Letter to the Standing Committee on Science and Research on its study on the Implications of the Canada-China Preliminary Joint Arrangement on Canada’s Electric Vehicle Sector

April 21, 2026

BY EMAIL

Salma Zahid, M.P.
Chair
Standing Committee on Science and Research
House of Commons
Sixth Floor, 131 Queen Street
Ottawa, ON K1A 0A6


Dear Chair:

I am writing in follow-up to my appearance before the Standing Committee on Science and Research on April 16, 2026, in relation to your study on the Implications of the Canada-China Preliminary Arrangement on the Electric Vehicle Sector.

During my appearance, I was asked whether the Government of Canada has an obligation to inform its citizens about privacy and security risks posed by electric vehicles. I am pleased to provide the following in response to this request. I also take this opportunity to provide details on my recommendations for legislative reform of the Personal Information Protection and Electronic Documents Act (PIPEDA).

Transparency requirements regarding risks posed by electric vehicles

In general, the Government has a responsibility for ensuring motor vehicle safety and security in Canada. It is my understanding that the process of addressing the cyber security risks associated with connected vehicles, regardless of origin, is a shared responsibility between multiple departments and agencies of the Government of Canada. On April 13, 2026, the Government tabled a response to Parliamentary order paper question Q-882 which highlighted the role that Public Safety Canada, the Canadian Centre for Cyber Security, and Transport Canada play when addressing the cyber security risks associated with connected and automated vehicles. [Footnote 1]

In cases where an investment is being made by a foreign entity to acquire an existing business or establish a new business in Canada, there may be a national security review conducted under the Investment Canada Act (ICA), which is led by the Minister of Industry in consultation with the Minister of Public Safety Canada.

I am aware of the Government of Canada’s National Security Transparency Commitments, which include informing Canadians about the strategic issues impacting national security and its current efforts and plans to address those issues. [Footnote 2] The Department of Public Safety would be better placed to elaborate on how these commitments balance transparency to Canadians without disclosing information that could compromise Canada’s security or the safety of Canadians.

In terms of communicating the privacy risks associated with a product or service, such as a connected vehicle, organizations have a responsibility under PIPEDA to inform individuals about their policies and practices regarding the management of personal information. As per my Office’s Guidelines for Obtaining Meaningful Consent, [Footnote 3] when obtaining consent for the collection, use, or disclosure of personal information, organizations must generally put additional emphasis on the risks of harm and other consequences that would be associated with a particular vehicle.

As I noted during my appearance, PIPEDA does not prohibit organizations in Canada from transferring personal information to organizations in China, or any other jurisdiction. Under PIPEDA, organizations are required to be transparent about their data practices. If personal information collected through electric vehicles is being sent to another jurisdiction, customers should be made aware by the organization that the information may be accessible by that other country’s courts, law enforcement and national security authorities.

An example of my Office’s expectations regarding transparency and trans-border data flows can be seen in the September 23, 2025 investigation report in which my Office and provincial counterparts in British Columbia, Alberta, and Quebec released findings regarding our joint investigation into TikTok Pte. Ltd. The report highlights recommendations to bring the company into compliance with the consent, transparency and appropriate purposes requirements of our relevant statutes. TikTok Pte. Ltd. agreed to work with our Offices and committed to, among other things, implement various measures such as enhancing its privacy communications, including through prominent up-front notices regarding its collection and use of biometric information and the potential for data to be processed in China.

Recommendations to Modernize PIPEDA

During my testimony, I noted that trans-border data flows can create inherent risks for privacy, potentially exposing personal information to differing legal rules and levels of protection. I expressed that PIPEDA should contain provisions that specifically address trans-border data flows to ensure that Canadians’ personal information is appropriately protected prior to leaving the country.

I have recommended that:

  • Similar to Quebec’s law, organizations could be required to conduct a Privacy Impact Assessment to establish that the information would receive a comparable level of protection to that afforded by PIPEDA, taking into account, among other things, the legal data protection framework in the other jurisdiction.
  • PIPEDA provide for specific tools for organizations to ensure that a “comparable level of protection” is provided when personal information travels across borders, such as standard contractual clauses, codes of practice, certification programs, and binding corporate rules.
  • Given that many trans-border data flows involve service providers located in other jurisdictions, PIPEDA should require all service providers to safeguard personal information and report breaches to the OPC.

These recommendations are a part of my seven priority recommendations for PIPEDA reform that I believe would be the most impactful in enhancing privacy protections and privacy rights in Canada:

  1. Enforcement Powers: Establish stronger enforcement powers by providing the Privacy Commissioner with the power to issue binding orders, impose administrative monetary penalties and to conduct proactive audits.
  2. Fundamental Right to Privacy: Recognize privacy as a fundamental right in the purpose clause and in an embedded preamble.
  3. Children’s Privacy: Enhance children’s privacy rights by explicitly recognizing the best interests of the child and mandating the Privacy Commissioner to develop a code of practice for children’s privacy.
  4. De-identification: Promote innovation by including a framework for de-identification and anonymization.
  5. Right to Deletion and De-listing: Ensure that individuals maintain control over their personal information through a clear and explicit right to de-list and delete personal information.
  6. Privacy by Design and Privacy Impact Assessments: Enhance accountability by requiring organizations to implement privacy by design and conduct privacy impact assessments for high-risk activities.
  7. Trans-Border Data Flows: Promote international trade by instituting specific rules and requirements to protect personal information moving outside of the country.

I hope that this information is of assistance to the Committee. Please do not hesitate to contact me should you have any questions or require further information.

Sincerely,

(Original signed by)

Philippe Dufresne
Commissioner

c.c.: Cédric Taquet, Clerk of the committee
