1 June 2026

Fasken’s Noteworthy News: Privacy & Cybersecurity In Canada, The US And The EU (May 2026)

Fasken

Contributor

Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm’s website at fasken.com.
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.

This month’s noteworthy news

CANADA

CANADA TO REVIEW FEDERAL PRIVACY ACT

On April 2, 2026, the Treasury Board announced its review of the Federal Privacy Act, which governs how government institutions collect, use, and disclose personal information in Canada. The Treasury Board has made a policy paper with detailed proposals for the review available for comment and feedback until July 10, 2026.

Link: Government of Canada launches review of the Privacy Act - Canada.ca

CANADIAN PRIVACY COMMISSIONERS ISSUE JOINT FINDINGS INTO OPENAI’S CHATGPT

On May 6, 2026, Canada’s federal and provincial privacy commissioners (Alberta, British Columbia, and Québec) released findings from a joint investigation into OpenAI’s data practices, concluding that its ChatGPT models (GPT‑3.5 and GPT‑4) did not comply with core privacy obligations. More specifically, commissioners determined that OpenAI’s collection of personal information for AI training was overbroad and disproportionate, that consent mechanisms were invalid, and that disclosures lacked sufficient transparency. They further identified deficiencies relating to accuracy, access, correction, deletion, retention, and accountability obligations.

Overall, the findings underscore that Canadian organizations remain responsible for complying with privacy laws in connection with the collection, use, and disclosure of personal information in the training and deployment of generative AI systems.

Link: PIPEDA Findings #2026-002: Joint Investigation of OpenAI OpCo, LLC - Office of the Privacy Commissioner of Canada

PRIVACY COMMISSIONER ISSUES SECOND ADMINISTRATIVE MONETARY PENALTY

On April 23, 2026, the Office of the Information and Privacy Commissioner of Ontario (IPC) issued its second administrative monetary penalty under Ontario’s health privacy law. A hospital clerk was ordered to pay a $2,000 penalty for inappropriately accessing 436 patient records. 

Link: PHIPA DECISION 334 - Information and Privacy Commissioner of Ontario

FEDERAL PRIVACY COMMISSIONER PUBLISHES GUIDANCE ON AGE ASSURANCE

On May 4, 2026, the Privacy Commissioner of Canada announced the publication of its guidance on age assurance, setting out when age assurance should or must be used, and what design features or privacy considerations should be addressed when using or designing age assurance systems. Organizations that operate applicable websites, online service providers, and age assurance developers are encouraged to review the guidance.

Link: News release: Privacy Commissioner of Canada launches new age assurance guidance to support organizations - Office of the Privacy Commissioner of Canada

UNITED STATES

COLORADO AMENDS ARTIFICIAL INTELLIGENCE LAW

On May 12, 2026, the Colorado legislature passed Senate Bill 26-189, which is an amended version of its previously passed Artificial Intelligence Act. This new law is focused more heavily on automated decision-making technology and comes into effect on January 1, 2027. The definition of automated decision-making technology is quite broad, applying to technology that processes personal data and uses computation to generate outputs (predictions, recommendations, classifications, rankings, or scores) that are used to make or assist decisions about individuals. Organizations using technologies that may be seen as engaging in some form of decision-making should make themselves familiar with the law prior to its effective date to ensure compliance.

Link: SB26-189 Automated Decision-Making Technology | Colorado General Assembly

CALIFORNIA PRIVACY PROTECTION AGENCY SETTLES WITH GENERAL MOTORS OVER PRIVACY BREACHES

On May 8, 2026, the California Privacy Protection Agency and the State’s District Attorneys announced their settlement with General Motors regarding its consumer data practices. The regulator first focused on General Motors' use of consumer data when reviewing the privacy practices of connected vehicles. Specifically, the regulator found that General Motors had allegedly sold consumer data without consent and retained personal data for longer than necessary. This case is the first to focus on the data minimization principle in the California Consumer Privacy Act (“CCPA”), and the California Privacy Protection Agency has indicated that it will not be the last. Organizations operating in California and potentially subject to the CCPA should consider their data minimization and retention practices, ensuring that all personal data is connected to a reasonable business purpose and has a defined retention period.

Link: When It Comes to Data Privacy, Consumers Must Be in the Driver’s Seat: Attorney General Bonta, Partners Secure $12.75 Million General Motors Privacy Settlement | State of California - Department of Justice - Office of the Attorney General

EUROPEAN UNION

DRAFT COMMISSION GUIDELINES ON THE CLASSIFICATION OF HIGH-RISK AI SYSTEMS

On May 19, 2026, the EU Commission published draft guidelines to help AI providers, deployers, and market authorities determine whether an AI system qualifies as “high-risk.” They explain key concepts for classification and provide practical examples of systems that should or should not be considered high-risk. While the examples cover many use cases, they are not exhaustive and may evolve over time.

An AI system is classified as high-risk in two situations:

  1. If it is used as a safety component (or is itself a product) regulated under EU harmonization laws and requires third-party conformity assessment.
  2. If it falls within specific high-risk use cases listed in Annex III of the AI Act.

Link: Draft Commission guidelines on the classification of high-risk AI systems | Shaping Europe’s digital future

THE EDPB HAS PUBLISHED GUIDELINES ON THE PROCESSING OF PERSONAL DATA FOR SCIENTIFIC RESEARCH PURPOSES

Scientific research is a core objective of the EU, promoting innovation, competitiveness, and the free circulation of knowledge and technology. It often relies on the processing of personal data, which has enabled major breakthroughs, especially with advances like artificial intelligence. While these developments create new opportunities, they also raise risks to fundamental rights and privacy. The GDPR provides a framework to support research while ensuring responsible data use and protecting individuals. To clarify its application, the EDPB issued guidelines to help researchers comply effectively.

In particular, the guidelines address questions including storage limitation, consent, public interest, legitimate interest, and attribution of responsibility.

The guidelines will be subject to public consultation until June 25, 2026.

Link: Guidelines 1/2026 on processing of personal data for scientific research purposes | European Data Protection Board

EDPB APPROVES UPDATED EUROPRIVACY CRITERIA AND RECOGNIZES EUROPRIVACY AS A GDPR TRANSFER TOOL

In its Opinion 14/2026, the EDPB considers that the Europrivacy certification criteria are consistent with the GDPR and approves them. The EDPB will register the Europrivacy certification scheme in the public register of certification mechanisms and data protection seals.

In addition, in its Opinion 15/2026, the EDPB recognizes the Europrivacy certification criteria as a European Data Protection Seal to be used as a tool for transfers: data importers outside Europe who are not subject to the GDPR can now apply to the Europrivacy certification scheme for the transfers of data they receive.

Link: edpb_opinion_202614_europrivacy_en.pdf

Link: https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-152026-europrivacy-certification-criteria_en

(EN) About Fasken's Privacy and Cybersecurity Group

As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of over 30 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by clients from all sectors. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.

(FR) About Fasken's Confidential Information Protection, Privacy and Cybersecurity Group

Our privacy and cybersecurity practice is one of the longest established in the market. Our leading national team is made up of more than 30 lawyers and offers a wide range of services. Whether dealing with complex issues relating to the protection of personal information and confidentiality incidents or advising on the EU General Data Protection Regulation and new legal regimes, we provide comprehensive legal advice that is trusted by clients from all sectors. Our group is recognized as a leader in its field, having received numerous distinctions, such as the "Privacy Team of the Year" award at the PICCASO Awards, in addition to being recognized by the Chambers Canada and Best Lawyers in Canada directories. For more information, please visit our website.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
