Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Keynote Remarks by the Privacy Commissioner of Canada at the International Association of Privacy Professionals (IAPP) Canada Privacy Symposium 2025

May 12, 2025
Toronto, Ontario

Address by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

Thank you for the warm introduction and for welcoming me back to this important symposium that brings together privacy champions from across Canada to discuss and debate the many critical issues that are impacting the privacy landscape.

From biometrics to artificial intelligence, surveillance in the workplace to children’s privacy, and from cyberbreaches to law reform, the conversations taking place here at IAPP over the next few days mirror the conversations that are happening in my Office and with my counterparts in Canada and around the world.

Yesterday marked the end of Privacy Awareness Week and our theme for this year was prioritizing privacy.

Prioritizing privacy reflects our Canadian values and ambitions and is more important now than ever – as more and more of our personal data is being collected, used, and shared – often across borders.

Cyber breaches continue to grow – in scale and in severity – exposing Canadians to serious risks, including privacy breaches which can cause significant harms.

New technologies, like generative AI, are being fueled by an unprecedented and massive collection of data, including Canadians’ personal information.

As privacy professionals, YOU play a vital and strategic role in your organizations at this pivotal time – advocating for a culture of privacy by design that will support responsible innovation and protect Canadians’ fundamental rights.

As you know, today, almost every organization is also in the data business – collecting personal information for a variety of purposes.

Not only does embedding strong privacy management frameworks into businesses and governments protect Canadians, it builds organizational resilience against emerging risks and supports the achievement of broader objectives.

And protecting Canadians brings about public trust, which is essential for strong institutions and successful organizations. Those that protect personal data earn credibility and long-term success.

With this in mind, I will highlight some of the findings from the OPC’s latest survey of Canadians. I will also provide an update on recent work to advance my strategic privacy priorities, and what is still to come in the year ahead.

Public opinion insights

Last week, I released the results of my Office’s biennial Survey of Canadians on privacy.

The responses demonstrate that individuals’ concern about privacy is high, while trust in the ability of government and businesses to protect their privacy is lagging.

Nine in 10 Canadians expressed some level of concern about the protection of their privacy, with more than a third indicating that they are extremely concerned.

The results indicate that 62% believe that government respects their privacy rights, and just 40% say the same about businesses. Social media companies, big tech, retailers and telcos and internet service providers were among the businesses for which Canadians raised the most concerns.

As I have said many times, Canadians want, and need, to trust that their personal information is being protected so that they can feel confident about participating freely in the digital economy.

As the privacy champions within your organizations, you play a pivotal role in shaping a culture where privacy is valued, and data protection is taken seriously.

The survey data supports the premise that organizations that prioritize privacy will reap the benefits.

Overall, three-quarters of Canadians are less willing to share personal information with organizations today than they were five years ago.

Meanwhile, 41% have stopped doing business with a company that experienced a privacy breach.

Trust in how data is handled is therefore becoming a deciding factor in how people interact with businesses, government, and technology.

Commissioner’s priorities – progress and the year ahead

My strategic plan and the three privacy priorities on which it is based offers a roadmap for maintaining trust and promoting innovation while protecting the fundamental right to privacy in the digital age.

The priorities are:

  • Protecting and promoting privacy with maximum impact;
  • Addressing and advocating for privacy in this time of technological change; and
  • Championing children’s privacy rights.

The priorities address areas where I believe that my Office can have the greatest impact, and where the greatest risks lie if they are not addressed.

Protecting and promoting privacy with maximum impact

My first strategic priority, protecting and promoting privacy with maximum impact, is focused on the OPC itself and aims at ensuring that all of our activities, including our compliance activities, are effective, efficient and impactful to respond to the many and new challenges facing privacy today.

While I have advocated, and will continue to advocate, for law reform and for additional resources for my Office, I wanted to also ensure that that were doing everything we can within the OPC itself to adapt to the growing complexity of our environment and make our services to Canadians as efficient as possible.

To that end, last Fall, I undertook a strategic review to research, consult and reflect on how the OPC could extend its impact and advance our strategic priorities.

My goal was to streamline our activities and focus on achieving more efficient outcomes. This includes speedier resolution of complaints by taking alternative approaches to investigations, such as early interventions. Quicker guidance on key and emerging issues through more proactive engagement with private- and public-sector organizations. And, more cooperation with domestic and international partners to get faster results in Canada and on a global scale. 

As a result of this exercise, I announced in January and put in motion over the last few months a major OPC reorganisation and transformation.

The new structure reframes the compliance function as a continuum – that will allow us to put greater emphasis on engaging with organizations, proactively as well as reactively to promote compliance, softening structural lines between the two federal privacy acts, and purposefully undertaking certain activities and interventions.

We are building a promotion culture into our approach to compliance, for example, by shifting to a more proactive stance to address issues. We are focussing on greater frontline engagement with private- and public-sector organizations that will help us to identify and respond more rapidly and effectively to emerging issues.

Our goal will be to resolve as many cases as possible through early engagement and resolution, and focus our in-depth investigations on key priority issues or incidents.

We will continue to rely on ethical walls to divide our lines of work, providing assurance to organizations that they can seek advice and guidance on a confidential basis, without becoming subject to an investigation.

I am confident that these changes will make a difference.

While transformational change like this takes time, I am pleased to say that we are already seeing results. For example, with earlier focused compliance activities, such our early intervention in LinkedIn’s use of personal information to train AI models. And, we have reduced our backlog of investigations over he past two years, from 24% down to 9% this past fiscal year. And I look forward to announcing soon the conclusion of our major investigations in the Tik Tok, OpenAI and 23andMe cases.  I thank this community for your support during this important transition.

Addressing and advocating for privacy in this time of technological change

Transforming our approach to compliance and streamlining interactions with you, our stakeholders, is a critical step towards maximizing our effectiveness as a regulator. Yet these changes alone will not be enough – we also need modern federal privacy laws.

My second strategic priority is addressing and advocating for privacy in this time of technological change, and modernizing Canada’s privacy laws is one of the best and most effective ways to meet the challenges of today’s data-driven world.

It is time for Canada’s privacy laws to catch up with the digital world. Canada needs clear guardrails for responsible data management to support progress in critical areas. This means giving the Privacy Commissioner the ability to issue orders and monetary consequences in appropriate cases.

Having the authority to issue orders would not only help to resolve investigations more quickly, it would also encourage organizations to prioritize good privacy practices.

I am confident that law reform will again become a legislative priority in the 45th Parliament, to ensure that Canadians remain protected in a modern world and to provide a framework within which the digital economy can thrive. This includes both reform to the private sector privacy law, as well as long-awaited reform of the Privacy Act. These reforms will help us address one of the most pressing technological issues of our time: AI.

AI holds incredible promise in advancing innovation, efficiency, and convenience – and for Canadians to fully embrace it, they must have confidence that it is being developed and deployed in a responsible and privacy preserving manner.  As we have heard in the last week, new Prime Minister Mark Carney intends to lead economic transformation that will include a renewed focus on AI. This is about building a responsible AI economy – one where we build bridges with privacy allies and collaborate with like-minded countries.

I have been working hard to increase Canada’s international visibility and leadership in this area. We cannot be left behind. Canada must be at the table, at this pivotal time, to protect Canadians’ privacy as this new digital economy unfolds. I am working collaboratively with my domestic, international, and cross-regulatory partners to develop and champion privacy principles that will support AI technologies that are designed and built on a solid foundation, one that is adaptable over time. For instance:

  • At the Tokyo G7 Data Protection and Privacy Authorities Roundtable meeting in 2023, my G7 counterparts and I issued the first global resolution stressing that AI is not a law-free zone and that current laws, including privacy law, apply to AI.
  • Last fall, in Rome, the G7 Data Protection and Privacy Authorities Roundtable issued statements on the role of data protection authorities in fostering trustworthy AI, and on child-appropriate AI.
  • Engagements with the Asia-Pacific Privacy Authorities have allowed Canada to play a leadership role in the development of important benchmarks with respect to de-identified information and to advance work and to further build bridges for the safe flow of data between Canada and the Asia-Pacific Region
  • We have collaborated on similar initiatives on a global stage, with the Global Privacy Assembly, and this has been reflected in the work done with my provincial and territorial counterparts in issuing guidance outlining principles for responsible, trustworthy, and privacy-protective generative AI technologies;
  • And, of course, given the many investigations underway around the world in the context of AI, international collaboration and engagements allow privacy regulators around the world to compare our practices, to learn from one another, and to ensure the maximum level of interoperability in terms of regulatory approaches.

International engagement is crucial to address the growing complexity and global nature of data protection, and helps privacy regulation evolve in tandem with international partners, which is good for citizens and for organizations.

Our work has also emphasized the need for developers and providers of generative AI to embed privacy in the design, conception, operation, and management of new products and services, and that they consider the unique impact that these tools have on children as well as on groups that have historically experienced discrimination or bias.

AI will impact us all, and as an organization comprised of highly knowledgeable and innovative privacy processionals, we intend to practice what we preach at the OPC.

Last fall, as we commenced our internal strategic review, we also launched an internal AI strategy to evaluate if and how we might leverage AI to advance our own internal workflows, with the goal of setting an example for how AI can be adopted safely and responsibility.

We have identified potential use cases related to summarizing documents, translation, database searches, and the automation of various tasks. Our next step will be to evaluate the risks, develop a data-management strategy, and begin to test low-risk AI use opportunities on an internal AI test server. We see great potential in using technology to help us further improve our services and standards.

Youth privacy

My third priority – championing children’s privacy – recognizes the unique sensitivities around young people’s privacy and the need to ensure that their rights are protected so that they can benefit from technology without compromising their privacy and well-being.

Our work over the last year has focused on research to deepen our understanding of the privacy issues being experienced by young people and applying a children’s privacy lens to our enforcement activities.

Our ongoing investigation into TikTok is an example of this, as the investigation is focused on the organization’s privacy practices as they affect younger users.

Meanwhile, our research efforts have included focus groups with young people to learn more about their views on their privacy rights and the harms that they face online, and a survey of parents and educators, the results of which were released last week.  Let me give you a few highlights:

  • The survey found that the vast majority of parents worry about their children’s online privacy.
  • Two-thirds or more were moderately to extremely concerned, and
  • 45% were highly concerned about risks to their child from the use or misuse of their personal information.

The research will help to inform our guidance and resources for individuals, federal institutions, organizations, and businesses.

In the context of our work to promote children’s privacy, I am also very pleased to announce today that my Office is launching an exploratory consultation on the development of a children’s privacy code.

This code will be aimed at creating a safer, more transparent online environment for children. We want young people to feel empowered to exercise their privacy rights and to safely explore, learn, and grow without compromising their privacy or security.

Some European countries and several American states have adopted codes that have led to better online protections for children and youth.

It is something that we now hope to replicate here in Canada. But we will only be able to do this effectively with input from fellow regulators, the legal community, civil society, academia, businesses, and all Canadians, including parents, educators, and child advocacy groups.

I encourage you to visit our website to read the consultation document and provide your views on topics such as how a Children’s Code might be applied; the role of consent; how Privacy Impact Assessments can address the best interests of the child, as well as best practices and no-go zones.    

We want to create clear, practical guidelines for organizations that handle children’s personal information so that their products and services are designed with the highest standards of privacy and data protection in mind.

Collaboration

Finally, across each of these strategic priorities is a clear commitment to collaboration, both within Canada, and with the international community.

Sharing knowledge and expertise, jointly examining emerging issues, and working together to advance common standards provides greater consistency for organizations operating across multiple jurisdictions. And greater consistency means better privacy protections for individuals.

As I have said, this is especially true in an era where personal data moves across borders at lightning speed and scale.

In the digital age, protecting privacy requires global coordination. Working across jurisdictions allows us to leverage our collective strength and influence so that we can tackle global privacy challenges and ensure consistent protections for individuals no matter where they or their data may travel.

My ongoing joint investigation with UK Information Commissioner John Edwards into a data breach at global direct-to-consumer genetic testing company 23andMe is an example of how we are combining our resources and expertise to maximize impact.

Last summer’s Global Privacy Enforcement Network (GPEN) privacy sweep on deceptive design is another international activity led by the OPC that showcases not just international collaboration, but also domestic and cross-regulatory collaboration.

The sweep involved 26 privacy enforcement authorities from across Canada and around the world. Collectively, we found that 97% of the more than 1,000 websites and apps that were reviewed were using some form of deceptive design patterns to encourage people to give away more personal information online than they want to or should.

Following the publication of the sweep results, the OPC wrote to several organizations to encourage them to review their websites and apps for deceptive design patterns.

I am pleased to report that nearly three quarters of those organizations responded and committed to implementing improvements.

Recognizing the growing intersection between privacy and other regulatory spheres, this was also the first sweep to be coordinated with the International Consumer Protection and Enforcement Network. The network represents consumer protection authorities from around the world, including Canada’s Competition Bureau.

This initiative demonstrates the value and potential reach of international engagement and collaboration, and I am very much looking forward to announcing the theme of the next sweep in the Fall.

In line with greater collaboration amongst organisations, over the last year, I have also chaired the Canadian Digital Regulators Forum, which brings together the OPC, the Competition Bureau, the Canadian Radio-television and Telecommunications Commission, and the Copyright Board. The purpose of the Forum is to strengthen information sharing and collaboration on issues of common interest relating to digital markets and platforms.

In the coming weeks, I look forward to releasing the Forum’s report on the impact of synthetic media on our respective domains.

It is especially timely given the allegations in a CBC report last week that a Canadian man was behind what media describe as the “world’s most notorious” website for non-consensual, AI-generated pornography of real people, known as MrDeepFakes.com.

The report suggested that the site had more than 650,000 users and hosted tens of thousands of deepfake videos and images of celebrities, politicians, social media influencers, and private citizens, including Canadians.

While this site was shut down during the CBC’s important investigation, the story highlights the importance of this issue and the potentially serious negative impacts on people.

The distribution of intimate images and videos, whether real or AI generated, without consent is a growing societal problem.

As I said following my investigation into Aylo, which operates Pornhub, this sort of activity is “image-based abuse.” It involves some of the most sensitive personal information and leads to some of the most devastating harms to the victim’s dignity, reputation, health and well-being.

In March of this year, I filed an application before the Federal Court to require Aylo to comply with privacy law. I will continue to use all the tools at my disposal to protect Canadians’ privacy in this context. Unfortunately, in the meantime, the organization’s practice continues, which further demonstrates the need for modernized laws, including order-making powers to obtain more timely enforcement outcomes. 

Lastly, in terms of collaboration, I am looking ahead to next month when I will host the G7 Data Protection and Privacy Authorities Roundtable in the National Capital Region, in the context of Canada’s G7 presidency, as well as an international privacy symposium that will be focused on issues surrounding youth privacy in the digital age.

There is no shortage of work when it comes to collaborations within Canada and with countries around the world.  I am committed to engaging in discussions with global privacy leaders and experts on issues of common interest, including the subject of the future of AI and digital regulation, and to share the outcomes from these events.  Collaboration brings consistency.  And consistency brings greater protections.

Conclusion

And so, at a time when the personal information of Canadians is being collected, used, and shared at unparalleled pace and volume on a global scale, effective privacy protection requires more than the status quo.

We are doing the important work needed to face the privacy challenges of these pivotal, and sometimes, chaotic times.   

I look forward to speaking with and hearing from many of you over the next two days.

Collectively, all of you here today are at the forefront of leading, championing, and guiding important work across your own organizations and institutions that reflects the significance of the task at hand.

In this increasingly digital and data-driven world, where personal information is the resource, the stakes are high.

It is time for a modern approach to privacy – for Canadians, for Canadian businesses, and for Canada.

Thank you.

Date modified: