Blakes Data Governor: Fall 2025

Welcome to the Fall 2025 issue of Blakes Data Governor, published by the Blakes Privacy & Data Protection group. Blakes Data Governor provides actionable insights and practical overviews of recent developments impacting privacy, cybersecurity, access to information and artificial intelligence (AI) governance law in Canada.

In This Issue

• Update of Federal Digital Policy. With Parliament back in session, we highlight recent developments and discuss what we are currently expecting from Parliament on reforming federal privacy laws.
• OPC Publishes New Biometrics Guidance. The Office of the Privacy Commissioner of Canada’s (OPC) guidance addresses how to ensure your use of biometric tools complies with the federal Personal Information Protection and Electronic Documents Act.
• OPC Finds Right to Delist Under PIPEDA. The OPC’s investigation of Google results in a new right to have personal information delisted from search results in certain circumstances.
• Final OSFI Guideline for AI Use by Federally Regulated Financial Institutions. The Office of the Superintendent of Financial Institutions Canada’s (OSFI) new guideline addresses emerging technology risks and imposes risk management requirements on the use of artificial intelligence (AI) models by federally regulated financial institutions (FRFIs).
• AI and Cybersecurity Essentials for Boards. We look at recent developments and best practices for directors or officers navigating new risks and opportunities that AI presents.
• Costs and Consequences of AI-Cited Case Law. The Court of Appeal of Alberta considers personal costs against counsel for citing AI-generated “hallucinated” case law, underscoring the importance of verifying AI-generated content.
• Domain Name Scams. In parts I and II of a new series (in time for October Cybersecurity Awareness Month), we discuss the current landscape of domain name fraud, helpful identification methods and best practices for preventing such threats.
• Regulatory Round-Up. New legislative proposals and enforcement decisions impacting privacy, cybersecurity, access to information and AI governance.

Scanning the Horizon

Federal Policy Update

As of the first week of October, the federal government has not yet tabled or signalled any indication that it intends to reintroduce the Consumer Privacy Protection Act or Artificial Intelligence and Data Act from the previous Parliament’s Bill C-27. However, there are some notable developments at the federal level.

The Ministry of Artificial Intelligence announced a new 30-day “national sprint” to set out a renewed national AI strategy through public consultation. This sprint will include gathering input from a new AI Strategy Task Force formed of experts from industry, academia and civil society. Feedback from the AI Strategy Task Force is expected to be shared in November. The public consultation does not imply that the federal government intends to introduce comprehensive AI legislation. The consultation’s questions primarily focus on commercializing AI and attracting investment to Canada, but they also seek feedback on frameworks, standards, regulations and norms that could support AI adoption across the country. Submissions from the public are being accepted through the Consulting Canadians portal or by email.

In his Briefing Session with the new members of the Access to Information, Privacy and Ethics Standing Committee, the Privacy Commissioner of Canada reiterated that the rise in privacy complaints and breach notifications reflects a broader public concern with privacy rights that should be addressed in modernized laws granting the Commissioner authority to levy fines and issue orders. The Commissioner’s comments also reiterate that protecting children’s privacy is one of the OPC’s core priorities. We anticipate that the OPC’s Children’s Privacy Code will be published in early 2026.

Insights Radar

Privacy Commissioner’s Google Investigation Finds Right to Delist Under PIPEDA

The OPC recently published its findings in its investigation into the Google search engine’s compliance with obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), determining that Google’s failure to delist personal information in search results that resulted in significant harm to an individual was inappropriate in contravention of section 5(3) of PIPEDA. In our Blakes Bulletin: Privacy Commissioner of Canada Finds Limited Right to Delist Under PIPEDA, we discuss these findings and consider the implications for businesses operating in Canada.

OPC Guidance on Processing Biometric Data in the Private Sector

The OPC published new guidance for private-sector organizations on their privacy obligations under PIPEDA when handling biometric information. In our Blakes Bulletin: New Federal Privacy Commissioner Guidance on Processing Biometric Data in the Private Sector, we unpack the guidance and explain how the OPC’s helpful “dos and don’ts” assist organizations in complying with PIPEDA requirements.

For additional insights into critical privacy considerations for the use of biometrics, log in or register to watch our seminar on Biometric Data: Privacy Obligations and Regulatory Risks.

New OSFI Guideline for AI Use by FRFIs

On September 11, 2025, as part of its quarterly release of regulatory changes, the Office of the Superintendent of Financial Institutions Canada (OSFI) published its final version of Guideline E-23 Model Risk Management 2027 (Final Guideline). The Final Guideline, which will take effect on May 1, 2027, addresses emerging technology risks and imposes risk management requirements on the use of AI models in federally regulated financial institutions (FRFIs). In our Blakes Bulletin: OSFI Releases Final Guideline E-23 for Model Risk Management and AI Use by Federally Regulated Financial Institutions, we discuss how OSFI expects more than a static compliance program, as FRFIs will need to engage in ongoing testing, monitoring and review throughout the full model lifecycle to effectively mitigate risk.

Board Essentials for AI and Cybersecurity

AI and cybersecurity are two areas that share similarly steep growth trajectories, presenting both risks and opportunities to issuers. To assist directors and officers in navigating these new challenges, our Blakes Bulletin: Artificial Intelligence and Cybersecurity: Board Oversight Essentials summarizes recent legal developments and existing best practices and provides key takeaways and action items for Canadian board members.

Domain Name Scams: Part 1 – What Are They and How to Spot Them? and Part II – Best Practices for Prevention

Domain names have become a critical component of business branding, allowing a business’s website and email address to be easily identified by the public. Consequently, issues pertaining to fraudulent domain names are not a new occurrence. To minimize the risk of falling victim to scams, misleading customers or damaging your brand, it is essential for businesses to actively monitor for potential domain name fraud. Prompt intervention can often mitigate these risks. In Part I and Part II of a new series of Blakes Bulletins (in time for October Cybersecurity Awareness Month), we discuss the current landscape of domain name fraud, helpful identification methods and best practices for preventing such threats. Stay tuned for Part III, where we’ll discuss effective ways to respond once a fraudulent domain has been identified.

Reality Check: Alberta Court Weighs Costs Award Against Counsel for AI-Generated Case Law Hallucinations

On September 26, 2025, the Court of Appeal of Alberta (ABCA) released its first decision addressing the potential for generative AI tools to create references to non-existent case law or statutes, commonly referred to as “hallucinations.” The ABCA is considering awarding enhanced costs against the appellant’s counsel personally for failing to confirm the accuracy of their cited cases. Our Blakes Bulletin unpacks this decision and the implications of this evolving issue.

Regulatory Watch

Key Legislative Developments

• Nova Scotia’s Bill 150 received Royal Assent, enacting the province’s new Freedom of Information and Protection of Privacy Act, which modernizes public-sector access to information and privacy law in the province and introduces significant changes, including making the Information and Privacy Commissioner an Officer of the Legislature.
• Nova Scotia’s Bill 127: Protecting Nova Scotians Act (PNSA) was also passed by the Nova Scotia government and received Royal Assent on October 3, 2025. The PNSA, amongst other things, introduces the Social Insurance Number Protection Act (SINPA), which aims to limit unnecessary collection of an individual’s Social Insurance Number (SIN). SINPA prohibits anyone in the course of commercial activities from requesting or collecting an individual’s SIN, unless it is required by law or permitted by the regulations. Organizations that contravene the SINPA are guilty of an offence and liable to a maximum fine of C$500,000. SINPA will come into force once proclaimed by the Governor in Council.

New Decisions and Guidance

• Report of Findings in OPC TikTok Investigation: The OPC published its findings in a joint investigation with its provincial counterparts into TikTok Pte. Ltd. (TikTok), which made several recommendations regarding TikTok’s privacy practices, including to implement new enhanced age assurance mechanisms, enhance its privacy policy to better address targeted advertising and cease allowing advertisers to target under-18 users (except through generic categories).
• PHIPA Decision 298: The Information and Privacy Commissioner of Ontario (IPC) has levied the first monetary penalties under the Personal Health Information Protection Act for non-compliance with the statute. The decision relates to a physician’s unauthorized access to a hospital’s electronic health record system to solicit potential pediatric clients. In doing so, the IPC references its published guidance for the health sector and stated that the penalties are not intended to be punitive, but rather a flexible, balanced and progressive regulatory tool focused on accountability and learning, while reserving more severe consequences for more serious or repeated breaches.
• Alberta OIPC Guidance for Health Custodians on Use of AI: The Office of the Information and Privacy Commissioner of Alberta (OIPC) issued new guidance for custodians under the Health Information Act regarding the use of AI transcription and summarization tools (i.e., “scribe tools”). The guidance emphasizes that while these tools may assist custodians in providing enhanced healthcare services, such as permitting a custodian to focus more on the patient rather than on taking notes during a patient encounter, there are privacy and security risks associated with the use of these tools that must be considered and addressed by custodians prior to using them. The OIPC guidance additionally reminds custodians in Alberta of their obligations to submit privacy impact assessments.
• New Ontario De-identification Guidance: On October 15, 2025, the Information and Privacy Commissioner of Ontario (IPC) released updated and expanded guidance on the de-identification of structured data. The guidance outlines the IPC’s position on what is or is not considered de-identified data, how de-identified data may be used, including data sharing between related organizations, and detailed processes for de-identifying structured data.
• Quebec Commission d’accès à l’information Annual Report: The Quebec Commission d’accès à l’information published its Annual Report for 2024–2025 (available in French only), highlighting its work over the past year. Insights into the Commission’s work note that complaints continue to grow year over year; 514 reports of confidentiality incidents were received, an increase of 16% from the prior year. Human error and ransomware continue to drive incidents for organizations subject to the Commission’s jurisdiction.

Contact Us

Please do not hesitate to contact your usual Blakes contact or any member of the Blakes Privacy & Data Protection group. To receive Privacy & Data Protection group Insights directly to your inbox, including Blakes Data Governor, sign up here.