
Blakes Data Governor™: May 2025

May 5, 2025

Welcome to Blakes Data Governor, a new publication of the Blakes Privacy & Data Protection group. Blakes Data Governor provides actionable insights and practical overviews of recent developments impacting privacy, cybersecurity, access to information and artificial intelligence (AI) governance law in Canada.

In This Issue 

  • Cross-Border Data Transfers. What your business needs to know about processing personal information outside of Canada.
  • Identity Verification for Financial Services. Our recent tips on ensuring your identity verification solution complies with Canadian privacy laws.
  • New Privacy Commissioner RROSH Assessment Tool. Insights on how to approach this new resource from the federal regulator.
  • Quebec Guidance on Recruitment Activities. Overview of Quebec’s guidance on processing personal information during recruitment activities.
  • Amendments to the PCMLTFR. New requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) regarding the disclosure of personal information without consent between regulated entities.
  • Regulatory Round-Up. New legislative proposals and enforcement decisions impacting privacy, cybersecurity, access to information and AI governance.

Scanning the Horizon 

Cross-Border Data Transfers 

As global markets shift in response to new economic pressures, including unexpected tariffs and trade disruptions, it may be useful to have a refresher on data transfer obligations under Canadian privacy laws. Here are our top five takeaways to find your bearings in cross-border processing:

  • Private-sector privacy laws generally allow personal information to be transferred to service providers outside of Canada. Organizations that are subject to Canadian federal and/or provincial private-sector privacy laws must meet certain requirements when transferring personal information to a service provider outside of Canada, such as implementing a written agreement, being transparent about the cross-border processing and completing a privacy impact assessment in some cases.
  • Public-sector bodies may be restricted by law or policy or need approval to transfer personal information to service providers outside of Canada. Like private sector entities, public-sector bodies must meet certain requirements to transfer personal information to service providers outside of Canada, including executing written agreements and conducting privacy impact assessments. Additionally, government policies may limit how public-sector bodies may transfer personal information outside of Canada. In Nova Scotia, it is generally prohibited for a public body or its service providers to store or access personal information from outside of Canada, but there are exceptions, including where the head of a public body determines that processing personal information outside of Canada meets necessary requirements and makes a report to the Minister of Justice.
  • Disclosures of personal information outside Canada may be treated differently than transfers to service providers. Entities that disclose personal information (i.e., release personal information to another entity’s control) outside of Canada may be subject to sector-specific obligations. For example, Ontario’s Personal Health Information Protection Act, 2004 restricts disclosures outside of the province unless certain conditions are met.
  • Data residency requirements may be imposed by contract. Even where law or policy allows for personal information to be transferred outside of Canada, an entity — particularly an entity that acts as a service provider — may be subject to contractual restrictions that require personal information to remain in Canada. Entities should review their contractual commitments before transferring or accessing personal information outside of Canada.
  • Be transparent about processing activities outside of Canada. Entities should ensure that individuals are informed that their personal information may be processed in a foreign country and should explain that while outside of Canada, personal information may be accessible to law enforcement and national security authorities of the relevant foreign jurisdiction(s).

Insights Radar 

Identity Verification for Financial Services 

Financial services organizations of all types depend upon accurate identity verification solutions to meet their legal obligations and protect their businesses. However, organizations must also ensure that their use of these solutions is in compliance with applicable privacy laws. In our Blakes Bulletin: Digital Identity Verification Best Practices for Canadian Financial Services, we provide key tips on how to ensure your identity verification solution complies with Canadian laws.

New OPC RROSH Tool 

The Office of the Privacy Commissioner of Canada (OPC) has launched a new tool to help organizations subject to the Personal Information Protection and Electronic Documents Act assess whether a breach of security safeguards creates a real risk of significant harm for individuals, triggering mandatory reporting obligations. Our recent Blakes Bulletin: Privacy Commissioner of Canada Releases Privacy Breach Risk Assessment Tool introduces the tool and provides helpful context for implementing the OPC’s guidance into your breach response plans.

New Quebec Guidelines for Collecting Personal Information During the Recruitment Process 

Recently published guidance from the Commission d’accès à l’information du Québec (CAI) provides a better understanding of the regulator’s position on the collection of personal information in the context of employee recruitment. The CAI confirms that employers should exercise caution when collecting personal information and remain compliant with the Act and the Quebec Charter. See our Blakes Bulletin: Guidelines for Collecting Personal Information During the Recruitment Process in Quebec summarizing the new Guidelines.

New Requirements Under the PCMLTFR Regarding Personal Information Sharing Now in Force 

On March 4, 2025, amendments to the PCMLTFR regarding the disclosure of personal information without consent between regulated entities came into force. Regulated entities that disclose personal information to another regulated entity for the purpose of detecting or deterring money laundering, terrorist financing or sanctions evasion are now required to implement and follow an internal code of practice governing these disclosures. The code of practice must adhere to requirements established in the PCMLTFR and must be submitted to and approved by the OPC. See our Blakes Bulletin: But Wait, There’s More: Significant Amendments to Canada’s Anti-Money Laundering and Anti-Terrorist Financing Regime summarizing these amendments.

Regulatory Watch 

Key Legislative Developments 

New Decisions and Guidance 

  • Commission d’accès à l’information du Québec - Metro Inc.: Pursuant to an investigation under Quebec’s Act respecting the protection of personal information in the private sector (Quebec Privacy Act) and Act respecting the legal framework for information technology (Quebec IT Act), the CAI reinforced a broad interpretation of the legislation and determined that Metro Inc.’s proposed facial recognition project would violate the Quebec IT Act and ordered Metro not to move forward with the project. Metro Inc.’s project involved the commissioning of a database of biometric characteristics or measurements for the purpose of identifying, by means of facial recognition, persons who have already been involved in shoplifting or fraud events at the company’s establishments, without express consent. The CAI’s decision did not assess compliance with the Quebec Privacy Act.
  • Clearview AI Inc. v. Information and Privacy Commissioner for British Columbia: This was a judicial review of an order by the Information and Privacy Commissioner (OIPC) for British Columbia that prohibited Clearview from offering facial recognition services in B.C. and required Clearview to make best efforts to (1) stop collecting, using and disclosing personal information from individuals in B.C. and (2) delete personal information collected from individuals in B.C. without their consent. Clearview scraped images of faces and associated metadata from online sources, including social media, using an algorithm to create a database for facial recognition. They also sold facial recognition services to law enforcement agencies, including in B.C. The B.C. Supreme Court upheld the OIPC order, noting that B.C. privacy legislation applies to companies providing services to entities in the province and conducting business in the province, even if those companies do not have employees, offices or servers in B.C. Further, the court held that personal information on social media websites is not considered “publicly available information” under provincial privacy legislation and therefore companies require consent to collect this information.
  • G.D. v. South Coast British Columbia Transportation Authority: An appeal decision was issued following the dismissal of an application for class action certification, involving a cyberattack by third-party hackers causing a data breach of personal information of employees and customers of the South Coast B.C. Transportation Authority (TransLink). In the B.C. Court of Appeal’s decision, the Court allowed the appeal and overturned the chamber judge’s finding that the plaintiff’s claims under B.C.’s privacy legislation were bound to fail. The court held that it is arguable that a data custodian’s failure to take reasonable measures to safeguard private information that it collects, leading to a data breach, is itself a violation of a person’s privacy for the purpose of B.C.’s statutory breach of privacy tort. The Court also held that it is arguable that both the employee and customer appellants were owed a duty of care by TransLink to safeguard their personal information, opening the possibility for liability in negligence as well.

Contact Us 

Please do not hesitate to contact your usual Blakes contact or any member of the Blakes Privacy & Data Protection group. To receive Privacy group Insights directly to your inbox, including Blakes Data Governor, sign up here.

If you’re headed to the IAPP Canada Privacy Symposium, we would be happy to connect at the conference!
