Privacy & Cybersecurity in Canada, the US, and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
IPC Releases Updated De-Identification Guidelines for Structured Data
The Information and Privacy Commissioner (IPC) of Ontario has updated and expanded its de-identification guidelines for structured data. This update of the IPC’s globally recognized guidelines, originally released in 2016, provides practical steps to help organizations maximize the benefits of data while protecting privacy. These guidelines offer practical tools, step-by-step processes, and checklists to help organizations de-identify and use data responsibly, with a focus on minimizing re-identification risk and balancing privacy with the benefits of data sharing for research and innovation.
Federal Privacy Commissioner Renews Call for Legislative Reform
On October 6, 2025, the Privacy Commissioner of Canada called for modernizing federal privacy laws during an appearance before the House of Commons ETHI Committee. The remarks emphasized the need for a regulatory framework that supports innovation while strengthening privacy protections, signaling continued momentum toward legislative reform.
Bill C-8 Moves Forward to Strengthen Cybersecurity in Critical Infrastructure
On October 3, 2025, Bill C-8 advanced to committee stage in the House of Commons. The bill proposes mandatory cybersecurity obligations for operators of critical infrastructure and expands government powers to address national security risks in the telecommunications sector (see Fasken’s October 2025 bulletin here). If passed, the legislation will introduce new compliance requirements and significant penalties under the proposed Critical Cyber Systems Protection Act.
Privacy Commissioner Supports Bill on Age Assurance for Online Content
On October 2, 2025, the Privacy Commissioner of Canada voiced support for Bill S-209 during an appearance before the Senate Legal and Constitutional Affairs Committee. The bill, titled the Protecting Young Persons from Exposure to Pornography Act, would make it an offence to make pornographic material available online to individuals under 18 and require privacy-protective age assurance measures. The Commissioner’s remarks emphasized the importance of safeguarding youth privacy while enabling responsible digital regulation, aligning with his broader priority of strengthening children’s privacy rights.
Nova Scotia to Replace Public Sector Access and Privacy Laws
The government of Nova Scotia has proposed a bill to update its access to information and privacy laws, which have not been revised in 25 years. The new Freedom of Information and Protection of Privacy Act will consolidate relevant legislation into a single framework, to take effect on April 1, 2027.
The bill outlines several changes:
- The Information and Privacy Commissioner will become an officer of the legislature, increasing its independence.
- Privacy oversight will extend to municipalities and villages.
- Mandatory breach notification will be required if a privacy breach presents significant risk of harm to individuals.
- Fines for violations under the act will be raised.
The Quebec CAI’s Annual Report for 2024-2025 has Been Published
The Commission's 2024-2025 annual activity and management report (in French only) was tabled today in the National Assembly. Here are some highlights, including initiatives to optimize the Commission's services that are currently underway. For example:
- A single form: Starting in fall 2025, users will have a central access point for several forms from the Commission's website home page. The single form will allow users to better identify their needs and simplify the process of filing appeals with the Commission.
- A pilot project for early case management within the judicial section is underway and will also be presented in fall 2025.
- A review of complaint handling procedures.
International
Global Privacy Regulators Sign Joint Statement on Building a Data Governance Framework for Trustworthy AI
Following the Global Privacy Assembly (September 15-19, 2025), twenty data protection authorities (“DPAs”), including the Office of the Privacy Commissioner of Canada (the “OPC”), signed the “Joint Statement on Building Trustworthy Data Governance Frameworks to Encourage Development of Innovative and Privacy-protective AI” (the “Joint Statement”). The Joint Statement emphasizes the role of DPAs in shaping data governance to address challenges raised by AI and lists several commitments, such as clarifying legal bases for AI data processing and information sharing, and establishing appropriate security measures. The Joint Statement signals the intent of DPAs such as the OPC to play a greater role in shaping AI regulations.
Cybersecurity Awareness Month
October is Cybersecurity Awareness Month, a global reminder to strengthen digital resilience. With growing regulatory momentum and the rise of AI-driven risks, cybersecurity is more critical than ever. From privacy legislation updates to evolving threat landscapes, our Fasken team is here to help you stay informed, compliant, and secure.
Europe
European Commission Publishes Draft Guidance Detailing How to Report Serious Incidents Involving High-risk AI Systems
Following the release of the European Commission’s draft guidance on Article 73 of the AI Act, providers of high-risk AI systems now have clearer directions on how to report serious incidents. The document defines what constitutes a “serious” incident — from harm to individuals to major disruptions of critical infrastructure — and sets strict reporting timelines of up to 48 hours. It also clarifies how these obligations interact with existing frameworks such as the GDPR, NIS2, and DORA, marking an important step toward a coordinated and transparent AI incident reporting regime in the EU.
In case you missed it!
The Fasken Privacy and Cybersecurity group recently shared the following thought leadership, which may be of interest.
- First Health Privacy Fine Issued in Ontario: Practical Lessons for the Health Sector
- Bill C-8 Reboots Canada’s Cybersecurity Legislation for the Telecommunications Sector and Other Critical Infrastructure
- This past September, Fasken was honoured to participate in ALL IN 2025, Canada’s largest artificial intelligence event, which brought together more than 4,000 experts and business decision-makers from 40 countries. Our partner Jocelyn Auger moderated the plenary session entitled "Cybersecurity in the AI Age: Risks and Strategies for Businesses," featuring executives from Flare, Minerva, Private AI and CyberEco. This strategic discussion highlighted how AI is transforming cybersecurity practices, including governance, organizational resilience and proactive risk management.
Where you will find us
Members of our Privacy and Cybersecurity group will be speaking at or attending the following events in the coming months. Keep an eye out for our team and stop by to say hi!
- CBA Privacy and Access Law Conference, Ottawa – Nov 6-7, 2025
- BFUTR Summit 2024, Toronto – Nov 6-7, 2025
About Fasken’s Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.
