Privacy & Cybersecurity in Canada, the US and the EU
This is a monthly bulletin published by the National Privacy and Cybersecurity team at Fasken. The information contained herein includes noteworthy news, topics, discussions and cases in the privacy & cybersecurity landscape. If you have any questions about any of the topics discussed, please reach out to our friendly Fasken Privacy and Cybersecurity team.
This Month's Noteworthy News
Canada
Quebec's New Legislation on Health Information to Come Into Effect on July 1, 2024
On June 12, 2024, Quebec's Minister of Health announced that on July 1st, 2024, some provisions of Quebec's new Act respecting health and social services information will come into effect. This will mark a significant change, facilitating smoother dissemination of health and social services information within the network while ensuring their protection. The legislation can be accessed on the Quebec National Assembly website.
Privacy Authorities for Canada and the UK Launch Joint Investigation Into 23andMe Data Breach
In late 2023, 23andMe faced a major data breach affecting nearly 7 million users. Hackers used credential stuffing to access accounts and obtain sensitive information such as names, family trees, and chromosomal data. This prompted a joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the UK's Information Commissioner's Office (ICO). The investigation focuses on 23andMe's compliance with data protection regulations and their response to the breach, which included mandatory password resets and multi-factor authentication.
Federal Privacy Commissioner Releases Annual Report Highlighting Privacy Trends
The Office of the Privacy Commissioner of Canada submitted its 2023-2024 Annual Report to Parliament, titled Trust, innovation, and protecting the fundamental right to privacy in the digital age. The report describes the OPC's key activities and achievements to protect and promote Canadians' right to privacy. It also provides statistics about privacy complaints and breaches reported to the OPC. Notably, the statistics show that twice as many individuals were affected by breaches compared to the previous year, but for a similar number of reported incidents.
Ontario Government Introduces New "Enhancing Digital Security and Trust Act 2024"
On May 13, 2024, the Ontario government introduced Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, aimed at strengthening digital infrastructure and data privacy protections within public entities and services in Ontario. If passed, Schedule 1 of that Bill would enact the Enhancing Digital Security and Trust Act, 2024 (EDSTA), and Schedule 2 would enact changes to the Freedom of Information and Protection of Privacy Act (FIPPA). These changes represent a significant shift for public entities in Ontario, and is one to watch. Keep an eye out for our detailed bulletin on the content of the Bill.
Alberta's Privacy Commissioner Makes Recommendations on Revisions to Private Sector Privacy Act
The Alberta privacy commissioner issued a statement, along with recommendations for updating their Personal Information Protection Act. This Act places obligations on private organizations when they process personal information. The recommendations of the commissioner focus on bolstering individual protections and rights, and follows the path of other robust privacy laws, such as the EU GDPR. The commissioner recommends implementing additional rights, rules to protect children's data privacy, and greater enforcement mechanisms, among other things. This may be a sign of things to come, so stay tuned.
The Quebec CAI Has Updated Its Fact Sheets on Identity Checks
In order to raise awareness among citizens and businesses, the Commission in Quebec has produced a series of fact sheets designed to answer questions about identity documents. Identity documents are usually issued by government bodies and serve specific purposes. Although they can be used to confirm a person's identity in certain situations, laws limit the contexts in which they can be required. If your organization handles identity documents within its business, these fact sheets may be a helpful tool.
CAI_FIC_Pieces_ID_Entreprises.pdf (gouv.qc.ca) (Available in French Only)
CAI_FIC_Pieces_ID_Citoyens.pdf (gouv.qc.ca) (Available in French Only)
Federal Privacy Commissioner Launches Consultations on Age-Assurance Systems
On June 10, 2024, Canadian Privacy Commissioner Philippe Dufresne launched a consultation seeking public input on age assurance technologies, announced at the International Association of Privacy Professionals Canada Privacy Symposium in Toronto, with a deadline of September 10, 2024. This consultation will assess the suitability and privacy implications of various online user age verification methods, including age declaration, verification, and estimation, aimed at protecting younger users from inappropriate content. The feedback gathered will inform the Office of the Privacy Commissioner of Canada (OPC) in developing policies and regulations, with plans to produce a guidance document and hold additional consultations. The OPC intends to release a joint international statement of principles on age assurance later in the year, showcasing efforts to enhance online safety for youth while respecting privacy rights.
United States
Vermont Passes New Consumer Privacy Law
On May 11, 2024, the Vermont Legislature passed a new consumer privacy act, the Vermont Data Privacy Act. The Act follows many of its State predecessors in extending individual rights and imposing obligations on organizations related to the protection of personal data. However, the law also provides an individual private right of action to pursue organizations for misuse of their sensitive information. This Act will take effect on July 1, 2025, so organizations have a little time to prepare for compliance.
New York Passes Law Restricting Kids Access to Addictive Algorithmic Feeds
On June 7, 2024, the Stop Addictive Feeds Exploitation (SAFE) for Kids Act and New York Child Data Protection Act were passed in New York State. The text of the bill can be found here. The SAFE Act requires social media companies to restrict addictive feeds on their platforms for users under 18 years of age; prohibits the sending of notifications at certain times of the day; and requires age verification processes to be established by all organizations. The New York Child Data Protection Act will prohibit online sites from collecting, using, sharing or selling personal data of anyone under the age of 18, unless they receive informed consent or unless doing so is strictly necessary for the purpose of the website.
California Approves Neurorights Act to Protect Neural Data
In April 2024, the California Senate approved amendments to the California Consumer Privacy Act through Bill SB 1223. These amendments aim to provide greater protection for an individual's neural data from misuse by corporations. The Bill adds neural data to the definition of sensitive personal information under the CCPA and applies the same protections in law over its use as other sensitive personal information. The definition of 'neural data' has been proposed as "information that is generated by the measurement of the activity of an individual's central or peripheral nervous systems that can be processed by, or with the assistance of, neurotechnology".
Europe
Dutch Data Protection Authority Publishes Guidelines on Data Scraping
The guidelines clarify that data scraping is the automated collection and recording of information from web pages. It reminds us that when scraping personal data, organizations must be compliant with the General Data Protection Regulation (GDPR), such as having an adequate legal basis, complying with principles of processing personal data, and more broadly, with the whole GDPR.
You can read the guidelines here. (available in Dutch only)
EDPB Launches Its Data Protection Guide for Small Businesses
The Guide provides practical information to SMEs about GDPR compliance and benefits in an accessible and easily understandable language. It covers various aspects of the GDPR, from data protection basics, to data subject rights and measures to secure personal data. It contains videos, infographics, interactive flowcharts, and other practical materials to help SMEs on their way to becoming GDPR compliant.
EDPS Publishes Guidelines on Generative Artificial Intelligence and Personal Data for EU Institutions, Bodies and Agencies
On June 3, 2024, the European Data Protection Supervisor (EDPS) released guidelines for EU institutions, bodies and agencies on using generative AI while adhering to Regulation (EU) 2018/1725. These guidelines highlight core data protection principles, practical examples, and advice on identifying data processing activities, conducting impact assessments, and other key recommendations. Issued as part of the EDPS's role as an independent data protection authority, these guidelines aim to ensure EU institutions comply with relevant data protection laws. They are separate from the EDPS's role under the EU's Artificial Intelligence Act, for which a different strategy is being prepared.
French CNIL Publishes Recommendations for Use of Open Data on the Internet
Following a public consultation, the Commission Nationale de l'Informatique et des Libertés (CNIL) issued on June 12, 2024, its recommendations (Available in French Only) on open data and the reuse of data published on the Internet. These guidelines are designed to assist professionals in balancing their obligations and interests with the rights of individuals regarding their personal data.
In Case You Missed It!
The Fasken Privacy and Cybersecurity group published the following articles recently, that might be of interest.
Fasken was named Privacy Team of the Year at the 2024 PICCASO Awards Canada. The PICCASO Awards Canada are the first in North America, celebrating the excellence in Canadian privacy thought leadership, policy and practice.
Where You Will Find Us
Soleïca Monnier, from our Montreal office, discusses feedback on Law 25 in Québec, 6 months after most obligations came into effect, at the PolySecure podcast. Are you late? Listen to the podcast (Available in French Only) to discover the three types of business identified and find out which one you assimilate to.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.