Privacy & Cybersecurity in Canada, the US and the EU

This is a monthly bulletin published by the National Privacy and Cybersecurity team at Fasken. The information contained herein includes noteworthy news, topics, discussions and cases in the privacy and cybersecurity landscape. If you have any questions about any of the topics herein, please reach out to our friendly Fasken Privacy and Cybersecurity team.

This Month's Noteworthy News

EU Parliament Adopts AI Act

On March 13, 2024, the European Parliament passed the AI Act with substantial support, garnering 523 votes in favor, 46 against, and 49 abstentions. This Act will establish comprehensive regulations for AI use in the EU, a significant milestone that makes the EU the first major economic bloc to do so. Its primary aims include safeguarding fundamental rights, democracy, the rule of law, and environmental sustainability from the risks associated with high-risk AI technologies. The regulation further introduces specific obligations for AI systems based on their potential risks and impact levels.

Following this adoption, the French Data Protection authority has published practical guidelines on AI: https://www.cnil.fr/fr/les-fiches-pratiques-ia (available in French only).

United States Federal Privacy Bill Introduced

On April 5, 2024, it was reported that two key members of Congress introduced a draft bipartisan federal privacy bill. This illustrates the ongoing push of the U.S. to harmonize its national approach to privacy protections. The text of the draft bill can be found here. The bill is currently in its early stages, but is a development worth following for any organization doing business in the States.

Quebec Health Information Draft Regulations

Following the adoption of the Act respecting health and social services information in Quebec ("Act 5"), the Quebec government launched two draft Regulations:

  • On February 21, 2024, the Quebec government launched its draft Regulation respecting the application of certain provisions of the Act respecting health information and social services;
  • On March 6, 2024, it also published a second regulation called the Regulation respecting the governance of health and social services information.

The purpose of these draft regulations is to clarify the terms of certain sections of the new law governing the collection, use and communication of health and social services information in Quebec. For example, they clarify terms in the context of the individual's right that his/her personal information may be accessible to certain categories of persons, or the right to restrict access to his/her information by indicating that a particular service provider is not entitled to have access to one or more pieces of information. For more information, a specific Fasken bulletin will be published soon.

United Nations Adopts Resolution on Safe AI Use

On March 21, 2024, the United Nations adopted a resolution that promotes the use of safe, secure and trustworthy AI. The resolution speaks about the rapid technological change occurring globally, and how we must continue to respect, protect and promote human rights. This is reportedly the first time that the UN Assembly has adopted a resolution on regulating an emerging field. The UN press release can be found here.

Kentucky Passes Consumer Privacy Law

The Kentucky governor signed into law a comprehensive privacy law on April 4, 2024, becoming the 15th state to do so. The Kentucky bill contains similar terms to the Virginia privacy law, and will come into effect on January 1, 2026. The text of the bill can be found here.

Utah Passes New Privacy Amendments

In March 2024, the Utah Governor signed Bill H.B. 491, which enacted the Government Privacy Act. This bill focuses on how government bodies should be protecting privacy. The text of the Bill can be found here.

U.S. DHHS Issues Bulletin on Health Entities Using Tracking Technologies Under HIPAA

On March 18, 2024, the United States Department of Health and Human Services ("DHHS") issued a bulletin outlining the obligations of covered health entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") when using online tracking technologies, such as cookies, pixels, tags and the like. Specifically, the DHHS has clarified that regulated health entities are not permitted to use tracking technologies in a manner that would result in the impermissible disclosure of Personal Health Information to tracking technology vendors, including for marketing purposes. Any entities impacted by HIPAA should review their website and application settings to ensure that they are in compliance.

In Case You Missed It!

The Fasken Privacy and Cybersecurity group recently published the following articles that might be of interest.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.