Bulletin

Fasken’s Noteworthy News: Privacy & Cybersecurity in Canada, the US and the EU (May 2026)

Fasken

Overview

Privacy and Cybersecurity Bulletin

This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.

This month’s noteworthy news

CANADA

CANADA TO REVIEW FEDERAL PRIVACY ACT

On April 2, 2026, the Treasury Board announced its review of the Federal Privacy Act, which governs how government institutions collect, use, and disclose personal information in Canada. The Treasury Board has made a policy paper with detailed proposals for the review available for comment and feedback until July 10, 2026.

Link: Government of Canada launches review of the Privacy Act - Canada.ca

CANADIAN PRIVACY COMMISSIONERS ISSUE JOINT FINDINGS INTO OPENAI’S CHATGPT

On May 6, 2026, Canada’s federal and provincial privacy commissioners (Alberta, British Columbia, and Québec) released findings from a joint investigation into OpenAI’s data practices, concluding that its ChatGPT models (GPT‑3.5 and GPT‑4) did not comply with core privacy obligations. More specifically, commissioners determined that OpenAI’s collection of personal information for AI training was overbroad and disproportionate, that consent mechanisms were invalid, and that disclosures lacked sufficient transparency. They further identified deficiencies relating to accuracy, access, correction, deletion, retention, and accountability obligations.

Overall, the findings underscore that Canadian organizations remain responsible for complying with privacy laws in connection with the collection, use, and disclosure of personal information in the training and deployment of generative AI systems.

Link: PIPEDA Findings #2026-002: Joint Investigation of OpenAI OpCo, LLC - Office of the Privacy Commissioner of Canada

PRIVACY COMMISSIONER ISSUES SECOND ADMINISTRATIVE MONETARY PENALTY

On April 23, 2026, the Office of the Information and Privacy Commissioner of Ontario (IPC) issued its second administrative monetary penalty under Ontario’s health privacy law. A hospital clerk was ordered to pay a $2,000 penalty for inappropriately accessing 436 patient records. 

Link: PHIPA DECISION 334 - Information and Privacy Commissioner of Ontario

FEDERAL PRIVACY COMMISSIONER PUBLISHES GUIDANCE ON AGE ASSURANCE

On May 4, 2026, the Privacy Commissioner of Canada announced the publication of its guidance on age assurance, setting out when age assurance should or must be used, and what design features or privacy considerations should be addressed when using or designing age assurance systems. Organizations that operate applicable websites, online service providers, and age assurance developers are encouraged to review the guidance.

Link: News release: Privacy Commissioner of Canada launches new age assurance guidance to support organizations - Office of the Privacy Commissioner of Canada

UNITED STATES

COLORADO AMENDS ARTIFICIAL INTELLIGENCE LAW

On May 12, 2026, the Colorado legislature passed Senate Bill 26-189, which is an amended version of its previously passed Artificial Intelligence Act. This new law is focused more heavily on automated decision-making technology and comes into effect on January 1, 2027. The definition of automated decision-making technology is quite broad, applying to technology that processes personal data and uses computation to generate outputs (predictions, recommendations, classifications, rankings, or scores) that are used to make or assist decisions about individuals. Organizations using technologies that may be seen as engaging in some form of decision-making should make themselves familiar with the law prior to its effective date to ensure compliance.

Link: SB26-189 Automated Decision-Making Technology | Colorado General Assembly

CALIFORNIA PRIVACY PROTECTION AGENCY SETTLES WITH GENERAL MOTORS OVER PRIVACY BREACHES

On May 8, 2026, the California Privacy Protection Agency and the State’s District Attorneys announced their settlement with General Motors regarding its consumer data practices. The regulator first focused on General Motors' use of consumer data when reviewing the privacy practices of connected vehicles. Specifically, the regulator found that General Motors had allegedly sold consumer data without consent and retained personal data for longer than necessary. This case is the first to focus on the data minimization principle in the California Consumer Privacy Act (“CCPA”), and the California Privacy Protection Agency has indicated that it will not be the last. Organizations operating in California and potentially subject to the CCPA should consider their data minimization and retention practices, ensuring that all personal data is connected to a reasonable business purpose and has a defined retention period.

Link: When It Comes to Data Privacy, Consumers Must Be in the Driver’s Seat: Attorney General Bonta, Partners Secure $12.75 Million General Motors Privacy Settlement | State of California - Department of Justice - Office of the Attorney General

EUROPEAN UNION

DRAFT COMMISSION GUIDELINES ON THE CLASSIFICATION OF HIGH-RISK AI SYSTEMS

On May 19, 2026, the EU Commission published draft guidelines to help AI providers, deployers, and market authorities determine whether an AI system qualifies as “high-risk.” They explain key concepts for classification and provide practical examples of systems that should or should not be considered high-risk. While the examples cover many use cases, they are not exhaustive and may evolve over time.

An AI system is classified as high-risk in two situations:

  1. If it is used as a safety component (or is itself a product) regulated under EU harmonization laws and requires third-party conformity assessment.
  2. If it falls within specific high-risk use cases listed in Annex III of the AI Act.

Link: Draft Commission guidelines on the classification of high-risk AI systems | Shaping Europe’s digital future

THE EDPB HAS PUBLISHED GUIDELINES ON THE PROCESSING OF PERSONAL DATA FOR SCIENTIFIC RESEARCH PURPOSES

Scientific research is a core objective of the EU, promoting innovation, competitiveness, and the free circulation of knowledge and technology. It often relies on the processing of personal data, which has enabled major breakthroughs, especially with advances like artificial intelligence. While these developments create new opportunities, they also raise risks to fundamental rights and privacy. The GDPR provides a framework to support research while ensuring responsible data use and protecting individuals. To clarify its application, the EDPB issued guidelines to help researchers comply effectively.

In particular, the guidelines address topics including storage limitation, consent, public interest, legitimate interest, and attribution of responsibility, among others.

The guidelines will be subject to public consultation until June 25, 2026.

Link: Guidelines 1/2026 on processing of personal data for scientific research purposes | European Data Protection Board

EDPB APPROVES UPDATED EUROPRIVACY CRITERIA AND RECOGNIZES EUROPRIVACY AS A GDPR TRANSFER TOOL

In its Opinion 14/2026, the EDPB considers that the Europrivacy certification criteria are consistent with the GDPR and approves them. The EDPB will register the Europrivacy certification scheme in the public register of certification mechanisms and data protection seals.

In addition, in its Opinion 15/2026, the EDPB recognizes the Europrivacy certification criteria as a European Data Protection Seal to be used as a tool for transfers: data importers outside Europe who are not subject to the GDPR can now apply to the Europrivacy certification scheme for the transfers of data they receive.

Link: edpb_opinion_202614_europrivacy_en.pdf

https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-152026-europrivacy-certification-criteria_en

About Fasken's Privacy and Cybersecurity Group

As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by clients from all sectors. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.

Contact the Authors

If you have any questions, please contact the Fasken Privacy and Cybersecurity team.


Authors

  • Julie Uzan-Naulin, Partner | Privacy and Cybersecurity Law, Montréal, QC, +1 514 871 5967
  • Sam Delechantos, Associate | Privacy and Cybersecurity Law, Vancouver, BC | Calgary, AB, +1 604 631 2733
  • Rémi Slama, LLM, Associate | Corporate/Commercial, Montréal, QC, +1 514 397 7462
  • Iara Griffith, Associate | Corporate/Commercial, Montréal, QC, +1 514 397 7596
  • Dongwoo Kim, Associate | Privacy and Cybersecurity Law, Toronto, ON, +1 416 865 5168