Privacy & Cybersecurity in Canada, the US, and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
Federal Bill C‑22 Tabled in Parliament
On March 12, 2026, the Government of Canada tabled Bill C‑22, titled An Act respecting lawful access. Bill C‑22 reintroduces the federal government’s proposed lawful‑access framework following the removal of similar provisions from Bill C‑2. While the bill narrows certain warrantless access powers and introduces additional oversight mechanisms, it would still expand law enforcement and national security agencies’ access to information and impose new regulatory and technical obligations on telecommunications providers and other electronic service providers.
For a detailed analysis of Bill C‑22 and its implications, see our recent bulletin.
OPC Issues New Decision on Retention and Anonymization
On March 5, 2026, the Office of the Privacy Commissioner of Canada (“OPC”) released a new findings report following an investigation into Loblaw Companies Ltd.’s (“Loblaw”) handling of personal information after members deleted their PC Optimum Loyalty Program accounts.
The OPC found that while Loblaw had processes to receive deletion requests, it failed to respond to some individuals in a timely manner. Although this aspect of the complaint was resolved after Loblaw implemented some procedural improvements, the OPC emphasized that organizations must be able to effectively and promptly address privacy-related challenges raised by individuals.
More significantly, the OPC concluded that Loblaw did not demonstrate that personal information retained after account closure was sufficiently anonymized. The decision underscores that anonymization must eliminate any serious possibility of re‑identification and requires ongoing risk assessment as technologies evolve, referencing the OPC’s 2023 investigation on collection and use of de-identified mobility data by the Public Health Agency of Canada. The OPC recommended that Loblaw either delete the retained data or obtain an independent third‑party assessment of its anonymization practices.
Global Joint Statement on AI-Generated Imagery and Privacy Protection
On February 23, 2026, the OPC, joined by approximately 60 international and domestic data protection and privacy authorities, issued a joint statement addressing the privacy implications of AI-generated images and videos.
The statement highlights fundamental privacy principles intended to guide organizations that develop or deploy AI content-generation systems. In particular, it emphasizes the need to protect individuals, including children, from potential harms associated with the creation and dissemination of non-consensual content, including intimate imagery generated through artificial intelligence.
The signatories encourage organizations to proactively engage with regulators and to integrate robust safeguards at the design stage of these technologies. They stress that AI systems capable of generating visual content should be developed and used in a manner that respects individuals’ privacy, dignity, safety, and other fundamental rights. The joint statement also reflects increasing regulatory attention to the risks posed by generative AI tools, particularly where such technologies may facilitate the creation of misleading or harmful imagery without the consent of the individuals depicted.
United States
White House Issues Executive Order on Cybercrime and US Cyber Strategy
On March 6, 2026, the White House issued an Executive Order “Combating Cybercrime, Fraud and Predatory Schemes Against American Citizens” along with publication of the Trump Administration’s Cyber Strategy. The Executive Order makes clear that cybercrime is pervasive and must be addressed by government. It presents a federal strategy to combat groups responsible for cybercrimes, such as ransomware, business email compromise and online fraud schemes, and directs federal agencies to coordinate on prosecution and enforcement of these crimes. In addition to the Executive Order, the new Cyber Strategy also clearly lays out the focus of the US government on preventing cybercrime and securing critical systems.
Federal Trade Commission Publishes Policy Statement Regarding Age Verification Technologies in Compliance With COPPA
On February 25, 2026, the Federal Trade Commission (“FTC”) issued a policy statement announcing that it will not bring enforcement action under the Children’s Online Privacy Protection Rule (“COPPA Rule”) against websites and online services that collect, use and disclose personal information for the sole purpose of determining a user’s age via age verification technologies, as long as these businesses comply with certain conditions. These conditions are set out in the policy statement for any businesses interested in whether they fall within this exemption.
California Privacy Protection Agency Fines Sports Media Company $1.1 Million Over Privacy Violations
On March 3, 2026, the California Privacy Protection Agency (“CPPA”) issued its decision against PlayOn Sports regarding its breach of privacy laws in California. PlayOn’s platform is used by US schools to sell digital tickets to high school sporting events, theater performances, and homecoming and prom dances. The CPPA’s decision included a requirement for PlayOn to pay a fine of USD$1.1 million and to change its business practices to comply with privacy laws. Among the violations, the platform required users to agree to tracking technologies while using the platform, without providing a sufficient opt-out. The information regarding a user’s visit to the platform was then used for targeted advertising purposes. The CPPA determined that these practices were not in compliance with privacy laws. Businesses should be aware of their obligations under California privacy laws when operating within the state.
European Union
Clarification of the Notions of Anonymization and Pseudonymization in France
Decision No. 498628 (in French only), issued on February 13, 2026, by the French Conseil d’État clarifies and reaffirms a fundamental principle: pseudonymization does not make data anonymous.
According to the Conseil d’État, data can be considered anonymized through pseudonymization only if the risk of identification is insignificant, meaning that such identification would be practically impossible—particularly because it would require a disproportionate amount of time, cost, and manpower.
In this case, with the data available to the applicants, it is possible to trace care pathways and identify patients and their medical conditions. Such individualization within the dataset required little time and few resources, notably the use of commonly available spreadsheet software and the nomenclature provided by the companies to associate alphanumeric codes with information about patients, the medical procedures performed, and prescribed treatments. The examples cited in the challenged decision show that the risk of re‑identification is high, particularly when prescribed treatments are rare and when relying on information otherwise held by the companies—such as data identifying healthcare professionals—or on third‑party data, including geolocation data, which may increase this risk. Finally, the fact that the companies themselves do not perform any data inference has no impact on the assessment of the possibilities for identifying individuals based on these data.
In other words, following a concrete assessment of the risk of data re‑identification, it was established that pseudonymization could be lifted using reasonable means.
In Case You Missed It!
Members of our Privacy and Cybersecurity group recently published the following articles that might be of interest.
Where you will find us
Members of our Privacy and Cybersecurity group will be speaking at or attending the following event in the coming months. Keep an eye out for our team and stop by to say hi!
- NetDiligence Cyber Risk Summit Toronto – April 8-9, 2026
About Fasken's Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by clients from all sectors. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.