Together with European Commission to Develop Guidance on Interplay between GDPR and DMA

This enhanced dialogue between the Commission’s services and the European Data Protection Board ("EDPB") will focus on the applicable obligations on digital gatekeepers under the Digital Markets Act ("DMA") that have a strong interplay with the GDPR, as there is a need to ensure the coherent application of the applicable regulatory frameworks. Developing a coherent interpretation of the DMA and GDPR while respecting each regulator’s competencies in areas where the GDPR applies and is referenced in the DMA is crucial to effectively implement the two regulatory frameworks and achieve their respective and complementary objectives.

Council of the European Union Adopts New Cybersecurity Requirements

On October 10, 2024, the Council of the European Union adopted a new regulation on cybersecurity requirements for products with digital elements with a view to ensuring that products, such as connected home cameras, fridges, TVs, and toys, are safe before they are placed on the market ("Cyber Resilience Act"). The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components, for example, ‘Internet of Things’ (IoT) products, are made secure throughout the supply chain and throughout their lifecycle.

EDPB Adopts Opinion on Processors, Guidelines on Legitimate Interest, Statement on Draft Regulation for GDPR Enforcement, and Work Programme 2024–2025

During its latest plenary, the EDPB adopted an Opinion on certain obligations following the reliance on processor(s) and sub-processor(s), Guidelines on legitimate interest, a Statement on laying down additional procedural rules for GDPR enforcement and the EDPB work programme 2024-2025.

  • Opinion 22/2024 on certain obligations following the reliance on processor(s) and sub-processor(s): the EDPB considers, in particular, that:
    • controllers should have the information on the identity (i.e., name, address, contact person) of all processors, sub-processors etc. readily available at all times so that they can best fulfil their obligations under Article 28 GDPR, regardless of the risk associated with the processing activity.
    • the engagement of processors should not lower the level of protection for the rights of data subjects. The controller’s obligation to verify whether the (sub-) processors present ‘sufficient guarantees’ to implement the appropriate measures determined by the controller should apply regardless of the risk to the rights and freedoms of data subjects.
    • while the initial processor should ensure that it proposes sub-processors providing sufficient guarantees, even in the context of the transfer of personal information between two processors, the ultimate decision on whether to engage a specific sub-processor and the pertaining responsibility, including with respect to verifying the guarantees, remains with the controller.
    • the commitment for the processor to process personal data only on documented instructions from the controller, unless the processor is required to process by Union or Member State law to which the processor is subject, recalling the general principle that contracts cannot override the law.
  • Guidelines 1/2024 on the processing of personal data based on legitimate interest:
    • The guidelines provide guidance on how the assessment of legitimate interest should be carried out in practice, including in a number of specific contexts (e.g., fraud prevention, direct marketing, information security, etc.) and on the relationship that exists between Article 6(1)(f) GDPR and a number of data subject rights under the GDPR.
  • Statement 4/2024 on the recent legislative developments on the Draft Regulation laying down additional procedural rules for the enforcement of the GDPR:
    • The EDPB adopted a Statement following the amendments made by the European Parliament and the Council to the European Commission’s proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR. The Statement generally welcomes the modifications introduced by the European Parliament and the Council and recommends further addressing specific elements in order for the new regulation to achieve the objectives of streamlining cooperation between authorities and improving the enforcement of the GDPR.

EDPB Adopts Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive

The EDPB adopted the final version of its Guidelines on Technical Scope of Article 5(3) of ePrivacy Directive in October 2024. In these Guidelines, the EDPB addresses the applicability of Article 5(3) to different technical solutions. The Guidelines expand upon Opinion 9/2014 of Article 29 Working Party on the application of ePrivacy Directive to device fingerprinting and aim to provide a clear understanding of the technical operations covered by Article 5(3) of the ePrivacy Directive.

In Case You Missed It!

The Fasken Privacy and Cybersecurity group recently published the following articles that might be of interest.

Where You Will Find Us

Members of our Privacy and Cybersecurity group will be speaking at or attending the following events in the coming months. Keep an eye out for our team and stop by to say hi!

  • BFUTR Summit 2024, Toronto – Nov 6-7, 2024
  • CBA Privacy and Access Law Conference, Ottawa – Nov 7-8, 2024 

About Fasken’s Privacy and Cybersecurity Group

As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of 36 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU GDPR and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.

Contact the Authors

If you have any questions, please contact the Fasken Privacy and Cybersecurity team.

Authors

  • Sam Delechantos, Associate, Vancouver, BC | Calgary, AB, +1 604 631 2733, sdelechantos@fasken.com
  • Julie Uzan-Naulin, Partner, Montréal, QC, +1 514 871 5967, juzan@fasken.com
  • Rémi Slama, LLM, Associate, Montréal, QC, +1 514 397 7462, rslama@fasken.com
  • Iara Griffith, Associate, Montréal, QC, +1 514 397 7596, igriffith@fasken.com
  • Heather Whiteside, Associate, Toronto, ON, +1 416 865 5476, hwhiteside@fasken.com
  • Soleïca Monnier, Associate, Montréal, QC, +1 514 397 5281, smonnier@fasken.com
  • Dongwoo Kim, Articling Student, Toronto, ON, +1 416 865 5168, dwkim@fasken.com
