Canada

Ontario IPC Publishes Guidelines for Third-Party Contracting

The Information and Privacy Commissioner of Ontario issued guidelines for public bodies regarding privacy and transparency in contracting with third-party service providers. According to the IPC, these guidelines aim to promote adequate accountability for records and personal information throughout the procurement process.

BC Supreme Court Allows Appeal on Data Breach Class Action

On July 4, 2024, the BC Supreme Court allowed an appeal of a decision from a Chambers judge that a privacy class action based on a third-party hacker cyber incident was bound to fail. The Supreme Court judge reasoned that it was at least arguable that a data custodian who fails to adequately safeguard personal information in a data breach is liable for the statutory tort of violation of privacy, depending on the applicant's reasonable expectation of privacy and the acts of the organization in failing to safeguard personal information. The matter was remitted to the trial court for certification.

Federal Privacy Commissioner Participates in Privacy Sweep, Finding Majority of Websites and Apps Use Deceptive Design to Influence Privacy Choices

The Office of the Privacy Commissioner of Canada (OPC) coordinated and participated in a sweep of more than 1,000 websites and mobile apps, alongside 25 other privacy authorities. Of the websites and apps reviewed, 97% used deceptive design patterns that may influence individuals to give away more of their personal information online, and 89% of privacy policies were long or used complex language. The OPC suggests that clearly presenting privacy choices, using neutral language, and reducing the number of clicks for a user to find privacy information, log out, or delete an account are all ways that organizations can help protect user privacy online.

Europe

EU-Japan Deal on Data Flows Enters Into Force

On July 1, 2024, the landmark deal on cross-border data flows between the EU and Japan entered into force. This is part of the EU-Japan Economic Partnership Agreement, which is designed to promote the free flow of data between countries and support international cooperation. The European Commission issued a press release on the deal.

Council of the European Union Agrees Position on GDPR Enforcement Rules

On June 13, 2024, the Council reached a consensus on a unified stance among member states regarding a new law aimed at enhancing collaboration between national data protection authorities in the enforcement of the General Data Protection Regulation (GDPR). Once this regulation is adopted, it will offer mechanisms to streamline the handling of cross-border complaints submitted by individuals or organizations, as well as any related investigations. This improvement is primarily due to the standardization of the criteria for the admissibility of cross-border actions. No matter where within the EU a citizen files a complaint concerning cross-border data processing, the admissibility will be evaluated based on the same set of information.

European Data Protection Board Publishes Documents for AI Auditing

On June 27, 2024, the European Data Protection Board published documents under the AI Auditing project, which aims to map, develop and pilot tools that help evaluate the GDPR compliance of AI systems and applications. These documents help organizations to understand and assess their data protection safeguards in the context of the new EU AI Act, and could be a reference point for any organizations looking to securely develop and deploy AI tools.

European Parliament Publishes Rules on Artificial Intelligence

On July 12, 2024, the European Parliament published a Regulation relating to the development and use of artificial intelligence. The Regulation prescribes the measures to be taken by organizations when designing, deploying and using AI, and sets out which types of AI practices are prohibited and which types of AI are "high risk" and subject to additional requirements. The Regulation also imposes obligations on EU member states to adopt measures to support innovation, such as setting up AI regulatory sandboxes. It applies to any providers who are placing AI systems on the market or putting them into service in the EU, irrespective of whether those providers are based in the EU or another country. Organizations providing AI should be aware of any obligations they may have under this new Regulation.

