Privacy & Cybersecurity in Canada, the US and the EU

This is a monthly bulletin published by the National Privacy and Cybersecurity team at Fasken. The information contained herein includes noteworthy news, topics, discussions and cases in the privacy & cybersecurity landscape. If you have any questions about any of the topics herein, please reach out to our friendly Fasken Privacy and Cybersecurity team.

This Month's Noteworthy News

Artificial Intelligence Act: European Council and European Parliament Provisionally Agree on Deal

On February 2, 2024, the Council of Europe presidency and the European Parliament reached a provisional agreement on the proposed AI Act. Notably, the agreement addresses high-impact AI models and high-risk systems, and introduces a revamped governance system with increased enforcement powers. Prohibitions are expanded, permitting law enforcement's use of remote biometric identification in public spaces with strict safeguards. Deployers of high-risk AI systems must conduct a fundamental rights impact assessment for enhanced protection. This marks a new step toward unified AI regulations in the European Union.

New Hampshire Passes Comprehensive Privacy Law

On January 18, 2024, the New Hampshire Senate passed a comprehensive privacy bill, which moves to the Governor's desk for signature. The law is the latest in a proliferation of US state privacy laws. If enacted, it becomes the 14th state privacy bill. The bill is substantially similar to the model implemented in the Washington Privacy Act. It is enforceable by the state AG and includes a discretionary 60-day cure period. The new law will take effect January 1, 2025.

Federal Canadian Privacy Commissioner Releases Strategic Plan

In January 2024, the Federal Office of the Privacy Commissioner released its strategic plan for 2024 to 2027. The 3 main focuses of the plan are (1) protecting and promoting privacy with maximum impact, (2) addressing and advocating for privacy in a time of technological change, and (3) championing children's privacy rights. Although not directly impacting organizations right now, these plans indicate the direction that regulators will take in the next few years. It is worthwhile for any organization that processes personal information to take note of these regulatory priorities.

Federal Trade Commission Bans Organization from Selling Consumer Location Data

On January 18, 2024, the Federal Trade Commission ("FTC") announced a proposed order that prohibits a data aggregator organization based in Texas from selling or licensing any precise location data of consumers. The organization has collected location information from a variety of sources, including its own apps and third-party apps for advertising purposes. The FTC determined that the organization failed to obtain informed consent, both directly and through third-party app partners. It also determined that the organization retained data too long (for 5 years), and ordered the organization to delete consumer data. The FTC's announcement can be found here.

Update on the Status of Canadian Adequacy for EU Transfers

On January 15, 2024, the European Commission ("Commission") published a report renewing Canada's adequacy status under the General Data Protection Regulation ("GDPR").

As a reminder, under the GDPR, transfer of personal information outside of the European Union is possible under certain conditions. Such a transfer is permitted if the Commission has decided that the recipient country ensures an adequate level of protection (GDPR, s. 45). Reviews of adequacy are generally conducted every 4 years.

The Canadian adequacy decision relates to personal data transferred from the EU to recipients subject to PIPEDA. There is no mention of the Quebec Act 25, and thus, any transfer from the EU to Quebec recipients will not benefit from the adequacy decision.

Indefinite Retention of Personal Data Not Allowed in EU

The Court of Justice of the European Union (CJEU) ruled on January 30, 2024, that the general and undifferentiated storage, until death, of biometric and genetic data of criminally convicted persons is contrary to Union law. The details of the case can be found here.

In addition, in the CJEU's view, EU law requires national legislation to require data controllers to check regularly whether data retention is still necessary and to grant data subjects the right to have their data erased if this is no longer the case.

In Case You Missed It!

The Fasken Privacy and Cybersecurity group recently published the following articles that might be of interest.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.