ARTICLE
2 July 2026

Fasken’s Noteworthy News: Privacy & Cybersecurity In Canada, The US, And The EU (June 2026)

F
Fasken

Contributor

Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm’s website at fasken.com.
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada Privacy
Sam Delechantos’s articles from Fasken are most popular:
  • with readers working within the Retail & Leisure industries
Fasken are most popular:
  • within Law Department Performance topic(s)
  • with Senior Company Executives, HR and Finance and Tax Executives

Privacy & Cybersecurity in Canada, the US, and the EU

This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.

Canada

Federal Privacy Law Reform

On June 15, 2026, the federal government introduced Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA), a proposed federal privacy statute that will replace the existing Personal Information Protection and Electronic Documents Act (PIPEDA). Bill C-36 will receive first reading in Parliament. This marks the third time since 2020 that the federal government has attempted to reform the federal private-sector privacy regime.

If enacted, the PPCDA would introduce a more robust enforcement framework, including the power for the regulator to issue binding orders and impose administrative monetary penalties of up to CAD $10 million for non-compliance. The proposed legislation would also recognize privacy as a fundamental right, require organizations to establish privacy management programs and conduct privacy impact assessments, and impose enhanced transparency obligations in relation to the use of artificial intelligence. In addition, the PPCDA would establish a more sophisticated framework for de-identification that distinguishes it from anonymization, and grant individuals new rights, including rights to data deletion and data mobility, as well as a private right of action.

See our recent bulletin for further discussion.

Canadian Government Publishes Its National AI Strategy

Canada has released its new national AI strategy, AI for All, a five‑year plan designed to translate the country’s strong AI research base into broad economic and societal benefits while reinforcing trust and sovereignty. The strategy positions AI as a core driver of productivity, competitiveness, and public service transformation. It aims to significantly increase AI adoption across the economy, create up to 250,000 jobs by 2031, and generate substantial economic growth, while ensuring AI is developed and deployed responsibly.

From a privacy and data governance perspective, the strategy signals:

  • Modernization of federal privacy legislation, including stronger individual rights and enhanced protections for children’s data;
  • New online safety and AI risk frameworks, addressing harms such as misinformation, deepfakes, and algorithmic risks; and
  • An emphasis on trusted AI, including transparency measures and potential certification mechanisms.

New Federal Online Harms Legislation

The federal government has introduced Bill C-34, the Safe Social Media Act, which would enact a new Digital Safety Act to address online harms, particularly those that affect children. The proposed legislation would impose obligations on three regulated services: social media, AI chatbots and online services. Operators of these regulated services would be required to, among other things, implement safety-by-design features and age measures for pornographic content and meet certain record-keeping requirements for transparency. The Act would also impose age restrictions on certain social media services to prevent children under 16 years of age from having accounts on these services. A Digital Safety Commission of Canada would be created to oversee compliance with the Act.

Ontario Superior Court Awards $21.5 Million For Intrusion Upon Seclusion

The Ontario Superior Court of Justice has founda plastic surgeon and his company liable to a class of approximately 7,000 patients regarding his use of video surveillance cameras at a medical clinic.

The clinic was found to have operated surveillance cameras in multiple areas of the clinic, including reception and waiting rooms, hallways, staff areas, consultation and treatment rooms, the operating room, and post-operative recovery spaces.

The Court concluded, among other things, that in operating surveillance in private areas of the clinic without patient knowledge or consent: the defendants were negligent, breached their fiduciary duties to patients, and committed the tort of intrusion upon seclusion.

The Court awarded aggregate damages of $21.5 million for intrusion upon seclusion, along with $1 million in punitive damages. As claims for negligence and breach of fiduciary duty require proof of individual harm, the Court directed the parties to propose a process for adjudicating those claims on an individual basis.

First Decision on the Implementation of Obligations Pursuant to Act 25

In this decision (in French only), two prospective tenants challenged Gestion immobilière Vesta inc.’s personal information collection practices. The Commission d’accès à l’information du Québec (CAI) found that the company was collecting unnecessary information, including social insurance numbers. The CAI reaffirmed the data minimization principle (only information strictly necessary may be collected) and identified deficiencies in the company’s privacy policies and practices. In this context, the CAI ordered the company to cease excessive data collection and to implement and publish privacy policies compliant with Law 25, including a privacy policy, a governance framework, and the identification of a privacy officer.

CAI Five-Year Report

The 2026 five-year report (in French Only) of the CAI was tabled in the National Assembly on June 11, 2026. The Commission is closely examining the impact of technological developments—particularly artificial intelligence—on privacy and access to information. The legal framework has evolved to address these new realities, notably through the adoption of major legislation such as Law 25 and the Act respecting health and social services information. Entitled Transparency and Privacy: Protecting Democracy in the Digital Age, the report sets out numerous findings, and 74 recommendations organized around four main areas: (i) Access to documents held by public bodies; (ii) Protection of personal information; (iii) the Act respecting health and social services information; (iv) the powers of the CAI.

United States

Vermont Passes New Privacy Legislation

On May 29, 2026, the Vermont legislature passed the Vermont Data Privacy and Online Surveillance Act. The Act will apply to anyone who does business in the State of Vermont or offers products or services to Vermont residents and engages in the processing of personal data at certain thresholds stipulated within the Act. The bill was subsequently signed into law by the Vermont governor on June 16, 2026, and will take effect on January 1, 2028.

European Union

Commission Nationale de l’Informatique et des Libertés' (CNIL) Annual Report

The year 2025 (in French only) was notably marked by a significant increase in complaints received, an unprecedented total amount of fines, and a record number of personal data breach notifications.

Despite resource constraints, it continues to adapt, especially in response to the new AI Regulation, and is developing innovative tools for the public, including an app for teenagers.

G7 2026: CNIL Hosts the Data Protection and Privacy Authorities Roundtable in Paris

In the context of France’s G7 presidency in 2026 (in French only), the CNIL will host the annual meeting of the Data Protection Authorities Roundtable in Paris from June 23 to 26 (bringing together Germany, Canada, the United States, France, Italy, Japan, the United Kingdom, as well as the European Union). This meeting will take place in an international context characterized by the rapid growth of digital technologies, particularly artificial intelligence, and increasing expectations regarding the protection of personal data.

As part of the French presidency, several working groups will continue their work throughout the year and report on their progress:

  • Emerging technologies
  • Enforcement cooperation
  • Free flow of data EDPB Template for Data Breach Notification

EDPB Template for Data Breach Notification 

The European Data Protection Board (EDPB) has introduced a standard template for data breach notifications to simplify GDPR compliance and ensure consistency across the European Union. This template helps organizations and Data Protection Authorities (DPAs) structure and harmonize reporting, ensuring all required information under Article 33 General Data Protection Regulation is included.

The template is open for public consultation until August 5, 2026, after which the EDPB will set a timeline for its implementation across all DPAs.

In Case You Missed It!

The Fasken Privacy and Cybersecurity group published the following article recently, that might be of interest.

Awards

We are pleased to announce several of our lawyers were recognized in the Lexpert Special Edition: Technology 2026 guide. See the full list of everyone recognized here.

These recognitions reflect the strength of our teams across multiple specialties including Media and TelecommunicationsInformation TechnologyCommunicationsEmerging TechnologyPrivacy & Cybersecurity, and Intellectual Property.

About Fasken’s Privacy and Cybersecurity Group

As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by clients from all sectors. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.

There have been a lot of updates in privacy and cybersecurity in the last month. Read on to find out what they are.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More