Keynote remarks at the International Association of Privacy Professionals (IAPP) Canada Privacy Symposium 2024

June 10, 2024
Toronto, Ontario

Address by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

---

Good morning,

It is wonderful to be back in Toronto for my second IAPP Canada Privacy Symposium.

After attending this event last year, what struck me was the level of discourse and diversity of views given the incredible cross-section of participants from industry, the regulatory sphere, government, academia, and civil society.

What I appreciate the most about this annual event is that regardless of what sector we represent, we are all connected by a strong commitment to privacy.

The opportunity to learn from one another, and to discuss approaches and solutions to both the day-to-day privacy protection challenges that we face, as well as the bigger existential questions that we are confronting in today’s data-driven world, is so valuable.

I am also looking forward to the discussions that will be taking place over the next two days.

These topics align closely with the major privacy trends that we have seen in Canada and around the world, such as the ongoing rise in digital connectivity, the increasing threat and severity of cyberbreaches, the proliferation of artificial intelligence (AI), and greater concern for the privacy of young people.

These trends are discussed in my Annual Report, that was tabled in Parliament this past Thursday.

It is no surprise that these trends also dovetail with the strategic privacy priorities that I first spoke about at this symposium last year.

Since that time, I have elaborated on those priorities and related objectives in a strategic plan that will guide the work of my Office through 2027.

Briefly, the priorities are:

• Protecting and promoting privacy with maximum impact;
• Addressing and advocating for privacy in this time of technological change; and
• Championing children’s privacy rights.

In my remarks today, I will highlight some of the activities that are planned and expand on some initiatives that are already underway to achieve the objectives of my strategic plan.

I believe that achieving the goals set for these priorities will be a collective effort that relies on all of us in our various capacities, so that we can create a future where innovation can flourish, and where privacy is protected.

In consulting on my strategic plan earlier this year, I asked stakeholders to provide feedback on how the plan should be implemented to advance my priorities for the next three years. 

Most of the feedback came from industry associations, was generally positive, and those who commented largely agreed that the three priorities are in line with current privacy challenges.

However, something else that I heard and that I am reflecting on, is how the OPC can further support and enable innovation in Canada. I also heard a desire to be consulted, on the guidance and advice that we develop to help organizations prepare for and transition in the event of law reform.

I appreciate all of the feedback that I received on my strategic priorities, which will also help shape this work.

Maximizing OPC Impact

An important aspect enabling my Office to maximize its impact is ensuring that we build capacity to meet the privacy challenges of our time.

I welcomed two new Deputy Commissioners into my organization this year – Isabelle Gervais and Marc Chénier.

Isabelle brings a wealth of cross-regulatory experience to the role of Deputy Commissioner, Compliance, which is essential given the increasing intersection between privacy and other spheres.

Marc, who has held a number of legal leadership roles, takes on the role of Deputy Commissioner and Senior General Counsel, Legal Services. It is a new position that reflects the importance of the legal team to the work of the OPC in a privacy landscape that is increasingly more challenging and complex.

I will continue to review the OPC’s governance and processes to ensure that we are as effective and efficient as we need to be.

To better serve Canadians and fulfill our mandate, we have also bolstered our capacity by hiring experts in user experience, data and information management, technology and AI, and digital service delivery.

I intend for my Office to lead by example by being innovative while also protecting privacy. It is not a zero-sum game.

This is, in part, recognition that, just as data is used to fuel innovation, innovation must also be used to protect data.

Another way that I see my Office maximizing its impact is by advocating for law reform to better protect personal information, and by preparing to implement potential new privacy law for the private sector in Canada.

Since I became Privacy Commissioner two years ago, I have appeared before parliamentary committees more than a dozen times to provide feedback on bills, parliamentary studies, and draft regulations with privacy implications.

Like many of you, I am watching the clause-by-clause consideration of Bill C-27 with interest.

I have proposed 15 key recommendations to strengthen the Bill, including recognizing privacy as a fundamental right and protecting children’s privacy and the best interests of the child.

I was encouraged to see the Committee reflect these recommendations, as well as others, in their amendments to the Bill.

That said, protecting privacy with maximum impact also means using existing laws to address new and increasing challenges.

This is true in the case of generative AI where, along with my Canadian and international colleagues, I have stated very clearly that while new and modern laws on AI may be necessary, our current privacy laws apply, and we will enforce them.

Existing privacy laws also apply to children. A good example of this in action is my current investigation into TikTok with my counterparts in Quebec, British Columbia, and Alberta, which is nearing completion. The investigation is focusing on TikTok’s privacy practices as they relate to younger users, including whether the company obtained valid and meaningful consent from these users for the collection, use, and disclosure of their personal information.

It is also true in the case of online harms. Coincidentally, Bill C-63, the proposed Online Harms Act, was tabled around the time that I issued my report of findings in a complaint against Aylo, which operates Pornhub and other pornographic websites. I reiterated that the non-consensual sharing of intimate images was a serious privacy violation, and that organizations have an obligation under privacy law to prevent and remedy this.

As the federal government develops legislation that coincides with many of the issues raised in these investigations, I hope that these findings can help to inform the policymaking process.

Building partnerships and expanding collaboration

In a world where information flows transcend borders and jurisdictions, I am also prioritizing collaboration with partners and stakeholders across the country and around the world to amplify our collective impact in protecting and promoting the fundamental right to privacy.

To that end, I am announcing today the launch of a joint investigation with U.K. Information Commissioner John Edwards. Together, we will be investigating a privacy breach at the global direct-to-consumer genetic testing company 23andMe.

My Office will also continue to work closely with our counterparts in Quebec, British Columbia, and Alberta as the investigation proceeds.

Given the highly sensitive nature of genetic information, we will leverage our combined resources and expertise to examine the scope of information that was exposed by the breach and potential harms to affected individuals, the adequacy of safeguards that were in place to protect highly sensitive personal information in the company’s control, and the company’s breach notification processes.

In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. For these reasons, ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.

Last week, I also announced with my colleague from B.C. Michael Harvey,  an investigation into Certn, a Victoria, B.C. company that conducts background checks, including tenant screening, for landlords. We are examining the company’s practices with respect to tenant screening to determine if they are compliant with the consent provisions in both federal and B.C. privacy laws. The investigation will also assess whether the company ensures that the information that it collects, uses, and discloses for the purposes of tenant screening is sufficiently accurate, complete, and up to date.  

In addition to working with other jurisdictions on investigations, I have also created a new International, Provincial and Territorial Relations Directorate at the OPC. Among its responsibilities, the new directorate supports the OPC’s growing participation in international privacy protection organizations to help shape and improve global privacy standards.

For example, I currently chair the Global Privacy Assembly’s Working Group on Data Protection and Other Rights and Freedoms. Together with the digital rights advocacy group Access Now, we have created an award to recognize the work done by organizations conducting exemplary work at the intersection of both privacy and other fundamental rights. I look forward to the imminent launch of the nomination process, and to announcing the inaugural Privacy and Human Rights award winner during the RightsCon conference in Taiwan next February.

My team and I are also working with our international partners on joint initiatives so that we can collectively expand our capacity.

For instance, last year I hosted an International Symposium on privacy and AI in conjunction with the 72nd meeting of the International Working Group on Data Protection in Technology. We welcomed experts from academia, industry, civil society, and government as well as fellow data privacy authorities to discuss the opportunities and risks involved in generative AI, and how all sectors can best work together to address them. Many of you were among the participants, and from the feedback that I have heard, the event was very well received.

The symposium positions us well for Canada’s G7 Presidency in 2025, where we can expect the G7 Industry, Technology and Digital Ministers and First Ministers to continue their important work that addresses key issues in technology, innovation, and data flows. I look forward to hosting the G7 Data Protection and Privacy Authorities Roundtable in Ottawa next year. Alongside the roundtable, we plan to host a second international privacy symposium, building on the success of our inaugural event. My Office is in the early planning stages and I will have more details to share in the coming months.

Another important update relates to cross-sectoral regulatory cooperation. I recently assumed the role of Chair of the Canadian Digital Regulator’s Forum for the year.

This partnership with the Competition Bureau and the Canadian Radio-television and Telecommunications Commission was created in spring 2023 to harness the collective expertise and impact of our agencies and strengthen our work to better respond to the scale, speed, and global nature of digital markets.

I look forward to building on the achievements of the first year of this Forum, especially in the area of AI technologies.

Throughout the past year, I have also had the opportunity to speak with professionals and representatives from many different industries and sectors in Canada.

I have heard from industry that there is a desire for more consultation.

I welcome this feedback. While I may not be able to implement every recommendation that I receive, listening to different perspectives helps to inform and shape my Office’s direction.

On this theme, I am pleased to share details about an exploratory consultation that I am launching today on guidance related to privacy and age assurance.

Age assurance is a matter that is being considered in many contexts, domestically and internationally, to limit children’s exposure to potentially harmful online content. However, age-assurance methods also raise privacy implications related to the collection of sensitive personal information.

To support this work, I have decided to consult on this issue earlier in the policy cycle, to seek feedback and input that will inform the subsequent draft guidance that my Office will develop.

I am seeking feedback on a document that I have released today, which sets out the OPC’s preliminary thinking on the use of age-assurance systems. 

I invite you to read our consultation paper and provide feedback on age assurance overall, to support or offer new or different perspectives to the preliminary thinking on the topic, and to help refine an appropriate path forward.

This feedback will inform a first draft of guidance on age assurance that will subsequently be shared for consultation before it is finalized, with a goal of issuing final guidance by the end of the fiscal year.

I believe that this topic is timely and important, as Parliament is currently considering several Bills that touch on this subject.

Addressing the unprecedented scale and speed with which privacy impactful technology is being adopted

Addressing the unprecedented scale and speed with which privacy impactful technology is being adopted is another key objective for me over the next three years, with a particular focus on generative AI – an area that has garnered immense attention, excitement, fear, and anxiety in recent years.

Given this objective, just over a year ago, I launched an investigation into generative AI technologies. Following a complaint against OpenAI’s ChatGPT, the investigation became a joint effort with my Quebec, British Columbia, and Alberta counterparts.

In this investigation, we are examining compliance with requirements under the relevant Canadian privacy laws in relation to consent, openness, access, accuracy, and accountability. As well, the investigation is considering whether OpenAI is collecting, using, and disclosing personal information for an appropriate purpose.

The investigation is a high priority. We are working to complete it in a timely manner, at which point I look forward to sharing the results.

Generative AI was also the subject of a joint federal-provincial-territorial effort in December, when my fellow privacy regulators and I issued a set of principles to advance the responsible, trustworthy, and privacy-protective development and use of the technology.

It lays out how key privacy principles apply when developing, providing, or using generative AI models, tools, products, and services, be it in the public or private sector.

By fostering a culture of privacy, encouraging the use of privacy-by-design principles, and establishing privacy standards, we can encourage innovation while protecting data and the fundamental right to privacy.

On this topic, tomorrow I will have the pleasure of attending the inaugural PICCASO Canada Privacy Awards that will be presented here in Toronto, to recognize excellence and innovation in privacy protection and data security.

As I have said since becoming Privacy Commissioner, it is important not only to identify privacy gaps but also to celebrate and recognize privacy champions and innovators.

We also need to use innovation to protect data. This is especially true with respect to countering cyberbreaches.

According to a recent study, 94% of organizations around the world have experienced a cyberattack of some form in the last year. The rising threat and severity of such attacks is of significant importance to both public and private-sector organizations.

In Canada, the OPC received over 350 reports of cyber incidents from both the private and public sector. For the private sector, cyberbreaches accounted for 46% of all breach reports last year.

According to IBM’s 2023 Cost of a Data Breach Report, the average cost of a single data breach in Canada last year was nearly $7 million. This was the third highest cost in the world, with financial and energy companies among the hardest hit.

I also remain concerned about breaches of federal government institutions, and have cautioned that these organizations are attractive targets for cyberattacks. They must have robust safeguards to mitigate against breaches and protect the sensitive personal information and programs that they manage.

This year, I launched two major cyber breach investigations involving federal government institutions – one that affected Global Affairs Canada, and another that affected the personal information of federal government personnel who used government-contracted relocation services over the past 24 years. I look forward to sharing takeaways of these investigations once they are completed to help others avoid cyberattacks, including private-sector organizations that can also benefit from lessons learned. 

Conclusion

In closing, protecting privacy is one of the paramount challenges of our time.

As Canada’s Privacy Commissioner, I am committed to strong advocacy, education, promotion, and enforcement.

I am also confident that the three strategic priorities that I have established will drive our effects to ensure that the fundamental right to privacy is protected for current and future generations.

Collaboration will be essential, as well as sharing and building on achievements and progress across each of our respective domains.

Thank you all for your commitment and leadership, and I look forward to joining you for the important discussions taking place over the next two days.