Privacy & Cybersecurity in Canada, the US and the EU

This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.

Canada

Call for Comments – Consultation on OPC Guidance Processes

The Office of the Privacy Commissioner of Canada (OPC) provides guidance to help organizations meet their privacy obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA). These materials explain how privacy regulations apply in practice, outline best practices for protection, identify potential risks, and clarify what the regulator expects. To ensure the guidance is as effective and user-friendly as possible, the OPC is currently inviting feedback on its development process, covering everything from format and presentation to content and the consultation approach.

Newest OPC Contributions Program Funding Cycle Targets Projects Focused on Online Gaming

The OPC has launched its 2026-2027 Contributions Program funding cycle with a call for proposals under the theme "Achievement unlocked: protecting privacy while online gaming." Gaming is an integral part of the entertainment landscape with nearly half of Canadian adults and 70% of Canadian teens regularly playing games online. To learn more about the privacy implications of gaming on individuals, the OPC is seeking proposals for projects that will advance knowledge related to the collection and use of personal data in the online gaming sphere.

United States

CISA Launches New Platform to Strengthen Industry Engagement and Collaboration

The Cybersecurity and Infrastructure Security Agency (CISA) has introduced its Industry Engagement Platform (IEP), designed to streamline communication and collaboration between CISA and private sector stakeholders, including vendors, researchers, and academia. The platform aims to simplify engagement processes, foster innovation, and enhance partnerships to address evolving cybersecurity challenges.

European Union

The EDPB Recommendations 2/2025 On the Legal Basis for Requiring the Creation of User Accounts on E-Commerce Websites Are Open for Public Consultation

On e-commerce websites, users are frequently required to create an online account before being able to access offers or purchase goods and services. Controllers generally justify the imposition of account creation for several reasons, such as to perform a sale, enable the subscription to services, grant access to exclusive offers to their users or facilitate the operational management of orders. While controllers in the e-commerce sector may have a commercial interest to require users to set up an account, the European Data Protection Board (EDPB) notes that such account creation may also expose data subjects to additional risks to their rights and freedoms.

In this document, the EDPB provides recommendations to controllers operating in the e-commerce sector on the conditions under which they may lawfully require their users to create an account. In particular, these recommendations set out examples of situations in which mandatory creation of an account may or may not be necessary. For example, the EDPB finds that imposing the creation of an online user account can be justified only for a very limited set of purposes, such as offering a subscription service or providing access to exclusive offers. Finally, the EDPB notes that a "guest" checkout mode, in which users can purchase without creating an account, is, in principle, the most privacy-protective option for enabling purchases, in line with the obligation of data protection by design and by default.

The EDPS Report on Potential High-Risk AI Systems Across the EU Public Administration

The European Data Protection Supervisor (EDPS) has published its High-Risk AI Systems Mapping Report, offering an overview of how EU institutions currently use AI and identifying which systems may fall under the "high-risk" category of Annex III of the AI Act. While EU bodies increasingly deploy AI tools — with a strong prevalence of generative AI and many additional systems in the development pipeline — the EDPS notes that these technologies can raise significant concerns for individuals' rights and freedoms, particularly when used in sensitive contexts.

In this report, the EDPS provides guidance to EU institutions on how to assess their AI tools, distinguish between ordinary and potential high-risk systems, and understand the maturity and deployment environments of the technologies they use. The document highlights typical characteristics of potential Annex III systems, such as a higher proportion of internal-facing functions, more traditional machine-learning techniques, and limited use of profiling. Finally, the EDPS stresses that many AI tools used by EU bodies remain at early stages of maturity and that careful mapping, documentation, and risk assessment are essential steps toward ensuring compliance with the AI Act.

FAQs on the Cyber Resilience Act

The Cyber Resilience Act (Regulation (EU) 2024/2847) (CRA) establishes rules for the market availability of products with digital elements to ensure their cybersecurity. It sets essential requirements for the design, development, production, and vulnerability management processes of such products. Additionally, the Act outlines obligations for economic operators and provides guidelines for market surveillance and enforcement. This preliminary set of technical Frequently Asked Questions (FAQs), published approximately two years before the entry into application of the CRA, is designed to assist stakeholders in the implementation of the CRA.

GDPR Reform Package

The first General Data Protection Regulation (GDPR) reform package, published in the EU Official Journal on December 12, 2025, is an important step in the ongoing development of EU data protection rules and marks the start of the next phase in the GDPR framework. This Regulation aims to ensure that investigations in cases concerning cross-border processing are carried out in accordance with the principle of good administration, in particular that they are carried out impartially, fairly and within a reasonable time. The handling of complaints and the conduct of investigations in cases concerning cross-border processing includes the determination of whether a case concerns cross-border processing.

