Privacylawyer - Canadian privacy and technology law with David Fraser

A deep dive into the "Production Order for Subscriber Information" proposed in Bill C-22, the Lawful Access Act. What is it? What does it do? What is different from the original proposal in Bill C-2 (the Strong Borders Act)? And what's the likely fatal flaw that will mean it will be found to be unconstitutional? My "Lawful Access" playlist, including episodes from this channel and other commentators: https://www.youtube.com/playlist?list=PLV759uJFOchhpCq8rakXDYdwJP3xYSrtf Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

Lawful Access playlist, including my videos and from others on the topic: https://www.youtube.com/playlist?list=PLV759uJFOchhpCq8rakXDYdwJP3xYSrtf My Bill C-22 Lawful Access "deep dive" episode: https://youtu.be/tZFbTYttuN8?list=PLV759uJFOchhpCq8rakXDYdwJP3xYSrtfWhere you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

On March 12, 2026, the Canadian Public Safety Minister tabled Bill C-22 in Parliament: the Lawful Access Act, 2026, which will create new police information demands and require "electronic service providers" to create new capabilities for the interception and retrieval of data for the police and national security authorities. Part 1 is much improved since it was first introduced as Part 14 of the "Strong Borders Act." Part 2, however, is deeply problematic as it has the potential to create a expansive surveillance infrastructure -- mostly in the shadows -- beyond what I think Canadians can tolerate. Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

An overview of privacy law that regulates private sector businesses in Canada (or those outside of the country who deal with personal information of Canadians): the Personal Information Protection and Electronic Documents Act (PIPEDA).0:00 Beginning 0:57 Introduction2:23 Why Canada has a mess of privacy laws5:43 The Canadian Standards Association Model Code for the protection of personal information6:40 How was the Personal Information Protection and Electronic Documents Act (PIPEDA) developed? 8:11 Key concepts - "commercial activity"9:02 Key concepts - "personal information"10:53 PIPEDA's baseline "reasonableness" requirement at s. 5(3)12:16 Principle 1 - Accountability16:09 Principle 2 - Identifying purposes16:47 Principle 3 - Consent20:13 Principle 4 - Limiting collection20:58 Principle 5 - Limiting use, disclosure and retention22:08 Principle 6 - Accuracy22:47 Principle 7 - Safeguards24:23 Principle 8 - Openness25:49 Principle 9 - Individual access26:58 Principle 10 - Challenging compliance27:40 Enforcement under PIPEDA31:22 Court applications under PIPEDA34:16 Data breach notification37:38 Real risk of significant harm (RROSH) analysis40:25 Data breach record-keeping requirements41:36 Wrap-upWhere you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

Online fraud is a widespread, everyday risk that affects individuals, families, businesses, and public institutions. Drawing on real-world examples from my privacy law practice, I walk through how common scams work, from email account compromises and funds-transfer fraud to tech-support scams, ransomware, and “grandparent” scams (increasingly powered by AI).I also focus on practical, concrete steps that individuals can take to reduce their risk. There’s no such thing as perfect security, but understanding how scammers exploit urgency, trust, and information asymmetry can make a real difference. This episode is based on a presentation I was invited to give on Data Privacy Day for a client's employees. 0:00 Introduction0:53 What is privacy and why does it matter?6:13 Common frauds I'm seeing12:19 So what can you do to protect yourself? 16:07 Wrap-upWhere you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

In this episode, I examine a recent Report of Findings and Order issued by British Columbia’s Information and Privacy Commissioner concerning the City of Richmond’s “Public Safety Camera System” field test. The City installed high-resolution intersection cameras intended to provide footage to police to help identify criminal suspects. The Commissioner concluded that the City lacked lawful authority under BC’s Freedom of Information and Protection of Privacy Act to collect this personal information, failed to meet statutory notice requirements, and could not rely on planning or law-enforcement exceptions to justify the program. Because the City declined to follow the Commissioner’s recommendations, a binding order was issued requiring the City to stop collection, delete the footage, and dismantle the system.The OIPC-BC finding can be found here (PDF): https://www.oipc.bc.ca/documents/orders/3071 Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

This episode of PrivacyLawyer examines proposed amendments to the Criminal Code of Canada in Bill C-16, the Protecting Victims Act, which would expand the definition of “intimate image” to include certain AI-generated and deepfake images. The episode explains how the existing offence for the non-consensual distribution of intimate images was designed around real photographs and video recordings, and why that definition has struggled to keep pace with the rapid growth of synthetic and generative imagery.I walk through the current legal framework, including recent provincial civil legislation, and highlight the gap that exists for purely synthetic images that are realistic but not based on altered source photos. The discussion then focuses on the specific language proposed in Bill C-16, which would capture realistic visual representations that could reasonably be mistaken for actual recordings of an identifiable person, even where no real image ever existed.The episode also explores potential freedom of expression concerns under section 2(b) of the Charter of Rights and Freedoms, particularly where AI-generated imagery is used for political satire or commentary, and considers whether the existing “public good” defence is sufficient. Finally, it reviews Bill C-16’s proposed new offence of threatening to distribute intimate images, explaining how it goes beyond traditional sextortion and why it represents a significant change to Canadian criminal law.Information on Bill C-16 can be found here: https://www.parl.ca/LegisInfo/en/bill/45-1/C-16Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

A close look at the #PowerSchool #cybersecurity incident, perhaps the largest education-sector data breaches ever investigated in Canada, and the findings issued by the Information and Privacy Commissioners of Ontario and Alberta.PowerSchool is widely used by Canadian school boards to manage student information, including enrollment, grades, contact details, and medical alerts. In late 2024, a threat actor gained access to PowerSchool’s systems using compromised credentials belonging to a support contractor, allowing them to exfiltrate sensitive student and educator data affecting millions of individuals across multiple provinces.This video explains:► What PowerSchool is and how school boards rely on it► How the cyberattack occurred and what data was accessed► What Ontario and Alberta privacy regulators investigated► Where the regulators’ findings align — and where they differWhat this case teaches about outsourcing, vendor oversight, and accountability under Canadian privacy lawBoth regulators concluded that school boards remained legally responsible for protecting personal information, even though PowerSchool operated the systems. The investigations highlight failures in cybersecurity safeguards, contract management, data retention practices, and breach preparedness — and underscore the heightened sensitivity of children’s personal information.Relevant links: ► Ontario finding: https://www.ipc.on.ca/en/resources/powerschool-report ► Alberta finding: https://oipc.ab.ca/wp-content/uploads/2025/11/FINAL-Investigation-Report-Regarding-PowerSchool-Breach-FOIP2025-IR-02.pdf► Saskatchewan finding: https://oipc.sk.ca/assets/la-foip-investigation_003-2025-035-2025.pdfWhere you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

A Canadian court has ordered French cloud provider OVH to hand over user data stored in France, the UK, and Australia—despite a French law that forbids it. The French government is objecting, but the Canadian government doesn't seem to care. What does this mean for digital sovereignty, cross-border investigations, and the limits of Canadian court jurisdiction? Lots. This episode unpacks a recent Ontario Court of Justice decision involving OVHcloud and a national security investigation, discussing the facts, the legal issues, the court’s reasoning, and why—in my view—the decision is deeply flawed.OVH is not accused of wrongdoing. It’s simply being ordered by a Canadian court to violate the law of the country where it is based—even though France offered to expedite a lawful country-to-country process. That should concern anyone who deals with cross-border data, law enforcement requests, or cloud infrastructure.The decision can be found here: https://drive.google.com/file/d/1QVwO9lPmxuDSQsGd9fHH3QN_ToXs2LQ8/view?usp=drive_linkCases referred to in the episode:► British Columbia (Attorney General) v. Brecknell, 2018 BCCA 5 https://canlii.ca/t/hplpj► R v Love, 2022 ABCA 269 https://canlii.ca/t/jrflw► Toronto-Dominion Bank v. Court of Quebec, 2025 QCCS 2094 https://canlii.ca/t/kcvtw Where you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraser Disclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.

On November 19, government officials surprised many by apparently calling for the revival of #LawfulAccess measures from Bill C-2, the Strong Borders Act. The presser was filled with incorrect and misleading information. Here's my take on it, with some corrections/clarifications of some pretty problematic statements. The government's press conference is here: https://youtu.be/GoQ2lL0rAJ4My previous video on Part 14 of #BillC2: https://youtu.be/wOgo4TuoJecMy previous video on Part 15 of #BillC2: https://youtu.be/E1LV2fcD9Bs Hat-tip to Michael Geist: https://www.michaelgeist.ca/2025/11/reversing-the-reversal-government-puts-privacy-invasive-lawful-access-back-on-the-agenda/ Here's the decision in R. v. Owen, 2017 ONCJ 729 https://canlii.ca/t/hmx7sWhere you can find me► Privacylawyer blog: https://blog.privacylawyer.ca► My law firm: https://www.mcinnescooper.com/people/david-fraser► Twitter: https://twitter.com/privacylawyer► LinkedIn: https://www.linkedin.com/in/davidtsfraserDisclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.