Staying Ahead of Privacy and Cybersecurity Developments: 2024 Year-End Recap
-
Market study, December 20, 2024
-
North America
-
Technology risk
As we move into 2025, we take this opportunity to provide an overview of key legal developments in the privacy and cybersecurity space across Canadian provinces that may impact organizations’ operations. With ongoing regulatory changes and emerging threats, staying up to date on these issues is crucial for any organization.
As privacy laws and case law continue to evolve, particularly in response to increasing concerns over data protection, here are some notable updates from 2024.
-
Privacy Law Reforms – Status Update on Proposed Legislation
Federal government
Bill C-27, introduced on June 16, 2022, aims to reform federal privacy laws by establishing the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (Tribunal Act), and the Artificial Intelligence and Data Act (AI Act). The CPPA introduces principles such as consent for data handling, rights to erasure, algorithmic transparency, data portability, and stronger enforcement powers for the Office of the Privacy Commissioner of Canada (the “OPC”). The Tribunal Act proposes to create a new tribunal for data protection matters, while the AI Act regulates high-risk AI systems. The bill is currently under review by the Standing Committee on Industry and Technology.
Bill C-26, introduced on June 14, 2022, amends the Telecommunications Act and establishes the Critical Cyber Systems Protection Act. It proposes to empower the government to direct telecom providers to enhance security and creates a compliance framework for critical cyber infrastructure, aimed at improving security and situational awareness of cyber threats. Bill C-26 has completed its second reading in the Senate and is now under review by the Standing Senate Committee on National Security, Defence, and Veterans Affairs.
Finally, Bill C-63, the federal government’s Online Harms Act, is progressing, focusing on issues like online bullying, hate speech, and the protection of youth. The bill includes provisions for social media platforms to implement protective design features for children, potentially resembling the UK’s Age-Appropriate Design Code.
Quebec
Quebec’s Law 25, An Act to modernize legislative provisions as regards the protection of personal information, became fully effective in 2024. A key change, which came into force on September 22, 2024, is the new provision which establishes data portability. This requirement mandates that organizations provide individuals, upon request, with their personal data in a structured, commonly used digital format. Additionally, individuals can request the transfer of their data to another person or organization authorized to receive it.
The Act respecting Health Information and Social Services also came into force on July 1st, 2024. This statute regulates the collection, processing, and sharing of health data by health and social service bodies by enhancing privacy protection, streamlining data flow, and defining when and how health information can be accessed or shared.
Ontario
On May 13, 2024, the Government of Ontario introduced Bill 194, the Enhancing Digital Security and Trust Act, which amends the Freedom of Information and Protection of Privacy Act (FIPPA). Bill 194 introduces updates to FIPPA to align with modern privacy laws, formalizing the powers of the Information and Privacy Commissioner, as well as new regulations for cybersecurity, artificial intelligence, and children's privacy. It applies to public sector institutions but does not amend the Municipal Freedom of Information and Protection of Privacy Act.
Alberta
On November 6, 2024, the Alberta government introduced Bill 33, the Protection of Privacy Act, and Bill 34, the Access to Information Act, to modernize public sector privacy and access laws. Bill 33 proposes stricter privacy protections, including prohibiting the sale of personal information, mandatory breach notifications, transparency in automated decision-making, and stronger penalties for misuse of personal data. Bill 34 focuses on modernizing access to information, recognizing electronic records, and expanding exemptions for cabinet confidentiality.
-
Recent Trends in Privacy Class Actions in Canada
Class actions related to privacy breaches are becoming more prevalent in Canada, with varying outcomes across provinces.
One of the key questions in such class actions is whether individuals can claim damages against data custodians for having failed to adequately safeguard personal information, in the wake of a cyber security incident. In a trilogy of decisions, the Ontario Court of Appeal ruled out the application of the tort of intrusion upon seclusion to “database defendants”, as in its view the reckless storage of personal information could not in itself constitute an “intrusion upon seclusion” (see for instance Del Giudice v. Thompson, 2024 ONCA 70). The court emphasized that privacy violations are limited to the actions of third-party hackers, not data custodians.
In contrast, the British Columbia (“BC”) Court of Appeal adopted a different approach in two 2024 decisions: Campbell v. Capital One Financial Corporation (2024 BCCA 253) and G.D. v. South Coast BC Transportation Authority (2024 BCCA 252). In South Coast, the BC Court of Appeal allowed the privacy class action to proceed and held that “database defendants” could be held liable for the statutory privacy torts should they fail to adequately safeguard personal information. The BC Court of Appeal partially justified these conclusions by noting the quasi-constitutional status of privacy interests, the BC Privacy Act’s purpose of protecting these constitutionally recognized interests, the rapid growth of information collection and the potential for misuse.
The Ontario decisions had a significant impact on the viability of Canadian class actions. While plaintiffs can still bring other claims, such as negligence or breach of contract against database defendants, these claims generally require proof of actual harm. While the BCCA noted recent Ontario case law concluding that the common law tort of intrusion upon seclusion is not applicable to database defendants, it determined that the defendants could still be held liable for statutory privacy torts under BC’s Privacy Act and similar laws in other provinces, which can also be pursued without proving damages.
As legal scrutiny around data breaches intensifies, courts are also examining whether organizations are adequately protecting personal data. These trends stress the importance of strong cybersecurity practices to minimize breach risks and potential legal exposure.
-
Federal Court of Appeal Ruling on Meaningful Consent and Adequate Safeguarding of Personal Information
On September 9, 2024, the Federal Court of Appeal reversed a trial court ruling dismissing the OPC’s application against Facebook (now Meta) over its involvement in the Cambridge Analytica scandal (OPC v. Facebook, 2024 FCA 140). The Court found that Facebook failed to obtain meaningful consent from users and did not adequately safeguard their data, thereby breaching PIPEDA. This important ruling reinforces the importance of obtaining informed consent and ensuring proper safeguards when handling user data, particularly in relation to third-party access. It also emphasizes the need for a clear and objective assessment of consent and data protection obligations.
-
Ontario Superior Court of Justice’s Decision on Legal Privilege over Forensic Investigation Report
On April 30, 2024, the Ontario Divisional Court ruled that LifeLabs had to provide privacy regulators with records related to a cyber security incident investigation, despite claims of solicitor-client and litigation privilege (LifeLabs LP v. IPC, 2024 ONSC 2194). The decision highlights that litigation privilege does not cover underlying facts that must be disclosed if they exist independently of documents. In addition, copying counsel on a document does not automatically confer privilege over the document or its underlying facts. Litigation privilege applies to a party’s litigation strategy but it does not extend to facts or “base information” that may be useful to counsel in preparing for litigation.
LifeLabs’ motion for leave to appeal to the Ontario Court of Appeal was denied. This case highlights the importance of carefully asserting privilege in response to a cybersecurity breach. Privilege claims must be supported by evidence and parties asserting litigation privilege must be prepared to identify a litigation strategy that would be disclosed in an investigation report. As the Divisional Court noted, a litigation privilege claim requires proof that the document was created with the dominant purpose of preparing for litigation.
These developments signal an increasing focus on privacy rights, especially around user consent, safeguarding data, and protecting children and vulnerable groups.
Our team of experts is ready to support organizations in navigating these changes with confidence, offering guidance on compliance strategies, risk management, incident response, as well as privacy or technology-related litigation matters.
Do not hesitate to reach out to us to learn how we can support your organization and your insureds as you prepare for 2025 and beyond.