Privacy & Cybersecurity in Canada, the US, and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
Review Launched into Federal Security Agencies' Use of AI
Canada's National Security and Intelligence Review Agency (NSIRA) has launched a review into how federal security agencies deploy and oversee artificial intelligence tools, including systems used for document translation and malware detection. The review will assess whether current governance frameworks adequately address emerging risks and evaluate how AI is defined, managed, and audited across agencies.
NSIRA has notified multiple federal ministers and the heads of CSIS, the RCMP, and the Communications Security Establishment, and may request documents, conduct interviews, and perform technical inspections as part of the process. The findings are expected to identify oversight gaps and inform future policy approaches to AI use in national security.
United States
New York Enacts California-Style AI Transparency Law for Large AI Companies
On December 19, 2025, New York Governor Kathy Hochul signed the Responsible AI Safety and Education Act (RAISE Act). Taking effect on January 1, 2027, the RAISE Act is modelled after California's Transparency in Frontier Artificial Intelligence Act and imposes obligations on AI developers with more than USD $500 million in revenue to adopt safety and security protocols and to share information with regulators. The RAISE Act also requires developers to report safety incidents within 72 hours and allows for monetary penalties of up to USD $30 million for violations.
European Union
CNIL Launches "FantomApp" to Support Safer Social Media Use by Minors
To help 10 to 15‑year‑olds use social networks more safely and responsibly, the Commission nationale de l'informatique et des libertés (CNIL), France's data protection authority, is offering its application called "FantomApp." Nine European data protection authorities have expressed interest in and supported the project, and the application will be translated into the language of each partner country.
This application allows users to:
- access tools and tutorials to protect their accounts and clean up their online presence (e.g., how to blur a photo); and
- get advice and content to help in case of problems (e.g., how to delete content or what to do in case of hacking).
This free and secure application does not collect any data other than the IP address, which is necessary for the application to function, and the type of device used.
Renewal of the United Kingdom's Adequacy Decisions
On December 21, 2025, the European Commission adopted two new adequacy decisions for the United Kingdom – one under the General Data Protection Regulation (GDPR) and the other under the directive on data protection in the law enforcement sector. As a reminder, sunset clauses had been introduced in the previous decisions, which expired on December 27, 2025.
In accordance with the new decisions of the European Commission, transfers of personal data from the European Union to the United Kingdom can continue without specific safeguards. Through these decisions, the European Commission confirms that such data benefits from a level of protection substantially equivalent to that guaranteed under the GDPR.
€42 Million Fine Imposed on Free Mobile and Free by the CNIL (France)
On January 13, 2026, the CNIL issued two sanction decisions against the companies FREE MOBILE (in French only) and FREE (in French only), imposing fines of €27 million and €15 million respectively, due to inadequate measures taken to ensure the security of their subscribers' data.
In October 2024, an attacker managed to infiltrate the companies' IT system and access personal data relating to 24 million subscriber contracts, including banking details (IBAN). Following numerous complaints, the CNIL carried out an inspection that revealed breaches of several obligations under the GDPR, in particular the failure to ensure the security of personal data.
In case you missed it!
The Fasken Privacy and Cybersecurity Group recently shared the following thought leadership, which may be of interest.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.