Privacy & Cybersecurity in Canada, the US and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist you.
Canada
Alberta Introduces New Freedom of Information Laws
In November 2024, the Alberta government announced that it would repeal the Freedom of Information and Protection of Privacy Act ("FOIP Act") and introduce two separate acts in its place, titled the Protection of Privacy Act (“POPA”) and the Access to Information Act (“ATIA”). POPA and ATIA will still remain applicable to an array of public entities, including government departments, boards, agencies, municipalities, school boards, police services, as well as universities and colleges, and will introduce new changes to meet the privacy and information access demands of our digital era. Read Fasken’s bulletin here on Updates to Alberta’s Freedom of Information Law.
Ontario’s Public Sector Cyber Security Legislation Becomes Law
On November 25, 2024, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (“Bill 194”) passed Third Reading and received Royal Assent at the Legislative Assembly of Ontario. Bill 194 enacts the Enhancing Digital Security and Trust Act and introduces changes to the Freedom of Information and Protection of Privacy Act – which together create significant new obligations regarding privacy, cyber security, and use of artificial intelligence for Ontario’s public sector entities. Read Fasken’s bulletin on Bill 194 here: Ontario’s Public Sector Cyber Security Legislation Receives Royal Assent.
Federal Court of Appeal Rules on the Meaning of Meaningful Consent and Requirement to Safeguard Personal Information
Earlier this month, we published our bulletin on September’s Federal Court of Appeal decision in Canada (Privacy Commissioner) v Facebook, Inc., 2024 FCA. You can read it here: New Federal Court of Appeal Decision and its Implications for Meaningful Consent and Adequate Safeguarding of Personal Information.
The decision is one of only a handful by appeals courts that considers the core concepts in Canada’s federal private-sector privacy law, Personal Information Protection and Electronic Documents Act ("PIPEDA"). Specifically, the court:
- Establishes a “reasonable person” standard for evaluating meaningful consent under PIPEDA;
- Underscores that privacy statements alone may be insufficient to establish meaningful consent, particularly where the use or disclosure of personal information is for an unexpected purpose; and
- Highlights that contractual terms are not always sufficient for safeguarding personal information.
Europe
EDPB Clarifies Rules for Data Sharing With Third Country Authorities in New Guidelines
Organizations receive requests from public authorities in other countries to share personal data. The sharing of data can, for instance, be of help to collect evidence in the case of crime, to check financial transactions or approve new medications. Such organizations must comply with the GDPR, in particular with the transfers provisions and shall assess under which conditions they can lawfully respond to such requests (for example, on the basis of an international agreement). Note that the consultation is still ongoing.
EDPB Letter to the European Commission on Its Review of Its Eleven Adequacy Decisions Adopted Under Directive 95/46/EC
On January 15, 2024, the European Commission concluded its review of the eleven adequacy decisions adopted and considered that personal data transferred from the European Union (EU) to adequate countries continues to benefit from an adequate level of protection.
In his letter, the European Data Protection Supervisor ("EDPS") provides the Commission with methodological comments on certain aspects of his assessment that could have been described in greater detail: the rule of law, certain elements of the data protection framework (key concepts, lawfulness bases, rights of individuals, safeguards for automated decision-making, onward transfers, etc.), and access to and use of personal data by authorities in third countries. The EDPS considers that these aspects should be carefully monitored by the Commission in its future reassessments of the laws and practices of third countries and territories.
The EDPB Publishes a GDPR Opinion on Certain Data Protection Aspects Related to the Processing of Personal Data in the Context of AI Models
On December 18, 2024, the European Data Protection Board ("EDPB") published Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models.
In particular, it examines when AI models can be considered anonymous, how controllers can justify using legitimate interest as a legal basis for processing data during AI model development and deployment, and the consequences of unlawful data processing during development or deployment of AI models.
European Parliament Adopts Brief on Tackling Disinformation and the Risks of Generative AI
On December 12, 2024, the European Parliament adopted a brief addressing the issue of disinformation in the digital space. The document highlights the growing challenges posed by foreign manipulation, particularly from authoritarian actors, and the risks amplified by generative AI.
It outlines the EU's ongoing efforts to enhance information integrity, including legislative measures, collaborative initiatives, and the forthcoming "European democracy shield" to protect democratic processes and safeguard fundamental rights such as freedom of expression.
And Lastly, Some Holiday Cheer!
About Fasken’s Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of 36 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services across all industry sectors. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.
