Privacylawyer - Canadian privacy and technology law with David Fraser

Online fraud is a widespread, everyday risk that affects individuals, families, businesses, and public institutions. Drawing on real-world examples from my privacy law practice, I walk through how common scams work, from email account compromises and funds-transfer fraud to tech-support scams, ransomware, and “grandparent” scams (increasingly powered by AI).I also focus on practical, concrete steps that individuals can take to reduce their risk. There’s no such thing as perfect security, but understanding how scammers exploit urgency, trust, and information asymmetry can make a real difference. This episode is based on a presentation I was invited to give on Data Privacy Day for a client's employees. 0:00 Introduction0:53 What is privacy and why does it matter?6:13 Common frauds I'm seeing12:19 So what can you do to protect yourself? 16:07 Wrap-upWhere you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

In this episode, I examine a recent Report of Findings and Order issued by British Columbia’s Information and Privacy Commissioner concerning the City of Richmond’s “Public Safety Camera System” field test. The City installed high-resolution intersection cameras intended to provide footage to police to help identify criminal suspects. The Commissioner concluded that the City lacked lawful authority under BC’s Freedom of Information and Protection of Privacy Act to collect this personal information, failed to meet statutory notice requirements, and could not rely on planning or law-enforcement exceptions to justify the program. Because the City declined to follow the Commissioner’s recommendations, a binding order was issued requiring the City to stop collection, delete the footage, and dismantle the system.The OIPC-BC finding can be found here (PDF): https://www.oipc.bc.ca/documents/orders/3071 Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

This episode of PrivacyLawyer examines proposed amendments to the Criminal Code of Canada in Bill C-16, the Protecting Victims Act, which would expand the definition of “intimate image” to include certain AI-generated and deepfake images. The episode explains how the existing offence for the non-consensual distribution of intimate images was designed around real photographs and video recordings, and why that definition has struggled to keep pace with the rapid growth of synthetic and generative imagery.I walk through the current legal framework, including recent provincial civil legislation, and highlight the gap that exists for purely synthetic images that are realistic but not based on altered source photos. The discussion then focuses on the specific language proposed in Bill C-16, which would capture realistic visual representations that could reasonably be mistaken for actual recordings of an identifiable person, even where no real image ever existed.The episode also explores potential freedom of expression concerns under section 2(b) of the Charter of Rights and Freedoms, particularly where AI-generated imagery is used for political satire or commentary, and considers whether the existing “public good” defence is sufficient. Finally, it reviews Bill C-16’s proposed new offence of threatening to distribute intimate images, explaining how it goes beyond traditional sextortion and why it represents a significant change to Canadian criminal law.Information on Bill C-16 can be found here: https://www.parl.ca/LegisInfo/en/bill/45-1/C-16Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

A close look at the #PowerSchool #cybersecurity incident, perhaps the largest education-sector data breaches ever investigated in Canada, and the findings issued by the Information and Privacy Commissioners of Ontario and Alberta.PowerSchool is widely used by Canadian school boards to manage student information, including enrollment, grades, contact details, and medical alerts. In late 2024, a threat actor gained access to PowerSchool’s systems using compromised credentials belonging to a support contractor, allowing them to exfiltrate sensitive student and educator data affecting millions of individuals across multiple provinces.This video explains:► What PowerSchool is and how school boards rely on it► How the cyberattack occurred and what data was accessed► What Ontario and Alberta privacy regulators investigated► Where the regulators’ findings align — and where they differWhat this case teaches about outsourcing, vendor oversight, and accountability under Canadian privacy lawBoth regulators concluded that school boards remained legally responsible for protecting personal information, even though PowerSchool operated the systems. The investigations highlight failures in cybersecurity safeguards, contract management, data retention practices, and breach preparedness — and underscore the heightened sensitivity of children’s personal information.Relevant links: ► Ontario finding: https://www.ipc.on.ca/en/resources/powerschool-report ► Alberta finding: https://oipc.ab.ca/wp-content/uploads/2025/11/FINAL-Investigation-Report-Regarding-PowerSchool-Breach-FOIP2025-IR-02.pdf► Saskatchewan finding: https://oipc.sk.ca/assets/la-foip-investigation_003-2025-035-2025.pdfWhere you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

A Canadian court has ordered French cloud provider OVH to hand over user data stored in France, the UK, and Australia—despite a French law that forbids it. The French government is objecting, but the Canadian government doesn't seem to care. What does this mean for digital sovereignty, cross-border investigations, and the limits of Canadian court jurisdiction? Lots. This episode unpacks a recent Ontario Court of Justice decision involving OVHcloud and a national security investigation, discussing the facts, the legal issues, the court’s reasoning, and why—in my view—the decision is deeply flawed.OVH is not accused of wrongdoing. It’s simply being ordered by a Canadian court to violate the law of the country where it is based—even though France offered to expedite a lawful country-to-country process. That should concern anyone who deals with cross-border data, law enforcement requests, or cloud infrastructure.The decision can be found here: https://drive.google.com/file/d/1QVwO9lPmxuDSQsGd9fHH3QN_ToXs2LQ8/view?usp=drive_linkCases referred to in the episode:► British Columbia (Attorney General) v. Brecknell, 2018 BCCA 5 https://canlii.ca/t/hplpj► R v Love, 2022 ABCA 269 https://canlii.ca/t/jrflw► Toronto-Dominion Bank v. Court of Quebec, 2025 QCCS 2094 https://canlii.ca/t/kcvtw Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraser Disclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

On November 19, government officials surprised many by apparently calling for the revival of #LawfulAccess measures from Bill C-2, the Strong Borders Act. The presser was filled with incorrect and misleading information. Here's my take on it, with some corrections/clarifications of some pretty problematic statements. The government's press conference is here: https://youtu.be/GoQ2lL0rAJ4My previous video on Part 14 of #BillC2: https://youtu.be/wOgo4TuoJecMy previous video on Part 15 of #BillC2: https://youtu.be/E1LV2fcD9Bs Hat-tip to Michael Geist: https://www.michaelgeist.ca/2025/11/reversing-the-reversal-government-puts-privacy-invasive-lawful-access-back-on-the-agenda/ Here's the decision in R. v. Owen, 2017 ONCJ 729 https://canlii.ca/t/hmx7sWhere you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

Canadian privacy lawyer David Fraser breaks down the British Columbia Court of Appeal’s recent decision in RateMDs Inc. v. Bleuler (https://canlii.ca/t/kfhmc), a case about whether hosting online profiles, anonymous reviews, and ranking health professionals on RateMDs.com can result in a claim of invasion of privacy. David walks through the background, the arguments, why the Court found there was no reasonable expectation of privacy in publicly available professional information, and what this means for privacy rights, online review platforms, and professionals across Canada.Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

With no notice and largely out of the blue (following an opaque process), the Nova Scotia government just passed a revamped public sector privacy and access to information law, Bill 150. In this episode, I provide a high level overview of what's new, including the good, the bad and the meh. The new law can be found here: https://www.canlii.org/en/ns/laws/astat/sns-2025-c-13/latest/sns-2025-c-13.html. Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

In this episode, Canadian privacy lawyer David Fraser breaks down the joint investigation by Canada’s federal and provincial privacy commissioners into TikTok — an interesting, complex and consequential privacy finding. The report tackles three major issues: whether TikTok’s data practices (especially with respect to young users who circumvent age-gating) serve a legitimate purpose, whether its consent process is valid and meaningful, and whether it meets transparency obligations under Quebec law. This episode explains the key findings, including TikTok’s commitments to introduce new age-verification systems, restrict ad targeting for youth, and overhaul its privacy communications for Canadian users.But this case also raises a bigger question: Have Canada’s privacy regulators set an impossible standard? In seeking to protect children’s privacy, the Commissioners may have required TikTok to collect more sensitive information — including facial scans or identity documents — from all users. David argues that these well-intentioned recommendations risk making privacy compliance more invasive, not less. Watch (or listen) for a deep dive into how this decision reshapes the balance between privacy, practicality, and policy.The federal/provincial privacy finding is here: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2025/pipeda-2025-003/Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

In this episode, David Fraser, PrivacyLawyer, unpacks the recent Ontario Divisional Court decision in Hospital for Sick Children v. Information and Privacy Commissioner of Ontario. The case arose from ransomware attacks that temporarily encrypted servers at SickKids and the Halton Children’s Aid Society. No evidence suggested that hackers viewed, copied, or exfiltrated personal information—yet the Information and Privacy Commissioner found there had been an unauthorized “use” and “loss” of data, triggering notification obligations. The Court upheld those findings, deferring to the regulator’s broad interpretation.David explains why this matters for organizations across Ontario (and beyond), focusing on how common words like “use” and “loss” may not mean what you think when regulators are involved. He also contrasts Ontario’s strict approach with the federal private-sector law, PIPEDA, which only requires notification where there is a “real risk of significant harm.” The key takeaway: Ontario’s laws can demand notification even when no harm to individuals exists, a standard that may lead to over-notification and notice fatigue.The Divisional Court decision can be found here: https://canlii.ca/t/kffpmWhere you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.