Issue sheets on the 2024-25 Main Estimates

Appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI)

OPC budget

Key messages

The total proposed funding for my office in the 2024-25 Main Estimates is $34 million.
This represents an increase of $4.5 million over the previous year, which is attributable to the additional funding resulting from the renewal of collective bargaining agreements ($2.1 million) and the temporary funding received as part of Budget 2023 ($2.4 million)
This temporary funding has enabled my office to reduce the complaints backlog and to undertake more in-depth investigations of privacy breaches, but we will need a more permanent solution if we are to address the full volume and complexity of privacy issues in the current environment.
That is why I have recommended that, at a minimum, the temporary breach and backlog funding of $5.7 million be made permanent.
We use this funding to protect and promote privacy rights, including by investigating complaints, assessing compliance, providing advice and recommendations, and working with stakeholders in other jurisdictions.

Background

The office’s 2024-25 Main Estimates of $34M break down as follows (2023-24 is provided for comparison):

	2023-24		2024-25
Budgetary	$M	%	$M	%
Personnel expenditures (including EBP)	24.3	83	28.3	83
Operating expenditures	4.7	15	5.2	15
Contributions Program	0.5	2	0.5	2
Total reference levels	29.5	100	34.0	100

Prepared by: Corporate

Funding under Budget 2023

Key messages

Budget 2023 provided $5.7 million over two years to undertake more in-depth investigations of privacy breaches across public and private organizations and to improve response rates to privacy complaints from Canadians.
This temporary funding has enabled real headway on these priorities, but we will need a more permanent solution if we are to address the full volume and complexity of privacy issues in the current environment.
That is why I have recommended that, at a minimum, the temporary breach and backlog funding of $5.7 million be made permanent.
The Budget also announced an additional $15 million over five years to help our office prepare to implement our expanded responsibilities under Bill C-27, which we have not accessed yet.
- Additional long-term funding will also be necessary if Bill C-27 is adopted.

Background

Budget 2023 provided an additional $5.7M over two years for the office to deal with a growing number of reported privacy breaches and the complaints backlog.

2023-24 2024-25

2.84M 2.84M
Budget 2023 provided the following temporary new funding to support the office in implementing its new obligations under Bill C-27:

2023-24 2024-25 2025-26 2026-27 2027-28

2M 4M 4M 3M 2M

2023-24	2024-25
2.84M	2.84M

2023-24	2024-25	2025-26	2026-27	2027-28
2M	4M	4M	3M	2M

Prepared by: Corporate

Resource implications of Bill C-27

Key messages

Bill C-27 would expand my office’s existing responsibilities, introduce new ones, and also grant some discretion in how we do our work.
The 2020 Fall Economic Statement included $80 million over five years, of which a portion has been earmarked for my office, to support the implementation and enforcement of what is now Bill C-27.
- More recently, Budget 2023 provided $15 million over five years for us to ramp up operations in preparation for the potential adoption of the new legislation.
We estimate that the full implementation of Bill C-27 will require ongoing annual funding of approximately $25 million; the Government has currently allocated us less than half that amount.

Background

(Redacted)
Budget 2023 provided the following temporary new funding for this purpose:

2023-24 2024-25 2025-26 2026-27 2027-28

2M 4M 4M 3M 2M
Our current estimate of the total implementation cost of Bill C-27 is approximately $25 million (excluding the Employee Benefit Plan) – more than twice the amount that has been allotted to us in permanent funding under the fiscal framework.

2023-24	2024-25	2025-26	2026-27	2027-28
2M	4M	4M	3M	2M

Prepared by: Corporate

Resource allocation

Key messages

My office continues to allocate its resources in a way that is forward-looking to prevent privacy issues before they arise as opposed to addressing them only after the fact.
One of our guiding strategic priorities is to maximize the reach and impact of our efforts to protect and promote privacy rights.
Given our current funding level, this is not always possible when a significant portion of our resources must be focused on the investigation of individual complaints.
To ensure an appropriate balance between the need to promote and enforce compliance, we currently split our budget almost equally between our promotion and compliance programs.

Background

The following table summarizes the Main Estimates for full-time-equivalent employees by area of responsibility in the office’s Departmental Results Framework (2023-24 is provided for comparison):

	2023-24		2024-25
Program area	$M	FTEs	$M	FTEs
Promotion	11.2	79	12.1	77
Compliance	10.5	74	12.9	90
Internal services	7.8	54	9.0	54
Total reference levels (Main Estimates)	29.5	207	34.0	221

Of the 2024-25 amounts, $30.6M requires parliamentary approval; the remaining $3.4M relates to statutory forecasts for employee benefits and is provided for information only.

Prepared by: Corporate

Funding models of agents of Parliament

Key messages

As an agent of Parliament, my office operates independently of government to provide non-partisan advice and recommendations to the House and Senate.
Given my role to scrutinize government compliance with privacy law, decisions regarding the funding level of my office should not rest solely with the government of the day.
That is why I would welcome greater parliamentary involvement in funding determinations for my office, which would reinforce our independence, promote greater transparency, and help ensure sufficient resources for us to fulfill our mandate.

Background

Not all agents of Parliament are funded like the OPC. For example, the funding procedure for the Conflict of Interest and Ethics Commissioner and the Parliamentary Budget Officer specifically excludes any role for Treasury Board in the development or review of budget proposals. Similarly, the Office of the Chief Electoral Officer receives much of its funding by statutory authority under the Canada Elections Act.
In January 2019, the OPC, the Office of the Information Commissioner (OIC), and other agents of Parliament sent a letter to the Clerk of the Privy Council calling on PCO to engage with them on alternative funding mechanisms.
In its June 2023 report on The State of Canada’s Access to Information System, ETHI recommended that the Government establish an independent funding mechanism for the OIC and those agents of Parliament that currently lack one.
In 2005, following a recommendation in an ETHI report on funding for agents of Parliament, Treasury Board launched a pilot project to establish an advisory House committee to consider funding proposals prepared by certain agents. A subsequent 2008 report concluded that the pilot project had been successful and recommended that the model be made permanent.

Prepared by: Corporate

Expertise within the OPC

Key messages

The scope of OPC’s operational environment is vast, requiring knowledge of fields such as privacy, IT, finance, national security, and law.
As a result, we try to recruit employees from diverse backgrounds and prioritize employee training and development given the pace with which our environment changes.
We seek to hire employees with the knowledge and skill set that can help us achieve the ambitious goals we have set ourselves in our strategic plan such as experts on children’s privacy.
This also includes strengthening our technology-analysis function by hiring staff with expertise in AI and generative AI. This is a priority in which our needs for training and expertise are exponential.

Background

Given privacy expertise is in high demand with the growing pressures on the labour market, we are adopting innovative retention strategies and efficient recruitment practices and continue to develop internal talent to retain skills, commitment, and organizational knowledge.
We will increase access to technology-related training content to ensure we are keeping up with and staying ahead of technological advancements and their impact on privacy, particularly with respect to AI and generative AI and children’s privacy.
We will assess the adequacy of the OPC’s framework supporting training, learning and development program and activities to ensure it enables and supports the OPC in achieving its mandate and objectives.
We are conducting a review of the structure and key job descriptions in Compliance.

Prepared by: Corporate

Recruitment, retention, and people management

Key messages

My office needs a stable, long-term source of funding to develop, attract, and retain the talent and expertise we need to deliver our mandate.
I am proud to say that the OPC remains an employer of choice, in no small part because of our investments in employee training and development, well-being, and technologies that support collaboration.
We remain committed to promoting the values of the public service and to strengthening our culture of accountability, equity, diversity, and inclusion to leverage the full potential of our employees and produce better results for Canada and Canadians.

Background

Human Resources Strategic Plan: We are extending the HR Plan, the Equity, Diversity, and Inclusion (EDI) Plan, and the Official Languages Plan until a new integrated strategic HR Plan is implemented later this year that will encompass various aspects of HR, including EDI initiatives, well-being, and official languages.
Recruitment Activities: We continue to leverage established internal and external pools of qualified candidates. We have staffing processes underway and plans to create an inventory for job opportunities at level for key positions while continuing to utilize various social networks, such as LinkedIn and GCconnex to attract talent while enhancing our utilization of data to inform recruitment and retention strategies.
Hybrid work: We continue to strengthen our hybrid work model to ensure successful onboarding and creating a sense of belonging, but also cultivate a positive brand image and reputation for our organization. We will also continue to ensure employees have the necessary information, adapted and modern tools to facilitate maximum flexibility and productivity of both telework and office work.

Prepared by: Corporate

Finding efficiencies

Key messages

Protecting and promoting the fundamental right to privacy with maximum impact is one of the key guiding priorities that I have set for my office under our current strategic plan.
In the last year, we have undertaken several initiatives to this end, including a restructuring of our operations, the introduction of our strategic plan, and an increasingly strategic use of our investigative powers, such as joint investigations.
In keeping with our strategic plan, we continually look for ways to enable greater efficiency, adaptability, and preparedness in the constantly evolving privacy landscape.

Background

Restructuring: last year we created two new positions: Deputy Commissioner and Senior General Counsel (to address the increasingly complex privacy landscape) and Chief Services and Digital Officer (to implement a digital vision and agenda). We also created a new Directorate of International, Provincial, and Territorial Relations to bolster engagements with other regulators and privacy organizations.
Results focus: In January we launched a strategic plan that lays out three key priorities that will guide our work through 2027:
1. protecting and promoting privacy with maximum impact,
2. addressing and advocating for privacy in this time of technological change, and
3. championing children’s privacy rights.
Strategic use of powers: We are making greater use of Commissioner-initiated investigations, enforcement powers and enforcement collaboration to achieve maximum impact more expeditiously.
Digital transformation: We continue to refine cloud technologies supporting a hybrid work model and have initiated a digital strategy to support OPC and its employees now and into a future based on sound cybersecurity, data and modern information management.

Prepared by: Corporate

2022-2023 Departmental Results Report highlights

Key messages

We continue to strive to meet the ambitious targets we have set ourselves under our departmental plan.
We have deliberately set our sights high and feel that we must remain bold in our aspirations given the interests at stake.
In 2022-23, we continued our work towards preparing our Office for the anticipated changes to our mandate, while also working towards the achievement of our Departmental Results Framework targets.

Background

The most recent results that are publicly available are for 2022-23 (see ToC #3 for the Full Departmental Results)
- Targets met: 2
  - Percentage of formal OPC recommendations implemented by departments and organizations.
  - Percentage of federal and private sector organizations that find OPC’s advice and guidance to be useful in reaching compliance.
- Targets missed: 6
- Indicators with no target: 2
  - The 2 indicators that measure our guidance to businesses and information to Canadians on key privacy issues had no target, considering the possibility of a transformed legal framework and the fact that our guidance is grounded in legislation and could quickly become outdated following such reform.
At the program level, the OPC met 2 of its targets.
Outcome-level and Program-level results are published on GC Infobase. (See ToC #4 for the consolidated table of all results for the last three fiscal years).

Prepared by: Corporate

2024-2027 Strategic Plan highlights

Key messages

In January, my office launched a strategic plan that lays out three key priorities that will guide our work over the next three years.
Our three strategic priorities are (1) protecting and promoting privacy with maximum impact, (2) addressing and advocating for privacy in this time of technological change, and (3) championing children’s privacy rights.
These priorities, which crystallized over the course of the first year of my seven-year mandate, were informed by engagements with a wide range of stakeholders.
The strategic plan reflects our commitment to a future where innovation can flourish and fundamental privacy rights are upheld.

Background

Priority one focuses on adapting as our operational context changes, such as through potential legislative reforms, and the pursuit of the most effective and efficient use of our resources and powers for optimal results for Canada and Canadians.
Priority two focuses on bolstering our ability to address the privacy impacts of the fast-moving pace of technological advancements, especially in the world of artificial intelligence (AI) and generative AI and encouraging privacy protective technological innovations.
Priority three is about doing more to promote and protect the privacy rights of children, who are particularly vulnerable in the digital age.
The OPC sought feedback from the public on the plan from January 22 to March 31, 2024, and the feedback received will inform how the plan is implemented.

Prepared by: Corporate

Privacy Act Extension Order

Key messages

In July 2022, the Privacy Act’s scope of application was extended to allow foreign nationals to request access to their personal information under the control of a federal government institution and to submit related complaints to my office. Previously, only Canadian citizens and those present in Canada had such rights.
To date, my office has received a modest number of complaints as a result of the extension order – approximately 270 in total.
However, we anticipate that the number of complaints will continue to grow in the coming years, which will put additional pressure on our operations since we have received no permanent funding for this purpose.

Background

The Privacy Act Extension Order was published on July 14, 2021, and came into force a year later. At the time, it was expected that it might result in hundreds of thousands of personal information requests across government, particularly at Immigration, Refugees and Citizenship Canada (IRCC).
We also anticipated a significant number of complaints against IRCC. This has not yet materialized, but we continue to monitor and anticipate a higher volume as dissatisfied requesters pursue complaints under the Order.
Under Budget 2022, temporary (one-year) contingency funding (redacted) was set aside for the OPC, which can be accessed through a reprofile request if we see a marked increase in complaints.
The office will engage with the Department of Finance to determine how best to address the increase in requests if the volume becomes unmanageable within existing resources.

Prepared by: Corporate

Investigations under the Privacy Act (general)

Key messages

Pursuant to subsection 29(1) of the Privacy Act, I receive and investigate complaints from individuals who may have been denied the right to access and correct their personal information, or who allege that their personal information has been collected, used, retained, or disclosed in contravention of the Act.
I may also choose to initiate a complaint, under subsection 29(3), when I am satisfied that there are reasonable grounds to investigate or decide, at my discretion to carry out investigations, under subsection 37(1), against any federal institution or organization covered by the Act.
Section 63 prevents me from discussing or disclosing the details of ongoing investigations. However, I can confirm that my Office is investigating:
- The contracting practices related to ArriveCAN, and more specifically the measures that were in place to protect personal information during the development of the app;
- A privacy breach resulting from unauthorized access to Global Affairs Canada’s virtual private; and,
- A cyberattack which resulted in a breach of the personal information of federal government personnel who used government-contracted relocation services over the past 24 years.

Background

Under section 63 of the Privacy Act, the Privacy Commissioner and every person acting on behalf or under the direction of the Commissioner shall not disclose any information that comes to their knowledge in the performance of their duties and functions under this Act.

Prepared by: Compliance

Investigations under PIPEDA (general)

Key messages

Pursuant to s. 12(1) of PIPEDA, I investigate complaints filed by individuals against organizations engaged in commercial activity.
If there are reasonable grounds to investigate a matter under the Act, I can initiate a complaint under s. 11(2) of PIPEDA.
MindGeek: In February 2024, I issued findings from my Office’s investigation into Aylo, operator of Pornhub and other websites.
TikTok: In February 2023, I commenced a joint investigation, with privacy authorities in QC, AB and BC, to examine TikTok’s privacy practices, in particular as they relate to its younger users.
ChatGPT: In May 2023, I commenced a joint investigation with my counterparts from QC, AB and BC into OpenAI, the company behind the AI-powered chatbot, ChatGPT.
Give-Send-Go: We are currently investigating the February 2022 breach, via the Give-Send-Go crowd funding website, of so-called “Freedom Convoy” donors’ personal information.
Where investigations are ongoing, due to confidentiality obligations, I cannot provide further details, but in each instance, we intend to issue our findings in the coming months.

Background

The Commissioner initiated complaints into OpenAI’s ChatGPT and TikTok, pursuant to s. 11(2) of PIPEDA (redacted).
The Give-Send-Go investigation was commenced in April 2022 and is ongoing. Our office recently completed information gathering, (redacted) and is drafting our preliminary report.

Prepared by: Compliance

ChatGPT

Key messages

In May 2023, my Office commenced an investigation with counterparts in Alberta, British Columbia and Quebec into the practices of OpenAI in relation to its ChatGPT service.
Among the issues we are examining are consent and transparency, accuracy, accountability, appropriate purposes and limiting collection.
As this is an ongoing investigation, I am limited as to what I can share at this time.
That said, I can say that through this investigation we seek to ensure that AI is developed and deployed in a responsible, privacy-preserving manner, consistent with one of of my Office’s three strategic priorities.

Background

ChatGPT is a natural language processing tool, or chatbot, driven by AI technology. The language model can answer questions and assist users with tasks such as composing emails and essays.
In April 2023, the OPC commenced an investigation into ChatGPT, after receiving a complaint that alleged that the company collected (“scraped”), used, and disclosed the complainant’s personal information for the purpose of its commercial text generation service, without obtaining consent. We closed this investigation in May 2023 to pursue a broader joint Commissioner-Intitiated Complaint. (redacted)
Several data protection authorities around the world, including various European authorities (such as the Italian Garante), have commenced investigations into ChatGPT. The European Data Protection Board launched a dedicated task force on ChatGPT, to "exchange information on possible enforcement actions".
As a member of the Global Privacy Assembly’s AI Working Group, we are exchanging information and learning from the experiences of our counterparts.

Prepared by: Compliance

TikTok

Key messages

My Office, along with the privacy protection authorities for Québec, British Columbia, and Alberta, launched a joint investigation into TikTok in February 2023.
We are examining whether TikTok’s practices comply with Canadian privacy legislation and in particular, whether valid and meaningful consent is being obtained for the collection, use, and disclosure of personal information.
Given the importance of protecting children’s privacy, which is one of my Office’s three strategic priorities, the joint investigation has had a particular focus on TikTok’s privacy practices as they relate to younger users.
We are aiming to release the results of the investigation within the coming months.

Background

The investigation was initiated in the wake of now-settled class-action lawsuits in the United States and Canada, as well as numerous media reports related to TikTok’s collection, use and disclosure of personal information.
Subsection 11(2) of PIPEDA states that “[i]f the Commissioner is satisfied that there are reasonable grounds to investigate a matter under [Part I of PIPEDA], the Commissioner may initiate a complaint in respect of the matter.”
Through collaboration with provincial counterparts, we are able to leverage our limited resources and distinct capabilities and share best practices and comparative strengths to more effectively and efficiently enforce privacy laws.
Children’s information is particularly sensitive, requires special consideration and requires even greater privacy safeguards. If it is not realistic to expect adults to understand and be accountable for complex privacy consent forms and rules, it is simply unacceptable to put this burden on children.

Prepared by: Compliance

Aylo (MindGeek)

Key messages

In February 2024, my Office concluded its investigation into a complaint against Aylo (formerly MindGeek), which operates Pornhub and other popular pornographic websites.
The complaint was from a woman whose ex-partner had uploaded an intimate video and images of her, along with other identifying information, to Pornhub and other Aylo-owned websites without her knowledge or consent.
Our key finding was that Aylo failed to ensure the complainant’s consent prior to allowing the upload and disclosure of her images.
We made a number of recommendations, including that Aylo stop sharing user-created intimate content until it implements measures to obtain express, meaningful consent directly from each individual who appears in uploaded content.

Background

When the Report of Findings was nearing completion in May 2023, Aylo launched a judicial review application with the Federal Court seeking to challenge our findings and recommendations and prevent us from finalizing and releasing the report.
- Aylo was ultimately unsuccessful and we were able to issue our final report.
We are aware of a blog post released in March 2024, after the release of our report, wherein Aylo indicates changes were made to its “co-performer” consent requirements in January 2024.
To date, we have not had an opportunity to evaluate these changes to determine if and to what extent they may comply with our recommendations or Canadian privacy law.

Prepared by: Compliance

Enforcement collaboration

Key messages

In the digital economy, protecting privacy against global risks is a common goal amongst Data Protection Authorities. Collaboration allows regulators to expand their capacity and amplify their impact.
Our office is a leader in enforcement collaboration, chairing or co-chairing in fora such as the Domestic Enforcement Collaboration Forum (DECF), the Global Privacy Assembly (GPA) and the Global Privacy Enforcement Network (GPEN).
Collaborative enforcement actions in the last year include joint investigations with our provincial colleagues into OpenAI (creator of ChatGPT) and TikTok, as well as a Joint Statement, with twelve global privacy authorities, regarding expectations for online platforms to safeguard against unlawful data scraping.

Background

OPC has launched five joint investigations since June 2022: Tiktok (AB, BC, QC) February 2023; Open Ai (AB, BC, QC) May 2023; (redacted).
In the last three years (since 2021), the OPC has concluded two joint investigations: Clearview AI (AB, BC, QC) in February 2021; and Tim Hortons (AB, BC, QC) in June 2022.
Two other concluded investigations included information sharing with parthers: Corefour (ON; concluded June 2021) and Biron (QC; May 2022).
DECF: Facilitates information sharing and collaborative enforcement with sub-sim provinces.
Global Privacy Assembly: The Intn’l Enforcement Collaboration WG (IEWG) brings together global authorities to advance collaboration enforcement of mutual interest.
GPEN: We host the website and led this year’s Sweep, a collaborative review of over 1000 websites and apps by 26 authorities worldwide into the use of deceptive design patterns that may push users to make less privacy-protective choices.
Recent non-formal enforcement examples: The IEWG has undertaken several joint activities towards enhancing global privacy compliance such as Credential Stuffing guidance; Facial Recognition Technology principles; and a joint statement on data scraping.

Prepared by: IPT + Compliance

Compliance breach statistics and trends

Key messages

In accordance with section 10.1(1) of PIPEDA and section 4.2.8 of the TBS Policy on Privacy Protection, organizations subject to PIPEDA or the Privacy Act (PA) must report privacy breaches to my office where there is a real risk of significant harm to an individual.
In 2023-24, we received 561 breach reports under the PA and 693 under PIPEDA (1,254 total), an increase of 28% over the previous year (979). The breaches reported in 2023-24 affected close to 25 million Canadian accounts.
Almost half (46%) of reports from the private sector cited cyberattacks resulting from malware, compromised credentials, hacking, or phishing schemes.
My office remains concerned that privacy breaches may be going undetected, mis-assessed, and ultimately unreported.

Background

The number of reported breaches resulting from cyberattacks on critical-infrastructure companies has increased significantly in recent years:
Breaches reported to the OPC

FY PIPEDA PA Total Critical infrastructure breaches

2023-24 693 561 1,254 205

2022-23 681 298 979 44
Bill C-26 (the Critical Cyber Systems Protection Act), which the Standing House Committee on Public Safety and National Security (SECU) recently reported back to the House, will require providers of vital services in federally regulated industries to report cybersecurity incidents to the Communications Security Establishment.
In our February 2024 SECU appearance on C-26, we called for flexibility to coordinate with other regulatory bodies where breaches involve personal information.

Breaches reported to the OPC
FY	PIPEDA	PA	Total	Critical infrastructure breaches
2023-24	693	561	1,254	205
2022-23	681	298	979	44

Prepared by: Compliance

Complaints statistics and trends

Key messages

A core function of my office is to receive and investigate complaints about the personal information-handling practices of federal government institutions and private sector businesses.
In 2023-24, we received a significant volume of complaints:
- nearly 1,750 under the Privacy Act (of which 1,113 were accepted), and
- over 1,100 under PIPEDA (of which 446 were accepted).
In 2023-24, we concluded 1,278 investigations under the PA and 405 under PIPEDA for a total of 1,683 (up 22% from the previous year).
Almost 90% of these were completed through summary investigations or early resolution, which aims to resolve matters to the satisfaction of complainants and respondents.
- A summary investigation is undertaken when early resolution is not possible but the facts can be addressed without a more expansive effort.

Background

Complaints received and accepted over the past three years:

	*Privacy Act*		PIPEDA		Total
FY	Received	Accepted	Received	Accepted	Received	Accepted
2023-24	1,749	1,113	1,108	446	2,857	1,559
2022-23	1,461	1,241	946	454	2,407	1,695
2021-22	2,923	906	894	427	3,817	1,333

Note: The higher-than-normal volume of Privacy Act complaints received in 2021-22 is related to visa applications to Immigration, Refugees and Citizenship Canada.
The number of complaints under PIPEDA that are accepted overall is lower since the office has greater discretion as to when to take up a complaint and because many of the complaints received are outside of our jurisdiction to investigate.

Prepared by: Compliance

Compliance backlog

Key messages

The OPC received temporary funding in Budget 2023 to improve its response rates to privacy complaints and breach reports.
In 2022-23, the OPC carried out a diagnostic examination, which looked at how resources were allocated within the Compliance Sector and identified process improvements including the use of automation (ex: updating our online breach and complaint forms to reduce data entry efforts).
At the end of 2023-24, the investigative backlog represented 20% (152) of all ongoing investigations. This is a decrease from 2022-23, when 24% (239) of ongoing investigations had been active for over 12 months.
In 2023-24, the OPC completed 1,683 investigations, representing a 22% increase over 2022-23, when 1,383 investigations were closed.
While the OPC continues to identify innovative ways to improve efficiencies, we continue to receive a high volume of complaints, many with increasingly complex privacy issues.
Without additional permanent funding to retain the talent and expertise, and legislative changes to provide the OPC with more discretion to investigate, the backlog is at risk of remaining high.

Background

Backlog of investigations incomplete after 12 months
FY	PA cases	PIPEDA cases	Total backlog
2023-24	86	66	152
2022/23	215	24	239
2021/22	73	28	101

Prepared by: Compliance

Government Advisory: Activities, statistics, and trends

Key messages

Support requests to the Government Advisory (GA) Directorate, the main point of contact for federal departments seeking guidance for initiatives involving personal information, continue to be high.
GA also relays OPC’s advice to TBS on the development of central government policies, directives, and standards operationalizing the Privacy Act.
We are seeing increasing interest in digital services and artificial intelligence across government, particularly for border control, immigration, and law enforcement. Use of AI for staffing and for monitoring employee data is also growing.
Our outreach sessions on privacy issues are always in high demand and well attended by federal government employees. For example, a May 2023 privacy awareness week event co-hosted with TBS attracted over 900 attendees.

Background

Volume of work: Last year we received a total of 265 PIAs, consults and inquiries from federal institutions up from 216 in the previous year. This included 123 PIAs, which is an increase of 38% since 2019, and 572 notifications of disclosures under section 8(2)(m) of the Privacy Act (public interest or benefiting the individual) continuing a trend of high volumes of 8(2)(m)s, with OPC regularly receiving over 400 a year.
TBS: We consulted with TBS on over a dozen files for central government guidance on personal information handling across government, including guidance on Generative AI and a plain language guide to the Privacy Act.
Outreach: We increased privacy knowledge and capacity in 127 departments through ten outreach events focused on privacy risk assessment and PIAs.

Prepared by: GA

ETHI study: Federal government’s use of technological tools capable of extracting personal data from mobile devices and computers

Key messages

I commend the committee for its ongoing work on this important topic, which has underlined the need to bring our public sector privacy law into the modern era.
My office learned only through media reports that certain federal departments and agencies were using digital forensics tools.
We are continuing to engage with institutions on updating existing privacy impact assessments or developing new ones where necessary. This is an ongoing process, but our conversations thus far have been positive.

Background

In December 2023, ETHI adopted a motion to study the federal government’s use of technological tools capable of extracting personal data from mobile devices and computers following a Radio-Canada report about the use of “spyware” by 13 federal departments and agencies. ETHI has since held six meetings on the topic.
The Commissioner appeared before the committee on February 1, where he summarized the office’s initial findings, namely that:
- only 3 of the institutions had completed a formal PIA while 8 noted that they had begun work on a new PIA or are contemplating updating an existing PIA to cover use of the new technology
Our office has since met with three of the institutions named in the media report about their plans to complete PAIs related to the tools.
Our office also wrote to all thirteen institutions (as requested by ETHI) to request responses to three follow-up questions. We shared our findings with ETHI in a letter submitted to the Committee on March 8.
The committee last met on this study on March 21, where it heard from Treasury Board president Anita Anand, who emphasized that institution heads are responsible for implementing the requirements of the Privacy Act and TBS policies.
She also indicated that TBS intends to publish an updated Directive on PIAs this summer; my Officials are being consulted on an early draft of this Directive.

Prepared by: PRPA/GA

Business Advisory: Activities, statistics, and trends

Key messages

A key function of my office is to provide advice to businesses of all sizes to help them meet their privacy obligations under PIPEDA.
In recent years, we have seen increased interest from small and medium-sized organizations as they explore new technologies and other innovations.
As the privacy landscape continues to evolve, my office will continue to engage with businesses to help support technological innovation while also protecting privacy as a fundamental right.

Background

BA advises businesses of all sizes under two program lines: (1) voluntary advisory consultations and (2) promotional outreach. In 2023-24, BA undertook 16 advisory engagements and 79 promotional activities (privacy clinics, exhibits, presentations, stakeholder meetings, targeted promotion sessions, etc.)
In 2023-24, 71% of all cases involved small and medium-sized enterprises, which play a critical role in economic growth and job creation. (Such cases were up from approximately 55% to 60% in previous years.)
BA continues to engage with organizations that are using new and advanced technologies and novel data-use and -sharing models in a range of sectors, including neurotech, health tech, fintech, retail, marketing, transport, and public safety. For example, in 2023-24, 40% of our cases involved AI.
To maximize our impact, BA leveraged partnerships through innovation hubs and business accelerators. For example, BA worked with 14 partners to reach over 500 businesses in Atlantic Canada and the Yukon.
BA also organized and hosted the OPC Privacy Forum in Toronto, which was attended by nearly 100 privacy professionals and experts from across Canada.

Prepared by: BA

Guidance development

Key messages

The guidance we provide is fundamental to our role in effectively promoting compliance with the law and in helping individuals understand and exercise their privacy rights.
We continue to see increased demand from organizations for advice and guidance on their privacy obligations.
We expect this trend to accelerate if Bill C-27 is adopted, and we have recently modernized our guidance-development processes with that scenario in mind.
We would welcome parallel responsibilities with respect to issuing guidance for public sector organizations under a reformed Privacy Act.

Background

The office has conducted international benchmarking on how other data-protection authorities develop guidance, which has informed our plans to implement processes that are evidence based, forward looking, and that will result in practical, concrete, and accessible guidance.
In addition to preparing for law reform, we are finalizing draft guidance on processing biometrics for the public and private sectors following a public consultation. We also plan to develop guidance for organizations on age assurance.
In the context of Privacy Act modernization, the Department of Justice has proposed that the OPC have the authority to engage in public education and to issue guidance on the interpretation and enforcement of the Act, in consultation with government.
S.110(1) of Bill C-27 would require the Commissioner to consult stakeholders, including any relevant federal government institutions, when developing guidance materials and tools for organizations with a view to promoting compliance. We are currently examining our consultation processes and plan to engage with stakeholders to seek their feedback.

Prepared by: PRPA

Parliamentary Affairs: Activities, statistics, and trends

Key messages

As an Agent of Parliament and the federal privacy ombudsman, I am frequently called upon to provide advice and recommendations to parliamentary committees and individual MPs.
Since my previous appearance before this committee on the Main Estimates in May 2023, my office has:
- appeared 10 times before standing committees, including four times before this Committee;
- monitored and reviewed nearly 38 bills and studies; and,
- responded to 14 requests from individual MPs.
On average, I appear fourteen times a year before different House and Senate committees.

Background

In 2023-24, we had the following key appearances on government bills:
- May 3, 2023: C-47, Budget Implementation Act, 2023, No. 1.
- October 19, 2023: C-27, Digital Charter Implementation Act, 2022.
- February 12, 2024: C-26, An Act Respecting Cyber Security and Amending the Telecommunications Act.
We anticipate being occupied with a range of initiatives and priorities in this session, including monitoring the progress of the following bills:
- C-27 (Digital Charter Implementation Act, 2022)
- C-63 (Online Harms Act)
- C-65 (Electoral Participation Act)
- C-26 (Critical Cyber Systems Protection Act)
- S-231 (Increasing the Identification of Criminals Through the Use of DNA Act)

Prepared by: PRPA

Budget 2024: Implications for the OPC

Key messages

Budget 2024 announced several funding commitments and legislative initiatives that could have privacy implications.
- These include new investments in artificial intelligence, online safety, cybersecurity, and legislative amendments to enable greater information-sharing to combat money laundering and terrorist financing, with an oversight role for the OPC.
Despite the various impacts such proposals might have on my office, the Budget included no additional resources for us.
We did receive temporary new funding under Budget 2023 to prepare for Bill C-27 and to address our complaints backlog. However, we will need a longer-term solution to keep pace with the full volume and complexity of privacy issues in the new environment.

Background

Budget 2024, which was presented in the House of Commons on April 16, announced several proposals that may have implications for our office, including:
- a $2.4B investment to “strengthen Canada’s AI advantage,” and a further $50M to create an AI Safety Institute
- $52M to implement the Online Harms Act
- Amendments to enable greater information sharing under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, which will entail an expanded oversight role for the office
- The implementation of a new reporting framework for crypto-asset transactions to facilitate information-sharing between OECD member countries
- $84M for the Treasury Board Secretariat and Library and Archives Canada to “to maintain the access to information and privacy regime”
Budget 2023 provided $15M over five years to support our office in implementing its new obligations under Bill C-27, and $6M over two years to deal with a growing number of reported privacy breaches and the complaints backlog.

Prepared by: PRPA

International relations: Key activities

Key messages

Stronger global privacy rights, and international partnerships, helps to ensure that Canadians’ personal information remains protected when it is processed outside of Canada’s borders.
The OPC takes part in international networks and cooperates with counterparts to leverage resources, develop common policy positions and share best enforcement practices.
One of these networks is the G7 DPA roundtable, which my office looks forward hosting in 2025. In support of taking on this role, we are engaging with key government partners to support and promote Canada’s broader vision for its G7 presidency.

Background

G7 DPA Roundtable: Annual meeting will be in Rome in October. Three working groups: (1) Data Free Flow with Trust; (2) Enforcement Collaboration; (3) Emerging Technologies, which OPC chairs.
- Latest update: on April 25, we reached out Global Affairs Canada and ISED to engage on the planning process and facilitate collaboration in support of Canada’s G7 objectives at the G7 DPA Roundtable.
Global Privacy Assembly (GPA): Chair of the Data Protection and Other Rights and Freedoms WG; Int’l Enforcement Cooperation WG; and Digital Citizens and Consumers WG. Member of 8 other GPA working groups including on Ethics in AI and on Digital Education.
- Key 2023 Resolutions: on Privacy and Human Rights Award (sponsor); on AI and Employment (co-sponsor), and on Generative AI Systems (co-sponsor).
Other key networks: (1) Global Privacy Enforcement Network (GPEN); (2) Asia Pacific Privacy Authorities Forum; (3) Association francophone des autorités de protection des données personnelles; (4) Common Thread Network; and (5) Berlin Working Group.
Participation in International Government fora: (1) Asia-Pacific Economic Cooperation (APEC) Data Privacy Subgroup; (2) Global Cross Border Privacy Rules Forum; (3) OECD Working Party on Data Governance and Privacy in the Digital Economy.
MOUs: OPC has signed nine bilateral MOUs and three multilateral MOUs that cover mutual assistance in enforcement: (1) APEC Cooperation Arrangement for Cross-Border Privacy Enforcement; (2) GPA Cross Border Enforcement Cooperation Arrangement; (3) Global Cooperation Arrangement for Privacy Enforcement (Global CAPE)

Prepared by: IPT

International relations: Statistics and trends

Key messages

It is difficult to compare the OPC to other data protection authorities globally. The scope of mandates can vary and privacy legislation is at varying levels of maturity world wide.
That said, my Office is a global outlier in that we do not have the power to issue orders or impose penalties for privacy violations. Bill C-27 would remedy this and we remain hopeful that Parliament will reform PIPEDA to give my Office this important tool.
Mandatory breach reporting is the international standard. Although Canada has mandatory reporting in the private sector, I continue to call for this in the public sector.

Background

Data based on the 2023 GPA Census, which surveyed GPA members’ 2022 data:

Funding: 71.1% of DPAs reported a budget increase compared to the previous year, with only 12.8% experiencing a budget decrease. 62.8% of DPAs increased their staff compared to the previous year.
- OPC received $6m in temporary funding over 2 years in Budget 2023 to address backlog and breaches, and $15m over five years to operationalize the CPPA (not yet accessible).
Enforcement Powers: 74% of DPAs can impose fines or penalties for privacy violations. 90% have the power to investigate and sanction civil/administrative breaches.
- C-27 would give OPC increased enforcement powers but until PIPEDA is reformed, Canada federally remains an outlier.
Enforcement Cooperation: 63% of DPAs have a mechanism for cooperation with other regulatory authorities.
- Under PIPEDA, OPC can cooperate and share information with international counterparts subject to certain conditions, most notably a requirement for a written arrangement with the other party. OPC has 9 bilateral and 3 multilateral MOUs in place.
Breach reporting: 87% of authorities have mandatory breach notification requirements in their jurisdiction. 68% publish information on the infringement notifications they receive, for example, the total number of notifications received, the breakdown by sector or the details of which give rise to formal action.

Prepared by: IPT

Technology Analysis: Activities, statistics, and trends

Key messages

Addressing the privacy impacts of technological advancements, particualry concerning AI, is one of my office’s strategic priorities.
In support of this, my office studies different technologies to assess their potential privacy implications.
OPC has a team of IT analysts who use their extensive technological expertise to examine malware, hardware components, mobile applications, and Internet-of-things devices with a view to promoting privacy through the safe and secure use of digital technologies by Canadians.
OPC’s technology analysis lab also supports compliance investigations and research related to emerging technologies, including artificial intelligence, biometrics, digital ID, as well as privacy-enhancing technologies like de-identification.

Background

The Technology Analysis Directorate (TAD) supports the work of the Office, including activities related to Canada’s anti-spam legislation.
TAD also analyzes emerging technologies, such as generative AI and age-verification techniques, in collaboration with other jurisdictions both within Canada and abroad.
TAD continues to support various investigations, breaches, and government initiatives related to technology, privacy, and cybersecurity.
Through the publication of blog posts, TAD also aims to raise public awareness of the privacy implications of different technologies. In 2023-24, TAD published blog posts on quantum computing, homomorphic encryption, and algorithmic fairness.

Prepared by: TAD

Communications: Activities, statistics, and trends

Key messages

Pursuant to our mandate to protect and promote privacy as a fundamental right, my office continues to deliver communications on a range of privacy issues, including youth privacy, major investigations, and domestic and international efforts to address the privacy impacts of new technologies.
Given significant shifts in the communications landscape, our communications team is constantly working to better understand and address the evolving information needs, interests, and expectations of Canadians.
We also respond to requests for information from the public and organizations through the OPC’s Information Centre.

Background

Key communications statistics from 2023-24 include:
- 2,548 requests for information received by the Information Centre
- 64 speeches or presentations delivered by Commissioner or OPC personnel
- 106 media releases, announcements, and speeches published
- 11,000 copies of OPC publications distributed (e.g., educational comic booklets)
- 120 media requests responded to
- 3.1 million unique visits to our website
Work undertaken in 2023-24 to better understand and address shifts in the information and communications landscape included public opinion research (Canadian businesses), a public environment analysis and educational scan related to youth privacy, research on user needs, and usability testing on our website.

Prepared by: COMMS

Contributions Program

Key messages

My office provides up to $500,000 a year for research and public education initiatives on a range of privacy issues related to PIPEDA through our Contributions Program.
These independent projects generate new information, expertise, and understanding that can help organizations strengthen privacy protections and assist Canadians in exercising their privacy rights in their interactions with the commercial sector.
Each year’s call for applications focuses on a particular theme that aligns with the priorities of the office. This year’s themes are addressing the privacy impacts of new technologies and protecting children’s privacy.

Background

Established in 2004, the Contributions Program has provided nearly $10 million in funding to different organizations for privacy research.
The program has funded a wide diversity of projects, including from the First Nations Information Governance Centre (on data sovereignty and PIPEDA); the Canadian National Institute for the Blind (on consent and inclusion, diversity, equity and accessibility); and the University of Western Ontario (on dark patterns).
All projects must relate to PIPEDA since the program exists under that Act. Proposals are evaluated based on merit by OPC subject-matter experts and, where necessary or appropriate, external peer reviewers. In most years, approximately $50,000 is allocated to successful applicants, up to a maximum of $100,000.
In 2020-21, the program’s terms and conditions were renewed for five years by the Minister of Justice (until March 31, 2025).
The full list of funded projects is published on the OPC website, along with summaries of completed projects from previous years.

Prepared by: PRPA

Children’s privacy

Key messages

Ensuring that children’s privacy is protected and that young people understand and are able to exercise their privacy rights is one of my key strategic priorities.
Last year, my counterparts in Alberta, Quebec and British Columbia and I launched an investigation into TikTok to examine whether the organization’s practices are in compliance with privacy legislation, with a particular focus on TikTok’s privacy practices as they relate to younger users.
We have heard from organizations that it would be helpful to clarify our expectations related to children’s privacy. We have undertaken activities with this goal in mind:
- Last October, my provincial and territorial counterparts and I issued a joint resolution calling on governments and organizations to put the best interests of young people first and recommending the adoption of specific practices in support of this.
- My office is developing guidance and will be consulting on topics such as age assurance.

Background

In line with the OPC’s strategic plan, we will further develop our expertise by conducting research and outreach with young people to identify privacy harms and better understand their perceptions of their privacy rights.
Children’s privacy was a primary theme for our office’s 2024-2025 Contributions Program. This will fund important research to further our understanding of young people’s privacy.
OPC sits on the Global Privacy Assembly’s Digital Education Working Group and an international age-assurance working group, where we collaborate and share best practices with our international counterparts.

Prepared by: PRPA

TBS Directive on Privacy Impact Assessment

Key messages

The TBS Directive on Privacy Impact Assessment requires government institutions to conduct a PIA when a program or activity may impact personal information. It also requires institutions to share completed PIAs with my office.
Under the TBS Policy on Privacy Protection, institutions must notify my office of any new or existing programs or activities that could impact privacy – regardless of whether a PIA is planned.
Despite these requirements, we are not always consulted or made aware of potentially privacy-impactful initiatives until after the fact.
Treasury Board is now in the process of updating their directive and has consulted my office. Greater clarity is always welcome, but the requirement to conduct PIAs should also be enshrined in law.

Background

PIAs have been a policy requirement since 2002 but do not currently have the force of law under the Privacy Act.
In March 2024, Treasury Board president Anita Anand appeared before ETHI in connection with its ongoing study of the federal government’s use of technological tools capable of extracting personal data from mobile devices and computers, where she likened PIAs to a “checklist” and indicated that they are “not mandatory.”
At the same appearance, Treasury Board deputy minister (and chief information officer of Canada) Dominic Rochon acknowledged that, in its current form, the Directive on PIA affords departments some “leeway” in determing whether to conduct a PIA when implementing new technology or software.
In its most recent consultation paper on Privacy Act modernization, DOJ proposed that a risk based obligation to complete a PIA could be introduced into the Act as well as a requirement for PIAs to be shared with the OPC for views and recommendations, which the OPC would have to provide within a mandated timeline.
TBS has shared a preliminary draft of an updated directive on PIA with our office for our comment, and we continue to liaise with them on it. It is expected to be released this summer.

Prepared by: PRPA

Ongoing litigation: Facebook (Meta)

Key messages

In March 2018, the OPC received a complaint about Facebook that arose amid media reports that Cambridge Analytica had accessed the personal information of Facebook users without their consent via a third-party application (TYDL App).
The issues at the heart of this case are directly related to the fundamental privacy rights of Canadians and their ability to participate with trust in our digital society.
The OPC appealed the Federal Court’s decision because the matter raises important questions with respect to the interpretation and application of privacy law in Canada that will benefit from clarification by the Federal Court of Appeal.

Background

The OPC and the Office of the Information and Privacy Commissioner for British Columbia jointly investigated and found that Facebook had not obtained meaningful consent from its users before disclosing their personal information and that it had not implemented adequate safeguards.
The OPC filed an application with the Federal Court under s. 15 of PIPEDA seeking, in particular, an order requiring Facebook to correct its practices to comply with PIPEDA as Facebook didn’t agree to implement the OPC recommendations.
In April 2020, Facebook filed an application seeking judicial review of the OPC’s investigation process and the resulting Report of Findings.
On April 13, 2023, the Federal Court dismissed Facebook’s application for judicial review. The Court found that the OPC had not breached procedural fairness and that the investigation was not out of time. This decision is not being appealed.
On April 13, 2023, the Court also dismissed the Commissioner’s s. 15 application, finding that there was insufficient evidence to conclude that Facebook had failed to comply with PIPEDA. The OPC appealed to the Federal Court of Appeal.
The appeal was heard on February 21, 2024. A decision is pending.

Prepared by: Legal

Ongoing litigation: Aylo (MindGeek)

Key messages

In April 2023, Aylo (formerly MindGeek) brought an application for judicial review in Federal Court, arguing that my Office’s intent to publish its Report of Findings regarding a complaint received against the company was unreasonable and unfair.
Aylo then sought an injunction that would have prevented my Office from issuing and publishing the final Report of Findings while the judicial review application was pending.
In August 2023, the Federal Court dismissed Aylo’s injunction request, in particular because it had not demonstrated that it would be irreparably harmed by the issuance and publication of the report. Aylo appealed that decision.
In February 2024, the Federal Court of Appeal unanimously dismissed Aylo’s appeal. That same day, my Office issued and published the final Report of Findings.

Background

In April 2020, the OPC received a complaint against Aylo stemming from its alleged failure to obtain consent from everyone depicted in intimate content posted on its various websites. After investigating, the OPC informed Aylo in March 2023 of its intention to issue and publish the Report of Findings into the complaint.
The report found that Aylo contravened PIPEDA by enabling intimate content to be shared on its websites without the direct knowledge or consent of everyone depicted.
My Office recommended that Aylo immediately stop the collection, use and disclosure of user-generated intimate images and videos until it has implemented measures to ensure compliance with its obligations under PIPEDA. To date, Aylo has not agreed to comply with the recommendations.

Prepared by: Legal

Litigation costs

Key messages

Litigation remains a key tool for my Office in its work to protect and promote privacy. That said, initiating a court application or responding to a judicial review can be very costly, despite best efforts to be judicious in the use of resources.
There was a substantial increase in litigation costs incurred by the OPC in 2023-24. While costs have generally been increasing over the past six years, in the last year, they more than doubled.
- This was due to a particular set of circumstances, with costs incurred for 2 cases in Federal Court and 3 at the Federal Court of Appeal.
- The great majority of these costs were incurred for the Aylo matter, which significantly advanced privacy.
While rates of judicial review of OPC decisions have remained relatively stable, should Bill C-27 be adopted, the OPC anticipates increased litigation activity in the early years through challenges of OPC decisions to issue orders, to recommend administrative monetary penalties; and to issue investigative findings that give rise to a new right for individuals to institute proceedings to obtain damages.

Background

OPC litigation expenditures for retainers with external counsel by fiscal year:

2018-19 2019-20 2020-21 2021-22 2022-23 2023-24

$67,523 $130,598 $114,930 $212,329 $284,277 $771,382
The OPC resolves many complaints in early resolution or through its investigative findings and recommendations, and litigation is but one available tool.
OPC intervention in cases raising significant CPPA interpretations issues is also likely to temporarily increase litigation costs should Bill C-27 be adopted.

2018-19	2019-20	2020-21	2021-22	2022-23	2023-24
$67,523	$130,598	$114,930	$212,329	$284,277	$771,382

Prepared by: Legal

Bill C-27

Key messages

Bill C-27 addresses many of the concerns that my office and other experts have raised with respect to PIPEDA. For example, it expands requirements for obtaining informed consent and the list of contraventions subject to administrative monetary penalties.
However, I believe that it must go further to ensure that Canadians’ privacy rights are better protected in the digital environment, to promote innovation, and to avoid leaving too much to regulation.
My office has proposed 15 recommendations to strengthen the bill, including recognizing privacy as a fundamental right and protecting children’s privacy and the best interests of the child.
I was greatly encouraged to see the Committee reflect these recommendations, as well as others made by my Office, in their amendments to the Bill. We continue to closely monitor the Bill’s progress.

Background

The Standing Committee on Industry and Technology (INDU) began its clause-by-clause consideration of Bill C-27 on April 8, 2024. To date, INDU has held 7 meetings and adopted 8 amendments, most of which broadly align with our recommendations. These include:
- embedding the preamble of the bill in the Consumer Privacy Protection Act and amending it to recognize the fundamental right to privacy and the importance of protecting minors and their best interests;
- amending the definition of “anonymize” to remove “generally accepted best practices” and add the standard of “no reasonably foreseeable risk in the circumstances” for re-identification;
- amending the French definition of “de-identify” to better align with the English;
- adding definitions of “lawful authority,” “minor,” and “profiling;”
- amending the definition of “personal information” to include inferred information.

Prepared by: PRPA

Privacy Act reform

Key messages

As private sector law reform continues to move forward, the Privacy Act has unfortunately not changed substantively since it came into force over 40 years ago.
To the extent appropriate, given their different contexts, federal privacy laws should be broadly consistent with one another, and with other global data-protection frameworks.
Better aligning public and private sector laws would provide greater predictability, interoperability, and consistency.
- Common standards would also be more conducive to public-private partnerships and cross-border data flows.

Background

In 2021, the Department of Justice published a consultation paper proposing a range of reforms to the Privacy Act. Specific proposals supported by our office included:
- the addition of a purpose clause recognizing the broad scope of the right to privacy as a human right;
- more meaningful oversight, along with quick, effective remedies, such as order-making powers and expanded rights of recourse; and,
- an expanded definition of personal information.
Our office also submitted several recommendations in response, including:
- the inclusion of a definition of automated decision-making, a right to meaningful explanation and human intervention, standards for the level of explanation required, and legal obligations for traceability;
- the new “reasonably required” standard proposed for collection clearly indicate that the privacy impacts must be proportionate to public interests at stake; and,
- government institutions be required to consult the OPC on draft legislation and regulations with privacy implications before they are brought forward.
The most recent public update from the Department of Justice since the launch of the consultation was the publication of a “what we heard” report in August 2021 and a report on 2022 engagement with Indigenous Peoples published in October 2023.

Prepared by: PRPA

Bill C-63 (Online Harms Act)

Key messages

The government tabled Bill C-63, the Online Harms Act, with the stated goal of holding social media platforms accountable for addressing harmful content on their platforms and to create a safer online space that protects all people in Canada, especially for kids.
I have made championing children’s privacy rights a strategic priority of my Office, as children need to be able to navigate online spaces securely. This priority dovetails with areas of C-63 relating to developing age-appropriate design for regulated services.
C-63 also addresses intimate images communicated without consent, of interest to my Office given my findings related to the Aylo investigation.
- In the report of findings that I issued, I recommended that Aylo must obtain meaningful consent from each individual appearing in intimate images and videos before the content can be uploaded to its sites.
I am happy to further discuss the privacy implications of Bill C-63 should I be called to comment on the bill in Parliament.

Background

Bill C-63 legislates a duty to protect children. As part of this duty, s. 65 states that “an operator must integrate into a regulated service that it operates any design features respecting the protection of children, such as age appropriate design, that are provided for by regulations.” S. 140(o) outlines that regulations respecting design features may include privacy settings for children.
Bill C-63 also establishes a duty to make certain content inaccessible. Regulated services, whether it be content flagged by the service itself or by a user, must take down content it has reasonable grounds to suspect is content that sexually victimizes a child or revictimizes a survivor or intimate content communicated without consent within 24 hours of identifying it (s. 67). The content must remain offline until the service has made a decision on whether the content should remain inaccessible.

Prepared by: PRPA

Bill C-65 (Electoral Participation Act)

Key messages

Bill C-65, tabled in March 2024, adds new elements to privacy policies that political parties are required to have as part of their registration with Elections Canada (under the Canada Elections Act).
In previous appearances on this issue, I have recommended that political parties should be subject to substantive privacy rules (e.g. those found in the Privacy Act or PIPEDA) that include recourse, independent review, and compliance mechanisms.
I look forward to sharing my views with Parliamentarians when Bill C-65 is studied in detail at committee.

Background

Privacy aspect of legislation: C-65 adds new elements to privacy policies that political parties must develop as part of their registration with Elections Canada (under the Canada Elections Act), including that:
- a registered or eligible party and those acting on the party’s behalf must comply with the party’s policy for the protection of personal information;
- failure to comply with a party’s privacy policy is considered a violation; and,
- a requirement for notification by parties to individuals be in place, in the event of a privacy breach, where there is real risk of significant harm.
Prior appearances: when you appeared on this issue in May 2023 before the Senate Legal and Constitutional Affairs Committee (on C-47) you noted that:
- Despite amendments enacted by Bill C-47, there were no minimum privacy requirements for political parties to govern handling of personal information nor independent oversight of their privacy practices.
- Rather, C-47 authorized parties and their affiliates to collect, use, retain, disclose, and dispose of personal information according to their own policies.

Prepared by: PRPA

Date modified:: 2024-08-30

Issue sheets on the 2024-25 Main Estimates

Table of Contents

OPC budget

Key messages

Background

Funding under Budget 2023

Key messages

Background

Resource implications of Bill C-27

Key messages

Background

Resource allocation

Key messages

Background

Funding models of agents of Parliament

Key messages

Background

Expertise within the OPC

Key messages

Background

Recruitment, retention, and people management

Key messages

Background

Finding efficiencies

Key messages

Background

2022-2023 Departmental Results Report highlights

Key messages

Background

2024-2027 Strategic Plan highlights

Key messages

Background

Privacy Act Extension Order

Key messages

Background

Investigations under the Privacy Act (general)

Key messages

Background

Investigations under PIPEDA (general)

Key messages

Background

ChatGPT

Key messages

Background

TikTok

Key messages

Background

Aylo (MindGeek)

Key messages

Background

Enforcement collaboration

Key messages

Background

Compliance breach statistics and trends

Key messages

Background

Complaints statistics and trends

Key messages

Background

Compliance backlog

Key messages

Background

Government Advisory: Activities, statistics, and trends

Key messages

Background

ETHI study: Federal government’s use of technological tools capable of extracting personal data from mobile devices and computers

Key messages

Background

Business Advisory: Activities, statistics, and trends

Key messages

Background

Guidance development

Key messages

Background

Parliamentary Affairs: Activities, statistics, and trends

Key messages

Background

Budget 2024: Implications for the OPC

Key messages

Background