Privacy & Cybersecurity in Canada, the US, and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
Ontario Commissioner Publishes Handbook for Small Health Organizations
The Information and Privacy Commissioner of Ontario ("IPC") recently published a Privacy Management Handbook for Small Health Care Organizations, which provides resources and guidance for health information custodians to develop and implement privacy management programs that comply with Ontario's Personal Health Information Protection Act ("PHIPA"). The handbook is intended for solo practitioners, small group clinics, and operators of small healthcare facilities, and includes practical advice on privacy policies, procedures, and controls, as well as links to other IPC resources.
Federal Bill C-2 Tabled in Parliament
A number of Federal Bills were introduced in Parliament in June 2025, including Bill C-2, which affects individual privacy in Canada. Bill C-2 is titled “An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures”. Bill C-2 proposes new measures to ensure Canada maintains a “strong border”, which includes some provisions that grant law enforcement agencies broader “lawful access” powers to individual information, devices and belongings.
For a detailed analysis of the bill’s implications, see our recent bulletin.
Quebec Commissioner to Stop Publishing Names of Organizations That Experience Security Breaches
On May 27, 2025, the Quebec Commission d’accès à l’information announced (in French only) that it will cease to publish the names of organizations that report a privacy breach. Since the inception of Quebec’s mandatory breach reporting regime, the Commission has taken various approaches, ranging from disclosing the names of organizations to journalists who make access to information requests, to most recently, proactively disclosing a quarterly list of names and dates of reports. This latest move from the Commission aligns with other commissioners in Canada. The federal commissioner is bound to confidentiality by the Personal Information Protection and Electronic Documents Act, whereas the Alberta commissioner ceased its longstanding practice of issuing public breach notification decisions where the organization has otherwise complied with Alberta's Personal Information Protection Act.
Alberta Commissioner Issues Report Regarding Processing of Access to Information Requests
On May 8, 2025, the Information and Privacy Commissioner of Alberta published a report on their investigation into the practices of government entities in processing and responding to access to information requests under the Alberta Freedom of Information and Protection of Privacy Act (“FOIP Act”). The report found that the adopted practices and interpretations of many public bodies were non-compliant with the FOIP Act, including requiring applicants to limit the number of topics in an access request to one, and placing limitations on the timeframe of the search for records. Any public body within Alberta should review the report to determine whether it is in compliance with the FOIP Act.
Alberta Commissioner Issues Notice of Changes to Review Processes Under the Access to Information Act
On June 4, 2025, the Information and Privacy Commissioner of Alberta published a notice outlining the changes of process that will occur mid-June after the FOIP Act is replaced by the Access to Information Act and Protection of Privacy Act. This notice focuses on the changes that will be implemented by the Information and Privacy Commissioner’s office regarding their review processes for settlements and inquiries. A number of Practice Notes have also been issued by the Information and Privacy Commissioner to assist public entities and applicants in navigating these new process changes.
Federal Privacy Commissioner Tables Annual Report in Parliament
On June 5, 2025, the Privacy Commissioner of Canada, Philippe Dufresne, tabled an annual report in Parliament, highlighting the progress made on his office’s strategic priorities to prioritize privacy as a fundamental right. The report considers significant privacy trends, such as the continued adoption of artificial intelligence, the risks of harm caused by data breaches, and the importance of ensuring the safety of young people online. The report also sets out the Commissioner’s priorities for the coming year.
Federal Privacy Commissioner Publishes Investigation Reports into a Number of Public Bodies Under the Privacy Act
On June 5, 2025, the Office of the Privacy Commissioner of Canada published their findings on six different investigations into the actions of certain federal institutions under the federal Privacy Act. The investigations included: (i) the Department of National Defence’s refusal to disclose personal information of a deceased individual, (ii) the loss of an unencrypted USB device by the RCMP, (iii) the disclosure of an adopted child’s name to their biological mother by the CRA, (iv) CRA’s application of paragraph 22(1)(b) to refuse access to personal information, (v) the denial of access to a child’s personal information by IRCC, and (vi) whether the measures to anonymize sensitive polygraph records mitigated the impacts of a National Security and Intelligence Review Agency review.
Europe
The European Data Protection Board (EDPB) Publishes Final Version of Guidelines on Data Transfers to Third Country Authorities
The EDPB has adopted the final version of the guidelines on data transfers to third-country authorities. In its guidelines, the EDPB zooms in on Article 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third country authorities (i.e., authorities from non-European countries).
The EDPB explains that judgements or decisions from third country authorities cannot automatically be recognized or enforced in Europe. As a general rule, an international agreement may provide for both a legal basis and a ground for transfer. In cases where there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered in exceptional circumstances and on a case-by-case basis.
United States
President Trump Issues Executive Order on Cybersecurity
On June 6, 2025, President Trump issued an Executive Order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144”. This Order generally amends prior orders made by the Biden and Obama administrations, by (i) directing that existing federal government regulations and policy focus on securing third-party software supply chains, quantum cryptography, artificial intelligence, and Internet of Things devices and (ii) focusing cybersecurity-related sanctions authorities on “foreign” persons.
New Jersey Governor Proposes Regulations Under the New Jersey Data Privacy Act (“NJDPA”)
On June 2, 2025, the New Jersey Governor proposed new regulations under the NJDPA to expand the obligations on businesses that operate in New Jersey and process personal information, and to provide guidance. The regulations generally follow a similar format to other US State laws, such as the California Consumer Privacy Act. However, the regulations focus on artificial intelligence more closely than other State laws. The regulations impose requirements for organizations to obtain consent from individuals to use their data for training AI, and to provide additional disclosures and notices around their use of AI.
In Case You Missed It!
The Fasken Privacy and Cybersecurity group recently published the following articles, which may be of interest.
- Bill C-2: Strong Borders Act Introduces Lawful Access and Data Disclosure Regime
- Update: Phase 1 Launch of the Canadian Program for Cyber Security Certification for Canadian Defence Contractors
About Fasken’s Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.