Privacy & Cybersecurity #32
Canada Moves Cyber Bill C-8 | Canada–EU Digital Pact | G7 on Privacy & Innovation | Ireland Cyber Guide | Belgium DPA 2024 Report | U.S. Fair Use Order in Anthropic Case
🇨🇦 Canada Reintroduces Federal Cybersecurity Bill as C-8
On 10 June 2025, Canada’s House of Commons passed Bill C-8, An Act respecting cybersecurity, at first reading. This legislation reintroduces, with refinements, the cybersecurity framework previously set out in Bill C-26. Bill C-8 will proceed to second reading, followed by committee review.
The earlier version of the proposal was covered in a prior edition of this newsletter when it was returned from the Senate to the House of Commons with amendments: Canadian Cybersecurity Bill C-26 Returned with Amendments.
Bill C-8 mirrors the structure of C-26 and consists of two main components:
Amendments to the Telecommunications Act
The amendments authorize the Governor in Council (i.e., the federal Cabinet acting through the Governor General) and the Minister of Industry to issue binding directions to telecommunications service providers in the interest of national security. These directions may include prohibitions on the use of specific products or services, requirements to suspend services to designated individuals or organizations, and obligations to implement mitigation measures addressing cybersecurity vulnerabilities.
The amendments:
Formally recognize national security as a policy objective of the Telecommunications Act;
Establish a legal framework for issuing, enforcing, and appealing such directions;
Provide for the confidentiality of related orders;
Grant authority for inspections and enforcement related to compliance.
The Critical Cyber Systems Protection Act
Part 2 of the Bill enacts the Critical Cyber Systems Protection Act. This new statute applies to operators designated by the government as responsible for “vital services and systems” across federally regulated sectors such as finance, telecommunications, energy, and transportation. Once designated, these operators are subject to legally binding obligations in the areas of cybersecurity program governance, risk mitigation, reporting, and compliance oversight.
The CCSPA imposes duties on designated operators, including specific timelines for compliance activities:
Cybersecurity Program:
A designated operator must develop and implement a cybersecurity program within 90 days of receiving notice of designation, unless a shorter period is prescribed by regulation. The program must:
Identify and manage organizational cybersecurity risks;
Include measures for protecting critical systems;
Establish controls to detect, prevent, and respond to incidents;
Provide for internal oversight, employee training, and program evaluation.
Supply Chain and Third-Party Risk Management:
Operators must assess and mitigate risks associated with their supply chains, including products and services that support critical cyber systems. This includes ensuring that procured technologies and outsourced services meet minimum security requirements.
Incident Reporting to CSE:
A designated operator must report any cybersecurity incident affecting its critical systems to the Communications Security Establishment (CSE) within 72 hours or such a shorter period as may be prescribed by regulation. The report must enable CSE to exercise its functions related to national cybersecurity coordination and threat response.
Regulator Notification (Section 18):
Immediately after submitting the report to CSE, the operator must:
Notify the appropriate regulator that a report was made;
Provide a copy of the incident report to the regulator, in accordance with regulatory form and manner requirements.
CSE-Agency Coordination (Section 19):
CSE is required to share incident reports or relevant portions with the appropriate regulator without delay upon request, enabling verification of compliance or enforcement actions under the Act.
Ministerial Orders (Sections 14–15):
Responsible ministers may issue directions to designated operators, requiring them to take specific actions to address deficiencies in their cybersecurity programs or other compliance failures. Operators must comply with such orders within prescribed timeframes.
Recordkeeping and Inspections (Sections 21–27):
Designated operators must retain records demonstrating compliance with the Act and cooperate with inspections conducted by regulatory authorities. Inspectors are granted extensive powers, including access to facilities, records, and technical systems, subject to privacy and privilege protections.
Substantively, Bill C-8 retains the core features and policy direction of former Bill C-26. The overall regulatory architecture—designation of operators, incident reporting to CSE, ministerial directions, supply chain oversight, and enforcement powers—is unchanged. There is no indication that C-8 introduces any policy reversals or substantive changes to the designation or compliance criteria established in C-26. Rather, the updates serve to clarify interpretation, improve operational feasibility, and ensure legal precision in preparation for eventual implementation.
Non-compliance with the Act or related ministerial orders may give rise to administrative penalties or, in more serious cases, criminal liability. The framework includes protections for the confidentiality of sensitive security-related information and sets out procedures for appeals and judicial review.
Recommendations for Businesses
Determine whether your organization is likely to be designated as an operator of a vital service. Consider dependencies on critical infrastructure and supply chains.
If not already in place, develop or update a cybersecurity program aligned with NIST, ISO 27001, or other relevant frameworks.
Begin identifying external providers, software tools, and hardware components critical to system operations, particularly those from high-risk jurisdictions.
Ensure procedures are in place for timely detection and reporting of incidents to CSE, as well as internal escalation protocols.
Legal and compliance teams should monitor the development of implementing regulations and consider participating in any consultation processes.
🇪🇺🇨🇦 EU and Canada Deepen Cybersecurity and Digital Policy Cooperation under New Strategic Partnership
Brussels, 23 June 2025 – At the 2025 EU–Canada Summit, leaders adopted a comprehensive joint statement launching an expanded bilateral agenda. Of particular relevance to the privacy and cybersecurity community is the reinforced cooperation on digital regulation, cybersecurity, artificial intelligence, and cross-border data governance.
Key Cybersecurity and Digital Commitments
1. Canada–EU Digital Partnership Advances
The parties reaffirmed and expanded the Canada–EU Digital Partnership, announcing that the first Digital Partnership Council will be held later this year. Priority areas include:
Cybersecurity and Secure Communications: Joint work on advanced connectivity, trusted communication infrastructure (including 5G and subsea cables), and resilience of tech supply chains.
AI Governance and Safety: Regulatory cooperation will include alignment of AI standards and certification frameworks, with a view to mutual recognition of AI product certifications under CETA’s Protocol on Conformity Assessment.
Platform Regulation and Digital Identity: The parties aim to promote safer online platforms, establish interoperable digital identities and credentials, and counter foreign information manipulation and interference (FIMI).
Research Cooperation: Emphasis was placed on cross-border collaboration in cybersecurity, AI, quantum science, and researcher mobility under Horizon Europe and the EU–Canada Science and Technology Agreement.
2. Supply Chain and Technology Security
The statement emphasized the importance of securing strategic digital supply chains, notably for:
Semiconductors and Supercomputing
AI infrastructure (“AI Factories”)
Critical Raw Materials for digital and green technologies
These priorities align with the EU’s broader efforts to reduce dependency on third-country technology inputs and enhance transatlantic resilience.
3. Defense and Cyber Capabilities
Under the new EU–Canada Security and Defence Partnership, the parties agreed to:
Expand cooperation in cyber defense and resilience against hybrid threats
Increase interoperability of cyber capabilities in the context of collective security
Explore joint defense procurement arrangements and participation in EU PESCO projects with cybersecurity components
4. Regulatory Alignment and Privacy Cooperation
Although the joint statement does not amend existing data protection frameworks, it underscores efforts to:
Deepen regulatory alignment between the EU and Canada, including for emerging digital technologies
Finalize a renewed Competition Cooperation Agreement that includes privacy safeguards for shared enforcement data
No changes were announced regarding the status of adequacy or data transfer frameworks between Canada and the EU, but the collaborative tone and focus on trust-enhancing technologies (e.g., certification, digital ID) suggest a foundation for deeper alignment over time.
G7 Data Protection Authorities Call for Privacy by Design to Enable Responsible Innovation and Protect Children
On 19 June 2025, the G7 Data Protection and Privacy Authorities (DPAs) released a joint statement reaffirming their support for integrating privacy protections into the design and deployment of emerging technologies. This builds on their October 2024 Action Plan adopted in Rome and underscores the critical role of privacy in enabling responsible innovation—particularly in relation to technologies impacting children.
The statement positions privacy as both a legal obligation and a driver of market trust and adoption. Authorities stress that users are more likely to engage with new technologies when privacy protections are clearly communicated and embedded from the outset. Transparent data practices, user-friendly controls, and accurate disclosures are viewed as essential components of a trustworthy digital environment.
Recommendations for organizations include:
Designing technologies to reflect reasonable user expectations;
Communicating data practices clearly, without relying on complex or hidden settings;
Ensuring meaningful choices where data processing could depart from those expectations;
Considering privacy as a continuous process, not a one-time compliance exercise.
The G7 DPAs highlight children’s particular vulnerability to online harms and deceptive design, noting the ubiquity of technology use among minors in G7 countries. They affirm that children deserve strong, age-appropriate safeguards and stress that innovation targeting children must center their best interests. The statement refers to several international standards, including the OECD Recommendation on Children in the Digital Environment and the UN Convention on the Rights of the Child.
Recommended measures include:
Turning off or limiting tracking for known child users;
Communicating with children and parents in accessible language;
Avoiding design patterns that undermine informed choices;
Conducting privacy impact assessments tailored to children;
Implementing age assurance in a proportionate, risk-based manner.
The statement endorses ongoing international cooperation on age assurance frameworks, referencing the Joint Statement on a Common International Approach to Age Assurance and the EDPB Statement on Age Assurance. Both emphasize the need for safeguards that are proportionate to risk and compliant with privacy principles.
Operationalizing Privacy by Design
To help operationalize these goals, the G7 DPAs propose a five-part approach:
Necessity Assessment – Determine whether personal data processing is essential to the product.
Privacy Risk Assessment – Identify and periodically re-evaluate privacy risks.
Design Mitigations – Use privacy-enhancing technologies and controls to mitigate risks.
Rights Enablement – Build features that allow users to exercise their data rights easily.
Continuous Monitoring – Reassess risk mitigations over time and improve where needed.
Authorities also reaffirm their role in supporting organizations, through both guidance and enforcement, in meeting privacy expectations even in jurisdictions where “privacy by design” is not a legal requirement.
🇪🇺🇬🇧 EU Extends UK GDPR Adequacy Decision Until December 2025
On 24 June 2025, the European Commission adopted Implementing Decision (EU) 2025/1226, extending the validity of the UK's adequacy decision under the GDPR until 27 December 2025. This decision amends the original Implementing Decision (EU) 2021/1772, which was set to expire on 27 June 2025.
The extension allows the Commission additional time to assess whether the UK continues to provide an adequate level of protection for personal data transferred from the EU, as required under Article 45(3) of the GDPR. The key reason for the extension is the pending conclusion of the UK's domestic legislative process, particularly the adoption of the Data (Use and Access) Bill.
The Commission emphasized that such an assessment must be based on a stable legal framework, and therefore deferred its decision until the UK reforms are finalized. The European Data Protection Board (EDPB) issued an opinion (6/2025) supporting this cautious approach, which the Commission took into account.
Until the new expiry date of 27 December 2025, data transfers from the EU to the UK can continue under the current adequacy decision, except for data transferred for UK immigration control purposes, which remains excluded from the adequacy scope.
🇮🇪 Ireland Launches Cyber Fundamentals Framework and Updated Guidance for Organizations
On 25 June 2025, Ireland’s Department of Justice and National Cyber Security Center (NCSC) introduced a new Cyber Fundamentals Framework, along with updated guidance for organizations handling personal data. The initiative is intended to streamline cybersecurity obligations and support compliance with the GDPR and national laws.
The Cyber Fundamentals Framework is a tiered, risk-based structure aimed primarily at small and medium-sized enterprises (SMEs), charities, and organizations outside critical national infrastructure. It provides security expectations in three ascending tiers: Basic, Intermediate, and Advanced. Each tier defines achievable security measures proportionate to the organization’s risk exposure and operational complexity.
This Framework is complemented by new Guidance on Cybersecurity Measures, published by the Department of Justice. It clarifies expectations under GDPR Article 32 (security of processing) and aligns with existing EU-level recommendations. It emphasizes:
Proportionality of security measures to risk
The importance of governance, access control, encryption, and vulnerability management
Integration with accountability and data protection by design principles
The guidance also addresses common questions from data controllers and processors, especially those in the voluntary and community sectors, educational institutions, and SMEs.
These resources are part of the Irish government’s broader commitment to bolster cybersecurity maturity and regulatory clarity. The Department highlights that adopting the Cyber Fundamentals Framework may assist organizations in demonstrating compliance with legal requirements and protecting personal data against cyber threats.
Recommendations for Businesses
Review the tiered Cyber Fundamentals Framework to assess which level applies to your organization.
Align internal security practices with the updated guidance to meet GDPR obligations.
Consider using the Framework as part of evidence in regulatory compliance documentation, such as DPIAs or vendor assessments.
🇧🇪 Belgium DPA Highlights Data Broker Enforcement, AI Guidance, and DPO Focus in 2024 Report
The Belgian Data Protection Authority (Gegevensbeschermingsautoriteit – GBA) has published its 2024 annual report, outlining key enforcement actions, regulatory developments, and guidance initiatives. The report reflects a continued emphasis on transparency, responsible AI practices, and the strategic role of Data Protection Officers (DPOs).
Key Enforcement Actions and Guidance
Data Broker Sanction: In January 2024, the GBA imposed a fine of €174,640 on Black Tiger Belgium (formerly Bisnode) for unlawful data enrichment practices and lack of transparency in informing data subjects. The case highlights the GBA’s scrutiny of profiling and indirect data collection without adequate notice or legal basis. The company’s reliance on legitimate interest was found insufficient where data subjects had no knowledge of the processing.
AI Model Training Case: In Decision 46/2024, the GBA evaluated the use of customer transaction data by a bank to train AI models for personalized discounts. The reuse was found to be compatible with the original processing purpose under the legitimate interest ground, provided safeguards were in place, such as pseudonymization and opt-out options. The decision offers one of the clearest signals yet from a European DPA on the conditions under which AI training may be permissible under the GDPR.
Cookie Banner Enforcement: The GBA issued corrective orders and financial penalties against RTL and Mediahuis over deceptive cookie consent interfaces. Both cases emphasized the illegality of "nudging" users into consent through design tricks and reaffirmed that non-essential cookies must be rejectable on the first layer of the banner.
Freedelity Sanction: The company was ordered to amend its eID-based customer database practices due to excessive data collection and lack of demonstrable consent. The GBA imposed a corrective order with a daily penalty of €5,000, capped at €100,000.
AI and “Smart Cities” as Strategic Priorities
In line with its strategic plan, the GBA focused on the privacy implications of AI systems and “smart city” deployments:
The Inspection Service initiated multiple investigations into AI use cases, particularly LLMs and predictive analytics.
The GBA contributed to EDPB guidelines on anonymization and pseudonymization techniques.
A dedicated “Smart Cities” colloquium was held, engaging public and private stakeholders on privacy-by-design in urban data governance.
Emphasis on DPO Support and Oversight
The GBA considers DPOs essential partners in ensuring compliance:
A national DPO event was held in February 2024, highlighting operational expectations and cross-functional collaboration.
The Inspection Service reported recurring issues, including insufficient DPO independence, dual roles creating conflicts of interest, and inadequate involvement of DPOs in decision-making processes.
Procedural and Institutional Developments
In June 2024, amendments to the GBA’s founding law entered into force. These include a more centralized governance model and explicit authority for pre-submission questions in complaint handling.
The internal reorganisation continued with the aim of streamlining the decision-making process and aligning operational procedures with enforcement priorities.
Figures for 2024
1,455 personal data breaches were notified, up 13% from 2023. Nearly 40% stemmed from human error; 35% from cyberattacks.
837 complaints and 243 mediation requests were received; 157 inspections were initiated, up 83% from the previous year.
310 legal opinions were issued by the Advisory Service, many addressing smart infrastructure, eID use, and data exchange in the public sector.
Total fines issued: €708,371.
DPO registrations stood at 9,491 active records by year-end, with 1,266 new or updated notifications during the year.
🇮🇹 Italy: Garante Fines Interflora €40,000 for Unlawful Marketing and Consent Practices
On 13 March 2025, the Italian Data Protection Authority (Garante) issued a €40,000 fine against Interflora Italia S.p.A. for multiple GDPR and national law violations stemming from its promotional SMS practices and deficient consent mechanisms.
The enforcement action followed a complaint submitted in February 2023, in which a customer reported receiving repeated marketing messages without the possibility to opt out. Although purchases were made as a guest (i.e. without registering an account), users were required to provide a mobile number to complete the order. The privacy notice referenced only email marketing and did not indicate SMS use. The complainant’s request to stop the messages and to clarify the legal basis went unanswered.
The Garante’s own investigation, including simulated purchases, revealed:
Mobile phone numbers were collected with a service-related justification (“to allow delivery”), but were used for marketing.
There was no opportunity to opt out or give specific consent for SMS marketing.
Interflora failed to respond to both the complainant and the Garante in a timely manner.
The Garante found breaches of the following provisions:
Article 6(1)(a) GDPR and Article 130(2) of the Italian Privacy Code: promotional SMS were sent without valid consent.
Articles 5(1)(a) and (b) GDPR: the data collection lacked transparency and purpose limitation, misleading users about the reason for collecting their mobile number.
Articles 12(3), 15, and 21 GDPR: failure to respond to data subject requests and to implement a proper opt-out mechanism.
Although the company later revised its procedures—adding opt-in consent boxes, suspending promotional SMS, deleting improperly collected contacts, and retraining staff—the Garante highlighted the systemic deficiencies and the long delay in remedial action. The violations affected not just the complainant but potentially all Interflora e-commerce customers.
Recommendations for Businesses
Ensure marketing communications rely on valid consent when required, particularly for channels such as SMS.
Review user interface design for transparency and ensure data collected for service delivery is not repurposed without consent.
Maintain active monitoring of designated communication channels, such as the DPO contact and official company PEC email.
React promptly to data subject requests and regulatory inquiries.
Document and periodically audit the legal basis for all processing activities, especially in e-commerce flows.
🇷🇴 Romanian DPA Fines Online Retailer for Cookie Consent Breach
The Romanian Data Protection Authority has issued a fine of 5,000 RON (approximately €1,000) to SC Kashto Concept SRL, following an investigation into unlawful cookie practices on the company’s website. The enforcement action was based on a violation of Article 4(5) of Law no. 506/2004, which transposes the ePrivacy Directive into Romanian law.
The investigation was triggered by a data subject complaint. During the inquiry, the DPA found that non-essential cookies were being stored on the operator’s website without prior user consent. Furthermore, the company was unable to demonstrate that valid consent had been obtained from users before deploying such cookies.
The ANSPDCP (the Romanian DPA) clarified that the cookies in question were not technically necessary for the functioning of the website, and that the company failed to establish any lawful justification for their use under the applicable legal framework. The fine was paid voluntarily by the operator.
The decision reaffirms that ePrivacy obligations around cookie usage apply independently of the GDPR and are actively enforced by national authorities:
Article 4(5) of Law no. 506/2004 requires prior consent before the placement of any cookies that are not strictly necessary for providing an information society service explicitly requested by the user.
The failure to obtain or demonstrate valid consent is sufficient to trigger sanctions, even where the underlying website operates at a modest commercial scale.
The case exemplifies the low evidentiary threshold for enforcement under ePrivacy rules—organizations must be able to show both the presence of a compliant consent mechanism and evidence that consent was actually obtained.
This enforcement reflects a broader trend across EU member states, where data protection authorities are intensifying scrutiny over cookie banners and tracking technologies. It also illustrates that even small online retailers are subject to full compliance obligations.
Recommendations for Businesses
Conduct a cookie audit to identify and categorize all tracking technologies used on websites and apps.
Implement a consent management platform that ensures non-essential cookies are only activated after explicit, opt-in consent.
Maintain records of consent in line with accountability principles—who consented, when, and for what purpose.
Regularly review cookie banners and privacy policies to ensure clarity, accessibility, and alignment with the latest regulatory expectations.
🇸🇮 Slovenia: DPA Finds Employer Breached GDPR by Redirecting Ex-Employee’s Email
On 20 March 2025, the Slovenian Information Commissioner (IP) issued Decision No. 0600-43/2024/12, finding that an employer unlawfully redirected the email of a former employee, thereby violating the GDPR.
The investigation stemmed from a complaint filed by a former employee on 2 October 2024. She alleged that her employer continued to redirect emails sent to her former work email address, long after her departure on 1 April 2022. The redirection was set up to forward incoming messages to the email address of the company’s director.
The IP confirmed that:
The redirection remained active until 8 October 2024.
The email address constituted a personal data point, as it could identify the complainant.
The redirection amounted to processing of personal data, requiring a valid legal basis under Article 6(1) GDPR.
The employer did not demonstrate any valid legal basis for the redirection. It argued that the complainant had “implicitly consented” by continuing to use the address as a secondary email reference and that the redirection was needed to prevent financial harm to clients. However, the IP rejected this, noting:
No informed, specific, and unambiguous consent was obtained.
The employer failed to conduct a legitimate interests assessment under Article 6(1)(f).
Less intrusive alternatives were available, such as automated bounce-back messages suggesting alternative contact information.
The IP also considered whether to allow a supplementary claim regarding alleged unlawful retention of archived emails. It declined, finding this issue was materially different and would require a separate investigation.
Outcome
The IP found a violation of Article 5(1)(a) and Article 6(1) GDPR (lawfulness principle).
It did not order corrective measures, as the unlawful redirection had already ceased.
Each party was instructed to bear its own procedural costs.
Recommendations for Businesses
Develop and enforce a clear offboarding protocol for deactivating work email accounts.
Avoid forwarding ex-employee communications without explicit consent or clear legal justification.
Use auto-reply messages to inform senders of updated contact information, minimizing privacy intrusions.
Review internal practices for email retention and archiving to ensure alignment with GDPR principles, especially data minimization and storage limitation.
Court Distinguishes Between Lawful and Unlawful Copying in Anthropic AI Copyright Ruling
On June 23, 2025, the U.S. District Court for the Northern District of California issued an Order on Fair Use in Bartz et al. v. Anthropic PBC. The case addresses Anthropic’s copying of millions of books—both lawfully purchased and pirated—for use in training its Claude AI models and in maintaining a central research library.
In this order, Judge William Alsup partially granted Anthropic’s motion for summary judgment, holding that certain uses—such as training large language models on lawfully acquired books and format-shifting print books for internal use—qualified as fair use. However, the court found that Anthropic’s acquisition and indefinite retention of pirated books could not be justified under the fair use doctrine, and denied summary judgment on those claims.
The court evaluated fair use separately for three distinct types of copying:
Training LLMs on Copyrighted Works. The court held that using books to train Claude and its underlying large language models (LLMs) was “spectacularly” transformative and therefore a fair use under Section 107 of the Copyright Act. The training process involved compressing books into statistical representations that helped the model generate new, non-infringing outputs.
Crucially, the plaintiffs did not allege that Claude’s responses reproduced their texts or imitated their expressive styles. Because no infringing outputs were shown or alleged, the use of the books for training was deemed lawful—even when entire works were used.
Scanning Purchased Print Books for Internal Use. Anthropic’s digitization of lawfully purchased books, involving destructive scanning and replacement of each print copy with a digital version, was also found to be fair use. The court distinguished this from unauthorized duplication or distribution, reasoning that format-shifting for internal use enhanced storage and searchability and did not create additional copies. Importantly, the court treated this format-shifting as a standalone fair use, not merely incidental to LLM training. The digital versions remained internal and were not redistributed, which weighed in favor of fair use.
Acquisition and Retention of Pirated Copies. In contrast, the court ruled that Anthropic’s downloading of over seven million pirated books—many of which were never used for training—was not fair use. The company had deliberately sourced books from pirate libraries to avoid licensing burdens, retaining them indefinitely as part of a central research library. The court found this conduct unjustifiable: the act of piracy was not transformed merely by the potential future use of some works for LLM training. Retaining pirated works for general-purpose reference, especially when lawful alternatives were available, was held to directly displace the legitimate market and to contravene the Copyright Act.
The court emphasized that fair use must be evaluated based on the objective use of each copy, not the user’s subjective intent, and weighed the four statutory factors as follows:
Purpose and character of the use: Training LLMs was compared to human learning and ruled to be transformative because it did not supplant the market for the original works. In contrast, building a general-purpose library from pirated materials was not transformative.
Nature of the copyrighted work: All books at issue were expressive works, favoring the plaintiffs on this factor. However, the court found this was outweighed by the transformative character of the LLM training and format-shifting uses.
Amount and substantiality of the portion used: Even though Anthropic used entire works, this was deemed proportionate to the training purpose. For pirated books, however, copying entire texts for uncertain future use was excessive and unjustified.
Effect on the market: The court rejected plaintiffs’ claim to a licensing market for AI training data as too speculative. However, it held that piracy did displace the actual market for authorized copies, and that such displacement could not be excused by future intentions.
While the court granted summary judgment for Anthropic on the issues of training and format-shifting, it denied judgment on the pirated books. A trial will follow to determine damages for infringing uses, including whether the infringement was willful.
***
Direct your questions to groundcontrol@kepler.consulting.
Until the next transmission, stay secure and steady on course. Ground Control, out.