Privacy and Cybersecurity in Canada, the United States and the EU
This is a monthly publication produced by Fasken’s National Privacy and Cybersecurity team. The information contained herein includes noteworthy news, topics, discussions, and cases in the areas of privacy and cybersecurity. If you have any questions concerning the topics mentioned, please contact our friendly Fasken Privacy and Cybersecurity team.
This month’s hot news
Canada
Quebec’s new health information law will come into effect on July 1, 2024
On June 12, 2024, the Quebec Minister of Health announced that some provisions of Quebec’s new Act on Health and Social Services Information will come into force on July 1, 2024. This is a significant change that will facilitate smoother dissemination of health and social services information across the network and ensure its protection. The Act is available on the Quebec National Assembly’s website.
In late 2023, 23andMe faced a major data breach affecting almost seven million users. Hackers used credential stuffing to gain access to accounts and obtain sensitive information, including names, family tree, and chromosome data. This prompted a joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the UK’s Information Commissioner’s Office (ICO). The investigation focuses on 23andMe’s compliance with data protection rules and its response to the breach, including forced password resets and multi-factor authentication.
Federal Privacy Commissioner releases annual report highlighting privacy developments
The Office of the Privacy Commissioner of Canada has tabled its 2023-2024 Annual Report to Parliament, entitled Protecting Trust, Innovation and Fundamental Rights of Privacy in a Digital Age. The report describes the OPC’s key actions and accomplishments to protect and promote the privacy rights of Canadians. It also provides statistics on privacy complaints and breaches reported to the OPC. Notably, the statistics show that the number of individuals affected by breaches is twice as high as the previous year, while the number of reported incidents is similar.
Ontario Government Introduces New “Enhancing Digital Security and Trust Act of 2024”
On May 13, 2024, the Ontario government introduced Bill 194, the Enhance Cybersecurity and Building Trust in the Public Sector Act, 2024, which aims to strengthen digital infrastructure and data privacy protections in Ontario’s public agencies and services. If passed, Schedule 1 to the bill would enact the Enhancing Digital Security and Trust Act, 2024 (EDSTA), and Schedule 2 would enact changes to the Freedom of Information and Protection of Privacy Act (FIPPA). These are significant changes for Ontario’s public agencies and are worth noting. Stay tuned for a detailed bulletin on the bill’s contents.
Alberta Privacy Commissioner Recommends Changes to Private Sector Privacy Act
The Alberta Privacy Commissioner has released a statement with recommendations for amendments to the Personal Information Protection Act. The act imposes obligations on private organizations that process personal information. The Commissioner’s recommendations focus on strengthening protections and rights for individuals, and follow the direction of other strong privacy laws such as the EU GDPR. The Commissioner’s recommendations include additional rights, rules to protect children’s data privacy, and implementing stronger enforcement mechanisms. This may be a sign of things to come, so stay tuned.
Quebec CAI has updated its fact sheet on identity verification
To raise awareness among the public and businesses, the Quebec Commission has developed a series of fact sheets answering questions about identity cards. Identity cards are typically issued by government agencies and are used for specific purposes. Although identity cards can be used to verify a person’s identity in certain circumstances, the law limits the circumstances in which identity cards are required. If your organization deals with identity cards within its operations, these fact sheets may be a useful tool.
CAI_FIC_Pieces_ID_Entreprises.pdf (gouv.qc.ca) (French only)
CAI_FIC_Pieces_ID_Citoyens.pdf (gouv.qc.ca) (French only)
America
Federal Privacy Commissioner launches consultation on age assurance
On June 10, 2024, Canadian Privacy Commissioner Philippe Dufresne spoke at the International Association of Privacy Professionals Canadian Privacy Symposium in Toronto, launching a consultation to solicit public input on age assurance technology, with a deadline of September 10, 2024. The consultation will assess the suitability and privacy impact of various online user age verification methods, including age declaration, verification and estimation, aimed at protecting younger users from inappropriate content. The collected feedback will help the Office of the Privacy Commissioner of Canada (OPC) develop policies and rules, and the OPC will develop guidance documents and conduct additional consultations. The OPC plans to publish an international joint statement of principles on age assurance later this year, outlining its efforts to enhance online safety for young people while respecting their privacy rights.
Vermont Passes New Consumer Privacy Law
On May 11, 2024, the Vermont General Assembly passed a new consumer privacy law, the Vermont Data Privacy Act. The act follows many of its state predecessors in expanding individual rights and imposing obligations on organizations related to protecting personal data. However, the act also provides individuals with a civil right of action to pursue organizations for misuse of confidential information. The act goes into effect on July 1, 2025, so organizations have some time to prepare for compliance.
New York passes law limiting children’s access to addictive algorithmic feeds
On June 7, 2024, New York State passed the Prevent Addictive Feed Exploitation Act (SAFE) and the New York State Child Data Protection Act. The bill text can be found here. The SAFE Act requires social media companies to restrict addictive feeds on their platforms for users under the age of 18, prohibits sending notifications at certain times of the day, and requires all organizations to establish an age verification process. The New York State Child Data Protection Act prohibits online sites from collecting, using, sharing, or selling personal data of users under the age of 18 unless informed consent is obtained or it is strictly necessary for the website’s purposes.
California Approves NeuroRights Bill to Protect Neurodata
In April 2024, the California Senate approved amendments to the California Consumer Privacy Act through SB 1223. These amendments aim to provide greater protection for individuals’ neurodata from misuse by companies. The bill adds neurodata to the CCPA’s definition of sensitive personal information, giving its use the same legal protections as other sensitive personal information. The proposed definition of “neurodata” is “information that is generated by measuring the activity of a person’s central or peripheral nervous system and that can be processed by or with the assistance of neurotechnology.”
Europe
The guidelines clarify that data scraping is the automated collection and recording of information from web pages. It is important to note that when scraping personal data, organizations must comply with the General Data Protection Regulation (GDPR), including having an appropriate legal basis, adhering to the principles for processing personal data, and more broadly complying with the GDPR as a whole.
The guidelines are available here (Dutch only).
EDPB Releases Data Protection Guide for Small and Medium-Sized Enterprises
This guide provides small and medium-sized businesses with practical information on GDPR compliance and benefits in accessible, easy-to-understand language. It covers various aspects of GDPR, from the basics of data protection to data subject rights and measures to protect personal data. It includes videos, infographics, interactive flowcharts and other practical material to help small and medium-sized businesses comply with GDPR.
EDPS publishes guidelines for EU institutions, organisations and government agencies on generative artificial intelligence and personal data
France’s CNIL issues recommendations on the use of open data on the Internet
For those who missed it!
The Fasken Privacy and Cybersecurity Group recently published the following article which we found interesting:
Fasken has been named Privacy Team of the Year at the 2024 PICCASO Awards Canada. The PICCASO Awards Canada is the first of its kind in North America and celebrates excellence in privacy thought leadership, policy and practice in Canada.
Our Location
In this PolySecure podcast, Soleïca Monnier from our Montreal office discusses feedback on Quebec’s Law 25, six months after most of the obligations came into force. Still lagging behind? Listen to the podcast (French only) to find out which of the three business types we identified applies to you.
