As in previous years, our team marks Data Privacy Week with a summary of important privacy developments in Canada in 2024 and highlights what a busy electoral year could mean for Canadian privacy law in 2025.
Alberta
Privacy Breach Reporting Process Revamped
In April 2024, the Office of the Information and Privacy Commissioner of Alberta (OIPC AB) revised its privacy breach notification process. Previously, the OIPC AB would issue a Breach Notification Decision (BND) for all incidents reported to its office where the breach created a real risk of significant harm (RROSH) and would publish the BND on its website. Under the new process, a BND will only be issued if the organization has not notified affected individuals of the breach or if the notice is deficient. Additionally, BNDs will no longer be routinely published online but may be published at the discretion of the Commissioner.
Public Sector Privacy and Access Laws to be Replaced
In December 2024, the Legislative Assembly of Alberta passed two bills that will repeal and replace Alberta’s Freedom of Information and Protection of Privacy Act (AB FIPPA) with two distinct pieces of legislation, the Protection of Privacy Act (AB PPA) and the Access to Information Act (AB ATIA).
Under the AB PPA, public bodies will be subject to new privacy protection obligations, including:
- Prohibition on selling personal information in any circumstance, including for marketing or advertising purposes
- Requirement to adopt a “privacy by design” approach to program and service design
- Requirement to establish and implement a privacy management program consisting of policies and procedures to promote compliance with the AB PPA
- Obligation to notify Albertans if the public body intends to use personal information in an automated system to generate content or make decisions, recommendations or predictions
- Obligation to prepare and submit PIAs to the OIPC AB in certain circumstances
- Requirement to notify affected individuals, the OIPC AB and the Minister responsible for the AB PPA of privacy incidents where a RROSH exists
As compared with the freedom of information provisions of the existing AB FIPPA, the new AB ATIA will expand the exceptions to the general right of access to information in a public body’s custody or control, and it will provide public bodies with several new and significant powers to manage access requests. For instance, public bodies will be permitted, without OIPC AB approval, to disregard access to information requests for a variety of reasons, including if the request will unreasonably interfere with the public body’s operations, the request is repeated or systematically submitted, or the request is otherwise broad or incomprehensible. Additionally, the scope of information available to requesters will be limited to what can be provided using the public body’s standard computer hardware, software and technical expertise. There will no longer be an obligation to create documents containing information responsive to an access request — an obligation which exists in other jurisdictions.
For more information, please see our Blakes Bulletin: Alberta’s New Public Sector Privacy and Access to Information Legislation: What Businesses Need to Know.
Ontario
New Public Sector Privacy and AI Legislation
In November 2024, Ontario’s Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194) received Royal Assent. Bill 194 included amendments that will significantly reform Ontario’s Freedom of Information and Protection of Privacy Act (ON FIPPA) and will enact new legislation, the Enhancing Digital Security and Trust Act (EDSTA).
The amendments to ON FIPPA introduce several new obligations for institutions, including:
- A requirement to notify the Information and Privacy Commissioner of Ontario (IPC ON) and affected individuals of privacy incidents involving a RROSH to an individual
- A general obligation to protect personal information in the institution’s custody or control against theft, loss, and unauthorized use or disclosure, and ensure records are protected against unauthorized copying, modification or disposal
- Prior to collecting personal information, institutions must conduct a written assessment that addresses considerations prescribed in the legislation, including identifying and implementing risk mitigation steps. Such assessment must be provided to the IPC ON on request
The EDSTA will regulate the use of artificial intelligence systems by public-sector entities in Ontario. The EDSTA defines “artificial intelligence systems” as “a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments” or other prescribed systems, and applies to systems that are publicly available, developed or produced by the public-sector entity itself, or developed by third parties on behalf of the public-sector entity. The specific requirements and obligations for public-sector entities using artificial intelligence systems will be prescribed by regulations that have yet to be published.
The amendments to ON FIPPA and the EDSTA will come into force once proclaimed by the Lieutenant Governor. Elections are anticipated in Ontario in 2025, and a change in government could delay proclamation (including indefinitely).
Please see our Blakes Bulletins for more information: New Ontario Bill 194 to Reform FIPPA and Introduce Mandatory Privacy Breach Reporting and New Ontario Bill 194 to Regulate Public-Sector Use of Artificial Intelligence Systems.
SCC Clarifies Application of Charter Privacy Rights to Ontario School Boards
In June 2024, the Supreme Court of Canada (SCC) delivered its landmark decision in York Region District School Board v. Elementary Teachers’ Federation of Ontario, holding that the Canadian Charter of Rights and Freedoms applies to Ontario public school boards and that all actions carried on by Ontario public school boards.
The Elementary Teachers’ Federation of Ontario filed a grievance on behalf of two elementary school teachers who received a written reprimand for misusing technology belonging to the York Region District School Board. The teachers used a Google Drive to create a log of concerns about another teacher. An arbitrator held that teachers had a reasonable expectation of privacy in the log, which was diminished by leaving the computer open in the workplace.
Affirming the Ontario Court of Appeal’s overturning of the arbitrator’s decision, the SCC majority held that where the Charter applies, arbitrators must acknowledge and analyze Charter rights using the applicable framework. The SCC held that analyzing whether the Charter’s section 8 protection against unreasonable search and seizure has been violated involves two questions: First, whether there is a reasonable expectation of privacy, which is a contextual analysis based on the “totality of the circumstances.” Second, whether the search was reasonable, having regard to the terms of an applicable collective agreement. Arbitrators may continue to draw on existing arbitral jurisprudence regarding workplace privacy but must ensure that their analysis conforms with the section 8 framework.
For more information, please see our Blakes Bulletin: SCC Holds that the Charter Applies to Public School Boards in Landmark Decision.
Quebec
Anonymization Regulations Finalized
In May 2024, the Quebec government published the final Regulation respecting the anonymization of personal information (Anonymization Regulation), which sets out requirements for organizations subject to Quebec’s Act respecting the protection of personal information in the private sector (QC PPIPS) when anonymizing personal information. Under QC PPIPS, once the purposes for which personal information was collected are achieved, the organization must either destroy the personal information or anonymize it for use only in connection with “serious and legitimate purposes.” Such anonymization must be done in accordance with generally accepted best practices and the requirements in the Anonymization Regulation.
New Health Information Law
In July 2024, Quebec’s Act respecting health and social services information and amending various legislative provisions (HSSI) came into force, accompanied by two related regulations. The HSSI introduces a comprehensive privacy framework for health and social services information in Quebec. The HSSI applies broadly to both private and public sector bodies engaged in healthcare and creates numerous obligations similar to the obligations under QC PPIPS.
Data Portability
In September 2024, the remaining amendments to QC PPIPS created under An Act to modernize legislative provisions as regards the protection of personal information came into force. This included the “data portability right,” which enables individuals to require an organization to communicate “computerized personal information” to the individual or another person or body authorized by law to collect it in a structured and commonly used technological format. “Computerized personal information” refers to personal information that is organized and structured using information technology (i.e., information stored on paper would not be in scope). Additionally, this right only applies to personal information that is collected from the applicant, not created or deduced from other personal information.
Please see our Blakes Bulletins for more information regarding the Anonymization Regulation, the HSSI, or the new data portability right under QC PPIPS: Privacy Update: Quebec Publishes Final Anonymization Regulation, Quebec’s Comprehensive Health Information Privacy Law Comes Into Force, and New Data Portability Right in Force in Quebec.
Federal
Prorogation of Parliament Ends Federal Privacy Law Reform Efforts
On January 6, 2025, Prime Minister Trudeau prorogued federal Parliament, which effectively terminated all bills before the House of Commons and the Senate. Notable privacy and data-related bills impacted by prorogation include:
- Bill C-26, which would have enacted the Critical Cyber Systems Protection Act
- Bill C-27, which if passed would have significantly reformed federal private sector privacy laws and introduced the Artificial Intelligence and Data Act
- Bill C-63, which if passed would have enacted the Online Harms Act
If the current Parliament continues, these bills would need to be reintroduced by the government in the next session. However, elections are expected to be triggered in the Spring and must take place by October. It is difficult to predict what privacy reforms the government may propose in the next Parliament.
See our Blakes Bulletins for more information regarding Bill C-26, Bill C-27 or Bill C-63: Canadian Cybersecurity Law Update: Bill C-26 Gains Momentum in the House of Commons, Privacy Reform Redux: New Federal Bill Set to Reform Canada’s Private-Sector Privacy Law, and Canada’s Bill C-63: Online Harms Act Targets Harmful Content on Social Media.
For further information, please contact the authors or any other member of our Privacy & Data Protection group.
Related Insights
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at communications@blakes.com.
© 2025 Blake, Cassels & Graydon LLP
