Bulletin

Fasken Noteworthy Privacy & Cybersecurity News (April 2025)

Fasken

Overview

Privacy & Cybersecurity Law Bulletin

Privacy & Cybersecurity in Canada, the US and the EU

This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.

Canada

Government of Canada Launches Consultation on Global Cross-Border Privacy Rules Certification

On March 26, 2025, the Government of Canada initiated a consultation to gather insights on implementing the certifications of the Global Cross-Border Privacy Rules (CBPR) Forum, specifically the Global CBPR System and the Privacy Recognition for Processors (PRP) System, with the aim “to help strengthen trust and ensure greater transparency in cross-border flows of personal information”. These systems aim to facilitate cross-border data flows by providing a framework for organizations to comply with privacy laws across multiple jurisdictions, specifically those of Global CBPR Forum members and associate jurisdictions. The consultation invites feedback from organizations regulated by PIPEDA or similar provincial laws, potential Global CBPR Forum-recognized Accountability Agents, and other interested stakeholders. Specifically, the consultation is looking for input on the benefits and challenges of implementing the CBPR and PRP Systems, the suitability of different Accountability Agent models, and measures to maximize the benefits of these systems in Canada. Stakeholders can submit feedback through an online consultation form by June 30, 2025.

Federal Privacy Commissioner Launches Breach Risk Self-Assessment Tool

In March 2025, the Federal Privacy Commissioner, Philippe Dufresne, launched an online tool for organizations and federal institutions to use when assessing whether a security breach is likely to create a real risk of significant harm to individuals. This tool can help organizations to determine whether notifications are required after a security breach occurs, and is readily available to organizations at the Office of the Privacy Commissioner of Canada’s website.

Europe

European Health Data Space Regulation Enters Into Force

Regulation (EU) 2025/327 on the European Health Data Space (the “Regulation”) was published in the Official Journal of the EU on March 5, 2025.

The Regulation aims to establish a common framework for the use and exchange of electronic health data across the EU. It improves individuals’ access to and control over their electronic health data (“EHD”) within their electronic health record (“EHR”). The definition of “primary use” of EHD is broad and includes healthcare provision and assessment, and the provision of medicinal products and devices. The Regulation also establishes a governance framework for the “secondary use” of EHD in areas including research, innovation and policymaking. Additionally, the Regulation establishes a harmonised legal and technical framework for EHR systems, fostering interoperability, innovation, and the smooth functioning of the internal market.

Toward a Simplification of the GDPR?

The EU Commission is working on a plan to simplify the law in order to "ease the burden" on smaller organizations while "preserving the underlying core objective of our GDPR regime," said Michael McGrath, the European commissioner overseeing data privacy laws, in recent remarks during an interview at the Center for Strategic and International Studies (CSIS). The aim is for smaller companies to spend less time and money complying with the complex legal and regulatory requirements imposed by European law.

In addition, Michael McGrath reminds us of the European Union’s objective to continue with the full implementation and enforcement of the Data Privacy Framework.

United States

Executive Order Preventing Access to Americans’ Bulk Sensitive Personal Data and Government Data Becomes Effective

The U.S. Department of Justice has finalized a rule implementing Executive Order 14117, aimed at preventing access to Americans’ bulk sensitive personal data and U.S. government-related data by countries of concern. Effective from April 8, 2025, with some requirements delayed until October 6, 2025, the rule prohibits and restricts certain transactions involving sensitive personal data between U.S. persons and specified foreign entities. The new framework covers sensitive personal data including biometric, genomic, financial, geolocation, and health data, as well as certain identifiers.

Violations can result in severe civil and criminal penalties: civil fines can reach up to USD $368,136 or twice the transaction amount, while criminal penalties can include fines up to USD $1,000,000 and/or imprisonment for up to 20 years. The rule mandates rigorous due diligence, security, and audit requirements, particularly for transactions with countries of concern such as China, Iran, North Korea, Cuba, and Russia. Organizations must update their compliance processes, including vendor due diligence and contract provisions, to align with the new regulations.

Updates to HIPAA Proposed for Implementation in 2025

For any organizations that process health information in the United States, the Health Insurance Portability and Accountability Act (“HIPAA”) is an important law to be familiar with. In December 2024, the Office for Civil Rights at the Department of Health and Human Services issued a notice of proposed rulemaking regarding changes to HIPAA. The proposed changes are intended to increase protections for electronic health information by imposing mandatory cybersecurity controls on organizations and accounting for the use of new technology tools, such as artificial intelligence, in healthcare. Consultations on the proposals were open until March 7, 2025, and all submissions are currently being considered.

California Privacy Regulator Settles With Honda Over Privacy Violations

The California Privacy Protection Agency (“CPPA”) has issued a statement announcing its first settlement with an organization, Honda, for its breach of the California Consumer Privacy Act (“CCPA”). The investigation of Honda reportedly arose out of the CPPA’s review of certain data practices of connected vehicle manufacturers and related technologies. Honda was found to be breaching the CCPA by, among other things, asking consumers for excessive amounts of personal information in order to opt out of the sale or sharing of their personal information, and by sharing information with ad tech companies without proper safeguards in place. Honda has agreed to pay a USD $632,500 fine and implement a new system for individuals to assert their privacy rights.

In Case You Missed It!

The Fasken Privacy and Cybersecurity group published the following articles recently that might be of interest.

Where You Will Find Us

Members of our Privacy and Cybersecurity group will be speaking at or attending the following events in the coming months. Keep an eye out for our team and stop by to say hi!

About Fasken’s Privacy and Cybersecurity Group

As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.

Contact the Authors

If you have any questions, please contact the Fasken Privacy and Cybersecurity team.

Authors

  • Sam Delechantos, Associate | Privacy and Cybersecurity Law, Vancouver, BC | Calgary, AB, +1 604 631 2733, sdelechantos@fasken.com
  • Iara Griffith, Associate | Privacy and Cybersecurity Law, Montréal, QC, +1 514 397 7596, igriffith@fasken.com
  • Julie Uzan-Naulin, Partner | Privacy and Cybersecurity Law, Montréal, QC, +1 514 871 5967, juzan@fasken.com
  • Christopher Ferguson, Partner | Technology, Media and Telecommunications, Privacy and Cybersecurity Law, Toronto, ON, +1 416 865 4425, cferguson@fasken.com
