Taming the AI Beast: A Risk-Based Guide to Smarter AI Governance
This article examines the EU AI Act, which introduces a risk-based regulatory framework for artificial intelligence (AI) by categorizing applications into four risk levels: unacceptable, high, limited, and minimal risk. It highlights the need to balance innovation and safety, particularly for high-risk systems that require stringent compliance measures. Additionally, the article discusses tiered regulations for general-purpose AI models based on their risks. Ultimately, the EU AI Act aims to create a secure environment for AI innovation while providing clear guidelines to protect users and adapt to evolving technologies.
Pack Your Digital Bag, Because Law 25’s Data Portability is Finally Here
Quebec's Law 25 now includes the right to data portability. This article explains what that right is and how to implement it in compliance with the legislation, and sets out 10 practical action items to get you started on your data portability journey.
Third-Party Cookies are Here to Stay (and Play) Inside Google’s Privacy Sandbox
Google's plan to follow other major browsers such as Safari and Firefox and remove third-party cookies (TPCs) from Chrome has come to a crashing stop. The decision to keep TPCs in Chrome is the culmination of years of back-and-forth on Google's end (since 2020); Google has ultimately decided to simply enhance its privacy settings without losing an advertising penny from its large pockets. Its solution: the Privacy Sandbox.
Use of AI in the Workplace
With the increased use of AI, particularly in the workplace, and legislation on the way (whether or not legislation governs the use of AI right now), your business is exposed to risk if you do not regulate how your employees use it.
Think Again: Breach Notification is Required
Breach notification plays out differently across sectors in Ontario. From health legislation to municipal regulations, incident obligations vary and sometimes operate in a gray area or piggyback on "best practice" approaches.
Hashing Isn’t a Magic Cloak: Why Data Remains Unmasked
Hashing is a popular tool in business data analysis, widely assumed to convert personal data into an anonymous format. Hashed data is not truly anonymized, however: when the inputs come from a small or predictable space (email addresses, phone numbers, postal codes), an attacker can hash candidate values and match them against the dataset to re-identify the originals. To protect personal data, hashing should be used alongside other methods such as encryption and tokenization, with a clear understanding of the applicable privacy regulations and best practices. This article explores more robust techniques to protect your data assets while maintaining privacy and security.
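As an added illustration (not code from the article or from Bamboo), the following shows the re-identification attack the teaser describes: a handful of phone numbers "anonymised" with bare SHA-256 are recovered by hashing every candidate number in two area codes and matching the digests. It then shows a keyed alternative, HMAC-SHA256 with a secret key held apart from the dataset, against which the same dictionary attack recovers nothing. The phone numbers and area codes are constructed sample data; the function names are the example's own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable

# Constructed sample data: three customer phone numbers that a business has
# "anonymised" by replacing each with its plain SHA-256 digest. Fictional
# 555 numbers, not taken from any real dataset.
SAMPLE_PHONES = ["416-555-0100", "416-555-0187", "647-555-0042"]


def unsalted_hash(value: str) -> str:
    """The practice under discussion: a bare SHA-256 of the identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def candidate_phones(area_codes: Iterable[str], exchange: str = "555",
                     max_line: int = 10_000) -> Iterable[str]:
    """Enumerate every number in the given area codes and exchange.

    A full North American number has only about 10^10 possibilities, which
    a GPU computing billions of SHA-256 digests per second covers in hours;
    here the space is narrowed to one exchange so the demo runs instantly.
    """
    for area in area_codes:
        for line in range(max_line):
            yield f"{area}-{exchange}-{line:04d}"


def reidentify(hashed_records: Iterable[str], candidates: Iterable[str],
               hash_fn=unsalted_hash) -> Dict[str, str]:
    """Dictionary attack: hash each candidate and match against the dataset.

    Returns {digest: recovered_identifier} for every record that matched.
    """
    targets = set(hashed_records)
    recovered: Dict[str, str] = {}
    for cand in candidates:
        digest = hash_fn(cand)
        if digest in targets:
            recovered[digest] = cand
            if len(recovered) == len(targets):
                break
    return recovered


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key stored separately from the dataset.

    Without the key an attacker cannot run the dictionary attack above.
    This is pseudonymisation, not anonymisation: whoever holds the key can
    still recompute the pseudonym and link it back to the individual.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run both scenarios and return what the attacker recovered in each."""
    area_codes = ["416", "647"]

    # Scenario 1: bare hashes. Every record is recovered.
    hashed = [unsalted_hash(p) for p in SAMPLE_PHONES]
    recovered_plain = reidentify(hashed, candidate_phones(area_codes))

    # Scenario 2: keyed pseudonyms. The attacker holds the data but not the
    # key, so the best available move is the same dictionary of bare hashes.
    key = secrets.token_bytes(32)
    pseudonyms = [keyed_pseudonym(p, key) for p in SAMPLE_PHONES]
    recovered_keyed = reidentify(pseudonyms, candidate_phones(area_codes))

    return {
        "plain_recovered": sorted(recovered_plain.values()),
        "keyed_recovered": sorted(recovered_keyed.values()),
    }


if __name__ == "__main__":
    result = demo()
    print("bare SHA-256 ->", result["plain_recovered"])
    print("HMAC-SHA256  ->", result["keyed_recovered"])
```

The point of the contrast is that the secret key, not the hash function, is what stops enumeration; a per-record random salt stored next to the digest does not help here either, because the attacker can read the salt and hash each candidate with it. And because the key holder can always recompute and link, the keyed output remains personal information under the privacy regimes the article discusses.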
Unlocking Retail Potential: The Power of Data Clean Rooms
Data clean rooms have emerged as a pivotal solution for retailers seeking to harness the power of data collaboration without compromising privacy. For retailers, the advantages are numerous: from gaining deeper insights into customer behaviour to enhancing targeted marketing strategies, data clean rooms offer a treasure trove of opportunities. However, the journey has its challenges. Retailers must navigate issues such as data integration complexities, compliance with privacy regulations, and the need for robust security measures. Choosing the right data clean room is crucial and involves evaluating factors such as scalability, ease of use, and the ability to integrate with existing systems. This article delves into the intricacies of data clean rooms, exploring their benefits, challenges, and key considerations for retailers aiming to leverage this innovative technology.
Non-profits and Privacy Laws - Yes, No, Maybe?
As a non-profit, you likely collect and have access to highly sensitive data, whether from members, supported individuals, minors, volunteers or donors. You may be exempt from several onerous pieces of legislation; however, non-profit organizations are not automatically exempt from PIPEDA. The Office of the Privacy Commissioner of Canada (OPC) has said that "Whether an organization is a non-profit business for purposes of taxation is not determinative of whether its collection, use or disclosure of personal information is carried out in the course of commercial activity". So is it a "maybe"? Over the years there have been several cases in Ontario attempting to settle this question.
MSP’s Journey Towards Privacy Compliance
Whether you are a managed service provider ("MSP") or a managed security service provider ("MSSP"), you are likely collecting, storing, reviewing, using or disclosing personal information from your clients. Most MSSPs need to comply with privacy legislation as both a regulatory and a contractual requirement. This article offers MSPs and MSSPs considerations for becoming privacy compliant.
The Art of Selling Privacy
Last week, Bamboo hosted a Privacy & Retail Workshop with several national retailers in attendance. This workshop was a huge success! The discussions in the room focused on privacy implementation in retail and facilitated the exchange of lessons learned and how to grow a business alongside privacy compliance. What stood out most to the Bamboo team was the undeniable truth of the shared challenge every retailer faces on the journey to bolstering their company’s privacy posture – communication.
Seeing the Forest from the Trees: Don’t Neglect the Fundamentals
When it comes to securing our environments, the controls we have in place work in harmony to keep our kingdoms safe. A layered approach means that there are many different controls that serve the purpose of securing your environment, so that if one fails, another takes over. With layers comes complexity, and it’s important to not lose sight of fundamental controls that are almost “a given” in favour of the more detailed controls on our hosted environments.
The Eternal Push and Pull: Striking a Balance between Endpoint Protection and Employee Privacy
At Bamboo we're constantly aware of the push and pull between privacy and security, which often comes to the fore in processes such as incident response or in decisions about data lakes and operational data. In the last few weeks, though, we've seen a great deal of discussion around Data Leak Prevention (DLP) and endpoint protection, and the tension they create with employee privacy, particularly when Bring Your Own Device (BYOD) is involved.
Privacy Complaint: Naming & Shaming
The article discusses the implications of someone filing a privacy complaint with the Office of the Privacy Commissioner of Canada (OPC) and the motivation of naming and shaming companies. It highlights that even if a complaint seems frivolous, it can lead to thorough investigations by the OPC, potentially uncovering compliance gaps within a company's privacy program. The article emphasizes the importance of proactive preparation for businesses, including maintaining updated policies, designating a Privacy Officer, and viewing every decision through the lens of potential regulatory scrutiny. It warns that regardless of the company's size or industry, a single complaint can have significant financial, operational, and reputational consequences, stressing the necessity for vigilance in addressing privacy concerns in the digital age.
Retail Loss Prevention and In-Store Privacy: A Guide
In recent years, Canada has experienced a concerning surge in shoplifting incidents, a trend potentially exacerbated by economic factors such as inflation. As the guardians of a retailer's assets, loss prevention personnel find themselves on the frontline in addressing this growing challenge. However, in the pursuit of securing business interests, it is imperative to recognize the delicate dance between protecting assets and upholding privacy rights.
Phish in a Barrel: How Sensitive Data is Vulnerable to Email Breaches
As an immigrant to Canada, I have seen the process and the documentation required to get here. My entire life condensed into a folder to be submitted to a consultant, who will in turn validate everything, and then submit it all to the IRCC (Immigration, Refugees and Citizenship Canada). This translates to a lot of deeply personal information put into the trust of a third-party, and this article goes into how quickly a phishing attack on any business can put sensitive information at risk.
Refined Guidance on Valid Consent
The criteria for obtaining valid consent were discussed in depth in our Law 25 Consent White Paper, released in late 2023. The CAI has since published its final consent guidelines (Guidelines 2023-1-Consent: Validity Criteria ("Consent Guidelines")), giving us a clearer picture and refined guidance on what is required for consent to be valid.
Wonder Twin Powers: The (Super)Power of Addressing Privacy and Security Together
In a world where data breaches and privacy concerns are constantly in the headlines, it’s more crucial than ever for businesses to prioritize and navigate both privacy and security. While these concepts are often treated as separate entities, tackling them together can yield significant benefits for organizations.
Integrative Thinking - The Cross-Pollination of Privacy and Security
The privacy and security functions often have tunnel vision and pull in different directions, causing the business to spin in place rather than move forward. It is time for privacy and security to form an alliance. When privacy and security cross-pollinate to form Governance, Privacy, and Security (GPS), they are better able to protect the business, protect data and protect individuals.
I Know You Are But What Am I?
Can personal data be anonymized for one party while remaining identifiable for another? This has been a long-standing question, and we finally have an answer. Processors who tokenize data should review this new CJEU ruling to determine whether they need to comply with the GDPR or other privacy legislation.
The Challenge of Public Expectation
When dealing with privacy and security, everyone jumps straight onto the compliance bandwagon. There are set laws, frameworks, regulations, standards and other checklists that allow you as a business to proudly state that you are compliant. But does ‘to-the-letter’ compliance match the public’s expectations?