Fasken’s Noteworthy News: Privacy & Cybersecurity In Canada, The US, And The EU (April 2026)

Privacy & Cybersecurity in Canada, the US, and the EU

This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.

Canada

BC Court of Appeal Issues Decision on Clearview AI Case

On February 18, 2026, the Court of Appeal for British Columbia dismissed Clearview AI’s appeal regarding the judicial review of the British Columbia (BC) Office of the Information and Privacy Commissioner’s decision that Clearview contravened the Personal Information Protection Act (PIPA). The BC Privacy Commissioner prohibited Clearview from offering its facial recognition services in BC. The Court of Appeal determined that PIPA does apply to Clearview and that PIPA does not exempt Clearview from obtaining individual consent to collect and use personal information from online sources.

Amendments Proposed to the Freedom of Information and Protection of Privacy Act in British Columbia

On February 26, 2026, Bill 9, the Freedom of Information and Protection of Privacy Amendment Act (FIPPA), 2026 was introduced in the BC Legislature. This proposes to amend the current BC FIPPA governing how public sector entities collect, use and disclose personal information. Public sector entities should keep an eye on these amendments as they make their way through the legislative process.

Bill 97, Plan to Protect Ontario Act (Budget Measures), 2026

Bill 97 (the Plan to Protect Ontario Act (Budget Measures), 2026) will introduce significant amendments to Ontario’s freedom of information and privacy framework by updating both FIPPA and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).

The reforms would modernize Ontario’s Freedom of Information (FOI) and privacy framework by strengthening confidentiality for senior government offices, streamlining FOI processes, and enhancing transparency mechanisms. They also introduce stronger cybersecurity obligations across the public sector, including mandatory safeguards, incident reporting, and improved data protection practices.

Updated Global Privacy Enforcement Network Sweep Report Published

The Federal Privacy Commissioner of Canada published the results of their most recent privacy sweep highlighting how child-friendly practices on websites and mobile applications can protect children’s privacy online. The sweep was a coordinated effort between 26 data protection and privacy authorities across the world and generally found more privacy protections in place than in the last sweep conducted in 2015. The report can be found here.

British Columbia Privacy Commissioner Publishes Guidance on OIPC Audits, Investigations and Compliance Reviews

On March 23, 2026, the Office of the Information and Privacy Commissioner (OIPC) BC published a guidance document on OIPC audits, investigations and compliance reviews. The guidance document is intended to assist public bodies and private sector organizations to better understand the OIPC’s authority and function regarding audits, investigations and compliance reviews.

Alberta Privacy Commissioner Develops New Guide and Template to Assist Public Bodies with Preparing Privacy Impact Assessments

On March 26, 2026, the Alberta Information and Privacy Commissioner announced the publication of their new guide and template to assist public bodies with completing privacy impact assessments under the new Protection of Privacy Act (POPA), which came into effect in 2025. This guide aims to establish a clear and consistent method for public bodies to work through the privacy impact assessment process. The guide and template have been published on the website of the Alberta Privacy Commissioner.

Bill C‑8 Passes House of Commons

On March 26, 2026, Bill C‑8 (An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts) passed Third Reading in the House of Commons and proceeded to the Senate. The Bill establishes a mandatory cybersecurity framework for critical systems across key sectors, while leaving government cybersecurity orders subject to after‑the‑fact judicial review following a ruling by the Speaker of the House.

See our recent bulletin for further discussion.

United States

South Carolina Enacts Age-Appropriate Design Code for Online Platforms

On February 5, 2026, South Carolina passed H 3431, the Age-Appropriate Design Code, which took effect on March 1, 2026. The new law applies to “covered online services” that do business in South Carolina, are “reasonably likely to be accessed by minors” (children under 18), and meet certain thresholds for revenue or data volume. Any organization doing business online in South Carolina relating to minors should review and consider the requirements under the new act.

Oklahoma Passes New Privacy Law

On March 23, 2026, the Oklahoma House of Representatives announced the passing of Bill 546 by the Senate. The new law establishes new consumer rights regarding personal information and new rules for businesses that collect, use and process information about Oklahoma residents. The new law will be effective on January 1, 2027, leaving time for businesses to prepare for compliance.

Washington State Passes Law on AI Companions

In March 2026, Washington State passed HB 2225, a new law regarding the use of AI companions by online businesses. An AI companion chatbot is defined to include an AI system that creates a “sustained human-like relationship with a user.” The law does not relate to AI systems used for customer service, productivity, education, and in-game chats. The provisions of the new law focus primarily on ensuring transparency with users of the AI companions. The law will be effective on January 1, 2027, leaving time for businesses to comply with the requirements.

South Dakota Enacts Genetic Data Privacy Act

On March 23, 2026, South Dakota passed Bill 49, aimed at protecting consumer genetic data. The Act imposes certain requirements on genetic testing companies and adds rights for residents of South Dakota. It will come into effect on July 1, 2026.

European Union

First Request for Access May Be Rejected as Abusive Under GDPR

A request for access to one’s own personal data may be considered abusive and refused if it is made for the sole purpose of subsequently claiming compensation for an alleged infringement of the General Data Protection Regulation (GDPR).

An individual living in Austria subscribed to the newsletter of a German optician, Brillen Rottler, by providing his personal data through the company’s website. Thirteen days later, he submitted a request for access to his personal data under Article 15 of the GDPR. Brillen Rottler refused the request, arguing that it was abusive, as the individual allegedly had a pattern of subscribing to newsletters solely to submit access requests and then claim compensation. The individual disputed this characterization, maintained that his request was legitimate, and sought at least €1,000 in non-material damages for the refusal. The local court referred questions to the Court of Justice of the EU on whether a first access request can be considered excessive and whether compensation may be claimed for an alleged infringement of the right of access.

The Court replies that a first request for access may, in certain circumstances, already be regarded as ‘excessive’ within the meaning of the GDPR and may therefore be abusive.

• This is the case where the controller can show that the request was made not to understand or verify the lawfulness of data processing, but rather to artificially create grounds for claiming compensation. Evidence that a data subject has repeatedly submitted access requests to multiple controllers, followed by compensation claims, may be taken into account to establish abusive intent.
• Individuals who suffer material or non‑material damage due to a GDPR infringement, including a breach of the right of access, are in principle entitled to compensation. However, to obtain compensation, the data subject must prove that actual damage was suffered.
• Compensation is not available where the damage is primarily caused by the data subject’s own conduct.

Digital Networks Act – EDPS Brief

On January 21, 2026, the European Commission adopted the Proposal for a Digital Networks Act, aiming to harmonise EU rules on electronic communications and replace key legislation such as the European Electronic Communications Code, Body of European Regulators for Electronic Communications Regulation, Radio Spectrum Policy Program, and parts of the Open Internet Regulation and ePrivacy Directive.

The European Data Protection Supervisor (EDPS) welcomes the objective but calls for stronger privacy safeguards. In particular, the EDPS stresses that:

• Personal data must not be treated as remuneration for electronic communications services;
• End user protection against fraud should be further specified;
• Prior consent should be required before including users in public directories.

The EDPS also recommends assigning GDPR supervisory authorities to enforce the new ePrivacy related provisions and enabling information sharing between regulators.

Finally, the EDPS raises concerns over the proposed use of geospatial and granular socio economic data, calling for strict necessity checks and clear safeguards.

UK Information Commissioner’s Office Issues Joint Statement on Age Assurance for Online Services

On March 25, 2026, the Information Commissioner’s Office of the United Kingdom issued a joint statement with Ofcom regarding the scope of the Online Safety Act and UK data protection legislation as they relate to age assurance. The statement aims to provide online services that are accessed by children with the information necessary to comply with their obligations under the laws. The statement can be found online here.

EDPB Adopts DPIA Template

On April 14, 2026, the European Data Protection Board adopted a template for Data Protection Impact Assessments (DPIA). The template is accompanied by an explanatory document designed to facilitate its completion by clarifying key concepts in plain language and addressing common questions or knowledge gaps that controllers may encounter. The template is open for public consultation until June 9, 2026, during which stakeholders are invited to submit comments and feedback. Following the consultation period, Data Protection Authorities will take steps to adopt the template, either as their primary standard or as a “meta‑template” aligned with national DPIA frameworks. In the interim, organisations are encouraged to use the template and to provide feedback as part of the consultation process.

In Case You Missed It!

The Fasken Privacy and Cybersecurity group published the following article recently, that might be of interest.

• Bill C‑8 Passes House of Commons Following Substantive Amendments and Speaker’s Ruling

Where You Will Find Us

Members of our Privacy and Cybersecurity group will be speaking at or attending the following event in the coming months. Keep an eye out for our team and stop by to say hi!

• IAPP Canada Symposium 2026 – May 4-5, 2026.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.