Data Privacy Day 2025: A Time to Reflect and Project
Jan 28, 2025
published in
Privacy, Data and Information Security
Nadia Jandali Chao
Partner
Data Privacy Day offers a valuable opportunity to pause and reflect: on what privacy means, on what has transpired over the last year, and on current trends and opportunities. It is also an important opportunity to look ahead and consider what the future holds.
Looking Back
In 2024, I had the opportunity to speak at various events addressing the velocity of change in the privacy law space. From a Canadian perspective, one key driver of that change came to a screeching halt on January 6, 2025, when the federal government prorogued Parliament, bringing some important privacy, AI and cybersecurity related bills (Bill C-27, Bill C-26, and Bill C-72) to an end. Despite this setback, progress was still made throughout 2024. Here is a quick rundown of what happened last year:
In 2022, Canada introduced Bill C-27, the Digital Charter Implementation Act. It had three parts: (1) the Consumer Privacy Protection Act, a new privacy law to replace Part I of PIPEDA (Protection of Personal Information) in an effort to modernize Canada’s approach to the handling of personal information and bring it in line with global trends; (2) the Personal Information and Data Protection Tribunal Act, which proposed to establish an independent body to hear appeals of findings or orders of the Privacy Commissioner of Canada and to address recommendations regarding administrative monetary penalties; and (3) the Artificial Intelligence and Data Act, which was Canada’s first attempt to regulate use of AI in the private sector. Through 2024, Bill C-27 was with the Committee on Industry, Science and Technology for a public consultation process in which over 130 witnesses testified and over 110 written briefs were submitted for consideration. In the spring of 2024, the Committee moved to a clause-by-clause review of the bill before breaking for the summer. When the House returned in the fall, the cooperation agreement between the governing Liberals and the NDP had broken down and it appeared an election was imminent. At that point, progress on Bill C-27 ground to a halt, culminating in the bill dying when Parliament was prorogued on January 6, 2025, ultimately suffering the same fate as its predecessor, Bill C-11. Therefore, once again, efforts to modernize PIPEDA are at a standstill. For now, we can only hope that the progress made with Bill C-27, which built on prior work through Bill C-11, will result in better informed and more efficient future reform efforts.
The federal government also made good progress in advancing a cybersecurity law (Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts) which proposed to: (i) amend the Telecommunications Act to give the government more authority over telecommunications service providers; and (ii) enact the Critical Cyber Systems Protection Act to create a framework for the protection of the critical cyber systems of services and systems. This Bill made it all the way to third reading in the Senate, but the discovery of a technical (numbering) error required that it be sent back to the House in late December. Parliament was prorogued before the issue could be addressed, so it, too, has now died. It is possible for a bill to be reinstated, at the start of a new session, to the same stage it was at in the previous session, on unanimous consent. Perhaps we will see that approach adopted for Bill C-26, given the strong support it had.
Ontario, on the other hand, was more successful at advancing legislation in 2024 by taking the strategy of “something is better than nothing” to the extreme. In May 2024, the Ontario government tabled Bill 194 which included two parts: (1) amendments to the public sector privacy law (Freedom of Information and Protection of Privacy Act) to modernize the very outdated regime (incorporating requirements for privacy impact assessments, breach reporting and bestowing on the regulator more enforcement authority); and (2) the introduction of a new law, the Enhancing Digital Security and Trust Act, 2024, which will impose on public sector entities requirements related to cybersecurity and AI. Bill 194 passed in November and has received Royal Assent so now we wait on it to be proclaimed into force. The new Act just sets out some high-level requirements with all the details to come by way of regulation and/or directives. So, at this point, the scope of its impact is very unclear.
The final piece of Quebec's Law 25, the right to data portability, came into force in September 2024.
In Alberta, the Standing Committee on Resource Stewardship began a review of its private sector privacy law in January 2024. This process is expected to wrap up sometime in the middle of 2025.
Some of the common trends emerging from legislative reform efforts across Canada, which align with broader global trends, are: directly addressing anonymization and/or de-identification (definitions, standards, and application of the law to this form of information); requirements to implement privacy management programs and conduct privacy impact assessments; and additional enforcement powers for regulators, including the ability to impose administrative monetary penalties on organizations who fail to comply with applicable legislation.
Regulators were also busy in 2024. A few key highlights were as follows:
In November, the Ontario and BC Privacy Commissioners issued their Joint Investigation Report into LifeLabs Data Breach.
Privacy regulators from across Canada issued a Joint Resolution calling for action on the growing use of deceptive design patterns.
In June, the UK Information Commissioner’s Office (UK ICO) and Canada’s Office of the Privacy Commissioner (OPC) launched a joint investigation into the data breach that happened in October 2023 at the global direct-to-consumer genetic testing company 23andMe.
Canada’s OPC published the Joint Statement on a Common International Approach to Age Assurance, a product of the International Age Assurance Working Group (led by the UK ICO).
One obvious trend that is reflected in the above is that regulators from different jurisdictions, nationally and internationally, are collaborating on common issues more than ever before.
Looking Forward
What does this all mean for 2025? I am currently tracking three key issues:
1. How can we balance the development of AI with privacy laws?
With AI systems becoming increasingly capable of processing vast amounts of personal data, there is a growing concern about how to ensure privacy while still enabling innovation. In 2025, will AI developers be able to comply with evolving privacy regulations while pushing the boundaries of AI technology? What impact will the new Enhancing Digital Security and Trust Act, 2024 have in Ontario? And which other Canadian jurisdictions will pass AI related laws in 2025?
2. What new cybersecurity strategies will be needed to defend against AI-driven cyberattacks?
As AI technologies improve, they can both aid in defending against cyber threats and be used to launch more sophisticated attacks. In 2025, how will organizations adapt their cybersecurity strategies to protect against AI-enhanced malware, phishing, and other forms of cybercrime? What role will AI itself play in strengthening defense mechanisms?
3. Can AI-driven privacy tools and technologies effectively preserve user privacy without compromising functionality?
Privacy-enhancing technologies (PETs), such as homomorphic encryption, federated learning, and differential privacy, are designed to allow organizations to use and analyze data while minimizing the risk of exposing personal information. On one hand, AI-driven advancements could improve the capabilities of PETs, making them more efficient and scalable. On the other hand, AI's increasing ability to analyze vast amounts of data creates privacy risk, such as when AI models learn to infer sensitive information from anonymized datasets. As a result, companies will need to closely monitor and evolve their use of PETs in AI contexts to ensure that they can both protect privacy and leverage data for business insights in compliance with privacy requirements.
Strategies to Adopt Now
How should companies prepare for the issues that we can see coming in 2025 and beyond? Here are two ideas to consider:
Integrate Governance: As legal frameworks for privacy, AI, and cybersecurity continue to evolve, companies should adopt integrated governance practices to manage risk. One effective strategy is to align and unify governance efforts across these domains, to ensure issues are addressed in a consistent manner. For example, an integrated risk assessment framework can be applied across all three areas, allowing businesses to identify and address related threats or gaps in a consistent and holistic manner. The same is true for vendor diligence and incident management. This trend is already well underway. As noted in the IAPP-EY Professionalizing Organizational AI Governance Report, “… 63% of organizations have tasked their privacy functions with AI governance responsibility. In some cases, the extension is even broader to include digital safety and ethics.”[1]
Lean into Automation: It is becoming increasingly important to leverage software tools that automate many of the compliance and governance tasks related to privacy, AI, and cybersecurity. Automation can significantly improve efficiency, consistency, and accuracy in managing complex and often overlapping regulatory requirements. For example, these tools can help streamline tasks like data classification, privacy impact assessments, and AI model auditing, ensuring these activities are conducted in line with regulatory standards. Additionally, automation can enhance incident management by providing real-time alerts, tracking compliance deadlines, and even suggesting corrective actions based on the latest regulatory changes. By adopting such software tools, companies can reduce the manual workload associated with regulatory compliance, improve response times to potential issues, and maintain a proactive approach to emerging risks.
As we move further into 2025, it’s more critical than ever to stay informed, adapt quickly, and align your strategies with the evolving regulatory landscape. Whether you're managing data privacy, navigating AI, or enhancing cybersecurity protocols, now is the time to act.
Reach out if you need guidance on how to navigate this evolving landscape and stay tuned for more updates as we continue to track these important issues and help you stay ahead of the curve in an ever-changing legal environment.
[1] https://iapp.org/resources/article/organizational-digital-governance-report/