Privacy & Cybersecurity in Canada and the US

This is a monthly bulletin published by the National Privacy and Cybersecurity team at Fasken. The information contained herein includes noteworthy news, topics, discussions and cases in the privacy & cybersecurity landscape.

This Month's Noteworthy News

Anonymization in Quebec

The Commission d'accès à l'information du Québec ("CAI") has created a "modernizing laws" section of its website, where it posts guidance documents and forms relevant to the amendments to the Québec Privacy Law. Corporations should be aware of the position put forward by the CAI on anonymization. The following statement appears there in French (unofficial English translation):

As of September 22, 2023, applicable laws provide for the possibility of anonymizing personal information, an alternative to its destruction. However, public bodies and businesses must be able to anonymize this information according to generally accepted best practices and according to the criteria and procedures determined by government regulation. In the absence of government regulations, organizations and businesses will not be able to anonymize personal information.

Government of Canada Releases Guidelines on Protecting Youth Online

The Office of the Privacy Commissioner of Canada (OPC) and privacy regulators from across Canada have released two companion documents (accessible here) to support a recent joint resolution aimed at strengthening privacy protections for young people.

The resolution was adopted by federal, provincial and territorial privacy regulators. One document is aimed at organizations and addresses the principles set out in the resolution, such as building privacy-by-design features into their products. The other document is aimed at people who care for youths, and details how they can better protect youths in their care.

Cyberattacks Increasing in Canada

Ernst & Young conducted its 2023 Global Cybersecurity Leadership Insights Study earlier in 2023. It published its findings in October 2023, emphasizing that although organizations are investing more in cybersecurity, attackers are also becoming more sophisticated, and attack surfaces are expanding. The number of cyberattacks is increasing around the globe, and Canada is no exception. Corporations should keep a close eye on their cybersecurity program.

Biden Issues Executive Order to Regulate AI

The Biden-Harris Administration has issued an Executive Order aimed at managing the risks of artificial intelligence technologies. Among other things, the Executive Order calls on organizations to adopt responsible practices for AI development, on Congress to pass a bipartisan privacy law, and on developers of AI technology to share their safety results and other critical information with the US Government. This Order follows quickly after the European Union passed its own AI legislation earlier in 2023, signalling that AI regulation is here to stay.

G7 Issues Statement on Hiroshima AI Process

On October 30, 2023, the G7 Leaders issued a Statement on the Hiroshima AI Process, reflecting the adoption of Guiding Principles and a Voluntary Code of Conduct for organizations developing advanced AI systems. The stated purpose of the Hiroshima AI Process is to "foster an open and enabling environment where safe, secure, and trustworthy AI systems are designed, developed, deployed, and used to maximize the benefits of the technology while mitigating its risks, for the common good worldwide, including in developing and emerging economies with a view to closing digital divides and achieving digital inclusion".

Quebec Guidelines – Criteria for Validity of Consent

On October 31, 2023, the Commission d'accès à l'information du Québec released the final version of its guidelines on the Criteria for the Validity of Consent. Additional information and a link to the guidelines document are available here.

UK-US Data Bridge Approved

Following the European Commission's decision to pass the EU-US Data Privacy Framework ("DPF"), the UK has now passed the Data Protection (Adequacy) (United States of America) Regulations 2023 (the "Regulations"). The Regulations came into force on October 12, 2023, allowing organizations to more freely transfer data between the two countries. Both UK data exporters and US data importers that use the UK-US Data Bridge will need to review and, where necessary, update their privacy policies, records of processing activities, contracts and other documents to ensure they are compliant with applicable data protection and data privacy law. The Framework and checklist are here.

In Case You Missed It!

The Fasken Privacy and Cybersecurity group recently published the following articles that might be of interest.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.