Keynote remarks by the Privacy Commissioner of Canada to the IAPP Canada Privacy Symposium 2026

May 4, 2026
Toronto, ON

Address by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

---

Good morning, everyone.

Thank you to Kris Klein and the IAPP team for organizing what I know will be another exceptional IAPP Canada Privacy Symposium.

It is an honour to be here and I commend the IAPP for its thought leadership in advancing privacy in this constantly evolving, digital, data-driven world.

Last month, I had the opportunity to attend the IAPP Global Summit in Washington. During the opening of the Summit, IAPP CEO Trevor Hughes highlighted the complexity and changes that are occurring in the privacy landscape. He showcased the evolving web of digital governance, where privacy and data protection intersect across numerous fields – from human rights and ethics, to digital and data governance, to cybersecurity and consumer protection.

Four years into my mandate as Privacy Commissioner of Canada, this theme of convergence rings incredibly true.

The interconnected nature of all of our work, at this important juncture of human and technological innovation, is both a challenge and an opportunity for us to make a difference, and to help shape a course for the future that prioritizes and protects the best interests of individuals, especially for our children and future generations.

This is why I have made collaboration central to my vision, both as Privacy Commissioner of Canada and as the new Chair of the Global Privacy Assembly.

Innovations such as artificial intelligence (AI), and the speed at which they are being introduced and evolving, mean that we must all work together to ensure that the protection of individuals’ fundamental right to privacy, including strong data protection principles, are embedded into the tools and services that permeate our personal and professional lives.

It is increasingly clear that prioritizing privacy is essential to enable innovation.

Technologies such as AI bring important economic, social, and public-interest benefits, but the full value of these innovations will only be maximized if they are safe for individuals to trust them. Trust that there are steps that they can take to protect their privacy; trust that those who develop and deploy new technologies are doing so in a privacy-protective manner; and trust that governments and regulators are taking effective action to ensure that their citizens are protected.

Building trust is at the heart of Privacy Awareness Week, which begins today under the over-arching theme “Protecting your privacy in the age of AI.”

Integrating privacy throughout the lifecycle of a technology, from design to development to deployment, is a strategic opportunity for organizations. This approach can advance innovation, open market opportunities through interoperable standards, and prevent risks such as major breaches, which can exact a heavy financial and reputational toll.

While current privacy laws can be applied to new technologies, AI governance, one of the themes of this symposium, is a particularly timely subject. The need for clearer guardrails and the integration of data protection principles to enable the safe and responsible deployment of AI is increasingly evident.

This is why I continue to advocate for the modernization of Canada’s privacy laws.

In terms of current laws, I look forward to releasing the results of a joint investigation with my counterparts from Quebec, British Columbia, and Alberta into OpenAI, the parent company of ChatGPT, later this week, on Wednesday.

The investigation examined OpenAI’s collection, use, and disclosure of personal information for the purpose of developing its AI-powered chatbot. I expect that the findings will provide more clarity on the expectations of Canadian privacy regulators for those developing and deploying AI-powered products.

In January, I announced an expanded investigation into X Corp., the operator of the platform X and xAI, following reports that the Grok AI chatbot was being used to create and share explicit deepfakes of individuals, including children. The use of AI to generate realistic content, such as audio, images, and video, including deepfakes, is an emerging risk posed by this technology. I have expedited that investigation, and I look forward to releasing the findings soon as well.

In my remarks today, I will discuss AI governance and also share some of the results from my Office’s latest Survey of Canadian businesses on privacy issues.

You will also be the first to hear about new guidance on age assurance that my Office is launching today following an extensive public consultation and the next steps in the development of the Children’s Privacy Code.

Finally, I will share an update on how the OPC is continuing to transform our work and collaborate with partners in Canada and around the world and to address the growing number of complaints in the past year.

Public opinion research results

The results of our latest public opinion research will be released later this month, but let me share some highlights with you now.

For this year’s Survey of Canadian businesses on privacy issues, we focused our efforts on businesses operating in sectors with a higher likelihood of collecting, using, storing, and/or disclosing customers’ personal information. To be eligible to take part, companies needed to sell or offer services or products directly to individual consumers.

I am pleased to say that many of the survey responses were very encouraging from a privacy perspective. For example:

• 77% of respondents said that they had formal procedures in place to handle complaints from customers who believe that their personal information had been mishandled;
• 91% said that they have taken steps to ensure that their company complies with Canada’s privacy laws;
• 84% said their company has a privacy policy; and
• 90% said that their company is at least moderately prepared to deal with a data breach.

Reports have shown that while Canada has been a leader in AI development, businesses have been slow to adopt it. This was consistent with our findings. Fewer than one in five (16%) Canadian businesses surveyed reported using AI in their operations.

This makes sense when considered in the context of a 2026 survey by PwC Canada on Trust in AI. That report found that 61 percent of businesses cite unclear or evolving legal and regulatory requirements as a major challenge for implementing AI. Businesses feel that they risk either being left behind if they wait for clarity, or building the wrong thing if they move forward.

All of this suggests that for innovation to truly flourish, organizations also need to be able to trust new technologies. Moreover, regulators and policymakers need to provide a governance structure that ensures clarity for organizations as well as protections for individuals.

Championing children’s privacy

I have been talking about children’s privacy from day one. This is arguably even more critical today given the impact that technologies are having on younger generations.

Just last week, I read a new report from the Centre for Media, Technology and Democracy on Gen(Z)AI: Canada’s Youth Assembly on Artificial Intelligence. It lays out policy recommendations for AI and online harms governance in Canada from the perspective of 100 young Canadians, aged 17 to 23, from across the country.

There were several passages in this report that have stayed with me.

On transparency, the report notes that participants consistently said that “existing transparency mechanisms, including privacy policies, consent notices, terms of service, and disclosure prompts, are systematically failing young users.”

Participants expressed “disclosure fatigue, a condition of indifference created by the sheer density of consent mechanisms that renders genuine engagement with them practically impossible.”

Especially concerning is that several participants said that they had “given up on data privacy” by age fourteen, “assuming that extraction of their information had long outpaced any realistic capacity to contest it.”

This report illustrates the importance of engaging directly with those who are potentially most affected by these technologies, and the importance of their insights.

Championing children’s privacy is one of my three strategic priorities.

Over the last year, my Office has advanced a number of initiatives related to children’s privacy, including hosting an international symposium on youth privacy in a digital age last June in Ottawa.

I have also established a Youth Council comprised of seven students aged 14 to 17 from across Canada. This is a space for youth to share their insights, experiences, and ideas on the privacy issues that matter the most to them.

The Council is helping my Office to better understand the impact that privacy issues have on youth and will be an important channel to support efforts to reach youth. For example, when I met with them, they shared concerns about teachers and schools using AI to generate letters of recommendation without taking steps to protect students’ privacy. They are also involved in the development of our Children’s Privacy Code to ensure that it reflects the views and experience of youth.

Last September, I announced the results of my joint investigation into TikTok with my colleagues in Quebec, British Columbia, and Alberta. Our investigation concluded that the measures in place to keep children off the platform and to prevent the collection and use of their sensitive personal information for profiling and targeting purposes, were inadequate. In response, TikTok agreed to enhance age-assurance methods to keep underage users off the platform, and to make privacy communications easier to understand for children and adults. We also required that the risks of data transfers to China be more explicitly highlighted for Canadian users.

In November, I issued a joint resolution with my provincial and territorial counterparts on protecting children’s privacy in the classroom through the responsible use of educational technologies.

This past March, I released the results of a joint international privacy sweep that examined how websites and apps handle children’s personal information. While some good practices were observed, the results suggest that some risks may have increased over the last 10 years – for example, more online services used by children requiring their personal information to be able to access platform, as well as more platforms sharing personal information with third parties.

Today, I am happy to announce the culmination of a number of OPC projects, beginning with the launch of two new guidance documents on age assurance – one for websites and services, and another for developers. The guidance has been informed by the feedback, including from some of you, that was received during a public consultation.

My aim is to ensure that age assurance can support the goal of creating a safer online experience for children, without creating an undue impact on privacy rights.

Last year at this symposium, I announced the launch of an exploratory consultation on the development of a Children’s Privacy Code. Today, we are posting a report that captures what we heard during this consultation, and my Office is preparing the Code that builds upon these responses and is working with the Youth Council to develop a child-friendly version.

International examples demonstrate that codes of practice and special protections contained in privacy legislation can empower children to exercise their privacy rights and protect them against potential harms as they navigate online spaces.

The OPC is also posting two reports from research related to children’s privacy today, including a report on focus groups with youth regarding their online privacy, as well as a preliminary research report on the “Best Interests of the Child in the Digital Environment” from an event in November with children and youth, led by researchers from the University of Ottawa and McGill University.

Children’s privacy remains a priority for my Office, as well as for many of my Canadian and international counterparts. Together, we will continue to advance specific initiatives focussed on the needs of children and youth, learn from them and those who advocate for them, and identify opportunities through research and engagement.

Children deserve to be children, even in the digital realm, with the freedom to navigate online spaces securely. Through the work that my Office is doing, I want to support organizations to design services and products with strong protections for the personal information of children and respecting their fundamental right to privacy.

Maximizing impact

I would also like to take this opportunity to share an update on ongoing work to adapt to the growing complexity of the digital environment, including a significant increase in complaint volumes, and to make our services to Canadians as impactful as possible through more timely outcomes.

This includes finding appropriate alternatives to full investigations, for example, this past year entering into compliance agreements with Nova Scotia Power, PowerSchool, and the World Anti-Doping Agency.

This past year, the OPC completed hundreds of investigations, and these include several high-profile investigations for which I released my findings, including TikTok as well as Google where I found that Canadians have a right to have information de-listed from online search engine results in limited circumstances.

Last June, I announced the findings of a joint investigation with U.K. Information Commissioner into a data breach at global genetic testing company 23andMe. That investigation concluded that the company had failed to implement adequate security measures to protect the personal information of seven million customers, including nearly 320,000 Canadians. The findings serve as a cautionary tale for all companies regarding the importance of prioritizing privacy protection.

Collaboration – national, international, and cross-regulatory – extends well beyond compliance actions. Collaboration among regulators, public institutions, industry, and civil society is essential to addressing modern privacy issues.

Sharing knowledge, jointly examining emerging issues, and working together to advance common standards can help to ensure better privacy protections for individuals and provide greater consistency for organizations operating across jurisdictions.

In October, I became co-chair of the Federal, Provincial and Territorial Information and Privacy Commissioners and Ombuds group alongside Information Commissioner of Canada Caroline Maynard. Throughout the year, the FPT authorities collaborate on a range of issues through working groups, joint initiatives, and enforcement.

Through the Canadian Digital Regulators Forum, I work with my counterparts at the Canadian Radio-television and Telecommunications Commission, the Competition Bureau, and the Copyright Board of Canada to strengthen information-sharing and collaboration on matters related to digital markets and platforms. Last September, we issued a joint paper on synthetic media that provides an overview of the global regulatory landscape and key considerations for individuals and organizations as the technology develops.

On an international level, I hosted a meeting of the G7 Data Protection and Privacy Authorities Roundtable last June, in the context of Canada’s G7 presidency. The Roundtable adopted a joint statement on promoting responsible innovation and protecting children by prioritizing privacy, where we stated that “when individuals have confidence that their data is protected and used lawfully and responsibly, trust exists; where trust exists, innovation is embraced.” We ultimately defined responsible innovation as innovation that builds safety and privacy into the design of new technologies and services, and considers the special protections that may be required to act in the best interests of children.

In September, I was honoured to be elected Chair of the Global Privacy Assembly, the leading international forum bringing together more than 130 data protection and privacy authorities from around the world.

The Assembly plays an important role in the international privacy community by maximizing our collective voice, impact, and capacity in providing global leadership on data protection in support of individuals and organizations.

It provides a forum for members to advance common objectives, such as data free flow with trust, working toward common standards that can support growth and trade and provide necessary certainty for the business community.

The Assembly’s leadership was recently demonstrated in addressing the emerging risks posed by deepfakes. In February, 61 members, whose combined population of jurisdictions account for more than 2.1 billion individuals, signed on to a joint statement on AI-generated imagery and the protection of privacy laying out expectations for the development and use of those systems.

The statement called on organizations “to engage proactively with regulators, and ensure that technological advancement does not come at the expense of privacy, dignity, safety, and other fundamental rights – particularly for the most vulnerable of our global society.”

I would also like to take this opportunity to thank the IAPP for its incredible support with respect to the 48th Global Privacy Assembly annual conference, which had to be relocated from Dubai to Brussels this year and will be co-located with the IAPP Europe Congress 2026, making it an exceptional opportunity for global privacy and data protection professionals to connect, learn, and collaborate.

Conclusion

Here in Canada, the federal government recently announced a review of the Privacy Act, the law that governs how more than 250 government institutions collect, use, disclose, and protect the personal information of Canadians. This is an important and welcome development, particularly proposals to explicitly recognize privacy as a fundamental human right, and new requirements for privacy impact assessments, safeguarding personal information, and breach reporting.

I am committed to working with the government to ensure that a modernized law will protect Canadians’ fundamental right to privacy in the digital age.

I also remain optimistic about movement on private-sector law reform. A modernized PIPEDA would help provide clarity for organizations and better protections for Canadians. It could also help to strengthen Canada’s digital sovereignty by setting out clear expectations and guardrails for data leaving Canada.

Prioritizing privacy is more important than ever – as new technologies are being developed, as AI is getting integrated into a wide range of personal and professional applications, and as operating models increasingly capture, share, and rely on personal information.

I have been fortunate to get to know many professionals in this room over the years, and I am continuously energized by the commitment, ingenuity, and level of engagement that you each bring to this work.

The collective mandate that is shared by everyone in this room cannot be understated at this time of significant change and complexity.

Together, let us continue to grow this community, build intersecting networks, and seek opportunities for collaboration and convergence to shape a culture of privacy – by implementing privacy-by-design principles, by innovating responsibly, and by prioritizing the best interests of individuals, and children.

Thank you for your time, and thank you to IAPP Canada for inviting me to speak with you today and for putting together another fantastic IAPP Canada Privacy Symposium. OPC personnel will be speaking on several panels, and I encourage you to attend.

I am delighted to be here, and I look forward to the many important discussions that I know that we will be having over the coming days. Thank you and happy Privacy Awareness Week.