Issue sheets on the Study of challenges posed by AI

Forms of AI

Speaking Points

  • There are many forms of AI ranging from machine learning, large language models (LLMs), generative AI and, more recently, agentic AI.
  • In general, each new form of AI increases in size and capability when compared to earlier AI technologies.
  • Similarly, the privacy risks of each new form of AI increase as well.
  • To the extent that new forms of AI process more personal information, both as part of their training and in their deployment, and are used to make predictions about individuals in increasingly sensitive situations, the risks to privacy increase both in number and form.

Background

  • AI is an umbrella term for a range of technologies and methods to develop applications that can perform tasks normally requiring human intelligence.
  • Machine learning is a subfield of AI that develops predictive models using methods that “learn from data.”
  • LLMs are machine learning models trained on massive corpora of mainly web-scraped text as well as human-curated examples to act as helpful assistants / chatbots.
  • Generative AI is a subfield of machine learning whose models generally fall into two categories: LLM-based assistants / chatbots and text-to-image art systems.
    • Examples of LLM-based assistants / chatbots include ChatGPT (OpenAI), Gemini (Google), Copilot (Microsoft), LLaMA (Meta); examples of text-to-image art systems include Stable Diffusion (Midjourney), DALL-E (OpenAI).
  • Agentic AI tools are next-generation LLMs trained to act autonomously and perform more abstract goal-oriented tasks without constant human oversight.
  • Examples of privacy risks that emerged due to advancements in AI such as LLMs / generative AI are web scraping of training data and hallucinations in AI outputs.

Lead: PRPA


Privacy Implications of AI

Speaking Points

  • AI has privacy implications which arise in both the development and use phases.
  • Development of AI systems requires massive amounts of data, including personal information; even where individuals are aware of this collection, it is not always clear that they have consented to it or are able to exercise their privacy rights, such as rights to access and correction.
  • Use of AI systems can be associated with bias or discrimination, non-transparent decisions, or a lack of accountability. AI systems can also process large amounts of data, leading to more sophisticated tracking or surveillance of individuals.
  • However, none of these are inherent problems; designing privacy into the development and use of AI systems can lead to responsible innovation.

Background

  • OPC 2024-25 Survey of Canadians: When Canadians were asked about their level of privacy concern associated with certain situations, the greatest level of “extreme concern” was associated with using AI tools (34%).
  • Recommendation 6, 2025 PIPEDA Priority Recommendations: “Enhance accountability by requiring organizations to implement privacy by design and conduct privacy impact assessments (PIAs) for high-risk activities.”
  • G7 DPA Roundtable statement on responsible innovation: Common considerations that support prioritizing privacy in practice include:
    • Determining whether the processing of personal data is necessary;
    • Conducting an assessment of privacy risks that may be created or exacerbated by the technology, and making appropriate design, development and deployment decisions to mitigate identified risks;
    • Designing technologies in a way that supports the exercise of privacy rights; and,
    • Monitoring and regularly re-assessing the effectiveness of risk mitigations.

Lead: PRPA


AI Training Data and Privacy

Speaking Points

  • AI’s need for massive amounts of training data – which will often include personal information – can pose significant privacy issues.
  • Where training data is scraped from online sources, one risk is that it will be ‘memorized’ by an AI system and disclosed in future responses. This is particularly problematic where an individual thought they were posting information to a limited audience or did not post the information themselves.
  • Similarly, individuals might not expect the sensitive information they provide to an organization – or directly to a large language model – to subsequently be used to fine-tune an AI system, again risking that it will be disclosed in the future.
  • The collection and use of data for training AI systems must be respectful of the expectations of individuals (which may shift over time), be transparent, and allow for the exercise of individuals’ privacy rights. Data minimization approaches (such as filtering personal information from datasets) should also be explored.
  • This is an issue of high importance to Canadians, with 42% reporting being “extremely concerned” about their personal information being used to train AI systems.

Background

  • The OPC’s open investigations of OpenAI and X both examine the use of personal information to train AI systems, as did our engagement with LinkedIn.
  • In the OPC’s 2024-25 Survey of Canadians, when asked about their concern about personal information being used to train AI, 42% of respondents said they were “extremely concerned”, 46% were “concerned” or “somewhat concerned”, and only 11% stated they were “not concerned.”
  • The EU AI Act requires providers of ‘general-purpose AI models’ (such as most LLMs) to “draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model” (Article 53(1)(d)).

Lead: PRPA


AI and digital sovereignty

Speaking Points

  • I understand that reliance on foreign AI companies raises concerns regarding Canada’s digital sovereignty. Personal information processed in a foreign country or by foreign companies may be accessible to the law enforcement and national security authorities of that jurisdiction.
  • The trade agreement between Canada, the US and Mexico allows member countries to implement certain measures that may restrict cross border data transfers for a “legitimate public policy objective”.
  • Modernizing Canada’s privacy laws could help to effectively regulate the risks associated with cross border data transfers. For instance, I have recommended that PIPEDA be amended to include guardrails such as requiring privacy impact assessments for high-risk activities, and specific rules to protect personal data moving outside the country.

Background

  • PIPEDA does not currently prohibit organizations in Canada from transferring personal information to organizations in another jurisdiction, nor does it distinguish between domestic and international transfers. PIPEDA requires that organizations be transparent about their data practices and clarifies that organizations remain responsible for personal information transferred to a third party for processing and must ensure that a “comparable level of protection” is provided.
  • Article 19.11 of CUSMA generally prohibits restrictions on cross border data transfers. However, member countries can restrict cross border data flows where necessary for a “legitimate public policy objective,” such as the protection of public safety, provided measures are not arbitrary or discriminatory, a disguised barrier to trade, or impose greater restrictions than are necessary for the objective.
  • A joint review of CUSMA is set for July 2026, following which the parties can extend its term for another 16 years. If any of the parties does not support an extension, annual reviews will continue until CUSMA expires in 2036.
  • Under the European Data Union Strategy, the European Union is developing its own AI framework, focusing on strengthening the EU’s digital sovereignty. Aims include supporting a sovereign cloud and AI services for EU businesses and public administrations and ensuring that data is exchanged across borders to trusted partners on terms that are fair, secure and consistent with EU values and interests.

Lead: PRPA


Algorithmic pricing

Speaking Points

  • Algorithmic pricing refers to the use of automated tools to assign prices for products or services, often in real time, based on a set of data inputs.
  • While it has the potential to improve market efficiencies, algorithmic pricing can also lead to harms such as discrimination, anti-competitive behaviour, lack of algorithmic transparency and privacy concerns.
  • While context-based algorithmic pricing is common in certain sectors, it is unclear to what extent algorithmic pricing based on individuals’ personal information is occurring in Canada.
  • Algorithmic pricing is a cross-regulatory issue; in fact, the Competition Bureau recently ran a public consultation on algorithmic pricing and competition in order to aid their understanding of the topic and how it might impact competition and consumers.

Background

  • Examples of context-based algorithmic pricing include Uber’s “surge pricing” based on driver availability and airline ticket prices based on remaining seats / closeness to flight date.
  • Examples of algorithmic pricing based on individuals’ personal information include modifying prices based on individual demographics, socioeconomic status and purchasing behaviour.
  • The Competition Bureau launched a public consultation on algorithmic pricing and competition in summer 2025.
  • On January 22, 2026, the Bureau published a “What We Heard” report highlighting feedback received from individuals and stakeholder groups.
  • The report noted that there were significant concerns raised about how algorithms might collect and use consumer data, with respondents mentioning the risk of consumer information being shared with data brokers, and questioning how consent is obtained online.

Lead: PRPA


Deepfakes

Speaking Points

  • In December 2023, Canada’s provincial and territorial information and privacy commissioners and I published joint principles for responsible, trustworthy, and privacy-protective generative AI technologies.
  • In that document, we suggested that the creation of AI content for malicious purposes, including deepfakes and intimate images of an identifiable person generated without their consent, would likely constitute a “no-go zone.”
  • My colleagues in the Canadian Digital Regulators Forum and I explored the topic of synthetic media, which includes deepfakes, in a paper published last September. In that paper, we noted areas where privacy issues and synthetic media interact, as well as how Canada’s federal private sector privacy law may apply.
  • Where an AI system is trained on or uses personal information, privacy legislation applies. However, explicit clarification that legislation applies to the creation or dissemination of altered content may provide regulatory certainty.

Background

  • In the CDRF report on synthetic media, the OPC highlighted the importance of privacy given that large amounts of information are needed to train synthetic media algorithms to generate accurate or convincing images, mimic the timbre and inflection of a person’s voice, or produce the writing style of an author or thinker.
  • We noted that synthetic media systems use inputs and produce outputs that may constitute personal information, in which cases privacy law would likely apply.
  • We further noted that any collection, use or disclosure of personal information related to a synthetic media system should only be for purposes that a reasonable person would consider appropriate under the circumstances. We also outlined that collecting or using the personal information of a person without their consent to generate nude or sexually intimate images of them would be a “no-go zone.”

Lead: PRPA


C-16 Protecting Victims Act / Deepfakes

Speaking Points

  • Bill C-16 would criminalize the non-consensual distribution of certain deepfakes. The Bill also contains other privacy-impactful criminal law amendments that my office is presently reviewing. I am supportive of many of the elements of this Bill.
  • However, an effective response to the issue of deepfakes must extend beyond the criminal law. My office needs stronger enforcement tools, in particular order-making powers to more effectively hold organizations to account. I also support the need for comprehensive online harms legislation.

Background

  • Scope of s. 162.1: this offence applies to “intimate images”, which includes deepfakes that depict a person as either “nude”, “exposing their sexual organs”, or “engaged in explicit sexual activity” (s. 164.1(2) of the Criminal Code). Other categories of deepfakes would not be covered, including for example deepfakes of children that do not meet the above criteria.
  • Other privacy protective features: Bill C-16 would place new limits on evidence of a complainant’s past sexual history, as well as on the production of private records, including therapeutic records, in the prosecution of sexual offences under the Criminal Code (ss. 276-276.13 and 278.1-278.38 of the Criminal Code). These amendments have the potential to limit the proliferation of highly sensitive information during the prosecution of sexual offences.
  • Areas of potential concern in Bill C-16: Bill C-16 contains broad information-sharing authorities for Correctional Services Canada (see proposed ss. 25.1-25.4 of the Corrections and Conditional Release Act).
  • Online harms bills:
    • Former Bill C-63 proposed the Online Harms Act which would have regulated “social media services” and set out an arms-length regulatory structure. A new online harms bill is expected soon.
    • Private Member’s Bill C-216 (presently at first reading in the House) would apply exclusively to minors and regulate Internet “operators”. Rather than creating a new regulatory structure, it would extend the role of the Canadian Radio-television and Telecommunications Commission (CRTC).

Lead: PRPA/LEGAL

Automated Decision-Making

Speaking Points

  • Automated decision-making is a good example of how AI is impacting Canadians now, rather than just being a future concern.
  • Bill C-27 included a provision that would have required organizations to provide a general account of their use of any automated system to make predictions, recommendations, or decisions about individuals that could have a significant impact on them. It would also have allowed individuals to request explanations of those decisions.
  • These would have been positive and welcome developments that would have brought federal privacy law more in line with modern laws such as the EU’s GDPR and Quebec’s Loi 25.
  • This speaks to the need to ensure that regardless of whether an AI-specific law is introduced, complementary legislation (such as privacy laws) must also be updated or amended to ensure that AI regulation is comprehensive and effective.

Background

  • The EU’s GDPR creates the right “not to be subject to a decision based solely on automated processing … which produces legal effects concerning him or her.” Where this does occur (for instance, if the individual gives consent) the individual must be provided the right to obtain human intervention, express their point of view and contest the decision (Article 22.1; 22.3).
  • Quebec’s Loi 25 requires that, if personal information is used to make a decision based exclusively on automated decision-making, an individual, on request, must be informed of this, as well as of the following: (i) the personal information used to make the decision, (ii) the reasons, principal factors and parameters that led to the decision, and (iii) the right to have the personal information in (i) corrected. The person must also be provided a mechanism to appeal the decision to a person (s. 12.1).
  • In our submission on Bill C-27, we recommended that the explanation requirement be expanded to all automated decision-making (not just for those with “significant impact”), and that profiling be explicitly included in the provisions related to automated decision-making.

Lead: PRPA


Regulation of AI in Canada

Speaking Points

  • As we have seen with issues such as sexualized deepfakes, some protections need to be built into the AI system itself to prevent harmful uses. In other instances, a system might cause harms not foreseeable to the developer, suggesting that use also requires regulation.
  • This strategy of limiting what harms are possible and what uses are permissible is similar to what we see in privacy law – reducing the potential for harm (such as through data minimization) while also establishing rules for what can be done with personal information.
  • Regardless of whether regulation is done through standalone AI legislation or a more sectoral approach, given the importance of personal information to AI systems, privacy legislation must remain central to their governance. This will help to develop trust in these systems, which will in turn spur innovation and adoption.
  • Data protection authorities such as the OPC are well placed to work with other authorities in a cooperative manner to ensure that Canada can harness the benefits of AI technologies while managing risks and safeguarding fundamental rights.

Background

  • Multiple witnesses during this study have discussed whether it is more appropriate to regulate development or use of AI systems. Those that focus on the latter often argue that regulating development will be very challenging as this often happens outside of Canada.
  • On the role of DPAs and regulatory collaboration, the 2024 G7 Statement on the Role of Data Protection Authorities in Fostering Trustworthy AI stated, “We believe that a cooperative approach, in which DPAs are at the forefront in working closely with other authorities and competent bodies, ensures a holistic governance framework that can effectively manage the risks and harness the benefits of trustworthy AI technologies whilst safeguarding fundamental rights.”
  • The 2025 G7 Data Protection and Privacy Authorities Roundtable Statement argued that “When individuals have confidence that their data is protected and used lawfully and responsibly, trust exists; where trust exists, innovation is embraced.”

Lead: PRPA


Key Elements of an AI Law

Speaking Points

  • Given that AI systems process personal information, AI regulation will unavoidably overlap or need to be integrated with privacy laws.
  • For example, privacy law should still apply to the collection and use of personal information in the development and use of AI systems.
  • Standalone AI legislation should fill gaps and not be a replacement for existing regimes.
  • Should Parliament opt to introduce a standalone AI law, it will be important that there is clarity with respect to what processes are covered by an AI law vs. privacy legislation. As well, should there be an AI regulator, it will be imperative that they are able to collaborate with my office on matters that touch on both of our jurisdictions.
  • Ideally a risk-based approach would be followed in any AI regulation. Canada needs to ensure that individuals’ rights are protected, while guarding against low-risk uses of AI being overregulated to support AI innovation.

Background

  • Risk-based approach: For example, the requirements of the EU AI Act depend on whether an AI system is “prohibited”, “high-risk” or (so-called) limited risk, with additional obligations for “general purpose AI [such as Large Language Models]”.
  • Recommendation 2, 2025 PIPEDA Priority Recommendations: “Recognize privacy as a fundamental right in the purpose clause and in an embedded preamble.”
  • Recommendation 6, 2025 PIPEDA Priority Recommendations: “Enhance accountability by requiring organizations to implement privacy by design and conduct privacy impact assessments (PIAs) for high-risk activities.”

Lead: PRPA


PIPEDA reform to regulate AI

Speaking Points

  • I have identified seven priority recommendations for PIPEDA reform that will be the most impactful in enhancing privacy protections and privacy rights in Canada.
  • Most directly related to AI is that organizations be required to implement privacy by design and conduct PIAs for high-risk activities. These would help to develop the public’s trust in AI systems.
  • Other recommendations I made would also support AI regulation: for instance, a de-identification framework would protect AI training data; rules for trans-border data flows would help to ensure that Canadians remain protected when using AI systems operated outside the country; and, enforcement powers would make the OPC more effective in dealing with contraventions.
  • Overall, modernizing and strengthening PIPEDA would help to improve AI regulation in Canada – both for Canadians and for organizations.

Background

  • OPC’s seven priority recommendations for PIPEDA reform relate to:
    • Enforcement powers
    • Fundamental right to privacy
    • Children’s privacy
    • De-identification
    • Right to deletion and de-listing
    • Privacy by design and privacy impact assessments
    • Trans-border data flows
  • In the OPC’s submission on Bill C-27, the recommendation re: privacy impact assessments specifically cited certain AI systems as being higher-risk activities to which the provision should apply:
    • “[Higher-risk activities] could include things like AI systems making impactful decisions about individuals, including whether they get a job offer, qualify for a loan, pay a higher insurance premium, or are suspected of suspicious or unlawful behaviour.”

Lead: PRPA


Canada’s AI Strategy

Speaking Points

  • Canada’s AI strategy is in the process of being updated by the government, based on ISED’s public consultation in October 2025.
  • The current (but soon-to-be-replaced) strategy consists mainly of the Pan-Canadian Artificial Intelligence Strategy.
  • The Pan-Canadian AI Strategy was launched in 2017 as the world’s first national AI strategy.
  • It is built on three pillars:
    • Commercialization to translate research into commercial applications and adopt made-in-Canada technologies.
    • Standards to advance the development and adoption of standards related to AI.
    • Talent and research to attract, retain and develop academic research talent and provide dedicated compute capacity.

Background

  • The government committed to developing an updated national AI strategy “by the end of 2025,” but nothing has been released to date.
  • The Digital Research Alliance of Canada and Canadian AI research institutes such as Amii (Alberta), Mila (Quebec), the Vector Institute and CIFAR (the Canadian Institute for Advanced Research) feature prominently in the Pan-Canadian AI Strategy.
  • The AI Strategy also outlines that through the Standards Council of Canada, the government is advancing the development of AI standards.
  • Other documents sometimes mentioned in relation to Canada’s AI Strategy include:
    • ISED’s Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems.
    • The Canadian Centre for Cyber Security’s Guidelines for secure AI system development (developed jointly with 22 international partner organizations).

Lead: PRPA


ISED AI Consultation

Speaking Points

  • In October 2025, ISED ran a 30-day “national sprint” public consultation to develop a renewed national AI strategy.
  • The OPC provided a submission, which is published on our website.
  • Our submission focussed on key areas of alignment between building safe, responsible AI and protecting privacy, including:
    • privacy as a driver of innovation and public trust
    • the need to modernize Canada’s privacy laws
    • recognizing privacy as a fundamental right
    • the growing importance of children’s privacy rights
  • As outlined in our submission, we commend the timely exploration of this issue and the Government of Canada’s efforts to transform Canada into a world leader in responsible and secure AI.

Background

  • ISED’s consultation had a high level of engagement, with over 11,300 submissions.
  • The consultation sought advice on a broad range of AI-related themes, including:
    • research and talent
    • AI adoption by industry and governments
    • commercialization of AI
    • scaling Canadian champions and attracting investments
    • building safe AI systems and strengthening public trust in AI
    • education and skills
    • building enabling infrastructure
    • security of Canadian infrastructure and capacity
  • The government also launched an AI Strategy Task Force consisting of 28 AI leaders from across Canada to provide additional input on the renewed AI strategy.
  • A new strategy was expected before the end of 2025 but has not yet been released.

Lead: PRPA


Canada’s AI Safety Institute

Speaking Points

  • The Canadian Artificial Intelligence Safety Institute (CAISI) is a government-led initiative that aims to advance AI safety, help governments and society understand the risks posed by advanced AI systems, and suggest solutions to address those risks to minimize harm.
  • CAISI is part of the International Network of AI Safety Institutes, which includes other AI safety institutes from countries such as Australia, the European Commission, France, Japan, Kenya, the Republic of Korea, Singapore, the United Kingdom, and the United States.
  • The focus of CAISI’s work is research, not regulation.
  • While CAISI’s work may help inform technical standards and best practices in AI safety, the OPC’s mandate is distinct insofar as it deals with the application of federal privacy laws, including issues such as consent.

Background

  • CAISI was established in November 2024, two weeks before the International Network of AI Safety Institutes.
  • CAISI is led by ISED but leverages the research capabilities of the National Research Council (NRC) as well as the broader Canadian research community through the Canadian Institute for Advanced Research (CIFAR).
  • The current research agenda of CAISI is focussed on risks from synthetic content such as deepfakes.
  • Research areas include proliferation of harmful content, facilitation of fraud, impersonation and deception, and undermining trust and individual autonomy.
  • Technical solutions being researched include digital fingerprints and watermarks to help distinguish AI-generated content from human-generated content.

Lead: PRPA


ISED Voluntary Code of Conduct

Speaking Points

  • In late 2023, ISED published its Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. Since then, over 40 signatories have committed to adopt the measures it sets out.
  • My Office welcomes the acknowledgement in the code of the privacy implications of generative AI, including a reference to the G7 Data Protection and Privacy Authorities’ Statement on Generative AI and to legal obligations under PIPEDA.
  • We are supportive of the concept of codes of practice in general and broadly agree with the principles and measures set out in ISED’s voluntary code. However, to be an effective governance tool they need to be buttressed by strong and effective legislation.
  • This code was intended as a way for organizations to signal their commitment to the responsible development and use of generative AI systems, in advance of AI-specific legislation being passed. While it is an effective stopgap measure, it should not be relied on as a standalone control.

Background

  • ISED hosted a series of roundtables on the development of this code with key stakeholders in the AI industry and civil society organizations. We were not involved in this consultation process, though we did provide feedback on a draft of the code.
  • In an FAQ document, ISED states: “The code is meant to provide a bridge to regulations under AIDA by providing a clear set of guidelines that firms can implement immediately.”
  • The code’s principles relate to: accountability; safety; fairness and equity; transparency; human oversight and monitoring, and validity and robustness. Multiple implementation measures are identified under each.

Lead: PRPA


Government use of AI

Speaking Points

  • While AI can offer benefits, such as efficiency, privacy must be built in by design in the implementation of AI tools.
  • The OPC has engaged with several federal institutions, through consultations and PIA reviews, on the topic of AI initiatives such as Microsoft 365. Our engagements tend to indicate that there is an increase in the use of AI for internal purposes.
  • Major use cases have included public-facing chatbots, screening for job candidates, internal file creation and case document summarization.
  • The OPC deems any of the current early use cases to be relatively low risk; that said, some applications and contexts (such as law enforcement) require greater caution, given potential higher impacts.
  • While the OPC did not have significant concerns about AI initiatives presented in PIAs received and consultations held, it is possible that we were not notified of all government AI initiatives.
  • I note that government lacks some control over AI systems supplied by third party providers who may be able to push updates and implement new functionalities. Institutions should continually reevaluate tools.

Background

  • In November 2025, TBS published an AI Register with basic information about existing Government of Canada AI systems. A review of the registry conducted in December 2025 suggests that at least 10-15 of the 402 listed systems likely involved personal information/were not known to the OPC. The OPC will be reaching out to the relevant institutions to understand privacy implications.
  • OPC’s advice to federal institutions about use of AI has frequently related to: compliance with the TBS Directive; ensuring due diligence in contracting; ensuring awareness of, and testing for, bias and accuracy; promoting public transparency about the use of AI; and considering necessity, effectiveness and proportionality.

Lead: Compliance


TBS Directive on Automated Decision-Making

Speaking Points

  • The OPC has been engaging with the Treasury Board Secretariat (TBS) since 2018 on its Directive on Automated Decision-making (DADM).
  • TBS has been generally receptive to my Office’s comments on the Directive and demonstrated commitment to continuing to improve it, as well as the associated Algorithmic Impact Assessment (AIA).
  • The Directive is a useful policy instrument, and my Office incorporates the Directive requirements into its review of Privacy Impact Assessments (PIAs).
  • Although departments are required to complete an AIA before launching any automated decision system, my Office notes that implementation is not consistent across federal institutions. In several instances, following the review of PIAs on automated systems, my Office has recommended that the institution undertake an AIA.

Background

  • The DADM was first published in 2019, with compliance required by April 2020. TBS is required to review and update the Directive every two years. The OPC has provided comments to TBS on both updates (2022 and 2024).
  • Historically, the OPC’s comments have emphasized legal authority, necessity, involvement of privacy officials, and public transparency about the use of automated decision systems.
  • The DADM aims to ensure that federal institutions deploy automated decision-making systems in a manner that reduces organizational and societal risks and leads to accurate and interpretable decisions. It requires federal institutions to undertake and publish AIAs before production of any automated decision system.
  • There are currently 31 AIAs published to TBS’s Open Government Portal as required by the DADM.
  • The OPC has made recommendations to federal institutions regarding gaps in compliance with the DADM (e.g., missing AIAs, lack of testing for bias and accuracy) in seven instances this fiscal year.

Lead: Compliance


International approaches to AI regulation

Speaking Points

  • For some time, the EU’s approach of establishing a standalone AI law (the “AI Act”) was viewed as the standard approach to regulating AI. However, others have started to emerge.
  • The UK, for example, has taken a sectoral and principles-based approach, with the government setting out a set of five “pro-innovation” principles for regulators to interpret and apply within their individual remits.
  • As well, rather than focusing on legislation, Singapore has established measures such as the “AI Verify” governance testing framework which maps to recognized standards from the International Organization for Standards (ISO) and the US National Institute of Standards and Technology (NIST). They also release targeted frameworks, such as January’s Model AI Governance Framework for Agentic AI.
  • Notably, across all jurisdictions the processing of personal information in the context of AI systems remains under the purview of privacy legislation.
  • While I am supportive of the creation of practical frameworks that can support innovation while protecting fundamental rights, most AI frameworks are voluntary tools rather than enforceable legal requirements. They would therefore ideally supplement and not replace legislation.

Background

  • Previous witnesses have highlighted the UK and Singapore approaches to AI regulation as potential alternative models to the EU AI Act.
  • The UK Government’s AI regulation principles (set out in a March 2023 AI Regulation White Paper) are: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; contestability and redress.

Lead: PRPA


EU AI Act

Speaking Points

  • The EU Artificial Intelligence Act (AI Act) takes a risk-based approach, prohibiting some artificial intelligence practices (such as social scoring) and labelling others as high-risk (such as AI systems used to evaluate eligibility for public benefits or services).
  • The AI Act’s main requirements apply to these high-risk systems, and to “general purpose” AI models (such as those upon which generative AI is built). Certain transparency requirements will also apply to lower risk systems.
  • In November 2025, the EU introduced the Digital Omnibus which, among other things, would delay the coming-into-force of the requirements for high-risk systems. Importantly, this is to allow for the development of associated standards and guidelines – it does not suggest that the primary requirements will ultimately change.
  • As such, Canada could still reasonably look to the AI Act as a model for AI governance measures.

Background

  • The EU AI Act came into force on August 1, 2024, with its substantive requirements being phased in over time. Most requirements for high-risk AI systems would have come into force on August 1, 2026. The Digital Omnibus delays these until after relevant standards become available, but in any case, no later than August 2, 2028.
  • The Digital Omnibus also introduces changes aimed at reducing administrative burden, such as certain registration requirements for lower-risk systems.
  • In the EU AI Act, “high-risk” AI systems are subject to requirements including:
    • risk and quality assessments,
    • logging and record-keeping for traceability,
    • general human oversight,
    • accurate and representative data for AI training,
    • ex-ante conformity assessments, and
    • demonstrable accountability.

Lead: PRPA


European Data Protection Board (EDPB) Task Force on ChatGPT

Speaking Points

  • In April 2023 several European data protection authorities (DPAs) formed a Task Force to coordinate their ongoing investigations into ChatGPT under the umbrella of the EDPB.
  • In May 2024 the Task Force published a report that sets out a common framework according to which DPAs agree to interpret applicable provisions of the GDPR in their respective investigations.
  • Issues analyzed in the report include: the lawfulness of web scraping, accuracy of probabilistic outputs, and supporting data subject rights.
  • The report is not meant to prejudge any of the findings of DPAs’ investigations; rather, it reflects the “common denominator” of shared positions with respect to interpreting the GDPR.

Background

  • The Task Force was created because, at the time, OpenAI did not have a legally established presence in the European Union; as such, no coordination procedures under the GDPR’s “one-stop-shop” mechanism could apply.
  • OpenAI became a legally established entity in the EU (in Ireland) in February 2024 - 10 months after the Task Force was created.
  • In December 2024, Italy’s DPA (the Garante) fined OpenAI 15 million euros after completing its investigation; Task Force members who have opened investigations into ChatGPT include France, Spain, Germany and Poland.
  • The EDPB is the GDPR equivalent of the Article 29 Working Party under the EU’s former Data Protection Directive; it works to ensure consistency in the application of the GDPR and cooperation between DPAs, including on enforcement; it is composed of representatives from national DPAs as well as the European Data Protection Supervisor.

Lead: PRPA


OPC work on AI

Speaking Points

  • One of my strategic priorities focuses on bolstering the OPC’s ability to address the privacy impacts of the fast-moving pace of technological advancements, especially in the world of AI and generative AI.
  • We have taken significant steps towards enhancing our understanding of, and establishing expectations for, AI systems, often in collaboration with key partners.
  • For example, we have drafted principles for responsible, trustworthy and privacy-protective generative AI technologies with our provincial and territorial counterparts; led on a resolution that establishes a common understanding of “meaningful human oversight” of AI-based decisions through the Global Privacy Assembly; and worked with our G7 partners on statements related to Children and AI and the role of data protection authorities in promoting responsible AI.
  • We are also finding ways to stay on top of the latest research in this field, including by funding multiple AI-related projects through our contributions program during the 2024-2025 funding cycle.
  • Finally, we are seeking to better understand AI by exploring how it can be integrated into our own work, including with our own internal LLM.

Background

  • Funded Contributions Program projects include:
    • Generative AI, Privacy Policy and Young Canadians (Toronto Metropolitan University)
    • Benchmarking Large Language Models and Privacy Protection (University of Ottawa)
    • The Machine-Readable Child: Governance of Emotional AI Used with Canadian Children (Internet of Things Privacy Forum)
  • Relevant G7 Statements:
    • 2024: Statement on the Role of Data Protection Authorities in Fostering Trustworthy AI; Statement on AI and Children.
    • 2023: Statement on Generative AI.

Lead: PRPA


OPC Expertise in Artificial Intelligence

Speaking Points

  • In recent years, AI has taken a central role in shaping a constantly evolving digital environment. As a result, expertise across privacy, technology, finance, national security, and law is required to ensure that guardrails are put in place and adequately monitored.
  • My Office hires employees from diverse backgrounds and prioritises continuous training to keep pace with rapid technological and regulatory changes.
  • We have established expertise in AI, including the deployment and responsible use of AI-enabled solutions, along with the assessment of privacy safeguards in third-party AI-enabled systems and services.
  • Developing and hiring specialised expertise enhances the OPC’s capacity to support forthcoming AI-related legislative reforms and align with the Government of Canada’s ambitions to rapidly gain efficiencies through broader AI adoption.

Background

  • Privacy expertise remains in high demand, particularly at the intersection of cybersecurity, data governance and Artificial Intelligence (AI), and children’s privacy.
  • In our current fiscal and workforce environment, we focus on retention and developing internal expertise through hands-on training to ensure that the OPC can regulate AI in a privacy context.
  • We target technology-related training on high-impact areas to use existing resources effectively and maintain capability to assess emerging technologies and their privacy implications.
  • However, given the increased complexity and frequency of AI-related regulatory activities, the OPC is continuously exploring new ways and funding mechanisms to attract top talent in a highly competitive job marketplace.

Lead: Corporate


AI Adoption at OPC

Speaking Points

  • In October 2024, the OPC launched its internal AI strategy to demonstrate a privacy-first AI implementation within the Government of Canada, build practical AI expertise across the Office, and help staff improve efficiency through responsible AI use.
  • My Office has invested in secure, high-performance internal AI servers. We aim to share our experience with other government departments to promote privacy by design principles and the meeting of policy and legal obligations.
  • The first version of our internal AI service - focused on low-risk use cases such as summarization of public documents that do not include personal information - was rolled out in Q4 of 2025, with plans to expand to additional use cases later in 2026.
  • This initiative supports OPC’s second strategic priority, which addresses the privacy impacts of rapid technological advancements, especially in AI.

Background

  • OPC employees are instructed not to use third-party AI services for work-related tasks or on OPC devices, except when evaluating them as part of an investigation or when their use follows guidance from our Chief Information Officer and Chief Security Officer and aligns with our acceptable use and AI-assisted technologies policies and guidelines.
  • OPC’s first version of internal AI is not trained on internal data, does not collect any personal information, does not deliver research capabilities or automated decision-making, and does not provide any external services to Canadians.
  • A “privacy by design” approach was used in delivering the solution, including conducting a Privacy Impact Assessment (PIA). Additional PIAs will be performed to ensure risks are identified and adequately managed as we add functionality.

Lead: Corporate


OpenAI investigation

Speaking Points

  • In May 2023, my Office commenced an investigation into the practices of OpenAI in relation to its ChatGPT service. This has been a joint endeavour with counterparts in Alberta, British Columbia, and Quebec.
  • Among the issues under examination are consent, openness, access, accuracy, and accountability. We have also been looking into whether OpenAI collects, uses and discloses personal information for appropriate purposes, and whether this collection is limited to information that is necessary for these purposes.
  • We aim to release our findings in the Spring.
  • It is important that AI and other related emerging technologies be developed and deployed in a responsible and privacy-protective manner. This is why my Office has made it a strategic priority to address and advocate for privacy in this time of technological change.

Background

  • ChatGPT is a natural language processing tool (or chatbot) driven by AI technology. The language model can answer questions and assist users with a range of tasks, such as composing emails and essays.
  • In April 2023, the OPC launched an investigation into ChatGPT after receiving a complaint alleging that the company collected (“scraped”), used, and disclosed the complainant’s personal information for the purpose of its commercial text-generation service without first obtaining their consent. We closed this investigation in May 2023 to pursue a broader, joint, commissioner-initiated complaint.
  • DPAs around the world, including many in Europe, initiated investigations into ChatGPT. The European Data Protection Board launched a dedicated task force to “exchange information on possible enforcement actions” and issued a report in May 2024, sharing a preliminary assessment of OpenAI’s practices against the GDPR.

Lead: Compliance


LinkedIn engagement

Speaking Points

  • As a result of media reports, my Office engaged with LinkedIn over the course of the last year to discuss privacy issues related to its use of Canadian members’ personal information to train its generative AI models.
  • As a result of this engagement, LinkedIn implemented a number of privacy-protective measures, including directly notifying its members via email and/or text of the availability of an opt-out mechanism.
  • Engaging with organizations to promote the responsible development and use of trustworthy and privacy-friendly technologies, like AI, is part of my Office’s strategic priority of advocating for privacy amid technological change.
  • We will continue to monitor future developments in relation to LinkedIn’s AI training.

Background

  • Initial media reports indicated that LinkedIn had started using Canadian members’ personal information without prior notice.
  • On November 1, 2024, LinkedIn paused the training of its AI models in Canada, and on December 10, 2024, the OPC published a statement welcoming LinkedIn’s commitment.
  • When resuming the practice in November 2025, LinkedIn also started sharing members’ personal information with parent company Microsoft and Microsoft-branded affiliates, a practice about which it is transparent and for which it provides its members with an opportunity to opt out.
  • LinkedIn’s engagement with the OPC was voluntary; the OPC did not launch a formal investigation.

Lead: Compliance


OPC Investigation into X/Grok

Speaking Points

  • In February 2025, after receiving a complaint, my Office commenced an investigation into X Corp, the operator of the social media platform X, regarding its collection, use, and disclosure of Canadians’ personal information to train artificial intelligence (“AI”) models, including Grok.
  • In January 2026, following multiple media reports that the AI chatbot Grok was being used to create and share explicit images of individuals without their consent, my Office expanded its current investigation into X Corp. and launched a related investigation into xAI, the AI company responsible for Grok.
  • The investigations will consider whether X Corp. and xAI collected, used, and disclosed personal information via Grok to create deepfakes, including explicit content, in contravention of PIPEDA. This will include examining whether the organizations’ practices were appropriate and whether the organizations obtained valid consent.
  • I am unable to elaborate further given that the investigations are ongoing.

Background

  • In April 2025, Ireland launched an investigation into X’s use of data to train Grok.
  • In January 2026, Ofcom, the UK’s media regulator, initiated a formal investigation into X under the Online Safety Act over the use of Grok AI to manipulate images. The UK ICO has also sought clarification from X and xAI regarding compliance.
  • Australia’s online safety regulator, eSafety, is investigating this matter. Malaysia and Indonesia have blocked access to Grok.
  • To address this issue, both X Corp. and xAI announced that they have implemented measures to limit the creation of explicit content.

Lead: Compliance


Codes of Practice

Speaking Points

  • As of March 4, 2025, reporting entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) can develop codes of practice that relate to the sharing of personal information without consent between themselves and submit them to me for review and approval. I am fully supportive of this initiative.
  • To date, my Office has received 7 codes for review, significantly more than what was estimated in the Regulatory Impact Analysis Statement. I note that the OPC did not receive any additional funding for this new activity. To ensure the success of this initiative, we have reallocated internal resources.
  • I am pleased to report that my Office approved the first code on December 19, 2025. We are currently reviewing 3 further submissions.
  • I have appreciated FINTRAC’s close collaboration on this important file, including exchanges on FINTRAC’s Model Code, which serves as a resource for entities.

Background

  • Section 11.01 of the PCMLTFA allows for the disclosure, collection, and use of personal information without consent, where the disclosure is made in accordance with the regulations. The regulations provide that reporting entities can establish and implement a code of practice for this purpose and submit it to the Commissioner for approval.
  • The code of practice must, among other things, provide for substantially the same or greater protection than PIPEDA. The legislated timeline is 120 days.
  • The RIAS stated that only 3 reporting entity sectors would participate in the information sharing regime in the first 10-year costing period.