Technology and Entertainment

The World Anti Doping Agency suffered a data breach in 2016­—a vivid illustration that even the most prominent sporting institutions are not immune to cyber incidents. The authorities have now formalized what was previously just an observation: In a bulletin published in 2024, the Canadian Centre for Cyber Security warned that the entire sports ecosystem—spectators, athletes, organizations and government representatives—is the target of cyberattack campaigns.  Malicious actors will attempt extortion through business email compromise, ransomware attacks, phishing, malicious websites and search engine poisoning, among others. Take heed, as when an incident occurs that is serious enough to require a report to the authorities, it is often too late to establish sound governance and engage in due diligence. The sporting competitions of today are producing massive amounts of data. The quantity is staggering, and the data itself almost Orwellian. Check the tables below to see for yourself. Data collected on athletes  League Information collected NFL Performance data (statistics, position and movement metrics, speed, and passing, rushing and receiving yards) Medical and/or health data (examinations, injuries, concussion protocols) Substance screening data Data on disciplinary actions and investigations Professional and contractual data Travel, logistics and security data NHL Performance data Medical and/or health data (examinations, injuries, concussion protocols) Substance screening data Data on disciplinary actions and investigations Professional and contractual data Travel, logistics and security data MLB Performance data Medical and/or health data (examinations, injuries, concussion protocols) Substance screening data Data on disciplinary actions and investigations Professional and contractual data Travel, logistics and security data   Collection of customer information online  League Information collected NFL  Information provided by individuals  Identifiers: name, email, address, telephone number, date of birth; unique identifiers (username, password, SSN and other government identifiers if required, e.g. for awards) Demographic data and other protected categories: gender, race, ethnicity, sexual orientation Financial and commercial information: payment data, purchase history Real-time geolocation; precise geolocation Communication and marketing preferences Favorite team and inferences about preferences Audio, electronic and visual information (e.g., photos provided) Biometric data, if you opt for biometric authentication at the stadium; with consent and additional notice if required Information about your contacts (name, email) that you share; if authorized, access to your contacts, calendars and photos Search queries Content posted (comments, forums) Professional and employment information Education information Information that may be health-related (e.g., accessible seating) Correspondence, waivers, consents and other information sent Automatic collection  Device and network identifiers and technical data: IP address, MAC address, advertising identifiers, device type, browser, OS Usage: page views, links clicked, browsing journeys, application usage data Tracking and emails: cookies, pixels, tags, interaction with emails (opened emails, clicks) Social media (if linked): data received according to your settings and the platform’s policy Logs and traffic: server logs, stadium Wi-Fi traffic Video and audio recordings: CCTV and pictures taken or video recorded during events   NHL  Information provided by individuals Identifiers and contact information (name, email, telephone number, address, date of birth) Commercial information (payments, purchases, services) Demographic data (language, age, gender, race, ethnicity, household composition and income) Preferences (favourite team, favourite players) Photos and/or videos Content, feedback (comments, surveys) Contact information of friends Application data (resume, references, checks permitted) Automatic collection Activity and interactions (content viewed, bids, purchases, time spent, cookies, tags), access methods (browser, OS, IP address, browsing history before and after) Device information and identifiers (type, unique identifiers, local content if allowed) Location (GPS, Bluetooth, Wi-Fi, cells) Inferences about preferences Commercial information about transactions (e.g., timestamps) Collection from third parties Member clubs (ticketing, login credential, usage logs) Fanatics, NHL Shop, NHL Auctions (name, email, items purchased; marketing engagement statistics) Other business partners, public sources, commercial sources (data brokers) Connected social media (according to the platform’s settings and policies) NHL teams* Contact information: name, email address, home address, gender, date of birth, telephone number (e.g., ticket purchase, ticket transfer, account creation, inquiries, contests, promotions) Demographic data and preferences (age group, race, gender; preferred events, preferred products, e.g., surveys) Health data related to accessibility needs Video surveillance in venues (security; sharing limited by law) Anonymous traffic analysis and device counting (cameras, technological devices; Wi-Fi); statistics that can be shared with partners Depersonalized web analytics (Google Analytics); opt-out option Online advertising and/or remarketing (Google, Facebook, LinkedIn, etc.) through cookies; opt-out mechanisms (platform settings; DAAC) Geolocation through applications if enabled Social media: profile data and authorized interactions Technical data (IP, browser, OS, resolution, location, language, origin, keywords, pages viewed, data entered, ads viewed), identifiers (IDFA, AAID), connection information (operator, ISP, Wi-Fi); ability to recognize a device) MLB Information provided by individuals Identifiers and contact information: full name, email address, home address, telephone numbers, date of birth Security and authentication: password Payments: payment details Demographic data: demographic characteristics Content and recordings: voice recordings, audiovisual recordings Preferences and interests: information about your interests and preferences Activity and event related data: information requested for an activity or event (e.g., emergency contact) Sensitive personal information: as defined by applicable laws (e.g., racial or ethnic origin; health information such as disabilities or allergies) Automatic collection  Technical and usage data: IP addresses, device data, usage data Location and contacts: location data; contacts saved on your mobile device Collection from third parties Data from third parties and integrations: information provided by other companies if individuals connect their services * This data is collected about website users, people who visit venues, people who apply for jobs or participate in contests, people who submit drafts.   How leagues are structured Regarding privacy and personal information, we must look at how sports leagues are organized to understand who does what. In most cases, sports leagues are non-profit organizations or corporations. An entire framework of rules is built around these structures, defining both how governance is done and what business model is used. First, there are the articles of association and by-laws, which dictate governance, team admissions, voting rights, and the powers of the commissioner or board of directors. There are also the sporting and competition regulations regarding eligibility, game schedules, transfers, drafts, salary caps and cost control mechanisms. The leagues also adopt integrity and security policies against doping, betting and manipulation, harassment and abuse, as well as commercial agreements covering broadcasting, sponsorships, ticketing and data leveraging, among others. There can also be collective agreements with players’ associations and formal dispute resolution mechanisms. In this environment, the league plays a central role. It generally has the power to adopt, interpret and amend its rules; admit teams; manage expansion and relocation projects and changes of control; as well as the power to impose sanctions such as fines, point deductions, suspensions or exclusions. It also centralizes strategic commercial rights, media rights, trademarks and data, and it implements revenue-sharing policies designed to maintain a competitive balance between teams. Personal information: the roles of each Teams In day-to-day relations with athletes and customers, teams are generally the main point of contact. They sign contracts with players, sell tickets, manage subscriptions and operate online stores and loyalty programs. In practice, teams are often the ones that collect personal information, that explain what the information is used for, that decide what information needs to be collected and that put in place security and incident management measures. Teams must therefore be able to clearly inform athletes and customers about the purposes for which personal information is collected, the means by which it is collected, the categories of information collected, who receives the information, and the rights that  athletes and customers have. Teams must limit collection to what is necessary. They must ensure that information is accurate; they must obtain valid, manifest, free, informed and explicit consent for sensitive information such as health or biometric data; they must implement security measures adapted to risks; they must manage and report confidentiality incidents likely to cause serious harm; they must respond to requests for access and rectification; and they must stringently govern the sharing of information with service providers and mandataries. Athletes and customers often see the team as the true holder of their data. Leagues The role leagues play regarding personal information is more difficult to understand, as it varies depending on activities. When a league directly collects information from an individual, for example through an official application, a broadcasting platform or a transactional site for its own purposes, it must assume responsibilities comparable to those a team has. This is what MLB Advanced Media does, for example, defining itself as a “data controller” with respect to its customers’ data. But in many cases, the league acts behind the scenes. In some respects, it acts as a mandatary for the teams, negotiating and signing technology contracts, broadcasting agreements and other commercial agreements that will be used by the teams. In other respects, it acts as a service provider, offering centralized technology platforms, ticketing systems, data infrastructure and shared administrative services. Under Quebec law, these two roles—mandatary and service provider—are treated the same: The team can transmit to the league the information it needs to perform the mandate or service contract without having to ask for the consent of each person again, provided that a written agreement imposes clear measures to protect privacy, limits the use of data to the sole purposes of the mandate or service and governs data retention. The league must also promptly inform a team’s privacy officer of any privacy breach or attempted privacy breach and allow the officer to conduct checks. Also, teams and the league can always choose to base certain exchanges of information on the explicit consent of athletes or customers. However, such consent must be genuinely explicit, free, informed, given for specific purposes and presented separately when asked to be given in writing. Conclusion Although professional leagues are the ones in the spotlight, the same logic applies to amateur or non-professional sports organizations. In all cases, the relationship between the league, the team and the athlete or customer must be clearly governed from a privacy standpoint. Sports organizations should map the flow of personal information, harmonize the information messages they give to the those concerned, establish a standard agreement governing the sharing of information between teams and the league, provide simple mechanisms for access and rectification, and have key employees trained in privacy matters. Incorporating these points into articles of association, by-laws and team and league agreements will reduce risks and strengthen the confidence of athletes, parents, fans and business partners. Yet, a fundamental question still remains: Given that by law, data can only be collected for serious and legitimate reasons (necessity criterion), is the mass of information currently collected in the sports ecosystem really warranted? Sports organizations will have no choice but to delve into this strategic issue. 

Introduction When we hear the term “export controls,” we may think it only applies to weapons and other highly sensitive technologies, but that is not the case. There are a multitude of circumstances—some unexpected—to which it is important to know that export controls apply. This is especially true if you are involved in research or in the design and development of seemingly innocuous solutions that are not necessarily tangible objects. Today, technological knowledge is shared not only through conventional partnerships between businesses or universities, but also through data sharing or access to databases that feed large language models. Artificial intelligence is, in itself, a means of sharing knowledge. Feeding such algorithms with sensitive data, or data that can become sensitive when combined, carries a risk of violating the applicable legal framework. Here are some key concepts. Overview of the federal export control framework The Export and Import Permits Act In Canada, the Export and Import Permits Act (the “EIPA”) establishes the primary framework governing the export of controlled goods and technologies. The EIPA gives the Minister of Foreign Affairs the power to issue, to any resident of Canada who applies for one, a permit authorizing the export or transfer of a wide range of items included on the Export Control List (the “ECL”) or destined for a country listed on the Area Control List. In other words, the EIPA regulates, and at times prohibits, the trade of critical goods and technologies outside Canada. The Export Control List To get the full picture of the ECL, we need to refer to the Guide to Canada's Export Control Listas published by the Department with its successive amendments, the most recent of which date back to May 2025 (the “Guide”). In summary, the Guide includes military goods and technologies, strategic goods and dual-use (civilian and military) goods and technology that are controlled in accordance with Canada’s commitments made in multilateral regimes, such as the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, bilateral agreements, and certain unilateral controls implemented by Canada as part of its defence policy. The Guide also includes forest products, agricultural and food products, apparel goods and vehicles. Other laws that affect exports Also to take into account are the sanctions that Canada imposes under laws that affect exports, such as: the United Nations Act the Special Economic Measures Act the Justice for Victims of Corrupt Foreign Officials Act These sanctions against specific countries, organizations or persons include a number of measures, including restricting or prohibiting trade, financial transactions or other economic activities with Canada, or the freezing of property located in Canada.1 Finally, in order for an individual (or an organization) to transfer controlled goods outside Canada, they must register with the Controlled Goods Program (the “CGP”) to obtain an export permit, unless exempt. Key concepts Did you know? Certain goods and technologies are referred to as “dual-use” goods and technologies. This means that even though they were initially designed for civilian use or appear harmless, they may be subject to export controls if they can be used for military purposes or to produce military items. A “technology” is broadly defined to include technical data, technical assistance and information necessary for the development, production or use of an item listed on the ECL. Also included in this notion, albeit indirectly, are the technologies referred to in any of the regulations associated with the laws listed above, which make certain countries subject to specific technology transfer restrictions. A “transfer” in relation to a technology, means to dispose of it (e.g. sell it) or disclose its content in any manner from a place in Canada to a place outside Canada. This definition stems from legislative amendments to the EIPA, which expanded the scope of the law to include the mere transfer of intangible technologies by various means, thereby broadening the circumstances to which permits apply as regards transfers.2 Regarding trade relations with the United States, Canadian exporters may face additional restrictions and considerable challenges, particularly in situations where their employees or other stakeholders involved are foreign nationals.The International Traffic in Arms Regulations (“ITAR”) and the Export Administration Regulations(“EAR”) are two key sets of rules that govern exports from the United States.3 They protect both similar and distinct interests. While the ITAR aim to protect defence articles and defence services (including weapons and information), the EAR govern dual-use items.4 Both prevent exports5 in a broad sense, i.e., up to and including the transfer of information to so-called “foreign” persons, except with the permission of the authorities. It is thus quite possible that Canadian exporters will be required to comply with these American regulations, which, in addition to targeting territories, target the national origin of individuals. This is diametrically opposed to Canada’s export regime, which rather centres on prohibiting trade with a country or anyone located there. In this regard, note that Quebec’s Charter of Human Rights and Freedoms considers national origin to be a ground for discrimination. 6 A Quebec business can thus find itself struggling to balance its contractual obligations under a contract with an American company with the requirements of the Quebec Charter. Artificial intelligence: novel challenges The development of large language models in the field of artificial intelligence represents a new challenge from an export control standpoint, and a significant one at that. For example, if a large language model is trained using restricted data, a state subject to the aforementioned sanctions might attempt to use the large language model to indirectly obtain information to which it would not otherwise have had direct access. As a result, training a large language model on plans, technical specifications or textual descriptions of technologies covered by transfer restrictions (which can include knowledge transfers) can create a risk of non-compliance with the law. The same applies to accessing such data for retrieval-augmented generation, a widely used technique to expand and improve large language model responses. To limit the risk during research and development, a company that trains a large language models on such data or allows access to such data for retrieval-augmented generation will need to consider where the data will be hosted and processed. Similarly, once the artificial intelligence application is developed, it will be important to restrict access to it in a manner consistent with the law, both in terms of locating the servers on which the large language model will be installed and in terms of user access. Sanctions Any person or organization that contravenes any provision of the EIPA or its regulations commits an offence punishable by fine and/or imprisonment, as applicable. Also, failure to register with the CGPmay constitute an offence under federal laws that can lead to prosecution and substantial sanctions against the offender(s).7 Conclusion Canada’s export controls are quite complex, not only in how they are structured, but also in how they must be implemented. With the changing geopolitical and commercial landscape, it is advisable to periodically read the resources made available by the relevant authorities and put in place appropriate policies and measures, or to seek professional advice in this regard. Government of Canada, “Types of sanctions” (date modified: 2024-09-10): Types of sanctions Martha L. Harrison & Tonya Hughes, “Understanding Exports: A Primer on Canada’s Export Control Regime” (2010) 8(2) Canadian International Lawyer, 97 The ITAR and EAR are included in the Code of Federal Regulations (“CFR”). Austin D. Michel, “Hiring in the Export-Control Context: A Framework to Explain How Some Institutions of High Education Are Discriminating against Job Applicants” (2021) 106:4 Iowa L Review, 1993 The ITAR and EAR also provide for restrictions on re-exportation. See Maroine Bendaoud, “Quand la sécurité nationale américaine fait fléchir le principe de non-discrimination en droit canadien : le cas de l'International Traffic in Arms Regulations (ITAR)” (2013) Les cahiers de droit, 54 (2–3), 549 Government of Canada, “Guideline on Controlled Goods Program registration” (date modified: 2025-05-08): Guideline on Controlled Goods Program registration – Canada.ca

While the world is focused on how the tariff war is affecting various products, it may be overlooking the risks the war is posing to information technology. Yet, many businesses rely on artificial intelligence to provide their services, and many of these technologies are powered by large language models, such as the widely-used ChatGPT. It is relevant to ask whether businesses should rely on purely US-based technology service providers. There is talk of using Chinese alternatives, such as DeepSeek, but their use raises questions about data security and the associated control over information. Back in 2023, Professor Teresa Scassa wrote that, when it comes to artificial intelligence, sovereignty can take on many forms, such as state sovereignty, community sovereignty over data and individual sovereignty.1 Others have even suggested that AI will force the recalibration of international interests.2 In our current context, how can businesses protect themselves from the volatility caused by the actions of foreign governments? We believe that it’s precisely by exercising a certain degree of sovereignty over their own affairs that businesses can guard against such volatility. A few tips: Understand Intellectual property issues: Large language models underlying the majority of artificial intelligence technologies are sometimes offered under open-source licenses, but certain technologies are distributed under restrictive commercial licenses. It is important to understand the limits imposed by the licenses under which these technologies are offered. Some language model owners reserve the right to alter or restrict the technology’s functionality without notice. Conversely, permissive open-source licenses allow a language model to be used without time restrictions. From a strategic standpoint, businesses should keep intellectual property rights over their data compilations that can be integrated into artificial intelligence solutions. Consider other options: Whenever technology is used to process personal information, a privacy impact assessment is required by law before such technology is acquired, developed or redesigned.[3] Even if a privacy impact assessment is not legally required, it is prudent to assess the risks associated with technological choices. If you are dealing with a technology that your service provider integrates, check whether there are alternatives. Would you be able to quickly migrate to one of these if you faced issues? If you are dealing with custom solution, check whether it is limited to a single large language model. Adopt a modular approach: When a business chooses an external service provider to provide a large language model, it is often because the provider offers a solution that is integrated to other applications that the business already uses, or because it provides an application programming interface developed specifically for the business. In making such a choice, you should determine whether the service provider can replace the language model or application if problems were to arise. If the technology in question is a fully integrated solution from a service provider, find out whether the provider offers sufficient guarantees that it could replace a language model if it were no longer available. If it is a custom solution, find out whether the service provider can, right from the design stage, provide for the possibility of replacing one language model with another. Make a proportionate choice: Not all applications require the most powerful language models. If your technological objective is middle-of-the-road, you can consider more possibilities, including solutions hosted on local servers that use open-source language models. As a bonus, if you choose a language model proportionate to your needs, you are helping to reduce the environmental footprint of these technologies in terms of energy consumption.  These tips each require different steps to be put into practice. Remember to take legal considerations, in addition to technological constraints, into account. Licenses, intellectual property, privacy impact assessments and limited liability clauses imposed by certain service providers are all aspects that need to be considered before making any changes. This isn’t just about being prudent—it’s about taking advantage of the opportunity our businesses have to show they are technologically innovative and exercise greater control over their futures. Scassa, T. 2023. “Sovereignty and the governance of artificial intelligence.” 71 UCLA L. Rev. Disc. 214. Xu, W., Wang, S., & Zuo, X. 2025. “Whose victory? A perspective on shifts in US-China cross-border data flow rules in the AI era.” The Pacific Review, 1–27. See in particular the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, s. 3.3.

In a strategic move to bolster domestic production of critical minerals, President Donald Trump has invoked the Defense Production Act (DPA). He signed an executive order aiming to reduce U.S. dependence on foreign sources, particularly China, which dominates the global rare earth minerals market. This market dominance poses economic and security risks for countries reliant on these materials for advanced technologies, such as the U.S. and Canada. The executive order leverages the DPA to provide financing, loans, and investment support for domestic processing of rare earth elements (REEs) and critical rare earth elements (CREEs). REEs are profoundly valuable and are essential in the manufacture of electronics (e.g., microchips, semiconductors, and essentially any product with a computer chip).  This initiative seeks to enhance national security by ensuring a stable supply of materials essential for technologies ranging from batteries to defense systems. Standard NdFeB magnets, without terbium (Tb) or dysprosium (Dy), cannot be used in high-temperature applications such as in electric vehicles (EV) critical components.  The production of high-value pre-magnetic REE alloys, requires the purchase of separated Tb and Dy oxides from China. Recent concerns about future supplies of REEs have now narrowed chiefly to the heavy rare earth elements (HREEs). Essentially, all of the world's HREEs are currently sourced from the south China ion-adsorption clay deposits.  The ability of those deposits to maintain and increase production is uncertain, particularly in light of environmental degradation associated with some mining and extraction operations in the region. As the U.S. intensifies efforts to secure its mineral supply chains, Canada, rich in mineral resources, has an opportunity to strengthen its position as a key supplier. However, Canada must also navigate its own strategic interests, ensuring that domestic extraction and processing capabilities remain competitive. REE mineral deposits typically contain appreciable levels of radioactive elements such as thorium (Th) and uranium (U), making the extraction of REE values environmentally challenging.  Novel processes for the extraction and separation of REE values in high yield and purity, with an environmentally cleaner design and overcoming the technical and economic limitations of the existing commercial processes, are of commercial interest. Additionally, diversifying export markets beyond the U.S. could shield Canada from potential shifts in American policy while strengthening its role as a global player in the critical minerals industry. As the Trump administration’s directive underscores the strategic importance of CREEs and the necessity to develop resilient supply chains, we can expect more news in the upcoming months from the U.S. regarding its efforts to lessen its dependence on other countries in the mining industry. Stay tuned!