OPC’s Annual Report – actions taken but frustrations evident
On June 5, 2025 the federal Privacy Commissioner, Phillippe Dufresne, delivered his office’s Annual Report to Parliament, titled “Prioritizing privacy in a data-driven world”. The Report contains a comprehensive summary of the activities of the Office of the Privacy Commissioner over the year ending March 31, 2025, under its legislative jurisdictions of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act.
While providing a ready reference for those looking to keep up to date on the OPC’s investigations and other enforcement actions, including court cases, the Report also chronicles its on-going work related to the OPC’s strategic priorities and current privacy issues. However one senses a frustration with the state of legislative oversight, not only in the privacy sphere but also in the areas of artificial intelligence and digital data.
In his introductory message the Commissioner sets forth key factors that in his view have put data protection at the forefront of public interest: the continued advancement in the adoption of AI and in particular generative AI, the risks of significant harms caused by data breaches, and the increasingly complex nature of global data flows. The Report identifies three top trends that have dominated the privacy landscape and driven much of the OPC’s work over the last year, specifically: the impact of generative AI, the continuing threat of data breaches, and significant concerns with children’s privacy.
Artificial intelligence and privacy
Technology and AI is one of three Strategic Priorities identified by the OPC in January 2024 and its work in this area is usefully compiled in part of the Report. However, the OPC has had to double down on this priority area due to the rapid advent of generative AI usage throughout both the private sector and government – noted as a key privacy trend over the past year. The Report highlights the extensive collection of personal data by generative AI platforms in responding to queries and in particular the ability of such platforms to identify individuals making requests by the data they provide even though the requestor is not identified.
In the Report’s discussion of its ongoing work related to AI, it is clear that the OPC in collaboration with other privacy regulators, both domestic and international, is looking to governments to introduce oversight rules mandating trustworthy AI, to address not only privacy protections but also precepts of fairness and fundamental rights and freedoms. Reference is made to the G7 Data Protection and Privacy Authorities Roundtable Statement on the Role of Data Protection Authorities in Fostering Trustworthy AI which notes that just as data protection principles must be built into AI design, regulators must be included in the governance being developed around these technologies, since they are well positioned to address problems before they become systemic issues.
The “elephant in the room” of course is the suspended state of legislation governing oversight of AI, in particular Bill C-27’s proposed Artificial Intelligence and Data Act (AIDA). The Report makes reference to the Bill, noting that it also included the proposed reformed private sector privacy law, the Consumer Privacy Protection Act. The Report states that the OPC continues to advocate for modernized laws but in the interim will apply the existing laws such as PIPEDA to address privacy issues raised by generative AI and other new technologies.
Youth privacy
A second strategic priority of the OPC, also noted in the Report as a key trend, is the issue of children’s privacy. Here again, while chronicling the OPC’s several initiatives in this area, the Report alludes to potential areas for regulatory oversight addressing children’s safety online that to date either have failed to move forward or remain at the conceptual stage.
In particular, the Report references a second Statement from the G7 Roundtable which focused on children and AI. This Statement noted that since the current generation of children will be the first to be raised in a world strongly influenced by AI it is important to give attention to the harms arising from AI for which they might be particularly vulnerable.
Harms to children that can arise from AI tools include those that can generate manipulative or deceptive content or that are capable of jeopardizing users’ emotions and decision-making – such as “nudge” techniques designed to encourage people to take actions they might not otherwise take, and which may be against their interests. Examples noted in the G7 report include AI in toys and “AI companions” through which young people may form bonds leading them to be manipulated or disclose sensitive personal information, and “deepfakes” such as sexual or otherwise inappropriate images purporting to include the young person.
The Report chronicles a number of OPC initiatives to address children’s privacy, including an exploratory consultation on age assurance and the development and use of age-assurance technologies to protect children online, as well as website sweeps looking at deceptive design patterns targeting children.
Again, the absence of clear regulatory rules addressing online harms to children looms in the background of the Report. In particular, in addition to the interrupted thrust for broader AI oversight which AIDA might have provided, was the proposed Online Harms Act which in a more focussed form addressing children’s safety obtained wide support before Parliament was prorogued in January.
Data Breaches
Finally, the OPC Report identifies a third key privacy trend of the past year – that data breaches continue to be a significant issue of concern. In this regard, the Report highlights the OPC’s new Privacy Breach Risk Self-Assessment Tool as a user-friendly, web-based application that guides organizations through a series of questions to assist them in assessing the real risk of significant harm of a breach and therefore providing critical guidance in assessing the thresholds for breach response stipulated under PIPEDA.
A version of this article originally was published by Law 360 Canada, June 10, 2025.
For more information please contact: David Young 416-968-6286 david@davidyounglaw.ca
Note: The foregoing does not constitute legal advice. © David Young
Read the PDF: OPC’s Annual Report – actions taken but frustrations evident