ARTICLE
2 December 2025

Fasken's Noteworthy News: Privacy & Cybersecurity In Canada, The US And The EU (November 2025)

Fasken

Contributor

Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm’s website at fasken.com.

Privacy & Cybersecurity in Canada, the US and the EU

This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.

Canada

OPC Joins 2025 Global Privacy Enforcement Network Sweep Focused on the Protection of Children's Privacy

The Office of the Privacy Commissioner of Canada (OPC) is among more than 30 data protection and privacy authorities from around the world that will examine websites and mobile applications commonly used by children as part of a Global Privacy Enforcement Network privacy sweep taking place in November. Regulators will examine whether websites and mobile applications that are known to be used by children, or that cater to them, collect children's data, are transparent about their privacy practices, have age-assurance mechanisms in place, and employ privacy-protective controls to limit the collection of children's personal information. The results of the sweep will be compiled and published in a report in the coming months.

Ontario Privacy Commissioner Provides Updated Privacy Impact Assessment Guide

The Information and Privacy Commissioner of Ontario (IPC) has updated its Privacy Impact Assessment (PIA) Guide to assist public-sector institutions in complying with new obligations under Ontario's Freedom of Information and Protection of Privacy Act. As of July 1, 2025, institutions must complete a written PIA before collecting personal information to evaluate privacy and security risks and outline prevention and mitigation steps, unless a regulatory exception applies. The updated PIA Guide provides institutions with step-by-step advice on how to conduct a PIA from beginning to end.

New De-identification Guidelines in Ontario

The IPC has updated its De-identification Guidelines for Structured Data to help organizations innovate and maximize the benefits of data while safeguarding individual privacy. The updated guidelines offer practical tools like step-by-step processes and checklists, case studies, and a glossary of terms. In particular, the new guidelines are intended to address growing trends and concerns, such as interoperability.

National Cybersecurity Consortium Announces C$20.9M in Funding for Privacy and Cyber Projects

On October 22, the National Cybersecurity Consortium (NCC) announced C$20.9 million in funding for 31 Canadian projects focused on cybersecurity and privacy, representing C$40.6 million in ecosystem activity. These initiatives aim to advance training, commercialization, and research and development to strengthen Canada's cyber resilience.

United States

California Enacts Digital Age Assurance Act to Strengthen Online Safety for Children

On October 13, 2025, California Governor Gavin Newsom signed the Digital Age Assurance Act (AB 1043) into law. The Act introduces new age verification requirements for operating system providers and app stores, effective January 1, 2027. Covered entities must provide an accessible interface at account setup to collect a user's birth date or age and transmit an age bracket signal to app developers via a secure API.

The law aims to reduce risks associated with online tracking and inappropriate content by shifting age assurance responsibilities to operating systems rather than individual apps. Violations can result in fines of up to US$7,500 per child for intentional breaches.

European Union

Interplay Between the AI Act and the EU Digital Legislative Framework

The Artificial Intelligence Act (AI Act), adopted in June 2024, is the world's first comprehensive regulatory framework for AI. It sits at the centre of the EU's broader digital rulebook, alongside the General Data Protection Regulation (GDPR), the Data Act, the Digital Services Act (DSA), the Digital Markets Act (DMA), the Cyber Resilience Act (CRA), and the NIS2 Directive. Together, these laws aim to promote safety, trust, and competitiveness in Europe's digital economy. However, questions arise about how they interact and whether their combined effect strengthens or burdens the EU's AI ecosystem. The full EU Parliament report examines how the AI Act interrelates with other EU digital instruments and how their cumulative obligations affect innovation, coherence, and competitiveness in Europe's AI market. It serves as a prelude to the Digital Omnibus package (see below).

Towards a Simplification of the GDPR?

The European Commission is preparing a new phase in the EU's digital governance. Known as Digital Omnibus, this package aims to simplify overly complex regulations and strengthen consistency among major texts adopted since 2020 on data, cybersecurity, and artificial intelligence. In particular, regarding cookies, the European Commission has proposed that the processing of personal data on and from user terminals – such as phones and computers – be governed only by the GDPR. This would replace the current dual regime, which involves both the GDPR and the ePrivacy Directive on privacy and electronic communications.

Behind the technical objective, the challenge is, of course, political: to consolidate European digital sovereignty. Over the past five years, the European Union has produced a series of structural texts, starting with the GDPR for the protection of personal data, the Data Governance Act and the Data Act to regulate data sharing, the Digital Markets Act (DMA) and the Digital Services Act (DSA) to regulate large platforms, not to mention the Cyber Resilience Act and the AI Act, the world's first framework for artificial intelligence.

EDPB Adopts Opinion on Brazil Adequacy

During its latest plenary, the European Data Protection Board (EDPB) adopted an opinion on the European Commission's draft decision on the adequate level of protection of personal data in Brazil. The opinion, requested by the Commission, assesses whether Brazil's data protection framework and its rules on government access to EU-transferred personal data offer safeguards essentially equivalent to those in EU law. The Board positively notes the close alignment with EU legislation and the case law of the Court of Justice of the EU (CJEU). It also evaluates whether these safeguards are effectively implemented.

Once adopted, the decision will ensure that personal data can flow freely from Europe to Brazil and that individuals can retain control over their data.

Interplay Between GDPR and DMA

Following the guidelines on the interplay between the GDPR and DSA (see our previous newsletter), the European Commission and the EDPB have adopted joint guidelines regarding the interplay between the GDPR and the Digital Markets Act (DMA).

These Guidelines on the interplay between the DMA and the GDPR aim to ensure that the DMA and the GDPR are interpreted and applied in a compatible manner, enabling a coherent application that achieves their respective objectives, in line with relevant CJEU case law. A consistent and coherent interpretation of the DMA and the GDPR should mutually reinforce and maximize the achievement of the respective objectives of the two frameworks, while fully respecting the protection of the fundamental right to data protection as enshrined in Union law.

Extension of the UK's Adequacy Decisions: EDPB Adopts Opinions

The EDPB has adopted two opinions on the European Commission's draft decisions to extend the validity of the UK adequacy decisions under the GDPR and the Law Enforcement Directive (LED) until December 2031.

Requested by the Commission under Art. 70(1)(s) GDPR and Art. 51(1)(g) LED, the opinions address the proposed six-year extension of the UK adequacy decisions, currently set to expire in December 2025.

About Fasken's Privacy and Cybersecurity Group

As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by clients from all sectors. Our group is recognized as a leader in the field, earning accolades such as the PICCASO 'Privacy Team of the Year' award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
