Office of the Privacy Commissioner of Canada
Strategic Plan 2024-2027

---

Commissioner’s message

I am pleased to present the Strategic Plan that will guide the work of the Office of the Privacy Commissioner of Canada (OPC) for the next three years.

Since taking on the role of Privacy Commissioner in mid-2022, I have shared my overarching vision for privacy, anchored in three pillars which are, in brief: privacy as a fundamental right; privacy in support of the public interest and Canada’s innovation and competitiveness; and privacy as an accelerator of Canadians’ trust in their institutions and in their participation as digital citizens.

Building on this vision and informed by our many stakeholder engagements, as well as input from OPC employees, three key strategic priorities emerged and have crystallized:

1. Protecting and promoting privacy with maximum impact

2. Addressing and advocating for privacy in this time of technological change

3. Championing children’s privacy rights

The privacy issues and risks that we collectively face as a society, in both the public and private sectors, are vast and, at times, can seem challenging. However, we face the situation with optimism. These priorities are where we believe that we can have the greatest impact and where the greatest risks lie if they are not addressed.

For the first priority, we will maximize our impact in fully and effectively promoting and protecting the fundamental right to privacy. We will adapt as our operational context changes, such as through potential legislative reforms, and we will pursue the most effective and efficient use of our resources and powers for optimal results for Canada and Canadians, even if privacy laws remain unchanged.

The second priority involves bolstering our ability to address the privacy impacts of the fast-moving pace of technological advancements, especially in the world of artificial intelligence (AI) and generative AI and encouraging privacy protective technological innovations. Our third priority is about doing more to promote and protect the privacy rights of children, who are particularly vulnerable in the digital age.

This plan offers a high-level overview of the kinds of initiatives that we are undertaking, the areas where we will focus our efforts, and the outcomes that we intend to achieve. It will drive our responsiveness and our proactivity and help us make choices about where to focus our resources. It requires us to consistently equip and continue to develop our talented team and recruit new employees to address the complexities in the field and the changes ahead.

Striking a balance between the aspirational and the practical, our goals are suitably ambitious, but also realistic. We are guided by a series of cross-cutting principles, which you will see reflected in the initiatives to advance each of the priorities:

• Risk management and understanding: Embrace nuanced risk assessment and decision-making.
• Use of data to inform decisions: Commit to informed decision-making through a deep understanding of data.
• Partnerships: Harness collaboration to amplify impact and expand capacity via networks.
• Centre of excellence: Aspire to be a centre of excellence, attuned to the evolving societal and economic context, and deliver a practical, proactive, and user-friendly approach.
• Capacity building: Maximize resources, focus on impactful outcomes, and build skills for future direction.

Protecting privacy is one of the paramount challenges of our time. We are poised to meet this challenge through strong advocacy, collaboration, education, promotion, and enforcement. This Strategic Plan forms our commitment toward a future where innovation can flourish, and fundamental privacy rights are upheld.

 

Philippe Dufresne
Privacy Commissioner of Canada

---

Strategic Plan at a glance

The strategic priorities build on the Privacy Commissioner’s overarching vision for privacy, anchored in three pillars which are: privacy as a fundamental right; privacy supporting the public interest and Canada’s innovation; and privacy as an accelerator of trust.

Strategic priorities

1. Protecting and promoting privacy with maximum impact	2. Addressing and advocating for privacy in this time of technological change	3. Championing children’s privacy rights
Maximizing the OPC’s impact in fully and effectively promoting and protecting the fundamental right to privacy	Addressing the privacy impacts of the fast-moving pace of technological advancements, especially in the world of AI	Ensuring that children’s privacy is protected and that young people are able to exercise their privacy rights
Initiatives to advance this priority: Increase the use of information and data to identify trends and assist with decision-making Provide focused guidance and outreach Cultivate and leverage strategic partnerships Plan for the effective implementation of potential new privacy legislation	Initiatives to advance this priority: Strengthen our tech-focused alignment Augment our capacity around advanced and emerging technologies Maximize external partnerships involved in tech Establish privacy standards for technologies	Initiatives to advance this priority: Enhance our knowledge and expertise Engage youth for informed education and outreach Apply a children’s privacy lens to compliance work Cultivate networks and partnerships
What we intend to achieve: Optimized programs and services that respond to the needs of Canada and Canadians and our evolving operating context Increased compliance in areas with the biggest impact on privacy Federal privacy law reforms and regulations that are positively influenced by our interventions and an effective transition to new mandate obligations	What we intend to achieve: Timely and aligned guidance, advice, and compliance activities An enhanced capacity to proactively anticipate, evaluate, and swiftly respond to privacy challenges in emerging technologies Partnerships that complement our areas of involvement and our technological capacity	What we intend to achieve: Deepened understanding and appreciation of youth-related audiences, privacy risks, and issues Meaningful engagements and partnerships that increase reach Positive changes among organizations, parents/caregivers, and youth to uphold children’s right to privacy

Guiding principles

Risk management and understanding

Use of data to inform decisions

Partnerships

Centre of excellence

Capacity building

 

---

Who we are and what we do

The OPC’s work is grounded in our mission and mandate. The Privacy Commissioner of Canada is an independent Agent of Parliament, reporting directly to the House of Commons and the Senate, with the critical role of advising Parliament on privacy matters, including legislation, policies, and emerging issues.

The office was established through the Privacy Act, which came into force in 1983 and covers the personal information-handling practices of federal government institutions. In 2001, our mandate expanded with the introduction of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law. Since 2014 we also handle certain aspects of Canada’s anti-spam law (CASL).

The OPC operates independently from the Government and is dedicated to its mission of protecting and promoting privacy rights. This mission underscores our commitment to ensuring that privacy rights are respected and upheld.

In fulfilling our role, we:

• Investigate complaints, conduct audits, and may pursue court action to advance privacy interests;
• Assess organizations’ responses to privacy data breaches, and conduct breach record inspections;
• Provide privacy advice to support the compliance efforts of both public and private sector entities;
• Publicly report on organizations’ personal information-handling practices;
• Support, undertake, and publish research and guidance on privacy issues; and
• Promote public awareness and understanding of privacy issues, which includes providing input to Parliament on proposed legislation and participating in studies affecting privacy rights.

In this dynamic landscape, should privacy laws change, elements of our mandate, powers, and activities will adapt to address contemporary privacy challenges.

---

Operational context

Our operating environment is constantly evolving, given the speed of technological change, the array of business models emerging, and the different ways that organizations use data. Following is a snapshot of some of the technological, legal, economic, and socio-cultural factors at play.

Technological advancements – In today’s fast-paced technological age, the sheer breadth of digital advancements, notably in AI, is reshaping our world. With rapid adoption of emerging technologies by businesses, federal institutions and individuals, it is a landscape teeming with exciting possibilities and unprecedented challenges. New technologies promise improvements to our lives, but there is also a pressing need to consider and protect the personal information involved in innovations that are intensely data-dependent. And, despite the many benefits, children and young people are particularly vulnerable in the digital world, facing risks that can limit their development and compromise their well-being. Technological changes add complexity to our investigations, which intensifies when laws remain unchanged, leaving us without the full slate of regulatory tools to ensure compliance and address breaches. Navigating this dynamic landscape requires keeping pace with the rapid evolution of technology, as well as providing advice, guidance and solutions that are clear and practical.

Legislative reforms – Laws to regulate the collection, use, and disclosure of personal information are changing worldwide with, for example, new privacy laws in provinces like Quebec and efforts to regulate AI in Canada, the EU and US. More than 20 years ago, the Personal Information Protection and Electronic Documents Act (PIPEDA) positioned us among pioneers. Bill C-27, the Digital Charter Implementation Act, 2022 marks a major stride toward federal private-sector privacy law modernization and AI regulation in Canada. The Bill is currently before Parliament. It is an exciting time for privacy in Canada. Anticipating law reform, this period prompts us to prepare for operational and structural changes. However, the situation calls for adaptability and innovation, to ensure that we have a meaningful impact regardless of the legislative outcome. If reform does not materialize, we must continue to innovate within the limits of existing laws. The prospect of reforms to public sector legislation also stresses the need for adaptability and preparedness.

Funding constraints – As a small organization, our current funding levels present a challenge in adapting to the evolving operational context and fully delivering on our mandate in the way that we aspire. Temporary funding has helped reduce investigative backlogs and conduct investigations into complex emerging technologies and novel business practices. However, the thorough and timely review and response to privacy breach reports and other key activities remain underfunded. To fulfill our existing mandate and any new legislative requirements, additional, timely, and stable funding is crucial. We will continue to present fiscally responsible funding requests. We will maximize our agility and cost-effectiveness through continuous assessment and by streamlining program and service delivery. At times, difficult choices about resource allocation may be necessary given the number of issues demanding our attention and the realities of funding constraints.

Socio-cultural factors – In an era where Canadians are increasingly active online, our biennial surveys suggest that most of the population (93%) has some level of concern about their privacy. This widespread apprehension is rooted in worries related to, for example, identity theft, profiling by social media platforms, and the potential misuse of online information by businesses, including in making decisions impacting jobs, residence, insurance or health coverage. Only 4 in 10 Canadians say they feel that businesses, particularly in sectors like social media, big tech, retailers, and telecommunications, respect their privacy. These figures underscore our critical role in advocating for individuals’ privacy and in guiding organizations toward privacy-protective innovation, enabling trust in the digital economy.

---

Strategic priority 1:
Protecting and promoting privacy with maximum impact

Maximizing the OPC’s impact in fully and effectively promoting and protecting the fundamental right to privacy

This priority serves as the bedrock for fulfilling our existing mandate and preparing for potential changes to federal privacy laws. In the evolving privacy landscape, this priority involves a series of key initiatives emphasizing efficiency, adaptability, and preparedness. To maintain our commitment to excellence and innovation we must continue to deepen our understanding of issues and perspectives by analyzing data and business intelligence, as well as by listening to stakeholder and community insights to inform both our promotion and enforcement activities. Nurturing partnerships and networks will translate into meaningful collaborations and amplify our impact. We intend to continue to optimize our methods for assessing and aiding organizations and institutions with compliance, and empowering individuals to understand and exercise their privacy rights. The following strategic initiatives are designed to ensure the maximum impact of our efforts in protecting and promoting the fundamental right to privacy, with or without changes to privacy law, and some focus specifically on preparing for any legislative shifts.

Areas of focus

To advance this priority, we will leverage data and partnerships to understand stakeholder needs, optimize service delivery, and assess our impact. Our approach includes harnessing data, business intelligence, and partnerships to produce focused guidance and outreach, as well as to address compliance issues in the public and private sectors. We will pursue timely, constructive, and strategic engagements to continue to help shape federal privacy laws and regulations. We will ensure that we have dedicated capacity, delineated roles and responsibilities, and a clear roadmap for the timely implementation of a potential new law.

Strategic initiatives

1. Increase the use of information and data to identify trends and assist with decision-making:

• Use business intelligence and a robust risk management framework across the OPC to make key decisions and strategic choices, given limited resources.
• Address strategic issues horizontally for alignment across the OPC and greater effectiveness.
• Use insights gained to optimize service delivery, including ongoing innovations to ensure fair, accessible and timely handling of complaints and assessment of breach reports.
• Institute comprehensive impact measurement to evaluate outcomes and refine our services and strategic direction.

2. Provide focused guidance and outreach informed by data, business intelligence, and stakeholder input:

• Conduct research, analyze data, leverage business intelligence, and engage with diverse groups to deepen our understanding of the context and stakeholder perspectives.
• Channel efforts to develop new or updated privacy advice and guidance where it is most needed, informed by insights gained.
• Use knowledge acquired to identify new opportunities for tailored and proactive promotional, educational, and outreach initiatives.

3. Cultivate and leverage strategic partnerships:

• Invest in our partnerships and joint initiatives, for instance with provincial, territorial, and international privacy and data protection authorities, other regulators, and federal institutions with a privacy leadership role.
• Strengthen channels with external communities and networks to enhance collaboration and information exchange.
• Expand involvement into new forums, working groups, and platforms to enrich our perspective and insights.
• Leverage partnerships to deepen our understanding of constituencies and tailor our efforts, further relying on partnerships to help deliver on our mandate if law reforms do not materialize.

4. Plan for the effective implementation of potential new privacy legislation:

• Continue to contribute advice and expertise to inform federal privacy law reforms, the development of regulations, and their implementation.
• Create a dedicated internal horizontal task force to plan and execute the implementation of a new law, with a clear transformation roadmap to ensure readiness at all key stages.
• Review, refine, and enhance organizational structures, roles and teams, as well as our processes, in order to align with any new obligations.
• Learn from and leverage knowledge, guidance, training, and other resources from privacy and data protection authorities and other organizations with law reform experiences.
• Develop a plan to provide timely information and support on new requirements to the public and stakeholders.

---

Strategic priority 2:
Addressing and advocating for privacy in this time of technological change

Addressing the privacy impacts of the fast-moving pace of technological advancements, especially in the world of artificial intelligence (AI) and generative AI

We are experiencing a technological revolution. As technology advances at an unprecedented pace, individuals and organizations eagerly embrace its transformative potential. The boundless opportunities offered by innovations such as AI and generative AI promise efficiency, convenience and global connectivity, inspiring widespread participation. While people seek to benefit from all that technology affords, from innovative solutions to enhanced communications, there is a pressing need to address the escalating risks to privacy. The extensive collection and use of personal information fuelling technological advancements can raise significant concerns for privacy, while embedding privacy in their design and implementation can result in technologies that are responsible, trustworthy, and privacy protective. Rapid technological evolution demands a vigilant approach to understand, identify and mitigate the associated risks, and to hold organizations accountable through enforcement where necessary. By fostering a culture of privacy, encouraging the use of privacy-by-design principles, and establishing privacy standards, we aim to encourage innovation while protecting the fundamental right to privacy.

Areas of focus

To advance this priority, we will focus on enhancing our internal capacity and capabilities, forging strategic partnerships, and fostering technological knowledge and experience-building initiatives. We will cultivate a robust foundation for horizontal decision-making to address privacy challenges related to new technologies. We will prioritize investments and establish ourselves as responsible adopters, exemplifying how our organization can leverage technology effectively while also protecting privacy.

Strategic initiatives

1. Strengthen tech-focused internal awareness and alignment:

• Enhance internal awareness, knowledge, and expertise in relation to emerging technologies, including AI and generative AI, leveraging and sharing business intelligence for strategic decision-making.
• Analyze and leverage business intelligence to inform compliance actions aimed at improving businesses’ and institutions’ compliance with privacy laws.
• Optimize existing resources and use dedicated working groups, stakeholder relationships, and international coordination to promote privacy solutions and best practices.

2. Augment our capacity around advanced and emerging technologies:

• Expand our internal capacity to understand and use emerging technologies through exchanges, knowledge-sharing, ongoing training, and experience.
• Address resource scarcity, strengthen networks, and prepare for upcoming challenges via resources such as the Treasury Board Secretariat GC Digital Talent and consider strategically leveraging external resources.
• Provide training and disseminate knowledge of privacy issues related to technology via toolkits, Tech alerts, and other approaches.

3. Maximize external partnerships involved in tech for broader impact:

• Evaluate and enhance existing partnerships in tech for increased efficiency and value, amplifying our collective reach.
• Develop a more comprehensive network, broadening relationships to include more business groups, technology companies, civil society experts, and academia.
• Partner with organizations, such as universities, engaged for example in privacy-by-design projects to avoid duplication and foster technological innovation.

4. Establish concrete privacy standards for existing and emerging technologies:

• Define, use, and promote, in a timely way, privacy standards for technology that are clear and practical, for example in the form of templates and tools such as model privacy-friendly contract clauses.
• Promote privacy-by-design principles and privacy standards through, for example, concrete recommendations in investigations and advice on privacy impact assessments involving new technologies.
• Position privacy standards as a competitive advantage, fostering an environment where Canadians expect and value robust privacy practices.

---

Strategic priority 3:
Championing children’s privacy rights

Ensuring that children’s privacy is protected and that young people are able to exercise their privacy rights

The online world offers young people opportunities for innovation, creativity, and self-expression, but it also brings unprecedented challenges to their privacy. Embracing new technologies increases the risk of being targeted, manipulated or harmed online. Upholding children’s fundamental right to privacy enables them to benefit from technology without compromising their well-being.

Organizations must embed privacy measures in their products and services, recognizing the unique vulnerabilities and rights of children in the digital world, and they should be held to account when they do not. Parents and caregivers may need more awareness of privacy risks to model good practices and support young people’s privacy education. Young people may not fully grasp the long-term consequences of agreeing to have their data collected.

Legislation should align with the best interests of the child, recognizing their data as sensitive, with age-appropriate privacy tools and safeguards against unauthorized access.

The OPC has been advocating for laws that explicitly acknowledge children’s rights and compel organizations to embed privacy into their products and services by design and as a norm. Our commitment to this issue stems from the belief that children deserve to be children, even in the digital realm, free from deceptive practices and with the freedom to navigate online spaces securely. Organizations will benefit from more guidance to meet their obligations to respect children’s privacy and to design services and products with children’s privacy in mind. Empowering children and their parents to be more knowledgeable about the implications of their privacy choices will help build a generation of children and adults with strong and inherent privacy awareness.

Areas of focus

To advance this priority, we will continue our efforts to advance privacy rights, while also concentrating specific initiatives on the needs of children and young people. We will deepen our understanding of youth privacy, learn from young people and those that advocate for them about their privacy concerns and rights, and identify key opportunities through research and engagement.

Our focus is on increasing knowledge regarding key children’s privacy risks, issues, and gaps, as well as better understanding how and where children consume content. We aim to enhance internal capacity and expand partnerships to amplify the uptake of resources, guidance and advice. We will also apply a children’s privacy lens to our enforcement activities and leverage our findings to inform and incentivize organizations to develop products and services with better privacy protections for children.

Strategic initiatives

1. Enhance our knowledge and expertise in children’s privacy:

• Analyze and leverage internal data, for example via investigations and information requests, as well as existing research on youth privacy.
• Fill knowledge gaps by conducting comprehensive research and collaborating with relevant specialists including, for example, sociologists and behavioural scientists.
• Share findings across the organization and with partners to inform a consistent understanding and guide strategic initiatives focused on children’s privacy.

2. Engage youth for informed education and outreach:

• Engage with and hear from a diverse range of children and youth directly, for instance, through consultations or other means.
• Identify and produce resources, guidance, and advice tailored to the information-seeking and content consumption behaviours of young people, as well as businesses and parents/caregivers.
• Based on research and insights gained, design impactful public education, outreach and advertising campaigns, employing diverse and relevant channels, tactics, and language.

3. Apply a children’s privacy lens to compliance work:

• Leverage youth-related investigations to increase awareness of children’s privacy risks and rights and to help drive change in organizations’ specific behaviours.
• Prioritize investigations and assessment of data breaches involving children’s privacy, taking demographics into consideration, to assess compliance and inform businesses and government institutions of expectations regarding children’s data.
• Collaborate domestically and internationally to identify emerging threats to children’s privacy, engaging in joint enforcement activities for broader impact.

4. Cultivate networks and partnerships for insights and impact:

• Broaden our relevant partnerships with federal, provincial, territorial and international entities, academia, and youth councils.
• Share resources and best practices relevant to children’s privacy through expanded networks.
• Collaborate with others to leverage their expertise and effectively reach our targeted audiences where they are.

---

The way forward

The OPC’s Strategic Plan will serve as our guide for the next three years as we endeavour to make a concrete difference in each of our three interconnected strategic priority areas.

We are steadfast in our commitment to maximizing our impact by fully and effectively promoting and protecting privacy; to addressing the privacy impacts of the fast-moving pace of technological advancements; and to championing children’s privacy rights and enabling young people to exercise those rights. Several activities are underway under all three priorities.

Working in tandem with our Departmental Results Framework, this plan operates at a high-level and is not meant to be an extensive inventory of all our future activities. Instead, it serves as a tool to inform our choices, directing our energies toward areas where we see the greatest risk and potential impact.

It defines our strategic priorities and the types of initiatives crucial to their advancement, laying groundwork for tactics that will be developed in our annual business plans, along with metrics to benchmark and measure progress.

While this document sets a clear direction in broad strokes, we must also make room for ongoing review, reflection, and adaptation, recognizing the dynamic nature of this field. We will remain agile, so that we can adjust to all circumstances, irrespective of potential reforms to the law. The plan also considers the reactive aspect of our mandate, including responding to the complaints brought to us by those who believe that their privacy has been violated by a federal government institution or private sector organization, as well as reviewing and responding to breaches of personal data.

We are committed to transparency in tracking and regularly communicating our progress toward our goals, including in our annual reports to Parliament and our Departmental Results Reports.

Just as important as the priorities themselves are the cross-cutting guiding principles we adhere to that help us achieve them, such as data-informed decision making, risk management, capacity building, excellence, and collaboration.

Emphasized throughout is the acknowledgment that we cannot do it alone. We place immense value on working with diverse partners, networks, and experts to collectively navigate the opportunities and challenges ahead and to protect and promote the fundamental right privacy to the best of our ability. We look forward to these collaborations and to all the important work ahead.