Privacy & Cybersecurity in Canada, the US and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
Canadian Privacy Commissioners Release a Joint Resolution for Identifying and Mitigating Harms From Privacy-Related Deceptive Design Patterns
Canada’s privacy commissioners and ombudsmen have issued a joint resolution urging organizations to avoid the use of deceptive design patterns on their websites and mobile applications. These deceptive design patterns, also referred to as “dark patterns,” are employed to influence, manipulate, or coerce users into making decisions that compromise their privacy. This resolution was adopted during the annual meeting of Canada’s privacy commissioners, which took place in Toronto last October. It follows an investigation of websites and applications conducted by the Global Privacy Enforcement Network (GPEN).
Learn more by reading our recent bulletin titled Privacy-Protective Design for Websites and Apps: Lessons from the Federal Privacy Commissioner’s Report on Deceptive Design Patterns.
Global Privacy Authorities Issue Follow-Up Joint Statement on Data Scraping After Industry Engagement
The Privacy Commissioner of Canada and several global counterparts are highlighting how social media companies can better protect personal information in the context of mass scraping within social media platforms. The joint statement issued last year outlines key privacy risks associated with data scraping, i.e. the automated extraction of data from the web, including social media platforms and other websites that host publicly accessible personal information.
This follow-up joint statement lays out further expectations, including that organizations:
- Comply with privacy and data protection laws when using personal information, including from their own platforms, to develop artificial intelligence and large language models;
- Deploy a combination of safeguarding measures and regularly review and update them to keep pace with advances in scraping techniques and technologies; and
- Ensure that permissible data scraping for commercial or socially beneficial purposes is done lawfully and in accordance with strict contractual terms.
Quebec
A New President for the Quebec Commission d’accès à l’information
Me Lise Girard has been appointed (in French only) President of the Commission d’accès à l’information by the Quebec National Assembly. She took office on November 8.
Quebec Adopts Regulation Respecting the Management and Reporting of Information Security Incidents by Certain Financial Institutions and Credit Reporting Agents
Effective April 23, 2025, a new regulation will impact certain actors within Quebec’s financial sector. This regulation mandates the adoption of an information security incident management policy and the formal designation of an individual responsible for this process. Incidents that exceed a specified risk threshold must be reported to the Autorité des marchés financiers within 24 hours, followed by updates every three days and a final report within 30 days. Additionally, all incidents must be documented in a register maintained for five years. Non-compliance with these requirements may result in administrative penalties of $1,000 or $2,500 for organizations.
United States
The Consumer Financial Protection Bureau Issues Guidance on the Digital Surveillance of Employees
With the increase of digital and remote work, technology companies have developed tools to assist organizations with tracking, assessing and evaluating their employees online. Some employers monitor their employees’ sales interactions, their driving habits, the time they take to complete tasks, the number of messages sent, and the quantity and duration of meetings they attend. This information is used for decisions related to hiring and pay, and for managing employees more generally, including taking disciplinary action. The guidance specifies that organizations employing algorithmic tools and third-party consumer reports for employee evaluation must comply with the Fair Credit Reporting Act.
Europe
First Report Under the EU-U.S. Data Privacy Framework
The European Data Protection Board (“EDPB”) adopted its first report under the EU-U.S. Data Privacy Framework (“DPF”) and a statement on the recommendations on access to data for law enforcement authorities.
Regarding the DPF, it notes several developments:
- The U.S. Department of Commerce has implemented the certification process by developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities.
- The redress mechanism for EU individuals has been implemented, and comprehensive complaint-handling guidance has been published on both sides of the Atlantic.
Regarding recommendations on access to personal data by U.S. public authorities, the EDPB emphasized the effective implementation of safeguards introduced by Executive Order 14086 within the U.S. legal framework, including the principles of necessity and proportionality, as well as the new redress mechanism. Although the EDPB acknowledges that the elements of the redress mechanism are established, it states that the European Commission must monitor the practical functioning of these various safeguards, such as the application of the principles of necessity and proportionality and future developments related to the U.S. Foreign Intelligence Surveillance Act.
Finally, the Board recommends that the next review of the EU-U.S. adequacy decision should take place within three years or less.
Competitors Can Sue Over Data Protection Violations
A German Federal Court of Justice asked the Court of Justice of the European Union (CJEU) if the GDPR permits national laws allowing competitors to sue for alleged GDPR violations. In its decision C-21/23 dated October 4, 2024 (ND v. DR), the CJEU ruled that the GDPR does not prevent national laws from enabling such legal actions as unfair commercial practices in civil courts.
In addition, the CJEU ruled that data entered by pharmacy customers when ordering online is health data under the GDPR, as it can indicate an individual’s health status.
New Product Liability Directive Taking Into Account AI
On November 18, 2024, the EU Directive 2024/2853 on liability for defective products took effect, replacing the 1985 Directive. This revision addresses legal gaps arising from advancements in artificial intelligence, circular economy models, and global supply chains. It clarifies the definition of “product” to ensure legal consistency and consumer protection. The new Product Liability Directive now also covers digital products, such as digital design documents and software, including AI systems. Additionally, developers or manufacturers of software, including providers of AI systems as defined by the AI Regulation (EU) 2024/1689, are regarded as manufacturers under the directive. As a result, they can be held accountable for damages caused by the use of their AI systems, even without a contractual relationship between the software manufacturer and the claimant.
In Case You Missed It!
Webinar
The Fasken Privacy and Cybersecurity group invites you to attend our upcoming annual privacy webinar, which will cover the latest developments in privacy and cybersecurity across North America and Europe.
Bulletin
The Fasken Privacy and Cybersecurity group recently published the following articles and provided the following training, which might be of interest.
Where You Will Find Us
Members of our Privacy and Cybersecurity group will be speaking at or attending the following events in the coming months. Keep an eye out for our team and stop by to say hi!
About Fasken’s Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.