Posts by tag

Privacy

29 posts

Technology Law: A Comprehensive Annual Review 2024-2025

Sookman it year in review talk presentation

Computer and IT Law: The Year in Review 2024–2025 – Toronto Computer Lawyers Group Presentation

On June 19, 2025, I had the pleasure of presenting my annual “Computer and IT Law: The Year in Review” to the Toronto Computer Lawyers Group. This year’s talk covered legal developments across a wide range of topics including artificial intelligence, copyright, social media, privacy, cybersecurity, blockchain, online contracting and eCommerce.

As in past years, I prepared a comprehensive written paper to accompany the presentation.…

View Post
Share
Privacy protection for IP addresses
View Post

Privacy of IP Addresses: Understanding the Supreme Court Ruling in R. v. Bykovets

In R. v. Bykovets, 2024 SCC 6, the Supreme Court of Canada ruled that for Charter of Rights purposes, a person being investigated by the police has a reasonable expectation of privacy in an IP address in the possession of a third person, in this case a payment processor, even when not linked to any personally identifying information. The decision and its importance is explained in a blog post written by my colleagues  Dan Glover, Andrew Matheson, Connor Bildwell, Greer Hope and I on the McCarthy Tetrault TechLex blog.…

View Post
Share
automated decision making
View Post

Using privacy laws to regulate automated decision making

Making decisions about individuals using computers and computer algorithms is now commonplace. There are now also increasing proposals to use privacy laws to regulate automated decision making. One of the first explicit attempts to regulate automated decision-making using privacy laws is the European Union General Data Protection Regulation (GDPR).  More recently (and locally), both the Consumer Privacy Protection Act (CPPA), Canada’s proposed controversial new privacy law, and Bill 64, Quebec’s proposed privacy amendments, would enact new transparency and explainability obligations for automated decision making.…

View Post
Share
Liability under the CPPA
View Post

Liability under the CPPA

The headlines about the new proposed federal privacy law, the Consumer Privacy Protection Act (“CPPA”), frequently focus on the extremely high penalties and fines for non-compliance. But, these headline miss by a wide margin how onerous liability under the CPPA will be.

The liability under the CPPA will be a major departure from the PIPEDA regime. The changes are explained in the detailed blog post, The CPPA’s Privacy Law Enforcement Regime published by McCarthy Tetrault lawyers Gillian Kerr, Nikiforos Iatrou, Pippa Leslie and I (with help from Daanish Pasricha).…

View Post
Share

OPC consultation on artificial intelligence: my submission to the consultation

Here is my submission to the OPC consultation.

______________________________________________

Thank you for the opportunity to provide input into the OPC’s consultation on artificial intelligence (AI) as it relates specifically to the Personal Information Protection and Electronic Documents Act (PIPEDA).

By way of introduction, I am a senior technology lawyer with McCarthy Tétrault. As part of my privacy practice, I regularly advise clients on privacy issues. I also teach privacy at Osgoode Hall Law School as part of an intellectual property law course.…

View Post
Share

OPC position on online reputation: search engines must de-index privacy violating personal information

Are search engines subject to PIPEDA? Should they be required to de-index web pages such as when information about an individual is inaccurate, incomplete or outdated, ;or when the linked to information is illegal? Should search engines be subject to a notice and de-indexing or demotion regime? And, should search engines be required to geo-fence to ensure that search results containing personal information about Canadians that violates PIPEDA  is not made accessible in Canada regardless of which domain a Canadian searches on?…

View Post
Share

PIPEDA privacy law given business friendly interpretation by Supreme Court: RBC v Trang

Canada’s federal privacy law, PIPEDA, was enacted to be one of our framework laws that would underpin our digital economy. It’s goal was to recognize the privacy rights of individuals and at the same time to recognize the legitimate needs of organizations to collect, use, and disclose personal information. That balance between privacy and  uses of personal information for appropriate purposes was underscored by the Supreme Court in a decision released yesterday in Royal Bank of Canada v. Trang 2016 SCC 50.  …

View Post
Share

Long arm of EU privacy law: CJEU judgment in Weltimmo v Hatóság

The territorial reach and enforcement jurisdiction of European Union’s data protection law has become a lot more important these days following the decision of the Court of Justice in the Schrems case. In a case decided just a few days before Schrems, the same court gave Directive 95/46/EC a broad reading holding that the laws of a Member State apply to data controllers in another Member State who operate a website that processes data of residents of the first Member State.…

View Post
Share

Schrems, what the CJEU decided and why it is a problem for Canadian and other non-EU businesses (updated)

On October 6, 2015 the Court of Justice of the European Union (CJEU) released a bombshell, but not completely unexpected judgment, invalidating a decision of the European Commission that underpinned the EU-US privacy safe harbor. In Schrems v. Data Protection Commissioner [2015] EUECJ C-362/14 (06 October 2015), the CJEU held that supervisory data authorities in Member States have the joint right with the EU Commission to review whether non-EU countries provide adequate protection to personal data transferred to them from the EU despite a decision by the EU Commission that such protection is provided.…

View Post
Share

Schrems brings down EU-US safe harbour

EU’s highest court struck a major blow to the EU-US safe harbour earlier today in the closely watched case, Schrems v. Data Protection Commissioner [2015] EUECJ C-362/14 (06 October 2015). The decision of the CJEU, which followed the earlier opinion of the Advocate General, is the worst privacy nightmare that could have been imagined by the thousands of US and EU based companies that rely on the safe harbour to transfer personal data to the US for processing. It affects giant social networks like Facebook, search engines like Google, cloud hosting providers, and thousands of other companies that do business in the EU and that transfer personal data to the US.…

View Post
Share
Barry Sookman
This site is about technology, copyright, artificial intelligence, and privacy law.