Championing privacy in the age of AI

Letter to the Speaker of the Senate

June 4, 2026

The Honourable Raymonde Gagné, Senator
Speaker of the Senate
Senate of Canada
Ottawa, Ontario
K1A 0A4

Dear Madam Speaker:

I have the honour to submit to Parliament the Annual Report of the Office of the Privacy Commissioner of Canada, for the period from April 1, 2025 to March 31, 2026, entitled Championing privacy in the age of AI. This tabling is done pursuant to sections 38 and 40(1) of the Privacy Act and section 25 of the Personal Information Protection and Electronic Documents Act.

Sincerely,

Letter to the Speaker of the House of Commons

June 4, 2026

The Honourable Francis Scarpaleggia, M.P.
Speaker of the House of Commons
House of Commons
Ottawa, Ontario
K1A 0A6

Dear Mr. Speaker:

I have the honour to submit to Parliament the Annual Report of the Office of the Privacy Commissioner of Canada, for the period from April 1, 2025 to March 31, 2026, entitled Championing privacy in the age of AI. This tabling is done pursuant to sections 38 and 40(1) of the Privacy Act and section 25 of the Personal Information Protection and Electronic Documents Act.

Sincerely,

Commissioner’s message

I am pleased to submit my 2025-2026 Annual Report to Parliament, highlighting the work of the Office of the Privacy Commissioner of Canada (OPC) over the last fiscal year.

This report details the activities and achievements of my Office to protect and promote individuals’ fundamental right to privacy. It covers both the Privacy Act, which applies to the personal information handling practices of federal government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law.

The OPC operates in a rapidly changing environment, where personal information is being collected and used at unprecedented volumes.

New and evolving technologies bring opportunities to connect, to create, and to innovate. At the same time, technological advances in areas such as data analytics, artificial intelligence (AI), biometrics, and smart devices raise novel and complex privacy risks.

Privacy and data protection are more relevant today than ever, as the digital economy brings very real and concrete issues for privacy.

How organizations manage personal information is increasingly important – data protection is now regarded as a strategic value proposition in the private sector for consumers, and an imperative in the public sector for federal institutions.

Trust in how data is handled is becoming an important factor in how Canadians interact with government, businesses, and technology, which is a significant consideration, particularly during challenging economic times.

Many key players subject to private sector privacy legislation now see privacy as a competitive asset and advantage. In government circles, privacy is increasingly recognized as a necessary condition of democracy and transparency.

For innovation to flourish, privacy must be protected. The value of innovation will be maximized when it is accompanied by trust.

My Office continues to advance the strategic priorities that I identified two years ago: protecting and promoting privacy with maximum impact; addressing and advocating for privacy in a time of technological change; and protecting the privacy of children, which is the theme of this year’s spotlight.

Championing children’s privacy has been a major focus of our work this year, especially in the private sector. We held a public consultation with stakeholders on the topic of age assurance and have since published guidance. My Office is also working on developing a Children’s Privacy Code after publishing a report on what we heard during another public consultation.

During an international symposium on youth privacy that I hosted in June 2025, I announced that I was creating a Youth Council, in order to hear directly from youth about their privacy concerns. The Youth Council held its first meeting in November 2025.

This year, a Global Privacy Enforcement Network (GPEN) sweep focused on the privacy practices of website and mobile applications (apps) that are used by children and youth, and together with my provincial and territorial counterparts, we issued a joint resolution on educational technology in schools.

The priority of addressing and advocating for privacy in a time of technological change also remained a central component of our efforts. From exploring synthetic media through the lens of Canada’s privacy laws, to preparing guidance on the use of biometrics, to issuing a joint statement from the G7 Data Protection and Privacy Authorities Roundtable on responsible innovation, this priority has entered into nearly every facet of the OPC’s work.

Under the priority of maximizing impact, my Office has continued to implement the transformation plan that I announced in January 2025 to streamline our operations and promote compliance more strategically and more rapidly.

The plan has created opportunities for innovation and more synergies in our work, including through the modernization of online forms and more efficient ways to address breaches. To that end, we launched the beta version of our internal AI service, PRIVIA, which we began piloting across the OPC in the fall of 2025. It has allowed the OPC to explore potential ways to use AI in our work, while leading by example in demonstrating how privacy can enable safe, secure, and responsible innovation.

Privacy is a global issue that cannot be dealt with by any one country or regulatory jurisdiction alone. Working across borders and jurisdictions allows us to leverage our collective strength and influence so that we can tackle global privacy challenges and ensure consistent protections for individuals.

To that end, I was honoured to be elected Chair of the Global Privacy Assembly (GPA) in September 2025. This international forum brings together more than 130 data protection and privacy authorities from all over the world.

Having the Privacy Commissioner of Canada in this global leadership role represents a significant opportunity to help shape the future of data protection globally – to support stronger privacy protections for individuals and to enable Canada’s economic success, including supporting digital trade and advancing Canada’s international presence.

In 2025 I chaired the G7 Data Protection and Privacy Authorities Roundtable in the context of Canada’s G7 presidency. I was pleased to host the members of the Roundtable in the National Capital Region in June 2025.

Domestically, I collaborate regularly with my provincial and territorial counterparts. Since October 2025, I have co-chaired the Federal, Provincial, and Territorial Information and Privacy Commissioners and Ombuds group alongside Information Commissioner of Canada Caroline Maynard. Together, we are working towards hosting the annual conference in the fall of 2026.

Through its efforts with these and other organizations, my Office can help create a regulatory environment that makes it easier for Canadian businesses to engage and succeed in a globalized world and for government institutions to innovate responsibly to maintain citizen trust.

I remain optimistic about movement on privacy law reform and I look forward to proposals to modernize both Acts. Modernizing Canada’s privacy laws is necessary to fully meet the challenges of today’s data-driven world – enabling Canadians to confidently reap the benefits of a digital society, and future-proofing businesses for success.

Philippe Dufresne
Privacy Commissioner of Canada

Timeline

Highlights of key activities in 2025-2026.

May2025

Commissioner launches exploratory consultation on Children’s Privacy Code

June2025

Commissioner Dufresne and the United Kingdom Information Commissioner release findings of joint investigation into 23andMe breach

Commissioner Dufresne hosts G7 Data Protection and Privacy Authorities Roundtable

Commissioner Dufresne hosts 2025 international symposium on youth privacy in a digital age

July2025

PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada

August2025

OPC releases findings of investigation into Google and de-listing of online information

September2025

Commissioner Dufresne elected Chair of the Global Privacy Assembly

Commissioner Dufresne and privacy protection authorities for Quebec, British Columbia, and Alberta release findings of joint investigation into TikTok and user privacy

October2025

Commissioner Dufresne attends Annual Meeting of Federal, Provincial, and Territorial Information and Privacy Commissioners and Ombuds

November2025

Commissioner Dufresne and privacy authorities from across the country issue joint resolution on protecting the privacy of children and youth in the classroom through responsible educational technologies

December2025

OPC launches 2026-2027 Contributions Program funding cycle

Privacy Commissioner of Canada launches consultation on guidance modernization

January2026

Privacy Commissioner of Canada releases report into Staples investigation - a reminder to businesses to fully delete personal data on electronic devices before resale

Privacy Commissioner of Canada expands investigation into social media platform X following reports of AI-generated sexualized deepfake images

February2026

Global joint statement by data protection and privacy authorities on AI-generated imagery

March2026

Privacy Commissioner of Canada tables in Parliament Special Report on ArriveCAN app investigation

Privacy Commissioner of Canada concludes compliance letter with Nova Scotia Power to confirm its commitment to strengthening security measures

OPC conducts review of websites and apps used by children as part of global privacy sweep with 26 privacy regulators

Privacy Commissioner of Canada concludes compliance agreement with World Anti-Doping Agency regarding limitations to uses of athletes’ sensitive personal information

Top trends in privacy

Privacy, data, and trust in the digital age

Privacy is being tested in new ways as digital technologies evolve, and children grow up in increasingly data-driven environments. AI, connected services, online platforms, and immersive digital tools are creating new opportunities, but they also raise questions about how personal information is collected, used, shared, and protected.

In Canada and around the world, expectations are shifting. Individuals want innovation, but they also want stronger safeguards, clearer accountability, and better protection for children and youth. The trends in this section reflect two of the OPC’s strategic priorities: advancing privacy in a time of technological change and championing children’s privacy rights. They show where privacy pressures are rising and where leadership is needed most.

Shaping the digital future: Privacy and innovation

Digital technologies are evolving quickly, from AI tools and synthetic media to smarter devices, automated systems, and more connected digital services. These changes are creating new opportunities for innovation, better services, and improved standards of living, while also requiring that privacy be a central part of how new technologies are designed, used, and governed. As adoption grows, privacy is no longer a side issue. It is increasingly part of bigger conversations about security, accountability, digital markets, and how rules keep pace with technological change. And the stakes can be high: weak privacy and governance can contribute to serious real-world harms affecting safety, well-being, and health.

AI is moving into everyday life and work

AI is becoming a regular part of how Canadians work, create, study, search, and solve problems. Use is growing among individuals, especially younger adults, and adoption of these technologies by both the private and public sectors is rising as organizations test how these tools can support operations, services, and decision-making. While AI becomes more embedded in everyday settings, privacy implications become more immediate because massive amounts of data, including personal information, are being entered into these systems and more organizations are using them in routine ways.

16%

Use of AI by Canadian businesses more than doubled in 2026 to 16%, compared to 6% two years prior.^{Footnote 1}

57%

of Canadians have tried AI tools; up from 25% in 2023.^{Footnote 2} Globally, 66% of individuals use AI regularly.^{Footnote 3}

2X

AI use by firms across Organisation for Economic Co-operation and Development (OECD) countries has more than doubled in two years.^{Footnote 4}

Text version of Figure 1

AI is moving into everyday life and work

How Canadians and Canadian businesses are using AI	2023/2024	2026
Use of AI by Canadian businesses	6%	16%
Canadians who tried AI tools	25%	57%
Firms using AI in OECD countries	8.7%	20.2%

AI adoption has more than doubled across the board

Canadians want innovation with guardrails

Canadians are not turning away from AI or other emerging technologies. Many see real value in innovation and are open to new tools, but they also want stronger privacy and data governance protections and clearer expectations for responsible use. The public conversation is shifting from beyond just whether AI is good or bad to whether personal information is being used properly, whether risks are understood, and whether the right safeguards are in place. Across Canada and internationally, governments and regulators are also responding with consultations, guidance, rules, and other efforts to establish expectations for responsible AI use.

70%

of Canadians say that AI will lead to positive outcomes and 60% are already seeing the benefits in their personal and professional lives.^{Footnote 5}

88%

of Canadians are concerned about their personal information being used to train AI systems.^{Footnote 6}

85%

of Canadians believe that AI should be regulated by governments to ensure ethical and safe use.^{Footnote 7}

Text version of Figure 2

Canadians want innovation with guardrails

• 70% of Canadians say that AI will lead to positive outcomes
• 88% of Canadians are concerned about their personal information being used
• 85% of Canadians believe that AI should be regulated

Privacy is becoming part of broader digital governance

What used to sit in separate lanes is now converging, as regulators, lawmakers, and organizations grapple with risks that cut across privacy, competition, communications, copyright, borders, cybersecurity, and consumer protection. Better privacy protections for Canadians is a core part of building a stronger Canada. How digital systems are designed, governed, and made accountable are not stand-alone compliance issues. There is increasing pressure for clearer rules, better coordination, and stronger safeguards that can work across technologies and jurisdictions.

Growing up digital: Privacy for children and youth

Children and youth are growing up in a digital environment that is more connected, more personalized, and more immersive than ever. Social platforms, games, learning tools, connected devices, and AI systems are collecting, inferring, and using the data of children and youth to build profiles of them that are shaping their lives from an early age. Privacy is increasingly tied to wider questions about online safety, platform design, and age assurance. Parents, children, and youth cannot be expected to manage complex risks on their own. Organizations must be accountable and build privacy protections directly into the technologies that children and youth use at school and at home.

Children are going online earlier and leaving bigger digital footprints

Children’s digital lives are starting earlier and becoming more participatory. While younger children are mostly using devices for direct entertainment, with or without connection to the internet (watching movies, playing standalone games) under adult supervision, older children and teens tend to spend more time on social platforms, creating content, and interacting with systems that collect data about what they do, watch, and share. This data can then be used to entice them to spend money, stay online, and engage even more. The growth and learning experiences of Canadian youth is now taking place in environments built to track engagement, personalize content, and encourage ongoing participation. That raises privacy questions much earlier, and in settings where younger users may have a more limited understanding or control over how their information is used.

69%

of Canadian children aged two to six can use some technology without help.^{Footnote 11}

7/10

Canadian children and youth aged seven to 17 engage with social media every month.^{Footnote 12}

1/3

of Canadian children and youth aged seven to 17 who use social media have created content in the past week, including comments, photos, and videos.^{Footnote 13}

Text version of Figure 3

Children and youth in the digital environment

• 69% ages 2-6 can use some technology without help
• 7 in 10 ages 7-17 engage with social media monthly
• 1 in 3 ages 7-17 created social media content in the past week

Support is growing for stronger child privacy protections by design

In Canada and abroad, there is growing support for stronger default protections for children, with clearer limits on how their data is collected and used, and on ensuring that age-appropriate experiences do not depend on children navigating complex privacy choices by themselves. Age assurance sits inside that shift, but the debate is increasingly about how to do so in ways that are effective, proportionate, and privacy-protective. The emerging direction of regulators across the globe is toward privacy and safety by design, with more recognition that the collection, use, and disclosure of children’s data present distinct risks that call for stronger default protections.

Children’s privacy is moving into design, oversight, and enforcement

Children’s privacy is no longer being treated as an issue limited to consumer apps. It is increasingly showing up in work on other areas including educational technology, AI, online safety, age assurance, and platform accountability. Regulators around the world are signaling that children need more robust default protections, and that schools, governments, platforms, and vendors all have responsibilities when digital tools are used by and around children.

Privacy spotlight: Championing children’s privacy

In 2025-2026, the strategic priority of championing children’s privacy was a major focus of the OPC’s work. Initiatives helped to deepen the OPC’s understanding of the data protection issues that impact Canadian youth, including by engaging directly with children and youth, and included applying a children’s privacy lens to enforcement activities, such as the joint investigation into TikTok.

In today’s ever increasing digital world, youth have little choice but to be online, be it for school, play, or to keep in touch with family and friends.

Nearly half of Canadian youth (46%) who responded to a 2025 UNICEF study said that they spend four to six hours online each day, while 22% said that they were online as many as nine hours a day between school, work, chatting with friends, or playing games. A Media Technology Monitor study suggests that 70% of children aged seven to 17 regularly use social media.

The online world offers children and youth unprecedented opportunities for innovation, creativity, self-expression, and engagement, but it also increases their risk of being targeted, manipulated or harmed.

Earlier generations had the privilege of growing up without having to worry about who was tracking their actions, and without the possibility that the things that they said and did in their childhood and adolescence could be documented and made available to the whole world. Today’s youth deserve the same freedom to grow up, make mistakes, and move forward. Strong privacy protections are what make that possible in a digital age.

It is important that children and youth have the skills to be active digital citizens, and for this, they need to be able to explore and experiment online with confidence and autonomy, knowing that it is a safe space for them.

It is a complex and continually evolving issue that has required the OPC to work collaboratively with children and youth, and also with other data protection and privacy authorities from around the world, as well as across regulatory spheres, with children’s rights and the best interests of the child as the starting point.

To that end, the OPC has undertaken a number of initiatives this year to advance its children’s privacy priority. The work that the OPC carried out in 2025-2026 has laid the groundwork for active collaboration with Canadian youth, which will give them a voice on issues that concern them and position the OPC as a leader on children’s privacy.

“We all want to ensure that young people can experience youth in an environment that is safe. An environment where the things that they say and do are not tracked, or used against them. One where one action is not caught like a fly in amber, and then found and exploited over and over again.”

International symposium

In June 2025, the OPC hosted an international symposium titled “Youth Privacy in a Digital Age.”

The symposium brought together Canadian youth leaders, academics, senior government leaders, civil society representatives, industry stakeholders, and data protection and privacy authorities from around the world. Participants explored issues ranging from data privacy from the perspective of teens to the impacts of AI on children and youth, deceptive design, educational technologies, and the best interests of the child in the digital space.

OPC international symposium: Youth Privacy in a Digital Age (June 20, 2025)

OPC international symposium: Youth Privacy in a Digital Age (June 20, 2025)

Direct outreach

In keeping with Article 12 of the United Nations Convention on the Rights of the Child (UNCRC), which requires that adults take children’s views into account when making decisions that impact them, the OPC collaborated with a team of academic researchers to hold a two-day youth summit in the National Capital Region in November 2025. Twenty-four children and youth between the ages of nine and 17 were invited to share their experiences and opinions on a range of privacy issues. In their preliminary report, the researchers identified eight priority areas that will help inform the OPC’s work to address children’s privacy issues, including ongoing efforts to draft a Children’s Privacy Code.

The OPC also held three focus groups to better understand the views of youth. During the focus groups, participants expressed concern about reputational harm online and a desire to have more control over their digital footprint, particularly as they age. They indicated a desire for companies to do more to protect children and for more privacy education for youth, their parents, and educators.

Youth Council

The OPC established a Youth Council, comprised of seven students aged 14 to 17 from across Canada. The Council is a space for youth to share their insights, experiences, and ideas on the privacy issues that matter the most to them. The Council’s voice is playing an important role in helping the OPC understand the impact that privacy issues have on youth.

The Youth Council met virtually for the first time in November 2025 and again in person in February 2026. Members expressed a strong interest in activities related to communications and outreach, such as creating youth-accessible versions of complex reports, and designing awareness campaigns, workshops, and presentations.

The Youth Council is an important channel to support the OPC’s efforts to effectively reach youth across Canada, as well as educators, parents, and organizations that serve this demographic.

“In an increasingly complex digital world, privacy is harder to protect but more essential than ever for youth. The OPC Youth Council empowers youth by ensuring Canada’s privacy landscape reflects the diverse realities of youth.”

Children’s Privacy Code

The OPC is also developing a Children’s Privacy Code following a consultation launched in May 2025, that included a youth roundtable held in collaboration with Children First Canada.

A Canadian Code will address the handling of children’s personal information by organizations and is critical to ensuring that the personal information of children and youth is properly protected and that they are able to effectively exercise their privacy rights.

Many jurisdictions around the world have benefited from privacy regulators releasing guidance and/or governments adopting legislation that requires organizations to adapt their data practices, including with respect to the design of products and services, to address the unique needs and best interests of children.

Consultation on age assurance

From June to September 2025, the OPC ran a consultation on age assurance that invited interested parties to provide feedback on the OPC’s preliminary position and any additional context that could inform future approaches to the topic.

The significant public interest in, and importance of, a well-considered policy position on age assurance was reflected in the 40 responses that were received.

The OPC published a summary of what we heard during the consultation followed by guidance on assessing when age assurance should be used, and on designing age assurance.

“Talk to us and get our opinion. Do things like beta testing on websites with young people to make sure your sites work well for kids. Do surveys, consultations, having more open discussions could help us come to better solutions.”

GPEN privacy sweep

In November 2025, the OPC partnered with 26 data protection and privacy authorities from across Canada and around the world to conduct a sweep that examined the privacy practices of 876 websites and mobile apps that are used by children. The results were published in March 2026. The GPEN-led sweep was similar to one conducted in 2015, thereby enabling participating authorities to compare how online services have protected children and used their data over time.

Overall, sweep participants observed good practices to protect children and their personal information, such as notifications advising children not to use their real names or upload images, as well as having location sharing disabled by default.

However, they also noted practices that raised concerns about children’s privacy, and that suggests that some risks may have increased over the last 10 years. For example, compared to 2015, more online services that are used by children now require users to provide their personal information to access the full functionality of the platform. In addition, more platforms indicated in their privacy policies that they may share personal information with third parties.

Educational technologies

At their October 2025 meeting, the Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy Oversight adopted a resolution on the responsible use of educational technologies in the classroom. The joint resolution recognizes that governments, educational institutions, and educational technology (EdTech) providers share a responsibility to ensure that the adoption of new tools does not come at the expense of students’ privacy.

This focus on and concern for the privacy of youth is behind a global trend toward the development of new laws, regulations, guidelines, and initiatives by governments and data protection authorities around the world.

Statement: Promoting Responsible Innovation and Protecting Children by Prioritizing Privacy

Following his election as Chair of the GPA in September 2025, Commissioner Dufresne indicated that one of the themes of his term would be championing youth privacy. The Assembly’s International Enforcement Working Group, which is co-chaired by the OPC, held a closed session in December 2025, titled “Promoting a Safe Digital Childhood,” to talk about online gaming.

This theme was also reflected in the statement that came out of the meeting of the G7 Data Protection and Privacy Authorities Roundtable that Commissioner Dufresne hosted in the National Capital Region in June 2025, in the context of Canada’s G7 presidency.

The statement notes that this generation of children will be the first to be raised in a world strongly influenced by AI, and that the development and deployment of new technologies that are used by children will have significant effects on their users, who “remain particularly vulnerable to their associated harms.”

Communications, promotion, and outreach activities

Introduction

The OPC carries out its mandate to protect and promote Canadians’ fundamental right to privacy in numerous ways.

In addition to overseeing compliance with the Privacy Act and PIPEDA, the OPC provides advice to Parliament, collaborates with international, domestic, cross-regulatory, and civil society partners, facilitates privacy-related research, creates guidance for federal government institutions, businesses, and individuals, maintains the organization’s website and social media channels, responds to questions from the media, and pursues other communication and outreach activities throughout the year.

Commissioner Dufresne, Deputy Commissioners, and OPC subject-matter experts frequently speak about their work to audiences that include students, stakeholders working in the field of privacy, federal government institutions, private-sector organizations, and fellow domestic and international regulators. This work includes organizing events and speaking with organizations about privacy, reviewing codes of practice to combat financial crimes, providing advice to federal government institutions in respect of new privacy-impactful programs, and negotiating voluntary resolutions to high-risk breaches. Proactively engaging with public- and private-sector organizations helps to promote privacy and improve compliance outside the context of resource-intensive investigations.

In 2025-2026, the OPC’s outreach and other proactive activities focused on the priorities outlined in Commissioner Dufresne’s strategic plan, as well as on areas identified through business intelligence – for example, inquiries to the Information Centre and other complaints received by the OPC.

Proactive engagement

In 2025-2026, the OPC increased its use of proactive compliance engagements as a mechanism to address issues that could present a serious privacy risk to Canadians.

The aim of these engagements is to address potential privacy risks more promptly and efficiently and where possible avoid a full resource-intensive investigation. Through voluntary engagements, the OPC seeks to better understand organizations’ practices, provide recommendations to address any identified potential compliance issues, and encourage organizations to voluntarily implement measures to improve their privacy practices.

This year, the OPC engaged with a number of organizations in this manner. This included exchanges with social media company LinkedIn as well as with automotive industry manufacturer Magna International. 

“Technology moves at the speed of innovation. Adoption moves at the speed of trust.”

LinkedIn

The OPC engaged with LinkedIn to get a better understanding of its AI training practices following media reports indicating that the company had started training AI models using the personal information of its members without having first notified them of the practice.

During the engagement, LinkedIn voluntarily paused its use and disclosure of Canadian members’ personal information to train generative AI models. The company also committed to implementing a number of privacy-protective measures to accompany its generative AI model training prior to resuming this practice in November 2025. This included sending advance notices to LinkedIn’s Canadian members to inform them of the availability of an opt out mechanism and using appropriate privacy-enhancing technologies to limit the presence of personal information in the training datasets.

Magna

The OPC approached Magna International to gain clearer insight into its pilot for autonomous delivery vehicles in Toronto, which raised potential privacy issues regarding its handling of images captured via the vehicles’ cameras.

During the engagement, the company informed the OPC that it completed the pilot and had no immediate plans to further implement the program at the time.

As a proactive measure, the OPC provided Magna with advice and guidance and invited the company to consult further with the OPC on its compliance with PIPEDA should it decide to deploy autonomous vehicles in Canada in the future.

Promoting privacy

Outreach

The OPC participated in more than 50 speaking and outreach events in 2025-2026. This included major keynote addresses by Commissioner Dufresne during the IAPP Canada Symposium in May 2025 and the Victoria International Privacy & Security Summit in February 2026.

The OPC promoted educational resources for teachers through an email campaign and participated in an event attended by educators and librarians to support young people’s privacy education.

Privacy Awareness Week was observed in May 2025 with the release of the results from the OPC’s Survey of Canadians and a social media campaign centered on the theme “Prioritize Privacy.” For Data Privacy Week in January 2026, the OPC promoted privacy by design on social media and during a keynote address by Commissioner Dufresne before federal access to information and privacy professionals.

Like all organizations, federal government institutions face increasing cyber threats. For this reason, the OPC also hosted, with the Treasury Board of Canada Secretariat (TBS) and the Canadian Centre for Cyber Security, a Data Privacy Week webinar on privacy obligations and strategies to prevent and respond to breaches in the public sector. The webinar, and another event held during Privacy Awareness Week on conducting Privacy Impact Assessments (PIA), allowed the OPC to reach more than 1,400 public servants with advice on privacy protection best practices.

The OPC held other outreach events with a number of organizations in 2025-2026, including TBS, the Privy Council Office, and other federal government institutions, as well as with various private-sector innovation hubs, accelerators, and networks in the National Capital Region, the Greater Toronto Area and other parts of Canada. Through these activities, the OPC connected with more than 3,600 public servants and over 1,000 businesses.

The OPC used these outreach events to discuss compliance with federal privacy laws, policies, and best practices, raise awareness in the public and private sectors about the Commissioner’s priorities, and provide information about expectations and best practices for protecting privacy in the context of AI and children’s personal information.

As one of Canada’s largest employers, the Government of Canada has a key role to play in setting a good example for privacy practices in the workplace. Upon noticing a significant number of complaints and inquiries related to employee privacy this past year, the OPC organized a half-day event in February 2026 to address privacy in the context of public-sector human resources.

The OPC welcomed chief human resources officers and chief privacy officers from across the federal government to discuss issues such as how to respect privacy in the context of the duty to accommodate, emerging human resources technologies such as virtual interviews and using AI for resume review, and managing public service return-to-office initiatives.

“HR professionals, as a collective, are known to embrace new technologies and modern ways of doing things. You are often at the forefront of innovation, and you also play an important role in organizational culture and values. It is more important than ever to be diligent in prioritizing privacy.”

Additional public-sector outreach initiatives offered in collaboration with TBS, PCO, and other federal government institutions addressed topics such as balancing privacy and transparency in access to information and using open-source intelligence to collect and use personal information.

On the private sector side, the OPC continued to receive a large number of complaints and inquiries under PIPEDA relating to the financial sector. As such, the OPC engaged with the Canadian Bankers Association to better understand the privacy challenges faced by financial institutions as well as the measures that they are implementing to combat those privacy risks. The OPC also leveraged these engagements to discuss issues relating to breach reports, such as those involving unauthorized employee access.

According to Innovation, Science and Economic Development Canada (ISED) data, small and medium enterprises (SMEs) represent 98.2% of total businesses in Canada and are often at the leading edge of innovation. The OPC therefore also aimed to expand its reach to small businesses by exhibiting at events such as the Small Business Summit organized by Canadian SME Magazine, and the City of Toronto’s Small Business Forum.

The OPC also continued to deliver virtual “Privacy and Your Business” presentations to SMEs across Canada, with additional focus in 2025-2026 on the responsible use of AI and the importance of protecting children’s privacy. These presentations were generally offered in collaboration with various innovation hubs and industry associations to maximize reach.

Privacy and technology were also the subject of OPC engagements in the Atlantic and Prairies, including with AI startup incubator Volta and the Atlantic Tech Summit in Nova Scotia, the IT Alliance in PEI, Community Futures in Saskatchewan, and Tech Week Manitoba.

IAPP Canada Privacy Symposium (May 2025)

Information Centre

The OPC’s Information Centre responds to inquiries for information about privacy-related matters in the private and public sectors. Over the last year, a significant number of Canadians expressed concerns related to deactivated social media accounts and the inability to regain access to their account and personal information, such as several years’ worth of photos.

While other inquiries are varied, with topics ranging from obtaining access to personal information to the privacy implications associated with AI, the OPC noted a trend in inquiries related to employee privacy, as well as a number of questions from tenants related to issues with landlords and property management companies. Common concerns raised by tenants included the use of video surveillance, units being photographed, tenant information such as court records being posted on public forums, and other issues related to overcollection or the disclosure of personal information.

Privacy advice

In the public sector, the OPC offers advice to federal government institutions that are considering the development or implementation of new or amended programs that will have an impact on privacy, to encourage privacy by design – building privacy considerations in at the outset. The OPC encourages the completion of PIAs to comply with TBS policy requirements to identify and mitigate privacy risks. The OPC also reviews PIAs and provides advice and recommendations where high-risk issues are identified. In 2025-2026, the OPC reviewed 181 PIAs, a 31% increase compared to the previous year, including an increase in PIAs from smaller institutions subject to the Privacy Act.

The OPC also provided advice and recommendations on a range of government AI-related initiatives, including the development of business intelligence and data trend analysis, the provision of wellness services, analysis of video footage, and the use of facial recognition. In addition, the OPC sought out opportunities to make recommendations to strengthen federal government institutions’ privacy practices related to children and youth, for example, in tracking student loans, managing travel visas, and combatting child exploitation.

The use of novel technologies by law enforcement agencies to identify and combat criminal actors was a trend observed by the OPC in the past year, whether through PIAs submitted for review, enquiries made by the public, or elsewhere. To discuss and learn more about these issues, the OPC consulted with federal government institutions on several programs including those related to the use of satellite imaging to find missing persons, techniques to counter drones, anti-cybercrime programs, as well as the use of software designed to investigate cases of child sexual abuse material and locate victims of child sexual abuse and sex trafficking.

The OPC recognizes the important work of law enforcement and its need for modern tools. Its advice stressed the need for necessity and proportionality to minimize privacy harms and maintain public trust in the use of these tools.

In the private sector, the OPC provided advice to businesses during in-person events or through the Information Centre and also continued to deliver privacy clinics on the margins of outreach events, to provide businesses an opportunity to obtain answers to specific privacy questions directly related to their privacy practices.

Through this work, the OPC provided privacy advice to a wide range of organizations that may handle highly sensitive personal information. These included the developer of a parenting app regarding the protection of children’s personal information, an organization seeking to strengthen its privacy measures related to the photography of children during extra-curricular activities, a company exploring the development of an app to assist customers during a dissolution of marriage, and a company providing services in support of motor vehicle accident insurance claims.

Guidance and resources

The OPC develops guidance to help organizations comply with their legal obligations under federal privacy laws and implement privacy best practices. As part of its public education mandate, the OPC also produces tips for individuals to help them better understand their privacy rights and take actions to protect their privacy.

As a growing number of organizations use biometric technologies such as facial recognition and fingerprint scanning to verify identity and provide services, the OPC issued new guidance in August 2025 on protecting privacy in biometric initiatives.

Developed for both businesses and federal government institutions following an extensive consultation, the biometric guidance addresses key considerations for organizations when planning and implementing initiatives involving biometric technology.

In February 2026, the OPC updated its Interpretation bulletin on sensitive information to add “neural data” to the list of personal information that will generally be considered sensitive and require a higher degree of protection. Interpretation bulletins summarize the general principles that have emerged over time from court decisions and the OPC’s findings under PIPEDA. They are intended to help organizations comply with their legal obligations.

In June 2024, the OPC launched an exploratory consultation to gather input on how and when online services should confirm the age of a user in order to restrict children and youth from accessing certain content. Based on the feedback received, the OPC released guidance in May 2026 to help organizations design age-assurance systems and assess when they should be used.

In May 2025, the OPC launched an exploratory consultation on the development of a Children’s Privacy Code to promote compliance with privacy obligations under PIPEDA and set out the OPC’s expectations regarding organizations’ handling of children’s personal information. In May 2026, the OPC published a “what we heard” report based on that consultation.

Consistent with Commissioner Dufresne’s strategic priority of protecting and promoting privacy with maximum impact, the OPC also launched a consultation to inform the development of future guidance for organizations subject to Canada’s federal private-sector privacy law to ensure that it is timely, effective, and responsive to the needs of stakeholders.

For individuals, the OPC published Your privacy and AI chatbots in May 2025 to help individuals to better understand the technology and how to use it in a privacy-protective way. The OPC has also made updates to its guidance for individuals considering filing a formal complaint to clarify the process.

Advice to Parliament and Government

As an Agent of Parliament, the Privacy Commissioner of Canada is frequently called to appear before House of Commons and Senate committees to advise Parliamentarians on privacy-related legislation and other matters. In 2025-2026, the Commissioner appeared nine times and made four submissions to Parliamentary committees.

Another important part of the OPC’s work is to provide advice to government on the privacy impacts of proposed legislation and policy direction. The OPC made three submissions to government as detailed later in this section.

Appearances before Parliament

Appearance on Bill S-209, An Act to restrict young persons’ online access to pornographic material

In his October 2025 appearance before the Standing Senate Committee on Legal and Constitutional Affairs (LCJC), Commissioner Dufresne discussed his Office’s work on age assurance. He stated that it is essential that regulators, along with governments, industry, and civil society, work together to prioritize the best interests of children and youth, which includes their fundamental right to privacy, so that they are supported to be able to safely navigate the online world.

Appearance before the Standing Committee on Access to Information, Privacy and Ethics to discuss the work of the OPC

In October 2025, Commissioner Dufresne appeared before the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI). The Commissioner noted the importance of prioritizing privacy, measures taken by his Office to improve efficiency, and the need to modernize Canada’s privacy laws to meet the challenges of today’s data-driven world.

Appearance on Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Commissioner Dufresne appeared before the House of Commons Standing Committee on Public Safety and National Security (SECU) in October 2025 to discuss the privacy implications of Bill C 8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. Commissioner Dufresne said that Bill C-8 recognizes that steps must be taken to protect critical infrastructure against cyber threats as they continue to evolve in sophistication and complexity. He also made recommendations to strengthen the Bill from a privacy perspective.

Appearances on Bill C-12, the Strengthening Canada’s Immigration System and Borders Act

In November 2025, Commissioner Dufresne appeared before SECU to discuss Bill C-12, the Strengthening Canada’s Immigration System and Borders Act. Bill C-12 would amend a number of laws and regulations with a view to strengthening immigration and border security and combatting transnational organized crime and the flow of illicit narcotics and financing. The Commissioner recommended an amendment to Part 1 to clarify that customs officers may not enter a dwelling-house for the purpose of accessing goods destined for export without the consent of the occupant, except under the authority of a warrant.

Commissioner Dufresne then appeared before the Standing Senate Committee on National Security, Defence and Veterans Affairs in February 2026 to support the Committee’s study of the Bill. In his remarks, Commissioner Dufresne said that language in the Bill related to information-sharing agreements is a good example of an approach that he has recommended in the past for Bills that contemplate extensive or ongoing disclosures of personal information, particularly between jurisdictions.

“Data has become one of the most important resources of the 21st century. Through modern laws, collaboration, and engagement, we can and we must create a regulatory environment that will benefit Canada’s economy, support Canadian businesses, and protect the privacy rights of Canadians.”

Appearances to discuss C-15 data-mobility provisions

Commissioner Dufresne appeared before the Standing Senate Committee on Banking, Commerce and the Economy in December 2025 to offer his views on the proposed amendments to PIPEDA introduced in Bill C-15, the Budget 2025 Implementation Act, No. 1. The Commissioner noted the importance of the Bill’s policy objectives and the importance of the right to data mobility in today’s digital economy, given that it would provide Canadians with greater control over their personal information. The Commissioner also stated that it will be important for the OPC to be consulted in the development of the regulations associated with the data mobility framework.

In January 2026, Commissioner Dufresne appeared before the House of Commons Standing Committee on Industry and Technology to offer his views on the proposed amendments to PIPEDA introduced in Bill C-15. The Commissioner supported efforts to introduce a right to data mobility in Canada, noting that such a right would give Canadians greater control of their personal information by allowing them to make decisions about who they want their information shared with. The Commissioner also reiterated the importance of consulting with the OPC on the development of the regulations and that he looks forward to working with the government on this important issue.

Appearance on a study on artificial intelligence and its regulation

Commissioner Dufresne appeared before ETHI in February 2026 as part of its study of “Challenges Posed by Artificial Intelligence and its Regulation.” In his remarks, the Commissioner said that privacy is an important and timely issue for Canada. He noted that as AI technologies continue to evolve rapidly and become increasingly integrated into personal and professional lives, modernization of Canada’s privacy laws would further enable Canadians and Canadian organizations to use and deploy these technologies with appropriate protections for personal data.

Appearance on issues related to privacy and political parties in Bill C-4, the Making Life More Affordable for Canadians Act

In his February 2026 appearance before LCJC, Commissioner Dufresne stated that political parties should be subject to privacy rules that parallel requirements that are already set out for the public and private sectors under federal law, while being adapted to the unique role that political parties play in the democratic process.

Submissions to Parliamentary committees

Letter to the House of Commons Standing Committee on Finance on Bill C-4, the Making Life More Affordable for Canadians Act

In a June 2025 letter to the Standing Committee on Finance on the privacy implications of Bill C-4, the Making Life More Affordable for Canadians Act, Commissioner Dufresne called for political parties to be subject to privacy rules substantially similar to requirements set out for the public and private sectors in the Privacy Act and PIPEDA.

Letter to the Standing Senate Committee on Legal and Constitutional Affairs on Bill S-209

In October 2025, Commissioner Dufresne provided additional information to LCJC following his appearance on Bill S-209, the Protecting Young Persons from Exposure to Pornography Act. In his letter, the Commissioner highlighted his seven priority recommendations for PIPEDA reform and stressed that modernizing Canada’s privacy laws is necessary to fully meet the challenges of today’s data-driven world.

Letter to the House of Commons Standing Committee on Public Safety and National Security on Bill C-8

In November 2025, Commissioner Dufresne provided a written submission to SECU following his appearance on Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. In response to questions from Committee members, the Commissioner highlighted specific sections of the Bill that would benefit from privacy-focused amendments.

Letter to the House of Commons Standing Committee on Public Accounts on Bill C-230

In March 2026, Commissioner Dufresne provided a written submission to the Standing Committee on Public Accounts on the privacy implications of Bill C-230, An Act to amend the Financial Administration Act and to make consequential amendments to other Acts (debt forgiveness registry). The Commissioner indicated that the proposed amendments relate to corporations, trust companies, and partnerships rather than the personal information of individuals. As such, he said that any potential impacts to privacy, if any at all, would be minor.

Advice to Government

Submission on the implementation of the Global Cross-Border Privacy Rules Forum certifications in Canada

In June 2025, Commissioner Dufresne provided feedback as part of an ISED consultation on the implementation of the Global Cross-Border Privacy Rules Forum certifications in Canada. The submission highlighted that having strong privacy protections facilitated through certification mechanisms can benefit organizations and Canadians and support international trade.

Letter to the Minister of Canadian Identity and Culture regarding an amendment to the Broadcasting Act

In September 2025, Commissioner Dufresne sent a letter to the Minister of Canadian Identity and Culture recommending that he restore an amendment to the Broadcasting Act, which had specified that the Act shall be construed and applied in a manner that is consistent with the right to privacy, after it was inadvertently deleted as a result of a coordinating amendment.

Submission to Innovation, Science and Economic Development Canada consultation on a renewed AI strategy

In October 2025, Commissioner Dufresne provided comments in response to ISED’s consultation on a renewed Canadian AI strategy. The submission focused on ways to prioritize privacy in order to ensure that advanced data-driven technologies such as AI are developed and deployed in a secure, responsible, and trustworthy manner.

Collaboration

Collaboration among regulators, public institutions, industry, and civil society is essential to addressing global privacy challenges.

Sharing knowledge and expertise, jointly examining emerging issues, and working together to advance common standards provides greater consistency for organizations operating across jurisdictions and better privacy protections for individuals.

The following is an overview of key 2025-2026 collaborative initiatives involving Commissioner Dufresne and his domestic, cross-regulatory, and international partners, as well as other civil society stakeholders.

Domestic collaboration

In 2025-2026, the OPC worked closely with privacy regulators across Canada to identify ways to protect and promote Canadians’ fundamental right to privacy, while at the same time encouraging innovation in support of the public interest and a strong economy.

In October 2025, at the annual meeting of Federal, Provincial, and Territorial Information and Privacy Commissioners and Ombuds, Commissioner Dufresne became co-chair of the group, alongside Information Commissioner of Canada Caroline Maynard.

The annual meeting included discussions on a broad range of privacy and access to information matters, with a strong focus on emerging issues related to new technologies, such as the use of AI, cybersecurity risks, and the protection of online data.

In November 2025, Commissioner Dufresne and his provincial and territorial counterparts issued a joint resolution on protecting the privacy of children and youth in the classroom through responsible educational technologies (EdTech). The resolution seeks to ensure that privacy rights and the best interests of children are prioritized in the development, procurement, and deployment of EdTech.

This year, the Privacy Commissioner of Canada also updated his Office’s memorandum of understanding with the Information and Privacy Commissioner of Ontario. The agreement facilitates information sharing between the two Offices on matters of mutual interest. It updates a similar agreement signed in 2014 and allows the Commissioners to communicate and cooperate with each other, as well as to conduct joint investigations of matters that arise under PIPEDA or under one or more of the statutes that govern privacy in Ontario.

 

Canadian Digital Regulators Forum (May 2025)

 

International collaboration

It is essential for Canada to play an international leadership role in the privacy world. Doing so helps to protect Canadians, no matter where they or their data may travel.

Having Canada at the table of leading international privacy forums is essential to building global alliances, advocating for consistent privacy laws and standards throughout the world, and protecting Canadians in the global economy.

G7 Data Protection and Privacy Authorities Roundtable

In the context of Canada’s G7 presidency, Commissioner Dufresne welcomed members of the G7 Data Protection and Privacy Authorities Roundtable in June 2025 to the National Capital Region for the group’s annual meeting.

Convening under the theme of “Championing privacy in a digital age: Collective action today for a trusted tomorrow,” members discussed the evolving data protection and privacy landscape, the implications of emerging technologies, and the importance of cooperation among data protection and privacy authorities of like-minded countries to safeguard the rights of individuals across jurisdictions.

In alignment with their shared dedication to safeguarding privacy while also supporting responsible innovation, the Roundtable adopted a joint statement affirming that prioritizing privacy throughout the lifecycle of a technology, from design to development to deployment, can allow organizations to unleash innovation and seize market opportunities in a cost-effective way. In their joint statement, the members also emphasized that the protection of children’s online privacy must consider the best interests of children.

Highlights of the Roundtable meeting included keynote speeches from Professor Yoshua Bengio, whose discoveries led to modern generative AI, and Dr. Martin Laforest, a leading expert in quantum technology.

The Roundtable also issued a joint communiqué on “Championing privacy in a digital age.”

In December 2025, Commissioner Dufresne hosted a virtual Roundtable meeting where he concluded his year as convener of the Roundtable.

During that meeting, the participants adopted a position paper on data free flow with trust, as well as an Action Plan for 2026 that commits to continuing to foster trust and support innovation that protects privacy, especially that of children.

The President of France’s Commission nationale de l’informatique et des libertés (CNIL) will host the 2026 G7 Data Protection and Privacy Authorities Roundtable.

“As the AI becomes more and more powerful, we have to ask, how do we align that continued development with the interests of our citizens, with the interests of democracy?”

G7 Data Protection and Privacy Authorities met on June 18 and 19 in Canada’s National Capital Region.

Global Privacy Assembly

Commissioner Dufresne was honoured to be elected Chair of the GPA in September 2025. The international forum brings together more than 130 data protection and privacy authorities from around the world.

This is the first time in the Assembly’s history that it is being led by the Privacy Commissioner of Canada, and it is a recognition of long-standing Canadian leadership on the global privacy stage.

This new role will both help protect and promote privacy globally and position the OPC as an important enabler of Canada’s economic success, supporting digital trade and advancing Canada’s international presence.

It reinforces the OPC’s influence and impact here in Canada and will help to support stronger privacy protections for all Canadians.

As Chair of the Assembly, Commissioner Dufresne’s vision centres around collaboration on three main themes: addressing the privacy impacts of technology, championing youth privacy, and continuing progress towards strong economies and a high level of data protection in global frameworks, including through data free flow with trust. As Chair, he also aims to improve member engagement by increasing transparency around procedures and decision-making, thereby making the organization more accessible and inclusive for data protection and privacy authorities of all sizes from all regions.

Three resolutions were adopted during the 47th GPA Annual Conference in September 2025, including a resolution on the need for human oversight decisions involving AI, authored by the OPC, and co-sponsored by 12 other data protection authorities. The resolution calls on organizations to ensure meaningful human oversight when AI systems are used to make decisions, particularly where these decisions may have significant impacts on individuals’ fundamental rights and freedoms.

In his role as chair of the GPA’s Data Protection and Other Rights and Freedoms Working Group, Commissioner Dufresne launched the second iteration of the Privacy and Human Rights Award in September 2025. The award, issued in collaboration with international human rights organization Access Now, celebrates outstanding leadership by organizations around the world that have made a significant contribution in the fields of privacy, data protection, and other fundamental rights.

“I look forward to working with all of the members of the Global Privacy Assembly. By prioritizing collaboration and leveraging our combined capabilities, resources, and expertise, we can maximize our impact and shape a future where innovation can flourish, privacy rights are respected, and trust is reinforced.”

47th Global Privacy Assembly Conference (September 2025)

Other international work

Commissioner Dufresne concluded various agreements and declarations in 2025-2026, including with the Information Commissioner for the United Kingdom of Great Britain and Northern Ireland, with the President of France’s Commission nationale de l’informatique et des libertés (CNIL), and with the Chairperson of the Personal Information Protection Commission of Japan. The agreements facilitate information sharing between their respective Offices, allowing them to respond more effectively to emerging privacy risks.

In September 2025, Commissioner Dufresne joined 20 of his international counterparts in signing a joint statement on trustworthy data governance for AI that calls for data protection principles to be incorporated into the design of AI systems and for the establishment of robust data governance structures.

In February 2026, Commissioner Dufresne joined 60 international and domestic counterparts in issuing a joint statement on AI-generated imagery and the protection of privacy.

Contributions Program

In December 2025, the OPC launched its 2026-2027 Contributions Program funding cycle with a call for proposals under the theme “Achievement unlocked: protecting privacy while online gaming.”

With nearly half of Canadian adults and 70% of Canadian teens regularly playing games online, according to a report from the Entertainment Software Association of Canada, the OPC sought proposals for projects that would advance knowledge related to the collection and use of personal data in the online gaming sphere to learn more about the privacy implications of gaming on individuals.

The OPC received 46 research proposals by the February 2026 submission deadline.

For the 2025-2026 funding cycle, the OPC selected seven research projects to fund in response to its call for proposals under the theme “Connected but exposed: exploring smart devices and privacy,” which aimed to increase Canadians’ knowledge and awareness of how smart devices handle personal information.

Aligned with Commissioner Dufresne’s strategic priority of protecting and promoting privacy at a time of rapid technological change, two of the selected research projects explored data-collection practices and protection measures related to connected cars.

Other funded projects included a look at the unique privacy challenges and opportunities faced by teens and young adults aged 16-24 as smart devices become more embedded in their everyday lives, and an analysis of the privacy implications of FemTech mobile apps dedicated to wellness and the body.

Created in 2004, the Contributions Program provides funding of up to $500,000 annually for innovative privacy research and public awareness initiatives that seek to better understand and address key and emerging issues related to privacy. Individual project submissions may be eligible for up to $100,000.

Enforcement and supervision activities

Introduction

The OPC saw a very significant increase in the number of complaints received under both the Privacy Act and PIPEDA in 2025-2026, steadily rising over the course of year, with a total of 6,190 for the full year compared to 3,400 the previous year, representing an 82% increase overall for both acts combined.

The increase was broad-based under PIPEDA – with growth distributed across several sectors of the economy as was the case in previous years. While the reason for the increase has not been ascertained, it is likely attributable to several factors, including increased awareness and ease in access following the launch in Canada of AI-enhanced search engine functionality. The OPC expects that this higher volume of complaints will be sustained.

Under the Privacy Act, the increase in complaints was more narrowly focused on security-related departments, most notably Immigration, Refugees and Citizenship Canada (IRCC), the Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police (RCMP), the Canada Border Service Agency (CBSA), and the Department of National Defence.

The number of complaints received under the Privacy Act was 3,146, a 62% increase over 2024-2025.

This includes a 121% increase in time limit complaints – complaints related to the fact that an institution has not responded to a personal information request within the time period set out in the legislation.

The OPC was able to increase the number of time limit files closed in 2025-2026 compared to 2024-2025, to 966, up from 622, due in part to internal efficiencies and additional efforts.

There was also a 105% increase in complaints related to Privacy Act Extension Order, No.3, which allows individuals outside Canada, including foreign nationals, to request information that Canadian federal government institutions hold about them.

Several federal government institutions for which the OPC typically receives a high volume of complaints were especially impacted. The largest proportion of accepted complaints involved CSIS (22%, 468 cases), and IRCC (13%, 293 cases), followed by the RCMP (13%, 292 cases).

Most of these complaints related to an access request or a delayed response to an access request where the information sought involved an immigration application process. The OPC engaged with these institutions over the past year to work towards resolving complaints as efficiently as possible.

Under PIPEDA, the number of complaints received rose from 1,458 to 3,044, an increase of 109% over 2024-2025, and 137% more than the average of the previous two years.

The sustained rise in volume of complaints received resulted in longer processing timelines, with files being processed on average within 66 days while the operational standard is 28 days. While the OPC is implementing additional efficiencies and reviewing its intake process to expedite files, the volume continues to outpace the OPC’s capacity.

“I am writing to express my deepest gratitude for your assistance in resolving an issue that had caused me tremendous stress and concern over the past year. After months of feeling harassed and threatened, I truly believed the situation would never be resolved — but thanks to your diligence, I finally feel a sense of relief and safety. Your team’s dedication to protecting privacy rights and ensuring accountability made a profound difference in my life. I appreciate the time, care, and attention you gave to my case, and I am deeply thankful for the respect and understanding you showed me throughout the process.”

Investigations

The following is an overview of some of the investigations that the OPC closed in 2025-2026:

Privacy Act

ArriveCAN investigation into privacy in contracting practices

The OPC investigated a complaint against the CBSA related to its contracting practices during the development of the ArriveCAN app.

The investigation found no evidence to suggest that personal information collected through the ArriveCAN app was used or disclosed in contravention of the Privacy Act. The OPC found that all ArriveCAN-related contracts that allowed access to personal information included appropriate clauses to describe the contract’s security requirements and outlined specific safeguards that should be implemented.

While no contraventions were identified, the CBSA accepted the Commissioner’s recommendations aimed at mitigating privacy risks when contractors perform work on its behalf and agreed with the overall objective of strengthening privacy and security practices within its contracting framework.

Correctional Service of Canada video deletion

The OPC investigated a complaint from an inmate who alleged that the Correctional Service of Canada (CSC) had failed to retain video footage that captured incidents of use of force against them.

In one instance, the investigation found conclusive evidence that CSC had recorded footage of a use of force incident but failed to retain it as required under CSC’s own policies.

As a result of CSC’s failure to retain the footage, there was no way for the inmate to access the footage. The OPC considered this to be a serious failure given the sensitive nature of the recordings.

To address the issue moving forward, the CSC agreed to implement additional oversight measures to ensure that retention policies are respected, including conducting random audits to verify compliance with video retention requirements.

Immigration, Refugees and Citizenship Canada systematically withholds access to certain personal information in its Global Case Management System

The OPC investigated a complaint against IRCC related to its processing of personal information requests in records stored in its Global Case Management System.

The investigation found that even when individuals requested their entire file or specific content contained in the long form for immigration matters like visa applications, IRCC was systematically retrieving and only processing a subset of records contained in a short form.

By not retrieving and releasing the full content, IRCC is not meeting its obligations under section 12 of the Privacy Act, which requires that government institutions provide individuals with access to their personal information under the government’s control, subject to certain exceptions.

While in this case IRCC ultimately processed and provided the complainant with the entire long form, it did not agree to implement the OPC’s recommendation to update its procedures to retrieve and process the long form in response to requests from other individuals seeking access to their entire file.

PIPEDA

Google investigation highlights right to have information de-listed in limited circumstances

In August 2025, Commissioner Dufresne released the findings from his investigation into a complaint related to Google’s search engine service. The investigation found that individuals have the right, in limited circumstances, to have certain information about them de-listed so that it is not displayed in search engine results when their name is searched online.

This right applies in situations where there is a risk of serious harm to an individual if certain elements of their personal information continue to be displayed through an online search for their name, and that this risk of harm to the individual outweighs the public interest in that information remaining accessible through such a search.

In this case, an individual faced a criminal charge that was dropped shortly after it was laid. Several years later, news articles about the charge continue to be made available online through searches for the individual’s name, revealing highly sensitive personal information that the individual said has caused them direct harm, such as physical assault, lost employment opportunities, and severe social stigma.

TikTok investigation highlights privacy concerns related to children’s personal information

In September 2025, Commissioner Dufresne and his counterparts in Quebec, British Columbia, and Alberta published the findings of a joint investigation into TikTok Pte. Ltd.

The investigation found that the measures in place to keep children under 13 (under 14 in Quebec) off the popular online video-sharing platform and to prevent the collection and use of their sensitive personal information for purposes, such as delivering targeted ads and tailored content, were inadequate.

Even though the company’s terms provide that its platform is not intended for children under the age of 13, the investigation found that hundreds of thousands of Canadian children access TikTok’s platform each year – and that it has been collecting and using their personal information.

Although the joint investigation was focused on children, it also found that TikTok Pte. Ltd. did not adequately explain its data handling practices to teen and adult users, and that it did not obtain meaningful consent for the collection and use of vast amounts of user data, including sensitive data of younger users, as required under Canadian privacy laws.

In response to the findings and recommendations, TikTok Pte. Ltd. agreed to enhance age-assurance methods to keep underage users off TikTok. It also agreed to strengthen privacy communications to ensure that users, and in particular younger users, understand how their data could be used, including for targeted advertising and content personalization. In addition, TikTok Pte. Ltd. agreed to provide more privacy information in French.

World Anti-Doping Agency takes steps to limit how athletes’ sensitive personal information is used

The World Anti-Doping Agency (WADA) committed to implementing measures to help ensure that international sport federations and other anti-doping organizations do not use the highly sensitive personal information collected from athletes that is under WADA’s control for purposes other than those related to anti-doping.

The commitments follow the launch of an investigation by Commissioner Dufresne into a complaint alleging that some personal information disclosed by WADA to international sporting federations was being used to assess athletes’ sex-based eligibility without their knowledge or consent.

In a compliance agreement finalized with the OPC in March 2026, WADA committed to implementing several remedial measures, including informing anti-doping organizations that they are only permitted to use personal information available in the WADA database for anti-doping purposes and updating existing agreements with federations to reflect this directive.

Staples investigation a reminder to businesses to fully delete personal data on returned devices

An investigation into Staples Canada, concluded in January 2026, found that the company did not fully remove users’ personal information from returned laptops that it later resold.

The results of the investigation were similar to those of a 2011 OPC audit of Staples. While at that time, the company committed to improving its practices, including by testing various means of wiping data, this most recent investigation revealed that some of the same problems persisted 15 years later.

The latest investigation revealed a number of deficiencies in Staples’ policies, procedures, and employee training to protect personal information contained in returned laptops.

The OPC recommended that Staples develop clear procedures and standards for wiping devices in a manner that is consistent with manufacturers’ guidelines for factory restore and data sanitization. It also recommended that Staples improve its training program for employees and that it engages an independent third party to conduct spot checks of returned devices.

Staples committed to implementing the OPC’s recommendations.

Digital services platform builds in tools for health and wellness practitioners to better manage personal information life cycle

The OPC received a complaint from an individual against the online platform called Jane that provides cloud computing, chat, and booking services to health and wellness practitioners.

The complainant alleged that the app did not provide a way to delete or disable their user profile for practitioners that they had stopped using – leaving their personal information, including credit card, unnecessarily available online. Jane initially redirected the complainant to make individual requests to each practitioner, citing potential legal requirements for retaining health information. However, PIPEDA allows individuals to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

After preliminary discussions with the OPC, the company operating the Jane platform took proactive steps to address the issue. The company began directly responding to requests to delete credit card information and developed a mechanism within the app for individuals to request the deletion of their accounts. Requests are now automatically routed to the relevant practitioner(s) for action and Jane will follow up upon request if needed. Additionally, the company is implementing safeguards for dormant accounts and creating enhanced reporting options to help practitioners manage record disposal in line with their specific retention requirements.

Based on these actions, the OPC considers the complaint resolved.

Requiring consent to post children’s photos as a condition of service was inappropriate

An individual filed a complaint with the OPC regarding a privately owned swim school that required parents/guardians wishing to enroll their children in swimming lessons to accept a waiver allowing the school to take and post photos and videos of their children online.

The investigation concluded that this was an inappropriate condition of service and that parents should be able to freely choose whether or not to allow the facility to take photos of their child. The swim school argued that having to track who had and had not provided consent would place a burden on its operations, and that collecting and posting the images was a reasonable business need in order to show potential customers what to expect for swimming lessons.

Under PIPEDA, organizations may not require individuals to allow the collection, use, or disclosure of personal information beyond what is needed to fulfill “explicitly specified, and legitimate purposes.” The OPC found that collecting photos and videos of children in this context was not necessary for the purposes of providing swimming lessons. The OPC also found that the personal information in question – images of children in swimsuits – is sensitive personal information. As such, consistent with the OPC’s guidance on consent, it was recommended that the facility seek “opt-in” consent for collecting and posting photos of children online. In response, the facility changed its registration process, thereby resolving the complaint.

Loblaw investigation leads to improved procedures to address privacy concerns

The OPC released the findings of its investigation into Loblaw’s PC Optimum Loyalty Program in March 2026. Several complainants alleged that the company did not delete their PC Optimum accounts after they requested it, and/or that it had not responded to inquiries about their deletion requests.

The investigation found that, while Loblaw had mechanisms in place for customers to request account deletion or to raise privacy concerns, it took an unreasonable amount of time to address the requests and also failed to respond to some privacy-related inquiries.

Moreover, the investigation found that Loblaw retained PC Optimum members’ purchase history after their account had been deleted and that the removal of personal identifiers such as names and email addresses was an insufficient measure to limit the risk that individuals could be identified.

During the investigation, Loblaw took steps to ensure that in the future, individuals’ privacy-related requests would be responded to in a timely manner. The company also agreed to implement the Commissioner’s recommendation aimed at ensuring that the company’s anonymization process be independently reviewed and that any required risk mitigation measures be implemented.

Bell commits to changes to provide appropriate access to information in shared accounts

An investigation into a complaint against Bell Canada highlighted issues related to access to personal information involving shared accounts, particularly following the dissolution of a relationship.

In this case, the complainant and their ex-spouse had previously shared an account for their respective cellphone lines, with the complainant’s ex-spouse being the account holder while the complainant was an authorized user.

Following the dissolution of the relationship and with the complainant’s agreement, the ex-spouse removed the complainant as an authorized user from the account.

The complainant subsequently submitted an access request to Bell for the call and text message log records of their phone line for the period in which they were an authorized user on the account. Bell declined to provide the requested records without the written consent of the account holder, indicating that it considered the data to be the personal information of the account holder only.

The investigation found that Bell had contravened Principle 4.9 of PIPEDA by denying the complainant access to their personal information and subsection 8(3) by taking more than 30 days to respond to their request.

The records relating to the complainant’s phone number were the complainant’s personal information, as the owner and authorized user of the phone line. While this information may have also been the ex-spouse’s personal information by virtue of being the account holder, the complainant had a greater privacy interest in the information.

The OPC made several recommendations, which Bell agreed to implement, to enhance its internal procedures and public communication.

Breaches

Introduction

In 2025-2026, the OPC received 451 breach reports from federal government institutions affecting 48,159 Canadians, and 696 breach reports from businesses, affecting 20,328,495 Canadians, for a total of 1,147 breach reports. Collectively, breaches were slightly down compared to the previous fiscal year, which saw 1,301 breaches reported to the OPC by both businesses and federal government institutions. However, the total number of Canadian accounts impacted in 2025-2026 was up slightly at 20,376,654 compared to 20,087,391 in 2024-2025.

Of those reported to the OPC, 94% of Privacy Act breaches and 58% of PIPEDA breaches were assessed as likely to cause a real risk of significant harm.

In federal government institutions, mishandling of information (e.g., data entry error, misdirected correspondence, labelling error) was the cause of 368 breaches reported under the Privacy Act, representing the most common type of Privacy Act breach for the past three fiscal years. This was followed by cyber incidents (39), employee snooping (22), and security vulnerabilities (19).

The largest proportion of public sector breach reports (69%) were received from Employment and Social Development Canada, largely attributed to lost passports (86%). Breaches at the Canada Revenue Agency (CRA), notably those related to the unauthorized use of taxpayer information by a third party, which was the subject of an investigation concluded in May 2026, accounted for the second highest proportion of breach reports (11%) to the OPC.

Under PIPEDA, unauthorized access accounted for 78% of all breaches reported to the OPC by businesses in 2025-2026. More than two-thirds of those breaches (68%) were the result of a cybersecurity incident. Social engineering attacks (13%) and employees misusing their access privileges (8%) were the next most common causes of unauthorized access.

Consistent with previous years, the financial sector accounted for the largest proportion of breach reports (24%). Other sectors reporting high numbers of breaches involving unauthorized access were telecommunications (15%); services (8%) which can include collection agencies and credit bureaus, educational institutions and services, investigation and security services, real estate and services such as employment, travel agencies, and repair companies; and sales/retail (8%).

Breach response

As part of its transformation, the OPC has worked to address higher-risk breaches more expeditiously, to mitigate risks to individuals, and where possible to resolve the incident without having to conduct a full formal investigation, which can be costly and lengthy for the OPC, the organization, and potentially complainants.

These engagements aim to ensure that the nature and extent of a breach are identified promptly and that appropriate steps are being taken to respond to the breach.

Where the organization commits to implement certain measures to ensure adequate privacy protections according to specified timelines acceptable to the Commissioner, the OPC may enter into a compliance letter with the organization, and commitments are subject to ongoing monitoring by the OPC until such time as the Commissioner is satisfied that they have all been met.

The following is an overview of some breach engagement initiatives that the OPC conducted in 2025-2026.

PowerSchool commits to strengthen security measures after millions impacted in cyberattack

Following a cyberattack that impacted millions of Canadian students, parents, and educators and subsequent engagement with the OPC, education technology software company PowerSchool committed to take steps to ensure that its security measures were appropriately strengthened.

As part of the breach, a hacker obtained data pertaining to current and former students, current and former educators, and parents across several provinces and territories. Compromised data included names, contact information, dates of birth and, in some cases, medical information and Social Insurance Numbers.

Shortly after becoming aware of the breach, the OPC engaged with the organization to ensure that appropriate steps were taken to respond to the incident including containing the breach and notifying affected individuals and organizations. In July 2025, following the OPC’s engagement, PowerSchool committed to additional actions to support its security safeguards. These include strengthened monitoring and detection tools, as well as engaging an accredited and independent security firm to assess the adequacy of its updated information security safeguards. The OPC will continue to engage with PowerSchool until the Commissioner is satisfied that the company has fulfilled its commitments with respect to this breach.

Nova Scotia Power signs compliance letter to bolster privacy protections after data breach

In May 2025, Nova Scotia Power notified the OPC of a data breach that affected its systems.

The OPC also received numerous complaints and inquiries from Nova Scotia Power customers regarding the breach, prompting Commissioner Dufresne to launch an investigation.

Nova Scotia Power determined that approximately 375,000 of its current customers and approximately 540,000 former customers were affected by the breach. Compromised personal information included names, phone numbers, email addresses, mailing addresses, dates of birth, driver’s license numbers, Social Insurance Numbers, and account histories, including customer payment, billing, credit history, and bank account numbers.

Nova Scotia Power took steps to contain the breach and mitigate further risks, including identifying and resetting compromised account credentials, and enhancing security measures. The company notified affected individuals and offered credit monitoring and identity protection services.

In March 2026, Nova Scotia Power signed a compliance letter, committing to take further steps to ensure that the risk to customers’ personal information is adequately mitigated. The Commissioner’s investigation will remain open until he is satisfied that Nova Scotia Power has met all its commitments.

The following is an overview of some of the breach investigations that the OPC closed in 2025-2026:

Privacy Act

The OPC concludes investigation after cyberattack at Global Affairs Canada affecting employee data

The OPC investigated a data breach at Global Affairs Canada (GAC) involving a cyberattack on an internal network where a threat actor exploited devices used by GAC and gained access to the department’s network, allowing them to intercept Virtual Private Network (VPN) traffic and exfiltrate the personal information of employees.

During the investigation, the OPC learned that Shared Services Canada (SSC) and the Canadian Centre for Cyber Security play distinct roles in the context of cybersecurity incidents. SSC administers and manages GAC’s VPN infrastructure, which in this case included the compromised devices, and is generally responsible for ensuring the functionality of the VPN. The Canadian Centre for Cyber Security is involved in the monitoring and detection of the Government of Canada infrastructure and, in the context of this incident, was first alerted to the suspicious activity on GAC’s network.

The OPC reviewed information from all three parties related to the devices and VPN protocols that were in use at the time of the attack, as well as the monitoring and detecting capabilities employed by GAC, and established that there were deficiencies. The investigation found that, once the breach was discovered, GAC took immediate steps and successfully contained, remediated, and mitigated the incident. The department also took several other actions to mitigate the risk of future breaches and made concrete improvements and commitments to enhance its security posture to better protect the personal information under its control going forward. That said, the OPC also found that more clearly defined communication structures or processes amongst the institutions may have resulted in faster detection of the breach.

The OPC therefore recommended that GAC develop a written agreement with partners as appropriate, to clarify decision-making authorities, roles and responsibilities, define the process for sharing information, and identify the mechanisms to mitigate and resolve issues. The OPC also recommended that GAC provide the OPC with an update on other cybersecurity improvements made as well as modernization actions taken as a result of this breach. GAC accepted both recommendations.

Breaches of employee data at the Canada Border Services Agency reinforce importance of procedures to protect against accidental internal over-disclosure of employee information

In two separate CBSA breaches investigated by the OPC, there was accidental disclosure of employees’ personal information.

In the first case, the personal information of more than 18,000 CBSA employees was disclosed to 70 CBSA employees when a spreadsheet to facilitate shift scheduling for that group accidentally included the data of those other employees.

The CBSA’s own internal investigation of the incident uncovered four previous similar incidents. In its response to the incidents, the CBSA focused on reducing the risk of harm to affected employees and on introducing new procedures and stronger oversight to address the underlying causes of the incidents. The OPC was satisfied that these steps will help prevent similar events from reoccurring in the future.

In a second breach investigated by the OPC, sensitive information, including an employee’s accommodation request, was accidentally left visible to other employees because permissions to a folder in CBSA’s information management system had been improperly set, revealing document titles containing personal information.

The CBSA corrected the permissions in question and committed to do a broader review of folder permissions. It also undertook measures to improve staff awareness of document naming conventions. However, it stopped short of committing to making permissions management training mandatory and tracking it as recommended by the OPC.

PIPEDA

23andMe breach a cautionary tale for all organizations

In June 2025, Commissioner Dufresne and UK Information Commissioner John Edwards announced the findings of their joint investigation into global direct-to-consumer genetic testing company 23andMe following a credential-stuffing attack that impacted almost seven million customers worldwide, including nearly 320,000 Canadians.

The types of personal information accessible to the hacker via customers’ accounts included highly sensitive information related to health, race, and ethnicity, as well as information about relatives, date of birth, sex at birth and gender. Much of this information was derived from the individual’s DNA.

The investigation found that 23andMe had failed to implement adequate security measures to protect against unauthorized access to highly sensitive personal data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.

The investigation underscored the need for all organizations to ensure that they are taking proactive steps to protect against cyberattacks, including multi-factor authentication, strong minimum password requirements, compromised password checks, and adequate monitoring to detect abnormal activity.

Cybersecurity incident at Ticketmaster Canada an important reminder regarding credential management

The OPC launched an investigation into Ticketmaster Canada Holdings ULC in 2024 after receiving a complaint from an individual alleging that the company did not have adequate safeguards in place to protect their personal information, resulting in an unauthorized third-party gaining access to data.

While Ticketmaster Canada had certain safeguards in place, the investigation, which concluded in March 2026, found that there were several deficiencies which allowed a threat actor to obtain the credentials of a service account to access personal information under the organization’s control.

Compromised personal information included names and contact information and in some cases dates of birth and passport numbers. Some of the key deficiencies identified included the sharing of account credentials with more individuals than necessary and having insufficient monitoring and detection measures in place.

The OPC recommended that Ticketmaster Canada take steps to better safeguard the personal information under its control, for example, by implementing more robust measures to protect credentials. The OPC also recommended that Ticketmaster Canada update its breach notification processes.

After receiving the OPC’s recommendations, Ticketmaster Canada demonstrated that it took a number of steps to improve its security posture, including by improving monitoring for known suspicious threats, and implementing more robust measures and policies to safeguard credentials. The company also demonstrated that it has policies in place that align with PIPEDA’s requirements to action breach responses in a timely manner, and indicated that it made efforts to fulfill its notification obligations in this case. The OPC ultimately concluded that both the safeguards and breach notification matters were resolved.

Before the Courts

In 2025-2026, the OPC was involved in several litigation matters, including:

Privacy Commissioner of Canada v. 9219-1568 Quebec Inc. et al., (T-702-25)

In 2024, an OPC investigation found that Aylo (formerly known as MindGeek), the operator of many of the world’s most popular pornographic websites, including Pornhub and Youporn, contravened PIPEDA by failing to undertake reasonable efforts to ensure that it was obtaining meaningful consent from each person who appears in intimate content uploaded to its websites.

The OPC filed a notice of application with the Federal Court on February 27, 2025, under s. 15 of PIPEDA (File T-702-25) seeking an order requiring Aylo to implement clear and specific measures to ensure that meaningful consent is obtained directly from all individuals who appear in intimate images and videos that are uploaded to its websites.

While Aylo changed some of its privacy practices and consent verification mechanisms during and after the OPC’s investigation, the application states that the company’s practices continue to fail to ensure that meaningful consent is obtained from everyone who appears in the videos.

The Federal Court has, among other powers, the authority to impose binding orders requiring an organization to correct or change its practices and comply with the law.

In May 2025, the OPC served its affidavit evidence on Aylo.

In September 2025, Aylo served its affidavit evidence on the OPC.

In October 2025, the Canadian Internet Policy and Public Interest Clinic and the Women’s Legal Education and Action Fund were granted leave to intervene in the proceeding.

Privacy Commissioner of Canada v. Facebook, Inc. (A-129-23 & SCC 41538)

A 2019 OPC investigation found that Facebook contravened PIPEDA by failing to obtain meaningful consent from users for the disclosure of their personal information and to safeguard that information.

The OPC filed a notice of application with the Federal Court in 2020 under s. 15 of PIPEDA, seeking an order requiring Facebook to comply with the federal private-sector privacy law.

In 2023, the Federal Court dismissed the OPC’s application. The OPC appealed this decision to the Federal Court of Appeal (A-129-23).

In September 2024, the Federal Court of Appeal allowed the OPC’s appeal with costs and declared that Facebook’s privacy practices between 2013 and 2015 breached PIPEDA. The Federal Court of Appeal required the OPC and Facebook to advise the Court within 90 days as to whether they agreed on the terms of a remedial order, failing which the Court would give further direction.

In November 2024, Facebook sought leave to appeal the decision to the Supreme Court of Canada (SCC 41538). The Supreme Court of Canada heard the matter on March 19, 2026, and the judgement is pending.

Canadian Civil Liberties Association v. Canada (Attorney General), 2026 ONSC 783 (CV-14-504139-00)

The Canadian Civil Liberties Association (CCLA) challenged the constitutionality of sections 7(3)(c.1) and 9(2.1)- 9(2.4) of PIPEDA, alleging that they violate sections 2(b), 7, and 8 of the Canadian Charter of Rights and Freedoms. The CCLA argued that these provisions allow the disclosure of personal information to government institutions without meaningful oversight, accountability, or safeguards. Amongst other forms of relief, the CCLA sought a declaration from the Court severing those provisions from PIPEDA so that they are no longer operative.

The OPC was granted intervenor status in the proceeding to explain its oversight role and experience in applying the provisions at issue. The OPC served and filed its factum in October 2025. In December 2025, the case was heard over the course of a three-day hearing at the Ontario Superior Court of Justice in Toronto where counsel for the OPC provided oral submissions.

On February 10, 2026, the Court dismissed the CCLA’s application, largely on the basis that it was bound by appellate jurisprudence that held that PIPEDA’s disclosure provisions do not engage s. 8 of the Charter because they do not authorize a search or seizure. Additionally, the Court concluded that s.7 does not provide any additional basis for invalidity; and that the veto provisions contained in ss.9(2.1-2.4) of PIPEDA do not infringe on s. 2(b) of the Charter.

The Court noted that had it not been bound by precedent, it would have significant concerns that the lack of oversight, accountability, and transparency in PIPEDA’s framework renders the information-gathering process constitutionally suspect. The CCLA has filed a Notice of Appeal.

S. v. Privacy Commissioner of Canada, (T-2142-24)

The OPC was named as the respondent in this application for judicial review challenging the OPC’s decision that it lacked jurisdiction to investigate an access complaint concerning employment-related information held by a provincially regulated organization. The matter is ongoing.

Appendices

Appendix 1: Definitions

Complaint types

Access

The institution/organization is alleged to have denied one or more individuals access to their personal information as requested through a formal access request.

Accountability

Under PIPEDA, an organization has failed to exercise responsibility for personal information in its possession or custody, or has failed to identify an individual responsible for overseeing its compliance with the Act.

Accuracy

The institution/organization is alleged to have failed to take all reasonable steps to ensure that personal information that is used is accurate, up-to-date, and complete.

Challenging compliance

Under PIPEDA, an organization has failed to put procedures or policies in place that allow an individual to challenge its compliance with the Act, or has failed to follow its own procedures and policies.

Collection

The institution/organization is alleged to have collected personal information that is not necessary, or has collected it by unfair or unlawful means.

Consent

Under PIPEDA, an organization has collected, used, or disclosed personal information without valid consent, or has made the provisions of a good or service conditional on individuals consenting to an unreasonable collection, use, or disclosure.

Correction/notation (access)

The institution/organization is alleged to have failed to correct personal information or has not placed a notation on the file in the instances where it disagrees with the requested correction.

Correction/notation (time limit)

Under the Privacy Act, the institution is alleged to have failed to correct personal information or has not placed a notation on the file within 30 days of receipt of a request for correction.

Extension notice

Under the Privacy Act, the institution is alleged to have not provided an appropriate rationale for an extension of the time limit, applied for the extension after the initial 30 days had been exceeded, or, applied a due date more than 60 days from date of receipt.

Fee

The institution/organization is alleged to have inappropriately requested fees in an access to personal information request.

Identifying purposes

Under PIPEDA, an organization has failed to identify the purposes for which personal information is collected at or before the time the information is collected.

Index

Info Source (a federal government directory that describes each institution and the information banks – groups of files on the same subject – held by that particular institution) is alleged to not adequately describe the personal information holdings of an institution.

Language

In a request under the Privacy Act, personal information is alleged to have not been provided in the official language of choice.

Openness

Under PIPEDA, an organization has failed to make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Retention (and disposal)

The institution/organization is alleged to have failed to keep personal information in accordance with the relevant retention period: either destroyed too soon or kept too long.

Safeguards

Under PIPEDA, an organization has failed to protect personal information with appropriate security safeguards.

Time limits

Under the Privacy Act, the institution is alleged to have not responded within the statutory limits.

Use and disclosure

The institution/organization is alleged to have used or disclosed personal information without the consent of the individual or outside permissible uses and disclosures allowed in legislation.

Dispositions

Well-founded

The institution or organization contravened a provision of the Privacy Act or PIPEDA.

Well-founded and resolved

The institution or organization contravened a provision of the Privacy Act or PIPEDA but has since taken corrective measures to resolve the issue to the satisfaction of the OPC.

Well-founded and conditionally resolved

The institution or organization contravened a provision of the Privacy Act or PIPEDA. The institution or organization committed to implementing satisfactory corrective actions as agreed to by the OPC.

Not well-founded

There was no or insufficient evidence to conclude the institution/organization contravened the privacy legislation.

Resolved

Under the Privacy Act, the investigation revealed that the complaint is essentially a result of a miscommunication, misunderstanding, etc., between parties; and/or the institution agreed to take measures to rectify the problem to the satisfaction of the OPC.

Settled

The OPC helped negotiate a solution that satisfied all parties during the course of the investigation, and did not issue a finding.

Discontinued

Under the Privacy Act: The investigation was terminated before all the allegations were fully investigated. A case may be discontinued for various reasons, but not at the OPC’s behest. For example, the complainant may no longer be interested in pursuing the matter or cannot be located to provide additional information critical to reaching a conclusion.

Under PIPEDA: The investigation was discontinued without issuing a finding. An investigation may be discontinued at the Commissioner’s discretion for the reasons set out in subsection 12.2(1) of PIPEDA.

No jurisdiction

It was determined that federal privacy legislation did not apply to the institution/organization, or to the complaint’s subject matter. As a result, no report is issued.

Early resolution (ER)

Applied to situations in which the issue is resolved to the satisfaction of the complainant early in the investigation process and the OPC did not issue a finding.

Declined to investigate

Under PIPEDA, the Commissioner declined to commence an investigation in respect of a complaint because the Commissioner was of the view that:

• the complainant ought first to exhaust grievance or review procedures otherwise reasonably available;
• the complaint could be more appropriately dealt with by means of another procedure provided for under the laws of Canada or of a province; or,
• the complaint was not filed within a reasonable period after the day on which the subject matter of the complaint arose, as set out in subsection 12(1) of PIPEDA.

Withdrawn

Under PIPEDA, the complainant voluntarily withdrew the complaint or could no longer be practicably reached. The Commissioner does not issue a report.

Appendix 2: Statistical tables

Statistical tables related to the Privacy Act

Statistical tables related to PIPEDA

Appendix 3: Substantially similar legislation

Subsection 25(1) of PIPEDA requires the OPC to report annually to Parliament on the “extent to which the provinces have enacted legislation that is substantially similar” to the Act.

Under paragraph 26(2)(b) of PIPEDA, the Governor in Council may issue an Order exempting an organization, a class of organizations, an activity, or a class of activities from the application of Part 1 of PIPEDA with respect to the collection, use, or disclosure of personal information that occurs within a province that has passed legislation that is “substantially similar” to Part 1 of PIPEDA.

On August 3, 2002, Industry Canada (now known as Innovation, Science and Economic Development Canada) published the Process for the Determination of “Substantially Similar” Provincial Legislation by the Governor in Council, outlining the policy and criteria used to determine whether provincial legislation will be considered substantially similar. Under the policy, laws that are substantially similar:

• provide privacy protection that is consistent with and equivalent to that in PIPEDA;
• incorporate the 10 principles in Schedule 1 of PIPEDA;
• provide for an independent and effective oversight and redress mechanism with powers to investigate; and
• restrict the collection, use, and disclosure of personal information to purposes that are appropriate or legitimate.

Organizations that are subject to provincial legislation deemed substantially similar are exempt from Part 1 of PIPEDA with respect to the collection, use, or disclosure of personal information occurring within the respective province.

Accordingly, PIPEDA continues to apply to the collection, use, or disclosure of personal information in connection with the operations of a federal work, undertaking or business in the respective province, as well as to the collection, use, or disclosure of personal information outside the province.

The following provincial laws have been declared substantially similar to Part 1 of PIPEDA:

• Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector
• British Columbia’s Personal Information Protection Act
• Alberta’s Personal Information Protection Act
• Ontario’s Personal Health Information Protection Act, with respect to health information custodians
• New Brunswick’s Personal Health Information Privacy and Access Act, with respect to health information custodians
• Newfoundland and Labrador’s Personal Health Information Act, with respect to health information custodians
• Nova Scotia’s Personal Health Information Act, with respect to health information custodians

Appendix 4: Report of the Privacy Commissioner, Ad Hoc

As Ad Hoc Privacy Commissioner, I review the outcomes of cases where individuals sought access to information held by the Office of the Privacy Commissioner of Canada (OPC), or where it is alleged the OPC mishandled the personal information of an individual. The OPC is subject to the legislation it oversees, the Privacy Act, and such outcomes may trigger the right to complain to the Ad Hoc Privacy Commissioner.

In the reporting year of April 1, 2025, to March 31, 2026, I handled 33 matters:

• Prior year complaints not yet concluded: 1
• New complaints investigated and concluded: 12
• New complaints under investigation: 3
• Complaints and inquiries redirected: 17

While the prior year investigation could not be concluded only due to time constraints, there were many new complaints this year which were. Most regarded cases where individuals were not satisfied with the outcome to an access to information request. As was the case in previous annual reports, those cases are derived mainly from the fact that the OPC was not permitted to grant access due to the strict and limiting exemption to disclosure involving complaint investigations. Those files are borne of matters where a complainant was not satisfied with the outcome of a complaint investigation that leaves them with questions. I do not examine how such outcomes are derived; nonetheless, these reviews provide a necessary verification that rights of access and protection of privacy are always upheld and remain a good avenue to raise greater awareness of how the Privacy Act applies to the OPC.

Of interest this year was a complaint regarding a claim for “blanket” time extensions in the OPC processing of 53 requests submitted within 22 days. Under the Act, individuals have a right to timely access to personal information, typically within 30 days, but section 15 allows for extensions under certain conditions. The time extension notifications for an additional 30 days were made on the basis of interference of operations. The OPC said the overall number and timing of the requests was equal to its annual volume of requests. That complaint highlighted a dramatic increase in workload giving rise to unprecedented operational pressures. As such, I found the extensions were justified and without evidence of bias. More importantly, that case spoke to the overarching principle of reasonableness for individuals who request information and the need to maintain the integrity of the access to information process generally.

Another interesting complaint before me was the challenge to the definition of “personal information,” where an individual requested access to metadata found in the OPC’s computer systems associated with their digital activity so as to grant a right of access. That case required extensive research of existing caselaw interpretation of section 3 as to whether metadata was indeed “personal information” about an individual. My analysis found that the metadata in this case was not about an individual as it did not match the concept of “privacy” and the values that concept was meant to protect.

Finally, I was also called upon to assist the OPC in a complaint investigation that required a delegation of extended powers. It involved a complaint investigation of a federal government institution’s response to an access to personal information request. Again, that work proved both interesting and rewarding in the opportunity to be of service.

Other matters did not require investigation or written findings but rather, redirection to the right forum. In those cases, I take time to reply to explain why I cannot accept their complaint, and individuals are redirected to the appropriate provincial or federal oversight offices. I enjoy providing this helpful public service.

I genuinely look forward to another year of important work in this field.

Respectfully submitted,

Anne E. Bertrand, K.C.
Ad Hoc Privacy Commissioner