No results found
Tina Saban, Catherine Hart and Naomi Chernos | September 19, 2025
This article provides an overview of the new privacy breach reporting and notification obligations under the Freedom of Information and Protection of Privacy Act (Ontario) and describes steps that organizations can take to ensure compliance with the new requirements.
Learn moreAlberta Court Finds Sections of Privacy Law Unconstitutional
Imran Ahmad, John Cassell, Travis Walker | July 08, 2025
On May 8, 2025, the Court of King’s Bench of Alberta released its decision in Clearview AI Inc. v Alberta (Information and Privacy Commissioner) (the Decision). The Decision found that certain provisions of Alberta’s private-sector privacy law which limit the scope of “publicly available” information violate subsection 2(b) of the Charter and are therefore unconstitutional. The Decision is noteworthy since it is the first time the constitutionality of certain sections of the Personal Information Protection Act (PIPA) has been considered.
Learn more2025 Mid-Year Year Update: 5 Privacy Law Developments
Roland Hung and Laura Crimi | July 08, 2025
We are at the mid-year point of 2025 and the privacy landscape in Canada continues to evolve. This article highlights Canada’s top five notable developments in the privacy space in 2025 so far.
Learn moreCertification Denied in Privacy Breach Proposed Class Action: No Intent, Just Human Error
Soudeh Hosseini | March 31, 2025
The Ontario Superior Court refused to certify a proposed class action against the Ministry of Children, Community and Social Services arising from an ODSP privacy breach. The court found that the facts as pleaded could not support the requisite intent or actionable harm for the causes of action advanced.
Learn moreTop Five Privacy Developments in Canada: A Year in Review 2024
While 2024 has come to an end, global efforts to regulate artificial intelligence (“AI”) and privacy are only getting started. As technology continues to evolve, legislators are becoming increasingly aware of the need to reform their privacy laws. This article highlights Canada’s top five notable developments in the privacy space in 2024.
Learn moreBill 194 – How Public Sector Institutions Should Prepare For It
James G. Kosa, Vipal Jain, Yatin Sidhu | March 21, 2025
This new legislation, the Strengthening Cyber Security and Building Trust in the Public Sector Act, introduces critical cybersecurity and AI requirements by amending FIPPA and introducing the EDSTA. The bill mandates Privacy Impact Assessments, strengthens the IPC's regulatory power, and demands transparency and accountability in AI usage. This article is intended to provide the highlights of Bill 194 for institutions to proactively prepare by strengthening compliance processes, enhancing cybersecurity measures, and understanding the implications of this legislation.
Learn moreJoan M. Young, Mitch Koczerginski, Darlene Crimeni, Claire Wanhella, McMillan LLP | July 29, 2024
Two recent BC Court of Appeal decisions revive support for Canadian data breach class actions after the viability of such proceedings was recently stifled by a trio of decisions by the Ontario Court of Appeal.
Learn moreYou Are the Company You Keep: Managing Third Party Privacy Risk
Nadia Jandali Chao, partner, Lerners LLP | July 04, 2024
Privacy regulators across Canada are signalling an increased focus on a particular risk area: namely, reliance on service providers. This article explores various key developments.
Learn moreJaime Cardy, Dentons Canada LLP | June 07, 2024
Canadian organizations implementing artificial intelligence products to process personal information are currently working in a vacuum, with no definitive standards or frameworks to guide them. However, a recent report by Ontario's IPC provided recommendations for ensuring the privacy-protective adoption of such technologies.
Learn moreMitch Koczerginski, Robbie Grant, Ada Ang, McMillan LLP | May 15, 2024
After experiencing a cyber attack, organizations tend to keep a tight grip on incident-related information, often by asserting some sort of legal privilege. In LifeLabs LP v. Information and Privacy Commr. (Ontario), a panel of the Divisional Court of Ontario’s Superior Court of Justice found that legal privileges asserted by LifeLabs did not apply to, among other things the forensic investigation report prepared by a third-party cybersecurity consultant.
Learn moreBehind the Screen: Navigating Law Enforcement Requests Post R v. Bykovets
Mitch Koczerginski, Robbie Grant, McMillan LLP | April 02, 2024
In R v. Bykovets, the Supreme Court found that there is a reasonable expectation of privacy in IP addresses and, as such, law enforcement need judicial pre-authorization to obtain access to them. This article provides a brief overview of the SCC’s decision and discusses important considerations under Canadian privacy law when determining the extent to which a business may disclose personal information to law enforcement without consent.
Learn moreSupreme Court of Canada Rules that Ford Government Mandate Letters are Exempt from Disclosure
Roland Hung, Torkin Manes | February 27, 2024
On February 2, 2024, the Supreme Court of Canada ruled that Ontario Premier Doug Ford’s mandate letters issued to his cabinet ministers in 2018 are exempt from public disclosure.
Learn moreTackling the Problem of AI “Revenge Porn” in Canada: existing law and upcoming legislative reform
Mavra Choudhry, Shalom Cumbo-Steinmetz (Torys LLP) | February 15, 2024
This article examines how existing law and upcoming legal reforms can be applied to address AI revenge porn. So far, the law has been slow to respond, though federal AI legislation on the horizon aims to regulate organizations that develop AI systems and make them available for use.
Learn moreTop Five Privacy Developments in Canada: A Year in Review 2023
Roland Hung, Torkin Manes LLP | January 16, 2024
As another year has come to an end and we have already embarked on a new year, we take this opportunity to reflect on a number of significant changes to Canadian privacy law. From promising developments to proposed legislation to a groundbreaking investigation, there is much to review as we head into 2024. This article reviews the top five recent developments we encountered this year.
Learn moreOffice of the Privacy Commissioner Releases Nine Principles for Generative AI
Roland Hung, Torkin Manes LLP | January 04, 2024
On December 7, 2023, the Office of the Privacy Commissioner of Canada released an article with nine principles intended to guide developers, providers and organizations to properly navigate the development and use of generative artificial intelligence. Privacy concerns arise where the AI is trained on data sets that include personal information.
Learn moreTo Use or Not to Use: Navigating Privacy Risks Associated with Generative AI Tools
James G. Kosa, Vipal Jain and Yatin Sidhu, summer student, Weirfoulds LLP | October 13, 2023
Generative AI tools like ChatGPT, Cohere, and DALL-E2 are popular tools that allow organizations to generate images, text, sounds and creative content based on a prompt. While these tools can provide practical benefits such as improved efficiency and productivity, they raise privacy risks which are important to mitigate.
Learn moreCase Update: Google LLC v Canada (Privacy Commissioner)
Govind K Chaturvedi | October 13, 2023
The Federal Court of Appeal recently upheld the ruling of the Federal Court wherein it was held that the Personal Information Protection and Electronic Documents Act (PIPEDA) should apply to Google’s search engine results, as they have a commercial interest in it by way of ads and also connecting two players.
Learn moreHow Canadian Courts Have Ruled on Liability in Wire Transfer Fraud
Mavra Choudhry, Molly Reynolds, Julie Himo, Nic Wall | September 26, 2023
Redirecting bank wire transfers has become an increasingly common method of fraud, frequently perpetuated through hacking or otherwise impersonating individuals representing a business. In the aftermath, there is often dispute about who bears responsibility for the financial loss: the company that mistakenly sent funds to the wrong bank, or the company whose email was hacked.
Learn moreRegulating Generative Artificial Intelligence: Balancing Innovation and Risks*
Roland Hung, Torkin Manes LLP | June 23, 2023
In a matter of months, generative AI has been adopted ravenously by the public, thanks to programs like ChatGPT. The increasing use (or proposed use) of generative AI by organizations has presented a unique challenge for regulators and governments across the globe. This article summarizes some of the key legislation or proposed legislation around the world that tries to strike the balance between fostering innovation while mitigating risks associated with the technology.
Learn moreAI Technology and Privacy: Canadian Privacy Commissioner Launches Investigation into ChatGPT
Roland Hung, Torkin Manes LLP | May 02, 2023
On April 4, 2023, Canada’s Privacy Commissioner, Philippe Dufresne, launched an investigation into OpenAI after having received a complaint alleging the collection, use and disclosure of personal information without consent.
Learn moreMoushmi Mehta & Yonida Koukio | May 02, 2023
Facial recognition technology has become increasingly popular among businesses for various applications, including security, marketing, and customer service. However, with the widespread adoption of this technology, there are growing concerns over its potential impact on privacy, human rights, and data protection.
Learn morePrivacy Breaches in M&A Deals: the Importance of Data Security Diligence
Mitch Koczerginski, Chris Garrah, Adriana Rudensky and Robbie Grant, McMillan LLP | April 20, 2023
In this article, we focus on the importance of data security diligence, tips for the diligence process, and mitigation strategies for companies that have identified risks and wish to proceed with the deal. We also discuss the need to assess and quickly remediate any flaws in a target company’s data security posture following a transaction.
Learn moreNIST Releases AI Framework: a sign of what’s to come in AI regulation?
Jaime Cardy, Dentons LLP | March 02, 2023
The U.S. National Institute of Standards and Technology recently released version 1.0 of its Artificial Intelligence Risk Management Framework. The goal of the framework is to provide a voluntary, rights-preserving, sector- and use-case agnostic guide for AI actors to implement in order to promote trustworthy and responsible AI systems.
Learn morePreparing for and Responding to Security Breaches
Roland Hung (Torkin Manes LLP) | February 21, 2023
In the wake of various high-profile security breaches, now may be a good time for businesses to re-acquaint themselves with the applicable Canadian statutory framework for the protection of personal information, as well as implement or update policies and procedures around breach detection and notification.
Learn moreA Year in Review 2022 - Top Five Privacy Developments in Canada
Roland Hung (Torkin Manes LLP) | January 18, 2023
2022 was an eventful year for privacy law in Canada. The Canadian privacy landscape saw significant changes, as stakeholders at all levels recognized the need to keep up with a data-driven world. This article summarizes the top five recent developments that businesses and stakeholders should be aware of.
Learn moreLyndsay Wasser, Mitch Koczerginski (McMillan LLP) | December 06, 2022
The Court of Appeal for Ontario recently considered and definitively determined the issue of whether organizations that collect and store personal information about individuals for commercial purposes can be held liable for the tort of “intrusion upon seclusion” if they fail to take adequate steps to protect the information from third-party “hackers”.
Learn moreSeven Survival Guide Lessons from a Former Chief Privacy Officer
Roland Hung (Torkin Manes LLP) | November 26, 2022
Having gained substantial leadership experience as a privacy officer, what follows in this article is the perspective the author gained in these unique and essential roles. Each mandate, while quite different in practice, harvested similar lessons that I believe every practitioner working in the privacy sector should adopt to maximize their effectiveness within their organization. The following are seven key lessons every privacy officer or practitioner should know.
Learn moreQuebec Privacy Law: Is Your Organization Ready for New Rules in Force this September?
Ronak Shah, Wendy Mee, Ellie Marshall | September 21, 2022
On September 22, 2022, the first set of amendments from Bill 64 will come into force. Although most amendments will come into force in September 2023, below we highlight significant changes in force this September.
Learn moreNo Coffee Breaks from Privacy Compliance - A Cautionary Tale for App Developers
Roland Hung and Ida Sherkat | July 07, 2022
Mobile applications have become synonymous with organizations’ outreach initiatives. The recent joint investigation by federal and provincial privacy authorities into the Tim Hortons app emphasizes the need for companies to consider Canadian privacy laws when designing their apps.
Learn moreDivisional Court Affirms High Bar in Data Breach Class Actions
Shalom Cumbo-Steinmetz and Alina Butt | April 22, 2022
Shalom Cumbo-Steinmetz and Alina Butt discuss key takeaways from a recent Divisional Court decision overturning certification in a data breach class action involving private health information.
Learn moreESG as the Next Frontier in Privacy and Data Governance: Moving Beyond Regulatory Compliance
Ronak Shah and George Boynton Payne | April 11, 2022
Ronak Shah and George Boynton Payne discuss a growing trend among organizations to include privacy and data governance metrics and disclosure as part of their environmental, social and governance (ESG) reporting framework, and highlight practical steps an organization can take to move beyond a traditional regulatory compliance approach to privacy and security.
Learn moreChanging Tides for the Use of Intrusion upon Seclusion in Data Breach Class Actions
Chloe Snider and Hala Abdul Ghani | February 14, 2022
The common law tort of intrusion upon seclusion continues to develop, as does its use in the class action context. Chloe Snider and Hala Abdul Ghani explore four recent decisions that demonstrate a shift in the use of this tort in large data breach cases.
Learn moreOn December 14, 2021, the British Columbia, Alberta and Quebec privacy regulators issued separate legally binding orders directing Clearview AI to comply with recommendations made in their recent Report of Findings coauthored with the Office of the Privacy Commissioner of Canada. Ellen Xu explores the practices that gave rise to the investigation against Clearview and the recommendations with which Clearview has been ordered to comply.
Learn moreChina's New Privacy Legislation: The Personal Information Protection Law
Nicholas Wall | January 21, 2022
On November 1, 2021, the new law governing privacy in the People's Republic of China (PRC) came into effect. The Personal Information Protection Law (PIPL) contains substantive privacy obligations and has the potential to significantly impact organizations operating both within and outside of the PRC. Nicholas Wall provides an overview of PIPL's scope of application, central principles and restrictions on cross-border transfers.
Learn moreThe Permanent and Irreversible Disposal of Personal Information
Claire Davis, Healthcare of Ontario Pension Plan | November 14, 2021
Although there are no current signs of Bill C-11 (Digital Charter Implementation Act, 2020) being revived in Parliament, the re-election of the Liberal government suggests that it is only a matter of time before it is reintroduced in some form. To prepare for this event, this commentary analyzes one of the more controversial aspects of Bill C-11: its obligations for the disposal of personal information.
Learn moreCovid-19 Vaccine Passports: A Joint Statement from Canada’s Privacy Commissioners
Amanda Branch and Prudence Etkin | June 29, 2021
On May 19th, 2021 Canada’s Federal, Provincial and Territorial Privacy Commissioners released a joint statement on the privacy implications of Covid-19 vaccine passports. Vaccine passports may offer substantial public benefits; however, in exchange for access to these benefits, individuals will be required to disclose personal health information. As a result, the Commissioners emphasize the importance of addressing privacy considerations from the outset.
Learn moreOBA Privacy Law Summit 2021 – PHIPA in the Age of Digital Health
In the session “PHIPA in the Age of Digital Health,” panelists Mary Jane Dykeman (INQ Law), Anita Fineberg (Anita Fineberg & Associates Inc), Daniel Girlando (Borden Ladner Gervais LLP), and Erica Zarkovich (LifeLabs), discussed the recent amendments to the Personal Health Information Protection Act, 2004 (PHIPA), and emerging issues in digital health.
Learn moreDrone Photograph a Breach of Privacy
M. Talal Farrukh Irfan Khan | April 28, 2021
In a recent decision, the Grand Traverse Circuit Court in the State of Michigan (No. 349230, LC No. 18-034553-CE), the court found that the use of a drone to photograph a couple’s home infringed their “reasonable expectation of privacy."
Learn morePrivacy Class Actions in Canada: the misconceptions, the pitfalls and the path forward
Sage Nematollahi, KND Complex Litigation | March 26, 2021
Courts in Ontario and Alberta have recently issued several significant decisions in privacy class actions. These two decisions followed the prevailing trend of the dismissal of privacy class actions in Canada, in which courts have generally found that there is no evidence of harm, or that the information at issue did not rise to a level that would support the finding of a reasonable expectation of privacy, or both.
Learn moreCan the CPPA Strengthen Brand Loyalty?
Maggie Vourakes | February 27, 2021
In November 2020, the federal government introduced Bill C-11 (The Digital Charter Implementation Act). The proposed bill would overhaul Canada’s existing federal private sector privacy law PIPEDA with a modernized replacement known as the Consumer Privacy Protection Act.
Learn moreNevethan Balendra | February 27, 2021
On January 6, 2021, WhatsApp announced that it would update its Privacy Policy to help it better integrate with other Facebook products, making sharing information with Facebook mandatory for WhatsApp users. This prompted many responses online calling for users to leave WhatsApp and to use more “privacy friendly” messaging apps, such as Telegram and Signal. This article discusses the impact of WhatsApp's new Privacy Policy on Canadian users.
Learn moreFacebook Competition Lawsuit Links Privacy as Anti-competitive Harm to Users
Dany H. Assaf, Molly Reynolds, Zirjan Derwa, Ronak Shah and Ally Lawrence | January 26, 2021
On December 9, twin U.S. lawsuits against Facebook were launched that will shape the competition and privacy landscape for years to come. They were initiated by the U.S. Federal Trade Commission (FTC) and a coalition of Attorneys General from 48 U.S. states and territories.
Learn more