Privacy & Cybersecurity in Canada, the US and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
Federal Privacy Commissioner Seeks Court Order Requiring Pornhub Operator to Comply with Privacy Laws
Canada’s Privacy Commissioner filed an application with the Federal Court seeking an order to direct Aylo, an operator of pornographic websites, to comply with Canadian privacy laws. This comes one year after the Commissioner released its findings from an investigation into Aylo’s compliance with the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The investigation was prompted by a complaint from a woman whose ex-boyfriend uploaded intimate images of her without her consent. The Commissioner concluded that Aylo allowed sensitive content to be posted online without individuals’ meaningful consent and failed to provide a simple and effective process for individuals to have their content removed.
The Commissioner’s application states that Aylo’s practices still fail to ensure meaningful consent from individuals in videos on its sites, despite recent changes. Unlike the Commissioner, the Federal Court has the authority to impose binding orders on organizations to comply with PIPEDA.
Québec Privacy Commissioner Prohibits a Grocer From Implementing a Facial Recognition System
On February 18, 2025, the Commission d’accès à l’information du Québec (CAI) issued a decision (available in French only) regarding a supermarket’s proposed pilot project to implement facial recognition systems in certain stores. The project’s objective was to combat shoplifting and fraud by using surveillance cameras to capture images of individuals entering and exiting the establishments without consent. The CAI’s investigation raised concerns about the compliance of this biometric system with Québec’s private sector privacy law and the Act to Establish a Legal Framework for Information Technology. Consequently, the CAI prohibited the organization from implementing the proposed biometric database, citing violations of privacy rights and the need for strict adherence to legal standards when deploying such technologies.
Québec Privacy Commissioner Issues a Brief on the Use of AI in the Workplace
On February 21, 2025, the CAI published a brief on the use of AI in the workplace (available in French only) presented to the Québec Ministry of Labour earlier in January. It addresses the impact of AI and surveillance technologies in the workplace, emphasizing the need for proper regulation to protect employees’ personal information. The CAI acknowledges that, when deployed under favorable conditions, AI can offer benefits to both employers and employees, such as job creation and enhanced work experiences. However, the brief highlights concerns about the increasing use of surveillance technologies, including biometric systems like facial recognition and fingerprint scanning, which may infringe on employees’ privacy rights. The CAI calls for the establishment of clear guidelines, as well as enhanced transparency and assessments, to ensure that the implementation of AI and related technologies in the workplace respects the fundamental rights of employees.
Europe
Children and Generative AI
On February 18, 2025, the European Parliamentary Research Service published “At a Glance”, highlighting gaps in AI literacy and digital education for children despite EU protections like the Digital Services Act and AI Act. The EPRS calls for improved AI literacy, reduced digital divides, and common EU indicators to monitor AI’s impact on children.
Automated Credit Assessment: The Data Subject Is Entitled to an Explanation as to How the Decision Was Taken
In Case C-203/22, the Court of Justice of the European Union (CJEU) stated that the explanation given should allow the data subject to comprehend and challenge the automated decision.
In Austria, a mobile telephone operator declined to enter into a contract with a customer due to her insufficient credit standing. The operator based this decision on an automated credit assessment conducted by Dun & Bradstreet Austria, a firm specializing in providing such evaluations.
According to the CJEU, the controller must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used, and how they have been used, in the automated decision-making. In order to meet the requirements of transparency and intelligibility, it could in particular be appropriate to inform the data subject of the extent to which a variation in the personal data taken into account would have led to a different result. By contrast, the mere communication of an algorithm does not constitute a sufficiently concise and intelligible explanation.
CJEU Clarifies Calculation of GDPR Fines for Undertakings
On February 13, 2025, the CJEU published a judgment in Case C-383/23, which clarified the methodology and scope of fine calculations for undertakings under the EU General Data Protection Regulation (GDPR).
The case involved ILVA A/S, a subsidiary of Lars Larsen Group. The CJEU decided that “undertaking” in GDPR Articles 83(4) to (6) should be aligned with EU competition law, specifically Article 101 and Article 102 of the Treaty on the Functioning of the European Union (TFEU). In this context, “undertaking” means an economic unit engaged in commercial activities regardless of its legal form. This includes companies, sole traders, and partnerships. As such, the CJEU ruled that the maximum fine must be based on the total worldwide annual turnover of the Lars Larsen Group, not just ILVA’s turnover. The CJEU emphasized that the fines should be effective, proportionate, and dissuasive.
In Case You Missed It!
The Fasken Privacy and Cybersecurity Group recently published the following articles that might be of interest.
About Fasken’s Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.