Blakes Data Governor: Summer 2025

Welcome to the Summer 2025 issue of Blakes Data Governor, published by the Blakes Privacy & Data Protection group. Blakes Data Governor provides actionable insights and practical overviews of recent developments impacting privacy, cybersecurity, access to information and artificial intelligence (AI) governance law in Canada.

In This Issue

• Ontario FIPPA Amendments. What Ontario public sector institutions, and their service providers, need to know about new amendments in force on July 1, 2025.
• Update on Parliament. What to expect for privacy reform and AI regulation from the 45th Canadian Parliament.
• New Quebec Video Surveillance Decision. Insights from the Commission d’accès à l’information du Québec’s decision regarding the use of in-vehicle video surveillance technology by a delivery company.
• New Alberta Court Decision on “Publicly Available” Information. Overview of the Court of King’s Bench expansion of the scope of the “publicly available” exception under Alberta’s private-sector privacy law and the impact for training AI models.
• New Guidance for Small Ontario Health Information Custodians. Tips from the Information and Privacy Commissioner of Ontario’s new guidance for small healthcare organizations.
• Regulatory Round-Up. New legislative proposals and enforcement decisions impacting privacy, cybersecurity, access to information and AI governance.

Scanning the Horizon

Ontario FIPPA Amendments in Force July 1, 2025

Effective July 1, amendments to Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) made under the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194) will come into force. FIPPA applies to Government of Ontario ministries, ServiceOntario, hospitals, and prescribed agencies, boards, commissions, corporations or other bodies (FIPPA Institutions).

FIPPA Institutions should review their existing privacy policies and procedures to ensure that the new Bill 194 obligations are met. For instance, FIPPA Institutions must address:

• Privacy Impact Assessments (PIAs). A written assessment must be prepared before collecting and processing personal information (or before substantially changing a process). The assessment must set out the purpose for processing personal information, the legal authority for processing, the types of personal information processed, the sources of personal information processed, the positions that will have access to the personal information, any limitations or restrictions on the processing of personal information, the safeguards and practices used to protect personal information, and the steps to be taken to prevent, reduce and mitigate harm to individuals whose personal information is processed. FIPPA Institutions will need to train internal stakeholders on this new requirement and create a form of PIA template to be used for these assessments.
• Mandatory Breach Reporting. FIPPA Institutions must report to the Information and Privacy Commissioner of Ontario (IPC) and notify affected individuals of any theft, loss or unauthorized use or disclosure of personal information in their custody or control if it is reasonable in the circumstances to believe that there is a real risk of significant harm to an individual. Previously, breach reporting was voluntary and simply recommended by the IPC. FIPPA Institutions should develop, or modify existing, incident response plans to account for these new requirements.
• Safeguarding Personal Information. FIPPA Institutions must ensure that reasonable steps are taken to ensure personal information in their custody or control is protected against theft, loss, and unauthorized use, disclosure, copying, modification or disposal. Previously, there were no information security requirements applicable to all FIPPA Institutions. In addition to reviewing existing internal privacy safeguards, FIPPA Institutions should review their data protection agreements with service providers to ensure that adequate safeguarding, breach reporting and audit rights are in place so that the FIPPA Institution can appropriately respond in the event of any inquiries from the IPC.

Additionally, the IPC now has power to conduct a review of a FIPPA Institution’s information practices if they receive a complaint and to make orders to discontinue or change an information practice, return, transfer or destroy personal information, implement a different information practice, or make a recommendation in respect of how the information practice could be improved.

While regulations expanding on the Bill 194 amendments have not yet been filed, we anticipate that Ontario will publish compliance guidance for FIPPA Institutions in the coming weeks.

Update on Parliament

Following the federal election in April, the 45th Parliament is now underway. To support the new sitting of the House of Commons, new members have been appointed to the Standing Committee of Access to Information, Privacy and Ethics, which oversees both the Office of the Information Commissioner of Canada as well as the Office of the Privacy Commissioner of Canada (OPC).

Before the House rose for its summer break, the Minister of Public Safety introduced Bill C-8, a nearly identical version of the previous C-26, which died on the Order Paper when Parliament was prorogued earlier this year. As drafted and if passed, Bill C-8 would enact the Critical Cyber Systems Protection Act (CCSPA), which would impose certain cybersecurity obligations on operators of certain “vital systems,” including in the telecommunications and energy sectors. Our Blakes Bulletin: House of Commons Re-Introduces Federal Cybersecurity Legislation, summarizes the implications of the new Bill C-8.

The Speech from the Throne and initial comments from Evan Solomon, the new Minister of Artificial Intelligence and Digital Innovation, have not provided any indication that this government is keen to re-introduce Bill C-27 (See our Blakes Bulletin on 2022’s Bill C-27). In particular, based on Minister Solomon’s recent comments signalling that the government intends to take an approach that promotes the growth of the Canadian AI industry (rather than regulate it), it is unlikely that the Artificial Intelligence and Data Act will be re-introduced. We expect that amendments to reform the Personal Information Protection and Electronic Documents Act, as well as the public sector Privacy Act, will be introduced at some point during the parliamentary session, but privacy reform does not seem to be an immediate government priority.

Interestingly, the government’s proposed Bill C-5, which would enact (among other things) the Free Trade and Labour Mobility in Canada Act and is intended to remove federal barriers to the interprovincial movement of goods and provision of services, could be interpreted to apply to PIPEDA. The proposed law, which is now before the Senate, would, subject to regulations, exempt a service provided in accordance with a provincial or territorial requirement from meeting any comparable federal requirement so long as the provincial or territorial requirement continues to apply to the service provider. It is not clear that the federal government intends for this exemption to apply where a service meets provincial privacy laws, such as those in British Columbia, Alberta or Quebec. We will monitor the fast-moving debate of Bill C-5 and provide updates on the potential implications for the OPC’s jurisdiction over private-sector privacy matters in future issues of Blakes Data Governor.

Insights Radar

Quebec CAI Decision on Video Surveillance in Delivery Vehicles

On May 20, 2025, Quebec’s access to information and privacy regulator, the Commission d’accès à l’information du Québec (CAI), issued a decision regarding the use of in-vehicle video surveillance technology by a delivery company, concluding that the collection of personal information was not sufficiently minimized. In our Blakes Bulletin: Quebec Privacy Regulator Publishes Decision on Video Surveillance in Delivery Vehicles, we review the CAI’s order and discuss the implications for businesses operating in Quebec.

“Publicly Available” Exception Under Alberta PIPA Expanded by Court

In Clearview AI Inc v. Alberta (Information and Privacy Commissioner), the Court of King’s Bench of Alberta expanded the scope of the “publicly available” exception to the consent requirement for the collection, use or disclosure of personal information under Alberta’s Personal Information Protection Act (PIPA) to include personal information published by an individual on the internet, including on social media sites, where the information is published without the use of privacy settings. Our Blakes Bulletin: Alberta Court Expands Scope of the “Publicly Available” Exception to Consent Requirement Under Province’s PIPA, unpacks this decision and highlights implications for AI model development.

New Ontario IPC Guidance for Small Health Information Custodians

The IPC released a new Privacy Management Handbook (Handbook) aimed at helping small healthcare organizations meet their privacy obligations under Ontario’s health information privacy law. Our Blakes Bulletin: New Guidance From Ontario’s Information and Privacy Commissioner on Privacy Management for Small Healthcare Organizations reviews the Handbook and highlights how it can be used by health information custodians to support their privacy management programs.

Regulatory Watch

Key Legislative Developments

• Parliament will return September 15, 2025, following the summer break.
• The Office of the Privacy Commissioner of Canada tabled its Annual Report to Parliament, including plans to modernize the OPC and respond more effectively to emerging issues.
• Alberta’s Bill 46, which amends the recently enacted Access to Information Act and Protection of Privacy Act, received Royal Assent on May 15, 2025.
• Alberta’s Security Management for Critical Infrastructure Regulation (Regulation) under the Responsible Energy Development Act came into force May 31, 2025. The Regulation creates requirements for specific critical facilities to implement a security management program in compliance with CSA Z246.1, which includes cybersecurity measures. Stay tuned for a future Bulletin on the Regulation.

New Decisions and Guidance

• The OPC has launched an exploratory consultation on the development of a Canadian children’s privacy code that will clarify obligations under PIPEDA and set out the OPC’s expectations regarding organizations’ handling of children’s personal information.
• The OPC, together with the U.K. Information Commissioner, issued findings in their investigation into a global data breach that occurred at 23andMe, a direct-to-consumer genetic testing company. The OPC concluded that 23andMe contravened section 10.1 of PIPEDA and sections 2 and 3 of the Breach of Safeguards Regulations, given the inadequacies in its breach notifications to the OPC and to affected individuals.
• The B.C. Court of Appeal held that the B.C. Privacy Act does not require proof of actual harm for an award of damages and awarded aggregate damages of C$15,000 per class member, without proof of individualized harm.
• The B.C. Privacy Commissioner published guidance on how individuals can request personal information concerning deceased individuals.
• In Investigation Report F2025-IR-01, Alberta’s Information and Privacy Commissioner found that the Government of Alberta failed to meet its obligations under the Freedom of Information and Protection of Privacy Act. The report states the government public bodies improperly refused 28 access-to-information requests and outlines the Commissioner’s recommendations.

Contact Us

Please do not hesitate to contact your usual Blakes contact or any member of the Blakes Privacy & Data Protection group. To receive Privacy & Data Protection group Insights directly to your inbox, including Blakes Data Governor, sign up here.