Stay informed with the latest insights and updates

We are at the mid-year point of 2025 and the privacy landscape in Canada continues to evolve. This article highlights Canada’s top five notable developments in the privacy space in 2025 so far.

The Ontario Superior Court refused to certify a proposed class action against the Ministry of Children, Community and Social Services arising from an ODSP privacy breach. The court found that the facts as pleaded could not support the requisite intent or actionable harm for the causes of action advanced.

While 2024 has come to an end, global efforts to regulate artificial intelligence (“AI”) and privacy are only getting started. As technology continues to evolve, legislators are becoming increasingly aware of the need to reform their privacy laws. This article highlights Canada’s top five notable developments in the privacy space in 2024.

This new legislation, the Strengthening Cyber Security and Building Trust in the Public Sector Act, introduces critical cybersecurity and AI requirements by amending FIPPA and introducing the EDSTA. The bill mandates Privacy Impact Assessments, strengthens the IPC's regulatory power, and demands transparency and accountability in AI usage. This article is intended to provide the highlights of Bill 194 for institutions to proactively prepare by strengthening compliance processes, enhancing cybersecurity measures, and understanding the implications of this legislation.

Two recent BC Court of Appeal decisions revive support for Canadian data breach class actions after the viability of such proceedings was recently stifled by a trio of decisions by the Ontario Court of Appeal.

Privacy regulators across Canada are signalling an increased focus on a particular risk area: namely, reliance on service providers. This article explores various key developments. 

Canadian organizations implementing artificial intelligence products to process personal information are currently working in a vacuum, with no definitive standards or frameworks to guide them. However, a recent report by Ontario's IPC provided recommendations for ensuring the privacy-protective adoption of such technologies.

After experiencing a cyber attack, organizations tend to keep a tight grip on incident-related information, often by asserting some sort of legal privilege. In LifeLabs LP v. Information and Privacy Commr. (Ontario), a panel of the Divisional Court of Ontario’s Superior Court of Justice found that legal privileges asserted by LifeLabs did not apply to, among other things the forensic investigation report prepared by a third-party cybersecurity consultant.

In R v. Bykovets, the Supreme Court found that there is a reasonable expectation of privacy in IP addresses and, as such, law enforcement need judicial pre-authorization to obtain access to them. This article provides a brief overview of the SCC’s decision and discusses important considerations under Canadian privacy law when determining the extent to which a business may disclose personal information to law enforcement without consent.

On February 2, 2024, the Supreme Court of Canada ruled that Ontario Premier Doug Ford’s mandate letters issued to his cabinet ministers in 2018 are exempt from public disclosure.

This article examines how existing law and upcoming legal reforms can be applied to address AI revenge porn. So far, the law has been slow to respond, though federal AI legislation on the horizon aims to regulate organizations that develop AI systems and make them available for use.

As another year has come to an end and we have already embarked on a new year, we take this opportunity to reflect on a number of significant changes to Canadian privacy law. From promising developments to proposed legislation to a groundbreaking investigation, there is much to review as we head into 2024. This article reviews the top five recent developments we encountered this year.

On December 7, 2023, the Office of the Privacy Commissioner of Canada released an article with nine principles intended to guide developers, providers and organizations to properly navigate the development and use of generative artificial intelligence. Privacy concerns arise where the AI is trained on data sets that include personal information.

Generative AI tools like ChatGPT, Cohere, and DALL-E2 are popular tools that allow organizations to generate images, text, sounds and creative content based on a prompt. While these tools can provide practical benefits such as improved efficiency and productivity, they raise privacy risks which are important to mitigate.

The Federal Court of Appeal recently upheld the ruling of the Federal Court wherein it was held that the Personal Information Protection and Electronic Documents Act (PIPEDA) should apply to Google’s search engine results, as they have a commercial interest in it by way of ads and also connecting two players.

Redirecting bank wire transfers has become an increasingly common method of fraud, frequently perpetuated through hacking or otherwise impersonating individuals representing a business. In the aftermath, there is often dispute about who bears responsibility for the financial loss: the company that mistakenly sent funds to the wrong bank, or the company whose email was hacked.

In a matter of months, generative AI has been adopted ravenously by the public, thanks to programs like ChatGPT. The increasing use (or proposed use) of generative AI by organizations has presented a unique challenge for regulators and governments across the globe. This article summarizes some of the key legislation or proposed legislation around the world that tries to strike the balance between fostering innovation while mitigating risks associated with the technology.

On April 4, 2023, Canada’s Privacy Commissioner, Philippe Dufresne, launched an investigation into OpenAI after having received a complaint alleging the collection, use and disclosure of personal information without consent.

Facial recognition technology has become increasingly popular among businesses for various applications, including security, marketing, and customer service. However, with the widespread adoption of this technology, there are growing concerns over its potential impact on privacy, human rights, and data protection.

In this article, we focus on the importance of data security diligence, tips for the diligence process, and mitigation strategies for companies that have identified risks and wish to proceed with the deal. We also discuss the need to assess and quickly remediate any flaws in a target company’s data security posture following a transaction.

The U.S. National Institute of Standards and Technology recently released version 1.0 of its Artificial Intelligence Risk Management Framework. The goal of the framework is to provide a voluntary, rights-preserving, sector- and use-case agnostic guide for AI actors to implement in order to promote trustworthy and responsible AI systems.

In the wake of various high-profile security breaches, now may be a good time for businesses to re-acquaint themselves with the applicable Canadian statutory framework for the protection of personal information, as well as implement or update policies and procedures around breach detection and notification.

2022 was an eventful year for privacy law in Canada. The Canadian privacy landscape saw significant changes, as stakeholders at all levels recognized the need to keep up with a data-driven world. This article summarizes the top five recent developments that businesses and stakeholders should be aware of.

The Court of Appeal for Ontario recently considered and definitively determined the issue of whether organizations that collect and store personal information about individuals for commercial purposes can be held liable for the tort of “intrusion upon seclusion” if they fail to take adequate steps to protect the information from third-party “hackers”.

Having gained substantial leadership experience as a privacy officer, what follows in this article is the perspective the author gained in these unique and essential roles. Each mandate, while quite different in practice, harvested similar lessons that I believe every practitioner working in the privacy sector should adopt to maximize their effectiveness within their organization. The following are seven key lessons every privacy officer or practitioner should know.

On September 22, 2022, the first set of amendments from Bill 64 will come into force. Although most amendments will come into force in September 2023, below we highlight significant changes in force this September.

Mobile applications have become synonymous with organizations’ outreach initiatives. The recent joint investigation by federal and provincial privacy authorities into the Tim Hortons app emphasizes the need for companies to consider Canadian privacy laws when designing their apps.

Shalom Cumbo-Steinmetz and Alina Butt discuss key takeaways from a recent Divisional Court decision overturning certification in a data breach class action involving private health information.

Ronak Shah and George Boynton Payne discuss a growing trend among organizations to include privacy and data governance metrics and disclosure as part of their environmental, social and governance (ESG) reporting framework, and highlight practical steps an organization can take to move beyond a traditional regulatory compliance approach to privacy and security.

The common law tort of intrusion upon seclusion continues to develop, as does its use in the class action context. Chloe Snider and Hala Abdul Ghani explore four recent decisions that demonstrate a shift in the use of this tort in large data breach cases.

On December 14, 2021, the British Columbia, Alberta and Quebec privacy regulators issued separate legally binding orders directing Clearview AI to comply with recommendations made in their recent Report of Findings coauthored with the Office of the Privacy Commissioner of Canada. Ellen Xu explores the practices that gave rise to the investigation against Clearview and the recommendations with which Clearview has been ordered to comply.

On November 1, 2021, the new law governing privacy in the People's Republic of China (PRC) came into effect. The Personal Information Protection Law (PIPL) contains substantive privacy obligations and has the potential to significantly impact organizations operating both within and outside of the PRC. Nicholas Wall provides an overview of PIPL's scope of application, central principles and restrictions on cross-border transfers.

Although there are no current signs of Bill C-11 (Digital Charter Implementation Act, 2020) being revived in Parliament, the re-election of the Liberal government suggests that it is only a matter of time before it is reintroduced in some form. To prepare for this event, this commentary analyzes one of the more controversial aspects of Bill C-11: its obligations for the disposal of personal information.

The ONCA’s affirmation of the Superior Court decision in Wakeling illustrates some of the basic components and considerations of the tort of intrusion upon seclusion.

An introductory welcome to the 2021-2022 Season from the Privacy and Access to Information Law Section Chair, Jaime Cardy.

On May 19th, 2021 Canada’s Federal, Provincial and Territorial Privacy Commissioners released a joint statement on the privacy implications of Covid-19 vaccine passports. Vaccine passports may offer substantial public benefits; however, in exchange for access to these benefits, individuals will be required to disclose personal health information. As a result, the Commissioners emphasize the importance of addressing privacy considerations from the outset.

In the session “PHIPA in the Age of Digital Health,” panelists Mary Jane Dykeman (INQ Law), Anita Fineberg (Anita Fineberg & Associates Inc), Daniel Girlando (Borden Ladner Gervais LLP), and Erica Zarkovich (LifeLabs), discussed the recent amendments to the Personal Health Information Protection Act, 2004 (PHIPA), and emerging issues in digital health.

Sarah Nasrullah, Co-Newsletter Editor of the Privacy Executive, interviewed Molly Reynolds, the Chair of the Privacy and Access to Information Law Section.

In a recent decision, the Grand Traverse Circuit Court in the State of Michigan (No. 349230, LC No. 18-034553-CE), the court found that the use of a drone to photograph a couple’s home infringed their “reasonable expectation of privacy."

Courts in Ontario and Alberta have recently issued several significant decisions in privacy class actions. These two decisions followed the prevailing trend of the dismissal of privacy class actions in Canada, in which courts have generally found that there is no evidence of harm, or that the information at issue did not rise to a level that would support the finding of a reasonable expectation of privacy, or both.

In November 2020, the federal government introduced Bill C-11 (The Digital Charter Implementation Act). The proposed bill would overhaul Canada’s existing federal private sector privacy law PIPEDA with a modernized replacement known as the Consumer Privacy Protection Act.

On January 6, 2021, WhatsApp announced that it would update its Privacy Policy to help it better integrate with other Facebook products, making sharing information with Facebook mandatory for WhatsApp users. This prompted many responses online calling for users to leave WhatsApp and to use more “privacy friendly” messaging apps, such as Telegram and Signal. This article discusses the impact of WhatsApp's new Privacy Policy on Canadian users.

On December 9, twin U.S. lawsuits against Facebook were launched that will shape the competition and privacy landscape for years to come. They were initiated by the U.S. Federal Trade Commission (FTC) and a coalition of Attorneys General from 48 U.S. states and territories.