It’s been a busy year for data protection and privacy in Canada and the USA, with significant developments not only across North America, but also globally. As businesses face evolving privacy challenges, understanding the year’s developments and preparing for 2025’s expectations is crucial for maintaining compliance and staying competitive.
In this blog, we cover some of the key 2024 privacy highlights in Canada and the USA and cast an eye to what we can expect in 2025.
Privacy in Canada: Challenges and progress
2024 has brought notable advancements to privacy in Canada, including the final phase of Quebec’s Law 25 coming into effect and the European Commission’s decision to uphold Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) as adequate under GDPR. This means data can keep moving easily between the EU and Canada, helping to support both trade and data safety.
Key areas of focus in 2024 include Ontario’s Bill 194, Quebec’s Law 25, the awaited updates to PIPEDA under the proposed Bill C-27, and the privacy implications of Bill C-65.
Let’s take a closer look at each:
Quebec’s Law 25
In September 2024, Quebec completed an overhaul of its privacy regime with Law 25’s final stage implementation. It requires organizations covered by Law 25 to, among other things, accommodate stricter consent rules, extended privacy rights, and data breach notifications.
Updating PIPEDA: Bill C-27
At the federal level, the Consumer Privacy Protection Act (Bill C-27) is still under review. A change in government might also mean changes to when the Bill is implemented and in what form.
While there’s currently no comprehensive legislation in Canada that specifically governs AI systems, Bill C-27 does include within it the Artificial Intelligence and Data Act (AIDA) to establish a risk-based framework to regulate AI. As such, privacy professionals are expecting closer alignment with international frameworks like GDPR that aim to boost both data protection standards and economic competitiveness.
Ontario’s Bill 194
Ontario’s Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, has been a major development in Canadian privacy legislation this year. The Bill now obligates public sector organizations to:
- Develop comprehensive cybersecurity programs
- Establish clear accountability frameworks for AI systems
- Be open and transparent about how digital technology is used
- Carry out privacy impact assessments
- Notify people quickly if their data is breached
These obligations may also affect private sector companies working with provincial or municipal governments, as the requirements could extend to them through contractual or operational responsibilities.
Bill C-65
The Electoral Participation Act (Bill C-65) has sparked considerable debate, with Canadian Privacy Commissioner Philippe Dufresne highlighting critical gaps in its approach to data protection and saying that it lacked “basic elements”. He has urged lawmakers to address these shortcomings and recommended that the Bill should:
- Require political parties to get consent to use data and limit how they collect and use it
- Provide a way for people to access and correct their data
- Contain broader obligations about privacy breach notifications to include mandatory reporting
- Encourage more formal collaboration between the Office of the Privacy Commissioner, Elections Canada, and the Commissioner of Canada Elections
The Bill has yet to reach the third reading in the House of Commons.
United States: State-level innovation leads the way
The USA has seen much state-level activity, with 19 states now having comprehensive privacy laws. California, New York, and Florida have led the way in AI governance, with each taking a distinctive approach.
Key developments in AI regulations include:
- California – the Artificial Intelligence Accountability Act proposes to make state-level assessments of generative AI risks mandatory and enforce safety and privacy standards in AI services. California is also planning to establish a centralized AI research hub to collaborate across sectors.
- New York – its focus on algorithm accountability and transparency requires companies to disclose how their AI systems handle customers’ personal data. This fits with consumer protection efforts to maintain human oversight of decisions around AI algorithms.
- Florida – introduced measures on AI transparency in public and educational settings. The state is also considering regulations that require human oversight of autonomous vehicles.
Global impact: EU data protection regulations affecting Canada and the U.S.
The EU’s adequacy decision for Canada under the General Data Protection Regulation (GDPR) has been particularly important for maintaining uninterrupted data flows between the EU and Canada. This decision ensures that Canada’s data protection laws meet the EU’s stringent standards, allowing businesses to transfer personal data across borders without additional safeguards.
For the United States, the situation remains more complex. In July 2023, the EU-US Data Privacy Framework (DPF) was established, with the UK’s ‘Data Bridge’ extension to the DPF effective from October 2023. The DPF allows data transfers to organizations participating in the DPF program without the need for further transfer mechanisms. However, the DPF is not accessible for all, and many companies still rely on Standard Contractual Clauses (SCCs) and supplementary measures.
Looking ahead to 2025
Looking to next year, several key trends are emerging that could shape the legislative landscape across North America. In Canada we could see:
- Updates to privacy laws in Alberta and British Columbia
- Introduction of privacy legislation in Ontario
- Implementation and enforcement of Bill C-27 (if passed)
- More provinces aligning with Quebec’s Law 25
In the U.S. we will see:
- More states beyond the current 19 adopting privacy legislation
- More focus on AI regulation and transparency, following the direction set by California, New York, and Florida
- More focus on AI accountability and initiatives regarding how algorithms work
What it means for businesses
Organizations across Canada and the United States should prepare for evolving privacy regulations in 2025, with an emphasis on strengthening consent processes and implementing effective data minimization strategies.
It is essential for businesses to conduct Privacy Impact Assessments (PIAs) on a regular basis and ensure robust data breach plans and policies are in place. As artificial intelligence (AI) continues to shape business operations, organizations must also develop and establish clear guidelines for its responsible use, treating privacy as a key part of building and maintaining customer trust.
Success will ultimately depend on integrating these measures not individually, but as interconnected elements of a comprehensive data protection and privacy management strategy.
Privacy support and advice for 2025
The world of data protection and privacy management is changing fast. And no matter the sector, businesses need to stay updated and flexible, adapting privacy practices to meet new requirements – all while ensuring compliance with current laws.
Effective privacy management in 2025 will require a proactive approach, viewing privacy not just as a compliance obligation but a fundamental element of business strategy. This shift will place even more pressure on Privacy Officers to find trusted, experienced, and reliable sources of professional advice and expert guidance as the year unfolds.
If your organization would benefit from additional Privacy Office Support, The DPO Centre offers a range of services, including Privacy Consulting, UK and EU GDPR Representation, and Outsourced Privacy Officers.