Privacy & Cybersecurity in Canada, the US and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
Canada’s New National Cyber Security Strategy
On February 6, 2025, the Government of Canada introduced its new National Cyber Security Strategy (NCSS) to enhance the country's cyber resilience. The strategy emphasizes whole-of-society engagement and agile leadership, focusing on protecting Canadians and businesses, positioning Canada as a global leader in cyber technology, and improving capabilities to detect and disrupt cyber threats. This comprehensive approach aims to safeguard Canada's digital landscape and ensure a secure, resilient, and prosperous future for all Canadians.
Privacy Commissioners Comment on PowerSchool Cybersecurity Incident
In February 2025, the Alberta and Federal Privacy Commissioners released statements on the recent cybersecurity incident experienced by PowerSchool. The Alberta Privacy Commissioner noted that they received 31 breach notices from various Alberta educational institutions about unauthorized access to personal information. The Commissioners are currently reviewing any applicable breach notices and complaints received by their offices. The Commissioners encourage individuals to be vigilant, to contact the relevant educational institution that notified them with any questions, and to refer to the Commissioners’ websites for additional information about their privacy rights.
United States
Federal Trade Commission Updates Children’s Privacy Rule
On January 16, 2025, the Federal Trade Commission (“FTC”) announced updates to the Children’s Online Privacy Protection Rule, which will go into effect 60 days after publication in the Federal Register. The changes include requiring organizations to obtain parental consent for children to opt-in for targeted advertising, expanding the definition of personal information, and requiring organizations to limit the types and amount of personal data that they retain. Organizations with online operations that may impact children in the United States should keep an eye on these changes to ensure they comply.
New York Passes Health Information Privacy Act
In January 2025, the New York legislature passed the New York Health Information Privacy Act. This Act establishes a comprehensive framework for the processing of health data in New York State by regulated entities. Regulated entities are currently considered entities that control the processing of regulated health information and their service providers. The law is currently awaiting the Governor's signature and will likely take effect one year after the law is signed.
Europe
Joint Statement on Building Trustworthy Data Governance Frameworks to Encourage Development of Innovative and Privacy-Protective AI
At the AI Action Summit in Paris (February 6-11, 2025), data protection authorities from Australia, Ireland, France, Korea, and the UK signed a joint declaration to reaffirm their commitment to data governance that promotes innovative, privacy-protective AI.
This initiative aims to promote an artificial intelligence (AI) governance framework that offers legal certainty to stakeholders and guarantees to individuals, particularly in terms of transparency and respect for fundamental rights. The declaration highlights the many opportunities offered by AI in various fields such as innovation, research, the economy, and society. It also warns of several risks concerning the protection of personal data and privacy, discrimination and algorithmic bias, as well as misinformation and AI hallucinations.
To ensure AI complies with current regulations, the authorities recommend incorporating data protection principles right from the design stage of AI systems, implementing robust data governance and anticipating risk management.
EU Has Withdrawn the Proposal of E-Privacy Regulation
The EU Commission, in its work program for 2025, has decided to withdraw the proposal of e-privacy regulation since no agreement is expected from the co-legislators. Furthermore, the proposal is outdated in view of some recent legislation in both the technological and legislative landscapes.
Pseudonymized Data vs Anonymized Data
In its opinion, the Advocate General on case C‑413/23 P makes a distinction between pseudonymization and anonymization in the context where a party receives pseudonymized information. He reminded that pseudonymization is a process applied to personal data in order to ‘reduce the risks’ of a data set being correlated with the identity of a data subject and help controllers and processors to meet their data protection obligations.
When a party receives pseudonymized data, such data remains personal data. However, if the risk of identification is non-existent or insignificant, then data can legally escape classification as ‘personal data’. In other words, sometimes, pseudonymized data for one party can become anonymized data for the recipient party: it is necessary to determine whether the pseudonymization of the data at issue is sufficiently robust to conclude that the recipient party has reasonable means to identify individuals. In that case, pseudonymized data could be considered to be processing personal data.
In Case You Missed It!
The Fasken Privacy and Cybersecurity group published the following articles recently, that might be of interest.
- Cupid and Loyalty Programs: Data Relationships with Strings Attached
- Eight Tips to Smoothly Implement Your Biometric System
Where You Will Find Us
Members of our Privacy and Cybersecurity group will be speaking at or attending the following events in the coming months. Keep an eye out for our team and stop by to say hi!
- NetDiligence Cyber Risk Summit, Toronto – March 18-19, 2025
About Fasken’s Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.
