
Fasken Noteworthy Privacy & Cybersecurity News (May 2024)


Privacy & Cybersecurity in Canada, the US and the EU

This is a monthly bulletin published by the National Privacy and Cybersecurity team at Fasken. The information contained herein includes noteworthy news, topics, discussions and cases in the privacy & cybersecurity landscape. If you have any questions about any of the topics herein, please reach out to our friendly Fasken Privacy and Cybersecurity team.

This Month’s Noteworthy News

Quebec’s Privacy Commissioner Publishes Updated Version of its Privacy Impact Assessment Guide

On April 1, 2024, Quebec’s Commission d’accès à l’information (the relevant Quebec authority regarding privacy) published an updated version of its guide for conducting privacy impact assessments (available in French only). The Commissioner advises that the guide was revised from a visual and structural standpoint, but its content remains essentially the same.

Quebec’s Regulation on Anonymization of Personal Information

Quebec’s Regulation on the anonymization of personal information (available in French only) was adopted on May 15, 2024, and will come into force on May 30, 2024. This regulation sets out the rules for anonymizing personal information as an alternative to destruction. As such, organizations that wish to anonymize personal information must first establish the purposes for which they intend to use the end result. Secondly, they must take into account the criteria derived from the EU GDPR, i.e. correlation, inference and individualization. Finally, organizations must implement a register of anonymization.

Ontario Proposes to Strengthen Cybersecurity

On May 13, 2024, the Ontario government proposed new legislation titled The Strengthening Cyber Security and Building Trust in the Public Sector Act. It aims to promote cyber security in the Ontario government and other public sector organizations. The legislation also specifically focuses on strengthening safeguards for children’s data and ensuring the ethical use of artificial intelligence.

Colorado Extends Privacy Rights to Neural Data

On April 17, 2024, Colorado enacted H.B. 1058, a bill that expands the definition of “sensitive data” in the state’s Privacy Act to include biological and “neural data” generated by the brain, the spinal cord and the network of nerves that relays messages throughout the body. This makes Colorado the first state to explicitly extend the protections of a state comprehensive privacy law to neural data.

Colorado Passes New AI Bill

In more Colorado news, on May 8, 2024, Colorado also passed a landmark AI bill. Senate Bill 205, the proposed Colorado Artificial Intelligence Act, draws from the EU AI Act in that it takes a risk-based approach to AI, establishes rules around high-risk systems, and creates requirements for when to disclose the use of AI. The bill requires both developers and deployers of AI to take “reasonable care” to prevent algorithmic discrimination in high-risk systems. A high-risk AI system is one that makes or helps make a consequential decision, such as those related to education, employment, finances, housing, health care or legal services. The proposal also puts obligations on deployers of high-risk AI systems, including risk management and governance requirements.

EU Adopts the Digital Identity Regulation

On April 30, 2024, the EU published Regulation (EU) 2024/1183, establishing the European Digital Identity Framework (the Regulation). It is set to come into force on May 20, 2024, and is intended to facilitate the digital transformation of the public sector, enabling greater access to digital services, including cross-border services. It creates a legal framework for various electronic processes, such as signatures, seals, time stamps, documents, delivery services, website authentication certificates, archiving, attribute attestation, and creation devices for signatures and seals. Businesses will benefit from easier provision of online services across Europe, as the Digital Identity Wallet ensures secure authentication for every potential customer in the EU. Each Member State will offer at least one version of the EU Digital Identity Wallet, adhering to common specifications.

European Parliament Adopts European Health Data Regulation

On April 24, 2024, the European Parliament adopted the European Health Data Space Regulation. This Regulation aims to assist in improving access to health records across the European Union and the interoperability between healthcare providers. It is also intended to help broaden the use of healthcare data for research initiatives, leading to the innovation of new medicines and medical devices. The European Council will still need to provide final approval before this becomes law, so organizations should stay tuned for further updates. 

Connecticut Passes New AI Bill

On April 24, 2024, the Connecticut Senate passed Senate Bill 2, marking a significant step toward comprehensive AI regulation in the U.S. If enacted, this bill would stand as one of the first pieces (see Colorado’s new AI bill above) of legislation governing the private-sector development and deployment of AI similar to the EU AI Act. The law would become effective February 1, 2026. 

European Data Protection Board Issues Opinion on ‘Consent or Pay’ Model

On April 17, 2024, the European Data Protection Board (“EDPB”) issued an opinion on the validity of consent in the ‘consent or pay’ model that was most notably adopted by Meta in November 2023. For those unfamiliar with the ‘consent or pay’ model, it is one where a platform gives users the choice to either use its services for free on the condition that they consent to being subject to behavioural advertising, or pay a subscription price for ad-free use. The EDPB has decided that, for most online platforms, the ‘consent or pay’ model does not comply with GDPR consent requirements “if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee”. This is something for any organization to note if it is using or considering the use of the ‘consent or pay’ model.

Maryland Passes New Consumer Privacy Law

On April 6, 2024, the Maryland legislature passed its own consumer privacy law, the Maryland Online Data Privacy Act. The law will take effect on October 1, 2025, and will be enforced as of April 1, 2026. Although the law has many similarities to the other state consumer privacy laws, there are some differences that organizations should familiarize themselves with. For now, organizations can review the current version of the bill here.

Just for fun:

If you have read this far, you will learn that some companies have ingenious strategies for encouraging users of their services to read their contractual documentation (or for proving a point). As an experiment, a U.K. think tank hid a condition within their privacy policy that said they “will send a bottle of good wine to the first person to read this.” The clause was added in February, and the think tank only received a claim in May. Ironically, it was by someone who had to write their own privacy policy and was reading others for examples.

In Case You Missed It!

The Fasken Privacy and Cybersecurity group recently published the following articles that might be of interest.

Where You Will Find Us

Members of our Privacy and Cybersecurity group will be speaking at or attending the following events in the coming months. Keep an eye out for our team and stop by to say hi!

  • NetDiligence Cyber Risk Summit, San Diego – May 20-24, 2024
  • IAPP Canada Privacy Symposium, Toronto – June 10-11, 2024
  • Supply Chain Management Association British Columbia, Vancouver – June 13, 2024
  • Fasken Labour, Employment and Human Rights BC Blockbuster, Vancouver – June 13, 2024




