Vision, mission, raison d’être and operating context – 2023-24 Departmental Results Report

As an agent of Parliament, the Privacy Commissioner of Canada reports directly to the House of Commons and the Senate. The mandate of the Office of the Privacy Commissioner of Canada (OPC) is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, along with some aspects of Canada’s anti-spam legislation (CASL). The OPC’s mission is to protect and promote the privacy rights of individuals. (Footnote 1)

The Privacy Commissioner’s powers to further the privacy rights of Canadians include:

  • investigating complaints, conducting audits and pursuing court action under the authority of the Privacy Act and PIPEDA;
  • publicly reporting on the personal information-handling practices of public and private sector organizations;
  • supporting, undertaking and publishing research into privacy issues; and
  • promoting public awareness and understanding of privacy issues, including appearing before Parliament on proposed legislation and studies on issues affecting the privacy rights of Canadians.

The Commissioner works independently of government to investigate federal public sector-related complaints from individuals under the Privacy Act, and complaints related to the private sector under PIPEDA. He also has some designated responsibilities to ensure compliance with CASL.

The Commissioner may address complaints through mediation and conciliation; he also has the power to summon witnesses, administer oaths, and compel the production of evidence. In cases where the investigation does not result in a voluntary agreement/resolution and remains unresolved, the Commissioner may seek an order from the Federal Court to address the situation under certain circumstances.

Operating context – 2023-2024

The OPC’s operating environment is constantly evolving, given the speed of technological change and novel uses of personal data.

In today’s fast-paced digital age, the sheer breadth of digital advancement, notably in artificial intelligence (AI), is reshaping our world. With rapid adoption of emerging technologies by businesses, federal institutions and individuals, it is a landscape teeming with exciting possibilities and unprecedented challenges. While new technologies promise improvements to our lives, it is essential to consider and protect the personal information involved in innovations that are intensely data dependent. Despite the potential benefits, children and young people are particularly vulnerable in the digital world, facing risks that can limit their development and compromise their well-being.

Data breaches have surged over the past decade. In particular, ransomware and malware attacks are rising sharply. This risk of cyberattacks and data exfiltration from a variety of threat actors is of great concern to private and public sector organizations, and the majority of individuals are concerned about identity theft.

The rapid expansion of AI and generative AI technologies, in Canada and around the world, is generating privacy concerns. Partnerships with data protection authorities and other regulators became increasingly necessary in 2023–24, as generative AI topped the list of rapidly emerging technologies calling for a coordinated response.

Technological changes add complexity to the OPC’s investigations, especially in a context where laws remain unchanged. In 2023–24, private-sector organizations reported 693 breaches to the OPC, affecting approximately 25 million Canadian accounts. Navigating this dynamic landscape requires keeping pace with the rapid evolution of technology, as well as providing advice, guidance and solutions that are clear and practical.

Laws that govern the collection, use and disclosure of personal information are changing worldwide. More than 20 years ago, PIPEDA positioned Canada among the pioneers. Bill C-27, the Digital Charter Implementation Act, 2022, marks a major stride toward federal private-sector privacy law modernization and AI regulation in Canada. At the time of writing this report, the bill was still before Parliament.

Anticipating law reform, this period prompts the OPC to prepare for operational and structural changes. However, the situation calls for adaptability and innovation, to ensure that the OPC has a meaningful impact regardless of the legislative outcome. If reform does not materialize, the OPC must continue to innovate within the limits of existing laws. The prospect of reforms to public sector legislation also stresses the need for adaptability and preparedness.

For a small organization such as the OPC, current funding levels present a challenge in adapting to the evolving operational context and in fully delivering on its mandate in the way that it aspires to. Since mandatory reporting of privacy breaches under the Personal Information Protection and Electronic Documents Act began in 2018, the OPC has experienced a 600% increase in breach notifications. Breach reports under the Privacy Act have also increased; in 2023–24 alone, they rose by 88% compared to the previous year. Temporary funding in recent years has helped reduce investigative backlogs and has allowed the OPC to conduct investigations into complex emerging technologies and novel business practices, as well as an in-depth review of a larger number of breaches reported to it. To fulfill the OPC’s existing mandate and any new legislative requirements, additional, timely and stable funding is crucial.

To remain effective within this rapidly evolving and complex privacy landscape, the Commissioner launched a three-year Strategic Plan that serves as a tool to guide the OPC’s efforts and focus them on areas of greatest risk and potential impact. This plan will drive the OPC’s responsiveness and its proactivity and help it make choices about where to focus its limited resources over the next three years.
