ARTICLE
5 March 2026

Fasken's Noteworthy News: Privacy & Cybersecurity In Canada And The EU (February 2026)

F
Fasken

Contributor

Fasken logo
Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm’s website at fasken.com.
Explore Firm Details
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates.
Worldwide Privacy
Julie Uzan-Naulin,Rémi Slama, LLM, and Dongwoo Kim
Your Author LinkedIn Connections
Julie Uzan-Naulin’s articles from Fasken are most popular:
  • within Privacy topic(s)
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Banking & Credit, Business & Consumer Services and Oil & Gas industries

Privacy & Cybersecurity in Canada and the EU

This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.

Canada

Declaration of Cooperation Between the Privacy Commissioner of Canada and the French Data Protection Authority (CNIL)

The Privacy Commissioner of Canada and the President of the CNIL signed a declaration of cooperation between the two authorities on the sidelines of the virtual meeting of the G7 data protection authorities on December 10, 2025.

This agreement aims to strengthen collaboration between the two authorities through joint research on emerging technologies and data protection issues, the sharing of best practices and investigative methods, the exchange of regulatory strategies, and the organization of workshops. The partnership is intended to deepen institutional and human ties while enhancing their shared understanding of new technologies, enabling both authorities to better address personal data protection challenges affecting citizens in Canada and France.

Competition Bureau Report on Data Portability

The Competition Bureau has released Your Data, Your Control, a report examining how data portability can enhance consumer choice and strengthen competition in Canada. The Bureau estimates that enabling consumers to securely transfer their data between service providers, using the insurance sector as a case study, could generate $1.1 to $3.8 billion in annual savings for Canadians.

The report highlights key factors for an effective data portability framework, including strong privacy protections, clear consent rules, high interoperability across digital platforms, and lessons from international models such as the EU, the UK, and Australia.

Office of the Privacy Commissioner of Canada Adds 'Neural Data' as Sensitive Information in Interpretation Bulletin

The Office of the Privacy Commissioner of Canada (the "OPC") has updated its Interpretation Bulletin on sensitive information to explicitly include neural data as a category of personal information that is generally considered sensitive and therefore warrants heightened protection. Neural data refers to information gathered by measuring the activity of an individual's nervous system through neurotechnology. As technology companies increasingly develop products capable of collecting and analyzing neural data, and with jurisdictions such as California already recognizing it as sensitive personal information, this minor revision signals the growing importance of addressing the privacy implications associated with the expanding use of neurotechnology.

Ontario and British Columbia Privacy Commissioners Release Guidelines for Use of AI Scribes in Healthcare

On January 28, 2026, Ontario and British Columbia privacy commissioners each released guidance on the use of AI scribes in the healthcare sector. The publications of the guidelines underscore growing recognition of the need to address privacy and AI governance risks related to the proliferation of AI scribes in the healthcare sector, especially following recent privacy incidents involving AI scribe tools in recent years.

Both Ontario and British Columbia commissioners provide guidance for proper use of AI scribes primarily grounded in health privacy law considerations, such as the need to limit collection of personal health information, obtaining express consent, ensuring accuracy through human oversight, and implementing strong security safeguards. The guidelines also address issues relating to due diligence and contract enforcement with service providers, as well as AI-specific concerns such as bias in the AI systems.

In terms of their differences, Ontario adopts a broader AI governance framework, covering system development, procurement, and organizational oversight through an AI governance committee, while British Columbia focuses more narrowly on practical compliance measures for healthcare providers.

European Union

A Mutual Adequacy Decision Between Brazil and the EU

On January 26, 2026, the European Commission and Brazil adopted mutual adequacy decisions, confirming that their levels of data protection are comparable. This will ensure that personal data can flow freely and securely between the EU and Brazil without the need for additional requirements, such as entering into standard contractual clauses.

Updated FAQs on the EU Data Act

On January 22, 2026, the Frequently Asked Questions (FAQs), designed to assist stakeholders in the implementation of the legal provisions, were updated to take into account the comments of the stakeholders. The updated version further clarifies key concepts such as data in scope, the roles and responsibilities of the data holders and users, and how the Act interacts with other EU data legislation.

EDPB-EDPS Joint Opinion 1/2026 on the Digital Omnibus on AI

The EDPB and the EDPS supportthe proposal's main goal of addressing certain implementation challenges of the AI Act to ensure its effective application. They note that joint guidelines on how the GDPR and the AI Act interact are currently being developed with the European Commission and are expected later this year. This work aligns with commitments made by the EDPB to further strengthen GDPR compliance and support responsible innovation in Europe.

Another objective of the proposal is to reduce administrative burdens for businesses, public administrations, and the general public. While the EDPB and EDPS agree with this aim, they emphasize that such efforts must not weaken the protection of individuals' fundamental rights, particularly personal data protection. They recall that earlier drafts of the AI Act already included amendments intended to reduce burdens without compromising rights. They stress the need for a careful balance: administrative simplification should not undermine fundamental rights in the context of AI. The EDPB and EDPS caution against reducing existing safeguards in the AI Act without carefully considering their impact on individuals' rights. In their Joint Opinion, they highlight specific areas that require further attention and provide recommendations to ensure that the final version of the proposal maintains strong fundamental-rights protections and offers greater legal certainty for all stakeholders.

EDPB-EDPS Joint Opinion on Digital Omnibus

On February 10, 2026, the EDPB and the EDPS adopted a joint opinion on the proposal for a regulation concerning the simplification of the digital legislative framework (Digital Omnibus).

The EDPB and EDPS welcome several proposed changes aimed at improving harmonization, consistency, and legal certainty while reducing unnecessary administrative burdens, such as the new definition of scientific research, the limited exception allowing the processing of special categories of data for biometric authentication, the higher thresholds and extended deadlines for data breach notifications and Data Protection Impact Assessments (DPIAs), and the creation of common templates and lists for breach notifications and DPIAs.

However, the EDPB and EDPS warn that some proposed changes could weaken data protection rights—especially by narrowing the definition of personal data—and create legal uncertainty. They acknowledge the rationale behind other amendments but call for clearer safeguards in areas such as AI, sensitive data processing, access rights, transparency, and automated decision making.

Regarding changes relating to the ePrivacy Directive, the EDPB and EDPS support simplifying rules to reduce consent fatigue but warn that splitting these rules across different laws could create legal uncertainty. They recommend stronger safeguards, including allowing contextual advertising, and stress that data‑protection authorities must have effective powers to enforce the new rules.

Finally, the EDPB and EDPS welcome efforts to clarify and streamline the Data Acquis, including integrating DGA and ODD rules into the Data Act. They emphasize that public bodies are not required to allow reuse of personal data and that, in emergencies, only pseudonymized data should be shared when anonymous data is insufficient. They also call for strong safeguards, transparency, proper oversight, clearer enforcement rules, and continued guidance from EU bodies to ensure consistent and responsible data sharing.

Proposal for a Regulation for the EU Cybersecurity Act

The Commission has introduced a new cybersecurity package designed to further reinforce the EU's overall cybersecurity resilience and capabilities. A central element of this initiative is the proposed revision of the EU Cybersecurity Act. The updated Act seeks to enhance cybersecurity capacity, improve resilience, and prevent fragmentation within the EU's digital single market. It also aims to strengthen the security of ICT supply chains across the EU.

In addition, the proposal introduces a more streamlined certification process to ensure that products made available to EU citizens are secure by design. It is intended to simplify compliance with existing EU cybersecurity requirements and bolster the role of ENISA, the EU Agency for Cybersecurity, in supporting Member States and EU institutions in addressing cybersecurity threats.

Report on Civil Law Rules Applicable to Smart Contracts

The European Commission has published a new report assessing whether civil law rules across the EU create obstacles to the deployment of smart contracts in the single market and evaluating the potential of smart‑contract‑based tools for personal data management. The study includes an economic analysis of smart contracts, a comparative review of civil law rules in 30 EEA countries, a technical feasibility assessment linking legal challenges to technical solutions, and an examination of how distributed ledger technologies and smart legal contracts could facilitate access to and sharing of personal data.

In case you missed it!

The Fasken Privacy and Cybersecurity group recently shared the following thought leadership, which may be of interest.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Julie Uzan-Naulin
Julie Uzan-Naulin
Photo of Rémi Slama, LLM
Rémi Slama, LLM
Photo of Dongwoo Kim
Dongwoo Kim
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More