Privacy & Cybersecurity in Canada, the US and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
Federal Bill C-8 Tabled in Parliament
On June 18, 2025, the Federal Government tabled a new bill in Parliament titled "An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts". The Bill is nearly identical to the previous Bill C-26, which was introduced in 2022 but failed to pass. It aims to impose additional cybersecurity requirements on the telecommunications industry, along with additional oversight by the government. The bill is expected to be a priority for the Federal Government and will likely pass in the next few months.
Québec Commissioner Publishes Decision Regarding Use of Video Surveillance in Company Vehicles
In May 2025, the Québec Privacy Commissioner issued a decision (in French only) regarding an organization's use of in-vehicle cameras for security, safety and employee surveillance. The Commissioner determined that the organization did not use the cameras in compliance with Québec's private sector privacy act and ordered the organization to bring its practices into compliance. The use of surveillance in vehicles has become a focus for many privacy commissioners across Canada, so organizations utilizing in-vehicle surveillance should regularly review their privacy practices and policies and strongly consider completing privacy impact assessments for surveillance tools.
BC Privacy Commissioner Publishes Guidance on Use of Personal Email Accounts for Public Body Business
In July 2025, the BC Office of the Information and Privacy Commissioner published a guidance document providing information for public bodies on their employees' use of personal email and messaging accounts for work purposes, and the application of the Freedom of Information and Protection of Privacy Act ("FIPPA"). The general conclusion is that FIPPA applies to work-related emails and messages sent to or received from the personal accounts of public body employees.
Europe
United Kingdom Data Use and Access Bill in Force
On June 19, 2025, the UK Data Use and Access Act 2025 (the "DUAA") was passed into law. The DUAA amends the UK General Data Protection Regulation ("UK GDPR") and the Privacy and Electronic Communications Directive Regulations 2003. The DUAA amends provisions around international data transfers, automated decision-making, cookies, and the protection of children's data. It also establishes the Digital ID Trust Framework, which sets rules for digital verification services in the UK. Businesses operating in the UK must consider these changes to determine if they comply.
A General-Purpose AI Code of Practice
The General-Purpose AI (GPAI) Code of Practice is a voluntary tool, prepared by independent experts in a multi-stakeholder process, designed to help industry comply with the AI Act's legal obligations on safety, transparency, and copyright for providers of general-purpose AI models. The Code was published on July 10, 2025. In the following weeks, Member States and the Commission will assess its adequacy. Additionally, the Code will be complemented by Commission guidelines on key concepts related to general-purpose AI models.
EU AI Rules to Be Rolled Out as per Legislation
In recent months, the European Commission received numerous requests from organizations to pause implementation of its landmark rules on artificial intelligence. However, in early July, the European Commission dismissed such requests and confirmed it will proceed with rolling out the rules in the EU AI Act as stated in the legislation. As such, general purpose AI model obligations will begin in August 2025, and high-risk model obligations will begin in August 2026. Organizations offering AI products in the EU should be ready and willing to comply with the EU AI Act as contemplated in the legislation.
United States
Texas Court Vacates Key Portions of Updates to HIPAA Privacy Rule
On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated key portions of the 2024 updates to the HIPAA Privacy Rule related to reproductive health care information. The decision is effective immediately and applies across the U.S. Organizations are no longer required to comply with the additional obligations imposed by the new rule, including obtaining attestations from certain requestors of protected health information potentially related to reproductive health care. Any organizations that have implemented changes to accommodate the updated rule should consider whether to roll back these changes in light of this decision.
Court of Appeals Vacates Federal Trade Commission Negative Option (Click to Cancel) Rule
On July 8, 2025, the Court of Appeals for the Eighth Circuit vacated the US Federal Trade Commission's ("FTC") negative option (click-to-cancel) rule, which was due to come into full effect on July 14, 2025. The rule required organizations offering products or services with a negative option feature to disclose all material terms to consumers before collecting billing information, obtain the consumer's affirmative consent to the negative option of the transaction, and provide the consumer with a simple mechanism to cancel the negative option feature and any recurring charges at any time. The court found that the FTC had failed to provide the required preliminary regulatory analysis before finalizing the rule, prompting it to vacate the rule.
In Case You Missed It
The Fasken Privacy and Cybersecurity group recently published the following articles that might be of interest.
About Fasken's Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO 'Privacy Team of the Year' award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.