Privacy & Cybersecurity in Canada, the US, and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
Review Launched into Federal Security Agencies’ Use of AI
Canada’s National Security and Intelligence Review Agency (NSIRA) has launched a review into how federal security agencies deploy and oversee artificial intelligence tools, including systems used for document translation and malware detection. The review will assess whether current governance frameworks adequately address emerging risks and evaluate how AI is defined, managed, and audited across agencies.
NSIRA has notified multiple federal ministers and the heads of CSIS, the RCMP, and the Communications Security Establishment, and may request documents, conduct interviews, and perform technical inspections as part of the process. The findings are expected to identify oversight gaps and inform future policy approaches to AI use in national security.
United States
New York Enacts California-Style AI Transparency Law for Large AI Companies
On December 19, 2025, New York Governor Kathy Hochul signed Responsible AI Safety and Education Act (RAISE Act). Taking effect on January 1, 2027, the RAISE Act is modelled after California’s Transparency in Frontier Artificial Intelligence Act and imposes obligations on AI developers with more than USD $500 million in revenue to adopt safety and security protocols and to share information with regulators. The RAISE Act also requires developers to report safety incidents within 72 hours and allows for monetary penalties of up to USD $30 million for violations.
European Union
CNIL Launches “FantomApp” to Support Safer Social Media Use by Minors
To help 10 to 15‑year‑olds use social networks more safely and responsibly, the Commission nationale de l’informatique et des libertés (CNIL), France’s data protection authority, is offering its application called “FantomApp.” Nine European data protection authorities have expressed interest in and supported the project, and the application will be translated into the language of each partner country.
This application allows users to:
- access tools and tutorials to protect their accounts and clean up their online presence (e.g., how to blur a photo); and
- get advice and content to help in case of problems (e.g., how to delete content or what to do in case of hacking).
This free and secure application does not collect any data (only the IP address, necessary for the functioning of the application, and the type of device used).
Renewal of the United Kingdom’s Adequacy Decisions
On December 21, 2025, the European Commission adopted two new adequacy decisions for the United Kingdom – one under the General Data Protection Regulation (GDPR) and the other under the directive on data protection in the law enforcement sector. As a reminder, sunset clauses had been introduced in the previous decisions, which expired on December 27, 2025.
In accordance with the new decisions of the European Commission, transfers of personal data from the European Union to the United Kingdom can continue without specific safeguards. Through these decisions, the European Commission confirms that such data benefits from a level of protection substantially equivalent to that guaranteed under the GDPR.
€42 Million Fine Imposed on Free Mobile and Free by the CNIL (France)
On January 13, 2026, the CNIL issued two sanction decisions against the companies FREE MOBILE (
In October 2024, an attacker managed to infiltrate the companies’ IT system and access personal data relating to 24 million subscriber contracts, including banking details (IBAN). Following numerous complaints, the CNIL carried out an inspection that revealed breaches of several obligations under the GDPR, in particular the failure to ensure the security of personal data.
In case you missed it!
The Fasken Privacy and Cybersecurity Group recently shared the following thought leadership, which may be of interest.
About Fasken's Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by clients from all sectors. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.
