As the international privacy community marks Data Privacy Day 2025, the conversation around data protection and regulation takes on heightened significance for Canada. With federal legislative efforts delayed and provinces stepping in to fill critical gaps, organizations face regulatory uncertainty.
To help navigate these developments, we spoke to two leading experts in the field: Constantine Karbaliotis, Counsel for nNovation LLP, and Sylvia Klasovec, Principal Advisor at Trusteva Consulting.
Together, they provide perspective on the challenges and opportunities facing businesses in 2025, offering insights on how businesses can stay ahead in this evolving landscape.
What does 2025 hold for data privacy in Canada?
The Office of the Privacy Commissioner of Canada (OPC) has set the tone for 2025, pledging this Data Privacy Week to ‘put privacy first’. But with the delay in federal legislation due to the prorogation of Parliament, how will privacy evolve in Canada this year?
Sylvia believes, “It will be a defining year for our country and our privacy landscape. There will be a fragmented approach to privacy, where the provinces may drive their own privacy laws, just as we saw with Quebec’s Law 25, creating dual compliance regimes and more operational complexity.
“The good news is that our privacy regulators are ahead of the curve, collaborating with international organisations like the Future of Privacy Forum to address emerging challenges, such as children’s privacy, biometrics, and data anonymization.
“I predict a heavy focus on data and metadata management for AI readiness, emphasizing data quality, integrity, and transparency to support secure and reliable AI governance.”
How do Canadian privacy practices compare to the EU?
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the EU’s General Data Protection Regulation (GDPR) share foundational similarities but there are key differences in enforcement, scope, and approach. Both adopt a principles-based approach, although the GDPR has stricter requirements, extra-territorial scope and fines tied to global revenue. PIPEDA generally only applies to companies operating in Canada and fines are capped at $100,000 per violation.
Constantine acknowledges the influence of EU practices on Canadian privacy regulation, especially in a principles-based legal environment: “We can look to jurisdictions like the EU and UK to interpret and take guidance on new situations, and our commissioner looks to Europe to understand how to apply our legislation.”
What are the key aspects businesses should focus on for complying with PIPEDA?
Constantine suggests organizations focus on two key areas: safeguarding data and third-party developments.
“First and foremost, always be conscious of the risks and implement the appropriate controls to protect individuals’ data. Secondly, watch what your vendors are doing. As they introduce new features to their services, ask yourself: What does this mean for my business? Are they selling the data, and if so, to whom? And most importantly, is my current risk assessment still valid?”
To help you comply with PIPEDA, it is advisable to take these essential steps:
- Understand what information your organization collects and processes
- Implement appropriate technical and organizational measures
- Ensure appropriate consent is obtained and documented for all data collections
- Conduct regular training and awareness programmes for employees
- Establish comprehensive policies and procedures that include:
  - Purpose specificity, data minimisation, and accuracy
  - Transparency on how information is collected, used, disclosed, retained, and destroyed
  - Processes for individual access, challenging compliance, and privacy incident management
What does pausing Bill C-27 mean for data privacy in Canada?
After nearly three years of review, Bill C-27 was halted when Parliament was suspended on 6 January 2025.
Key aspects of Bill C-27:
- Consumer Privacy Protection Act (CPPA), which would provide updated privacy protections for individuals
- Artificial Intelligence and Data Act (AIDA), to establish a risk-based framework to regulate AI
Privacy experts raise concerns about the impact of the delay
Constantine notes that the EU’s renewal of Canada’s adequacy status in 2024 was a missed opportunity to push meaningful reform forward.
“When the EU renewed our adequacy finding, they took away the one thing that would have put a fire under our parliamentarians’ butts to actually make them pass a law.”
Sylvia highlights the gaps in critical areas like children’s privacy, cross-border data transfers, and AI governance. She cautions that, “Without the regulatory guardrails AIDA provides, it could stifle innovation and lead to risky AI projects.
“Consent management will be particularly challenging as global counterparts rely on Legitimate Interests for AI data processing, while Canada follows implied consent rules. This will impact multinational AI companies and market dynamics. Whereas, in the EU, rules require transparency, fairness, and AI risk assessments, to name a few.”
She cautions that, “Without similar regulatory guardrails that AIDA would have offered – though not a perfect solution – innovation may be stifled and AI projects could become more risky.”
How can organizations prepare for future regulations in a rapidly evolving environment?
Constantine thinks that, as a trading country, we must consider how our business partners are going to interact with us: “Look to laws that exist in other countries to provide a structure and build effective governance around these things.”
Sylvia advises taking cues from international guidelines, calling the EU a “north star” that sets the world stage on the protection of human rights and freedoms. “We look to international guidelines because they usually indicate the direction in which any enacted laws will take shape. Mature Canadian enterprises have already codified much of this into their data management practices and some have gone as far as complementing our Canadian laws with ISO standards, ethical codes of practice, and certifications.”
Summary
As we commemorate Data Privacy Day 2025, Canada is at a pivotal juncture. With federal legislation on hold and provinces stepping in to fill regulatory gaps, businesses face both challenges and opportunities.
Insights from Constantine and Sylvia underscore the importance of proactive compliance and alignment with global privacy standards. Organizations should prioritize data governance, stay informed on emerging regulations, and implement robust privacy practices.