We are at the mid-year point of 2025 and the privacy landscape in Canada continues to evolve. This article highlights Canada’s top five notable developments in the privacy space in 2025 so far.
1. Federal Privacy Reforms
Bill C-27, which was the Federal Government’s attempt to reform Canada’s federal private sector privacy law, died when Parliament was prorogued backed in January. It will be up to the new government to update the Canada’s federal privacy law, which is in dire need of retooling.
2. Clearview AI Inc v Alberta (Information and Privacy Commissioner), 2025 ABKB 287
In Clearview AI Inc v Alberta (Information and Privacy Commissioner), 2025 ABKB 287 (“Clearview AI”) is a paradigm shifting decision that found that:
- PIPA's blanket restrictions on collecting publicly available information from the Internet without obtaining individuals' consent were unconstitutional. This implies that search engines and companies can lawfully harvest and use personal information made publicly available online, including for training AI systems, provided the purpose is one that individuals would view as reasonable.
- Despite Clearview AI being based in the U.S., the court applied PIPA to the company under the "real and substantial connection" test, due to its activities involving the collection of images from Alberta-based websites and social media account.
The court concluded that Clearview AI did not have a reasonable purpose for collecting, using, and disclosing personal information, thus violating PIPA.
3. Quantz v Ontario, 2025 ONSC 90
In Quantz v. Ontario, 2025 ONSC 90 (“Quantz”), the Ontario Superior Court of Justice addressed a proposed class action stemming from a 2018 data breach within the Ontario Disability Support Program (ODSP). The incident involved an ODSP caseworker inadvertently emailing a spreadsheet containing personal information of approximately 45,000 clients to all Ministry caseworkers. Subsequently, another caseworker forwarded this email to 103 ODSP clients, leading to unintended disclosures.
The plaintiff sought certification of a class action, alleging claims such as intrusion upon seclusion, negligence, breach of confidence, and publication of private facts. However, the court dismissed the motion for certification. A key reason was that the tort of intrusion upon seclusion requires intentional or reckless conduct, and the disclosure in this case was accidental. The court emphasized that without deliberate action, this tort could not be established.
This decision aligns with recent jurisprudence set forth in the Equifax trilogy, where courts have limited the scope of liability for privacy breaches, particularly emphasizing the necessity of intentional conduct for certain privacy torts.
The ruling in Quantz underscores the challenges plaintiffs face in certifying class actions for data breaches resulting from inadvertent disclosures, reinforcing the legal requirement for intentionality in certain privacy-related claims.
4. Insurance Corporation of British Columbia v Ari, 2025 BCCA 131
Insurance Corporation of British Columbia v Ari, 2025 BCCA 131 (“ICBC”), was an appeal of a decision of the BCSC awarding aggregate general damages of $15,000 for vicarious liability under British Columbia’s Privacy Act for a breach of privacy that involved an employee’s wilful and flagrant disregard for the plaintiff’s privacy.
The Appellant, the Insurance Corporation of British Columbia, was found vicariously liable for serious breach of the privacy of a number of its customers. The facts in this matter were not in dispute. An employee of the Appellant accessed the private information of 78 ICBC policy holders for “nefarious purposes.” The employee sold the information of at least 45 policy holders to criminals. Between 2011 and 2012, 13 of these 45 policy holders were targeted in arson and shooting attacks.
The question on appeal was whether an aggregate award of damages for a breach of privacy under Section 1 of British Columbia’s Privacy Act can be anything more than nominal in the absence of proof of consequential harm?
The BCCA held that the aggregate damages award made by the trial judge provided compensation for the injury to the class members’ privacy interests and is responsive to the seriousness of the defendant’s misconduct. This decision establishes that significant damages may be awarded for privacy breaches in British Columbia even in the absence of actual harm.
5. Hvitved v Home Depot of Canada Inc., 2025 BCSC 18
In Hvitved v Home Depot of Canada Inc., 2025 BCSC 18 (“Hvited”), the Plaintiff sought to certify a class action on behalf of customers who provided their email address to Home Depot of Canada Inc. (“Home Depot”), between October 2018 and October 2022, for the purpose of receiving an electronic receipt when making a purchase. The Plaintiff alleged that Home Depot violated the privacy rights of the proposed class by collecting their personal information and disclosing it to an unrelated third party, Meta Platforms Inc. (“Meta”), the operator of the Facebook platform.
Home Depot used Meta’s services from October 2018 to October 2022 to better understand whether its advertising campaigns were effective is generating in-store sales. Home Depot maintained that it understood that the protocol being used would only allow Meta to link the customer information provided to a specific email account. However, the service agreements in place permitted Meta to use the information provided by Home Depot improve Meta’s own products, including user profiling and targeted advertising.
The Plaintiff’s application for certification was allowed in relation to only the alleged breaches of provincial privacy legislation and dismissed claims for common law intrusion upon seclusion, breach of contract and unjust enrichment.
Bonus: Creation of new Ministry of Artificial Intelligence and Digital Innovation
It is also timely to note that in addition to the legal developments set out above, Canada’s newly elected Prime Minster, Mark Carney, has created the first cabinet post responsible for artificial intelligence and data innovation. This is a clear signal from the federal government that Canada aims to increase innovation and develop new and updated frameworks for a wide range of digital issues, including privacy and artificial intelligence.
As we reach the midpoint of the year, the privacy law landscape continues to evolve. We will continue to monitor developments closely and is available to assist with any questions.
About the authors
Laura Crimi, associate, and Roland Hung, partner, practise in the Technology, Privacy & Data Management Group at Torkin Manes.
Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.