Privacy & Cybersecurity in Canada, the US and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
Alberta Court Rules Portions of Alberta’s Personal Information Protection Act as Unconstitutional
The Court of King’s Bench of Alberta recently published its decision regarding the judicial review of an Alberta Information and Privacy Commissioner’s decision that concluded Clearview’s data scraping practices were in breach of the Alberta Personal Information Protection Act (PIPA). The Court determined that although Clearview is subject to the Alberta PIPA, certain sections of PIPA and the PIPA Regulations limit Charter rights regarding the use of online publications and images, and thus the Court struck the wording in PIPA’s regulations that referenced "publications" for the purposes of publicly available information as including “magazines, books, and newspapers”. In the court’s view, the simple reference to “publication” now means that publicly available information includes personal information “that has been intentionally made public” by the individual. This decision indicates that organizations may collect, use, and disclose personal information without consent that individuals make publicly available on the internet, which excludes a broader set of publicly available information from PIPA’s consent requirements than was previously allowed by the Commissioner under PIPA. However, such activities must be for a reasonable purpose. In the case of Clearview, the Court upheld the Commissioner's decision that the organization's purpose was not reasonable and thus was in breach of PIPA.
BC Privacy Commissioner Publishes Guidance on Requesting Records for Deceased Individuals
In early May 2025, the BC Privacy Commissioner published new guidance on how individuals can request access to records containing personal information about deceased individuals. This guidance is focused on requests made under the Freedom of Information and Protection of Privacy Act, which relates to public sector entities.
BC Privacy Commissioner Investigates City’s Use of High-Resolution Cameras
On May 7, 2025, the BC Privacy Commissioner announced that they are investigating the City of Richmond’s pilot project to install high-resolution cameras at specific intersections across the city. The Privacy Commissioner will review the project to ensure the collection, use, and disclosure of personal information by the city, when using these cameras, complies with the Freedom of Information and Protection of Privacy Act.
Federal Privacy Commissioner Launches Consultation on Children’s Privacy Code
On May 12, 2025, the Federal Privacy Commissioner launched an exploratory consultation on the development of a children’s privacy code in Canada. The consultation period is open for anyone to submit feedback until August 5, 2025. The Office of the Privacy Commissioner invites all advocacy groups, businesses, educators, and other interested parties to contribute their thoughts during the consultation period to help shape this new code.
Europe
Intention to Simplify the GDPR
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a letter addressed to the European Commission, regarding the upcoming proposal on the simplification of record-keeping obligations under the GDPR. The EDPB and EDPS shared that, at this stage, they could express preliminary support for this targeted simplification initiative, bearing in mind that it would not affect the obligation of controllers and processors to comply with other GDPR obligations.
Nevertheless, the EDPB and EDPS have asked the Commission to better evaluate the impact on the organizations subject to this change, to assess whether the draft proposal ensures a proportionate and fair balance between the protection of personal data and the interests of organizations with fewer than 500 employees.
Guidelines on Processing Personal Data Through Blockchains
The European Data Protection Board (EDPB) has adopted guidelines on the processing of personal data through blockchain technologies. A blockchain is a distributed digital ledger system that can confirm transactions and establish who owned a digital asset (such as cryptocurrency) at a given time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability.
In its guidelines, the EDPB explains how blockchains work, assessing the different possible architectures and their implications for the processing of personal data. The guidelines highlight the importance of implementing technical and organizational measures at the earliest stages of the design of the processing. The EDPB also clarifies that the roles, responsibilities, and obligations of the different actors in blockchain-related processing of personal data should be assessed during the design phase.
The guidelines will be subject to public consultation until June 9, 2025.
United States
Federal Trade Commission Publishes Final Children’s Privacy Rule Amendments
On April 22, 2025, the United States Federal Trade Commission published final amendments to the Children’s Online Privacy Protection Rule. The amendments will go into effect on or about June 21, 2025, with organizations expected to comply with the changes by April 22, 2026. Any organization processing children’s personal data in the United States should familiarize itself with the updated Rule and ensure it takes steps to come into compliance by the deadline.
U.S. “Take It Down” Act to Be Signed into Law
In April 2025, the U.S. House of Representatives passed the Federal bipartisan Take It Down Act, which criminalizes the publication of non-consensual intimate imagery online, and requires social media and similar websites to remove such content within 48 hours of being notified by a victim. The Act also criminalizes the publication of AI-generated images, such as deepfakes. This is the first Act to treat this issue as a criminal matter at a Federal level in the United States.
California Privacy Protection Agency Requires Clothing Retailer to Pay Fine in Relation to Privacy Practices
In May 2025, the California Privacy Protection Agency (CPPA) finalized its investigation into a national clothing retailer’s privacy practices. The CPPA issued a decision requiring the retailer to overhaul its privacy practices and to pay a fine of US$345,178 for breaching the California Consumer Privacy Act (CCPA). The CPPA determined that the retailer was not processing consumer opt out requests, was collecting excessive personal information, and was engaging in unnecessary identity verification practices. This decision followed after the CPPA warned companies in 2024 that they were expected to comply with the CCPA, or else risk substantial fines. Any companies doing business in California should ensure they are in compliance with applicable privacy laws.
About Fasken’s Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.
