Privacy & Cybersecurity in Canada, the US and the EU

This is a monthly bulletin published by the National Privacy and Cybersecurity team at Fasken. The information contained herein includes noteworthy news, topics, discussions and cases in the privacy & cybersecurity landscape. If you have any questions about any of the topics herein, please reach out to our friendly Fasken Privacy and Cybersecurity team.

This Month's Noteworthy News

Federal Trade Commission Issues Statement on Quietly Changing Your Privacy Policy

On February 13, 2024, the U.S. Federal Trade Commission ("FTC") issued guidance stating that companies that change their privacy policies quietly and without notice to consumers, with changes primarily directed at collecting more information, may be engaging in unfair and deceptive practices. The FTC specifically called out changes to a privacy policy to permit the sharing of data for AI training and similar uses. This is a reminder to all organizations to carefully consider their collection, use and disclosure of personal information, whether consent has been obtained, and whether their privacy policy is accurate.

Draft Regulation for Anonymization in Québec

On December 20, 2023, the draft Regulation respecting the anonymization of personal information was published by the Government of Québec. The Regulation, as currently drafted, will apply to any person operating a private business in Québec, as well as to public bodies and professional orders in Québec. It echoes the introduction into Québec law, through Law 25, of the concept of "anonymization" and establishes the rules that must be followed to anonymize personal information in accordance with applicable laws, allowing the creation of output data that no longer qualifies as "personal information" and is thus exempt from legislative restrictions in this regard. We invite you to read our Fasken bulletin on this topic, co-authored by Julie Uzan-Naulin, William Deneault-Rouillard and Jade Paquin-Robidoux.

Biden Issues Executive Order Relating to Sensitive Personal Information

On February 28, 2024, Biden issued an Executive Order restricting access by countries of concern to Americans' bulk sensitive personal data and US government data when such access would pose an unacceptable risk to the national security of the United States. The rationale for this Order focuses on how bulk individual sensitive information can be misused or manipulated by advancing technologies, especially by countries of concern to the United States. The Biden Administration hopes that this Order will help prevent acts of espionage and blackmail against US citizens, and the Order indicates a focus on the expanding utility of personal data to all kinds of organizations and state actors.

Québec Privacy Commissioner Updates their Website

On February 29, 2024, the Commission d'accès à l'information du Québec updated its website with improved usability and functionality. The site includes useful guidance from the Commissioner on compliance with the new Act. In the coming months, the Commissioner's team intends to enrich the content of the website, particularly with respect to Law 25. The new website address is here.

California Regulator Publishes Draft Risk Assessment Guidance and Automated Decision Making Regulations

In March 2024, the California Privacy Protection Agency published its draft guidelines on how organizations should assess the risk of processing US data under the California Consumer Privacy Act ("CCPA"). These guidelines are only in draft form, but provide an indication of what regulators will expect from organizations in complying with their ongoing requirements under the CCPA. As a reminder, organizations have had an obligation under the CCPA to conduct risk assessments relating to their processing of personal data. The draft guidelines and automated decision-making regulations can be found here.

NIST Releases an Updated Cybersecurity Framework 2.0

On February 26, 2024, the National Institute of Standards and Technology ("NIST") updated its Cybersecurity Framework, which was originally published in 2014. The updated framework has broadened its scope so that it can be applied to organizations of varying cybersecurity maturity and in different industries. The framework offers standards related to cyber governance and risk management, artificial intelligence, supply chain and third-party risk management, zero-trust architecture, and security for the Internet of Things. Because the framework is an important standard that many organizations use to measure their cybersecurity compliance, organizations should become familiar with the updated version.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.