Fasken Noteworthy Privacy & Cybersecurity News (January 2025)

Privacy & Cybersecurity in Canada, the US and the EU

This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.

Canada

BC Supreme Court Rules That BC PIPA Applies to Organizations Outside BC

In December 2024, the BC Supreme Court handed down its judgment in Clearview AI Inc. V Information and Privacy Commissioner for BC. The Supreme Court decided to uphold the decision of the Office of the Information and Privacy Commissioner (“OIPC”) made against Clearview AI, a US organization that provides facial recognition technology. Of note, the court determined that BC PIPA would apply to any organization with a “sufficient connection” with BC. This includes when an organization merely collects data from individuals in BC through the Internet. All organizations that operate a website that is accessible in BC must be aware of their obligations under BC PIPA and ensure that they are in compliance.

Europe

The General Court Orders the European Commission to Pay Damages to a Visitor to Its ‘Conference on the Future of Europe’ Website as a Result of the Transfer of Personal Data to the United States

A citizen living in Germany complained that the Commission had infringed his right to the protection of his personal data when, in 2021 and 2022, he visited the website of the Conference on the Future of Europe. Specifically, he had registered for the event through that website using the Commission’s EU Login authentication service, having selected the option of signing in using his social media account.

The Court considered that by allowing the registration through the social media hyperlink, the Commission created the conditions for the transmission of his IP address, i.e. personal data, to the undertaking established in the United States. At the time of that transfer, there was no Commission decision finding that the United States ensured an adequate level of protection for the personal data of EU citizens. Furthermore, the Commission has neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause. Therefore, the Commission did not comply with the conditions set by EU law for the transfer by an EU institution, body, office or agency of personal data to a third country.

Data Scraping: French Supervising Authority Fines KASPR €240 000

On December 5, 2024, the CNIL imposed a fine of 240,000 euros on KASPR, in particular, because it collected contact details of LinkedIn users who had previously masked them. The decision is based on the following failures.

• Failure to comply with the obligation to have a legal basis (Article 6 of the GDPR)
• Failure to comply with the obligation to define and respect a data retention period proportionate to the purpose of the processing (Article 5-1-e of the GDPR)
• Failure to comply with the obligation to provide transparency and information to individuals (Articles 12 and 14 of the GDPR)
• Failure to respect the right of access of individuals (Article 15 of the GDPR)

EDPB Adopts Pseudonymisation Guidelines

In its guidelines, the European Data Protection Board (“EDPB”) clarifies the definition and applicability of pseudonymisation and pseudonymised data and the advantages of pseudonymisation.

The guidelines provide two important legal clarifications:

• Pseudonymised data, which could be attributed to an individual by the use of additional information, remains information related to an identifiable natural person and is, therefore, still personal data. Indeed, if the data can be linked back to an individual by the data controller or someone else, it remains personal data.
• Pseudonymisation can reduce risks and make it easier to use legitimate interests as a legal basis, can aid in securing compatibility with the original purpose, and can help organisations meet their obligations relating to the implementation of data protection principles, data protection by design and default and security.

In Case You Missed It!

The Fasken Privacy and Cybersecurity group published the following articles recently, that might be of interest.

• Prorogation’s Digital Impact: Canada’s Digital Bills Set to Die on the Order Paper

About Fasken’s Privacy and Cybersecurity Group

As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offer a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.