Letter to the Standing Senate Committee on Legal and Constitutional Affairs on Bill S-209

October 14, 2025

BY EMAIL

The Honourable David Arnot, Senator
Chair
Standing Committee on Legal and Constitutional Affairs
The Senate of Canada
Ottawa, Ontario  K1A 0A4
Canada

Dear Senator Arnot,

It was a pleasure to appear before your Committee on October 2, 2025, in the context of your study of Bill S-209, Protecting Young Persons from Exposure to Pornography Act. During my appearance, Senator Oudar asked for additional information regarding my input into privacy law reform.

During my testimony before this Committee, this topic arose in the context of discussing challenges in the regulation of modern technologies, including technologies for age-verification. Since becoming Privacy Commissioner of Canada in 2022, I have advocated for modernization of Canada’s privacy laws. Both of Canada’s federal privacy laws pre-date the modern digital economy, while technologies continue to evolve rapidly. The Privacy Act, which governs federal institutions’ handling of personal information, has remained unchanged since 1983, and the Personal Information Protection and Electronic Documents Act (PIPEDA), our federal private-sector privacy law, has not been comprehensively updated since it came into force in the early 2000s. Since then, the continued advancement in the adoption of artificial intelligence (AI) and generative AI, the risk of significant harms caused by data breaches, and the increasingly complex nature of global data flows, have put data protection at the forefront of the public interest.

In response to Senator Oudar’s question about my recommended amendments to Canada’s federal privacy laws, I would like to share with the Committee seven priority recommendations for PIPEDA reform that I believe would be the most impactful in enhancing privacy protections and privacy rights in Canada:

1. Enforcement Powers: Establish stronger enforcement powers by providing the Privacy Commissioner with the power to issue binding orders, impose administrative monetary penalties (AMPs) and to conduct proactive audits.
2. Fundamental Right to Privacy: Recognize privacy as a fundamental right in the purpose clause and in an embedded preamble.
3. Children’s Privacy: Enhance children’s privacy rights by explicitly recognizing the best interests of the child and mandating the Privacy Commissioner to develop a code of practice for children’s privacy.
4. De-identification: Promote innovation by including a framework for de-identification and anonymization.
5. Right to Deletion and De-listing: Ensure that individuals maintain control over their personal information through a clear and explicit right to de-list and delete personal information.
6. Privacy by Design and Privacy Impact Assessments: Enhance accountability by requiring organizations to implement privacy by design and conduct privacy impact assessments for high-risk activities.
7. Trans-Border Data Flows: Promote international trade by instituting specific rules and requirements to protect personal information moving outside of the country.

I have identified the above list as my priority recommendations for modernizing our federal private-sector privacy law because they would strengthen key regulatory powers and address systemic issues that my Office has observed, including emerging risks in the digital economy. As I indicated to the Committee in my testimony, my recommendations for stronger enforcement mechanisms would give me tangible and effective tools to promote compliance with PIPEDA and significantly enhance my Office’s ability to protect Canadians and their fundamental right to privacy. These recommendations would also bring PIPEDA more in line with the privacy laws of our provincial counterparts in Alberta, British Columbia and Quebec, as well as many international counterparts.

Additionally, with respect to children’s privacy, PIPEDA currently does not contain any special privacy protections for children who are particularly vulnerable to risks in the digital world. Recognizing the best interests of the child in the law would require that young people’s rights and well-being be primary considerations in any decisions or actions concerning them, while also encouraging organizations to build privacy for minors into products and services by design and discouraging harmful practices. My recommendation for a code of practice developed by my Office would allow me to clarify specific requirements for organizations handling the personal information of children to ensure that it is subject to special consideration and protections.

While my recommendations for PIPEDA reform would be most relevant for this Committee’s study of Bill S-209 and age-verification technologies developed by the private-sector, I would also reiterate that the federal Privacy Act is also critically out of date when it comes to regulating modern technologies. I have developed a similar list of priority recommendations for reform of the Privacy Act to address significant gaps in the law. Those recommendations are as follows:

1. Collection Threshold: Create an explicit necessity and proportionality requirement for the collection of personal information.
2. PIA Requirement: Require departments to conduct privacy impact assessments (PIA) in high-risk situations.
3. Orders: Provide the Privacy Commissioner with the power to issue binding orders.
4. Safeguards: Adopt an explicit legislative requirement to safeguard personal information.
5. Breach Reporting: Create a legislative requirement for reporting privacy breaches.
6. Discretion to Report: Provide more discretion to the Privacy Commissioner to publicly report.
7. Discretion to Decline: Provide the Privacy Commissioner with discretion to discontinue or decline complaints.

Modernizing Canada’s privacy laws is necessary to fully meet the challenges of today’s data driven world. It will protect Canadians and give them confidence that their data is protected and used responsibly, and it will support Canadian businesses and public sector institutions to innovate responsibly and earn public trust.

Thank you again for the opportunity to provide my input into your important work.

c.c. Vincent Labrosse, Clerk