
Issue sheets on the 2024-25 Main Estimates

Appearance before the Standing Senate Committee on National Finance


Corporate

OPC budget

Key messages

  • The total proposed funding for my office in the 2024-25 Main Estimates is $34 million.
  • This represents an increase of $4.5 million over the previous year, which is attributable to the additional funding resulting from the renewal of collective bargaining agreements ($2.1 million) and the temporary funding received as part of Budget 2023 ($2.4 million).
  • This temporary funding has enabled my office to reduce the complaints backlog and to undertake more in-depth investigations of privacy breaches, but we will need a more permanent solution if we are to address the full volume and complexity of privacy issues in the current environment.
  • That is why I have recommended that, at a minimum, the temporary breach and backlog funding of $5.7 million be made permanent.
  • We use this funding to protect and promote privacy rights, including by investigating complaints, assessing compliance, providing advice and recommendations, and working with stakeholders in other jurisdictions.

Background

  • The office’s 2024-25 Main Estimates of $34M break down as follows:
    Budgetary                                 2023-24         2024-25
                                              $M      %       $M      %
    Personnel expenditures (including EBP)    24.3    83      28.3    83
    Operating expenditures                    4.7     15      5.2     15
    Contributions program                     0.5     2       0.5     2
    Total reference levels                    29.5    100     34.0    100

Lead: Corporate


OPC funding under Budget 2023

Key messages

  • Budget 2023 provided $5.7 million over two years to undertake more in-depth investigations of privacy breaches across public and private organizations and to improve response rates to privacy complaints from Canadians.
  • This temporary funding has enabled real headway on these priorities, but we will need a more permanent solution if we are to address the full volume and complexity of privacy issues in the current environment.
  • That is why I have recommended that, at a minimum, the temporary breach and backlog funding of $5.7 million be made permanent.
  • The Budget also announced an additional $15 million over five years to help our office prepare to implement our expanded responsibilities under Bill C-27.
    • Additional long-term funding will also be necessary if Bill C-27 is adopted.

Background

  • Budget 2023 provided an additional $5.7M over two years for the office to deal with a growing number of reported privacy breaches and the complaints backlog:
    2023-24   2024-25
    2.84M     2.84M
  • Budget 2023 also provided the following temporary new funding of $15M over five years to support the office in implementing its new obligations under Bill C-27:
    2023-24   2024-25   2025-26   2026-27   2027-28
    2M        4M        4M        3M        2M

Lead: Corporate


Budget 2024: Implications for the OPC

Key messages

  • Budget 2024 announced several funding commitments and legislative initiatives that could have privacy implications.
    • These include new investments in artificial intelligence, online safety, cybersecurity, and legislative amendments to enable greater information-sharing to combat money laundering and terrorist financing, with an oversight role for the OPC.
  • Despite the various impacts such proposals might have on my office, the Budget included no additional resources for us.
  • We did receive temporary new funding under Budget 2023 to prepare for Bill C-27 and to address our complaints backlog. However, we will need a longer-term solution to keep pace with the full volume and complexity of privacy issues in the new environment.

Background

  • Budget 2024, which was presented in the House of Commons on April 16, announced several proposals that may have implications for our office, including:
    • a $2.4B investment to “strengthen Canada’s AI advantage,” and a further $50M to create an AI Safety Institute
    • $52M to implement the Online Harms Act
    • Amendments to enable greater information sharing under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, which will entail an expanded oversight role for the office
    • The implementation of a new reporting framework for crypto-asset transactions to facilitate information-sharing between OECD member countries
    • $84M for the Treasury Board Secretariat and Library and Archives Canada to “maintain the access to information and privacy regime”
  • Budget 2023 provided $15M over five years to support our office in implementing its new obligations under Bill C-27, and $5.7M over two years to deal with a growing number of reported privacy breaches and the complaints backlog.

Lead: PRPA


Resource implications of Bill C-27

Key messages

  • Bill C-27 would expand my office’s existing responsibilities, introduce new ones, and also grant some discretion in how we do our work.
  • The 2020 Fall Economic Statement included $80 million over five years, of which a portion has been earmarked for my office, to support the implementation and enforcement of what is now Bill C-27.
    • More recently, Budget 2023 provided $15 million over five years for us to ramp up operations in preparation for the potential adoption of the new legislation.
  • We estimate that the full implementation of Bill C-27 will require ongoing annual funding of approximately $25 million; the Government has currently allocated us less than half that amount.

Background

  • Budget 2023 provided the following temporary new funding for this purpose:
    2023-24   2024-25   2025-26   2026-27   2027-28
    2M        4M        4M        3M        2M
  • Our current estimate of the total implementation cost of Bill C-27 is approximately $25 million (excluding the Employee Benefit Plan) – more than twice the amount that has been allotted to us in permanent funding under the fiscal framework.

Lead: Corporate


OPC resource allocation

Key messages

  • My office continues to allocate its resources in a way that is forward-looking to prevent privacy issues before they arise as opposed to addressing them only after the fact.
  • One of our guiding strategic priorities is to maximize the reach and impact of our efforts to protect and promote privacy rights.
  • Given our current funding level, this is not always possible when a significant portion of our resources must be focused on the investigation of individual complaints.
  • To ensure an appropriate balance between the need to promote and enforce compliance, we currently split our budget almost equally between our promotion and compliance programs.

Background

  • The following table summarizes the Main Estimates and full-time-equivalent employees (FTEs) by area of responsibility in the office’s Departmental Results Framework (2023-24 is provided for comparison):
    Program area                               2023-24        2024-25
                                               $M     FTEs    $M     FTEs
    Promotion                                  11.2   79      12.1   77
    Compliance                                 10.5   74      12.9   90
    Internal services                          7.8    54      9.0    54
    Total reference levels (Main Estimates)    29.5   207     34.0   221
  • Of the 2024-25 amounts, $30.6M requires parliamentary approval; the remaining $3.4M relates to statutory forecasts for employee benefits and is provided for information only.

Lead: Corporate


Contracting (spending on professional and special services)

Speaking points

  • The scope of OPC’s operational environment is vast, requiring knowledge of fields such as privacy, law, communications, information technology, finance, people management and security management.
  • The OPC uses professional services mainly to increase the capacity of the organization on an ad hoc basis and spends on average $3.2 million on professional and special services.
  • My office carries out a continuous review and assessment of our use of professional and special services in order to maximize the impact on the delivery of our mandate.
  • The OPC implemented several changes to the management of contracts for professional services following the updates to the Treasury Board Directive on the Management of Procurement.

Background

  • In 2024, in order to maintain a culture of accountability and transparency, the OPC reviewed its contracting data published on the Open Government Portal to ensure that it is complete, accurate and up to date.
  • Moving forward, the OPC business owners (managers) will further document and justify the use of professional services.
  • For all professional services contracts that exceed $40,000 (including applicable taxes and fees), the following will apply:
    • Managers will validate and document that no alternative approaches to procurement are available; and
    • OPC will integrate an attestation from the business owners as per the new mandatory procedures, starting September 30, 2024.

Lead: Corporate


Finding efficiencies

Key messages

  • Protecting and promoting the fundamental right to privacy with maximum impact is one of the key guiding priorities that I have set for my office under our current strategic plan.
  • In the last year, we have undertaken several initiatives to this end, including a restructuring of our operations, the introduction of our strategic plan, and an increasingly strategic use of our investigative powers, such as joint investigations.
  • In keeping with our strategic plan, we continually look for ways to enable greater efficiency, adaptability, and preparedness in the constantly evolving privacy landscape.

Background

  • Restructuring: last year we created two new positions: Deputy Commissioner and Senior General Counsel (to address the increasingly complex privacy landscape) and Chief Services and Digital Officer (to implement a new digital vision and agenda). We also created a new Directorate of International, Provincial, and Territorial Relations to bolster engagements with other regulators and privacy organizations.
  • Results focus: In January we launched a strategic plan that lays out three key priorities that will guide our work through 2027: (1) protecting and promoting privacy with maximum impact, (2) addressing and advocating for privacy in this time of technological change, and (3) championing children’s privacy rights.
  • Strategic use of powers: We are making greater use of Commissioner-initiated investigations, legal powers and enforcement collaboration to achieve maximum impact more expeditiously.
  • Digital transformation: We continue to refine cloud technologies supporting a hybrid work model and have initiated a digital strategy to support OPC and its employees now and into a future based on sound cybersecurity, data and modern information management.

Lead: Corporate


Funding models of agents of Parliament

Key messages

  • As an agent of Parliament, my office operates independently of government to provide non-partisan advice and recommendations to the House and Senate.
  • Given my role scrutinizing government compliance with privacy law, decisions regarding the funding level of my office should not rest solely with the government of the day.
  • That is why I would welcome greater parliamentary involvement in funding determinations for my office, which would reinforce our independence, promote greater transparency, and help ensure sufficient resources for us to fulfill our mandate.

Background

  • Not all agents of Parliament are funded like the OPC.
    • The funding procedure for the Conflict of Interest and Ethics Commissioner and the Parliamentary Budget Officer specifically excludes any role for Treasury Board in the development or review of budget proposals.
    • Similarly, the Office of the Chief Electoral Officer receives much of its funding by statutory authority under the Canada Elections Act.
  • In January 2019, the OPC, the Office of the Information Commissioner (OIC), and other agents of Parliament sent a letter to the Clerk of the Privy Council calling on PCO to engage with them on alternative funding mechanisms.
  • In its June 2023 report on The State of Canada’s Access to Information System, ETHI recommended that the Government establish an independent funding mechanism for the OIC and those agents of Parliament that currently lack one.
  • In 2005, following a recommendation in an ETHI report on funding for agents of Parliament, Treasury Board launched a pilot project to establish an advisory House committee to consider funding proposals prepared by certain agents. A subsequent 2008 report concluded that the pilot project had been successful and recommended that the model be made permanent.

Lead: Corporate


Expertise within the OPC

Key messages

  • The scope of OPC’s operational environment is vast, requiring knowledge of fields such as privacy, IT, finance, national security, and law.
  • As a result, we try to recruit employees from diverse backgrounds and prioritize employee training and development given the pace with which our environment changes.
  • We seek to hire employees with the knowledge and skill set that can help us achieve the ambitious goals we have set ourselves in our strategic plan such as experts on children’s privacy.
  • This also includes strengthening our technology-analysis function by hiring staff with expertise in AI and generative AI. This is a priority area in which our needs for training and expertise are growing exponentially.

Background

  • Given that privacy expertise is in high demand amid growing pressures on the labour market, we are adopting innovative retention strategies and efficient recruitment practices, and we continue to develop internal talent to retain skills, commitment, and organizational knowledge.
  • We are increasing access to technology-related training content to ensure we are keeping up with and staying ahead of technological advancements and their impact on privacy, particularly with respect to AI and generative AI and children’s privacy.
  • We are assessing the adequacy of the OPC’s framework supporting training, learning and development programs and activities to ensure it enables and supports the OPC in achieving its mandate and objectives.
  • We are conducting a review of the structure and key job descriptions in Compliance.

Lead: Corporate


Recruitment, retention, and people management

Key messages

  • My office needs a stable, long-term source of funding to develop, attract, and retain the talent and expertise we need to deliver our mandate.
  • I am proud to say that the OPC remains an employer of choice, in no small part because of our investments in employee training and development, well-being, and technologies that support collaboration.
  • We remain committed to promoting the values of the public service and to strengthening our culture of accountability, equity, diversity, and inclusion to leverage the full potential of our employees and produce better results for Canada and Canadians.

Background

  • Human Resources Strategic Plan: We are currently developing a new, integrated strategic HR Plan to be implemented later this year that will encompass various aspects of HR, including EDI initiatives, well-being, and official languages.
  • Recruitment activities: We continue to leverage established internal and external pools of qualified candidates. We have staffing processes underway and plan to continue building an inventory of candidates at level for key positions. We also continue to use social networks such as LinkedIn and GCconnex to attract talent, and are enhancing our use of data to inform recruitment and retention strategies.
  • Hybrid work: We continue to strengthen our hybrid work model to ensure successful onboarding of new employees and to create a sense of belonging. We will also continue to ensure employees have the necessary information and adapted, modern tools to facilitate maximum flexibility and productivity in both telework and office work.

Lead: Corporate


Return to office

Speaking points

  • We have fully implemented the updated Direction on prescribed presence in the workplace as of September 9, 2024.
  • Both OPC offices – our headquarters in Gatineau and our regional office in Toronto – are well-equipped and have sufficient space to accommodate employees in accordance with the updated Direction.
  • We have created activity-based work spaces within our office and expanded the availability of reservable closed office space to ensure maximum benefit from onsite presence.
  • We have updated our hybrid work guidelines and delegation instruments, and have defined our organization’s values in a charter that will help guide how we apply the model at the OPC to ensure maximum collaboration and compliance.

Background

  • The Direction on Prescribed Presence in the Workplace was updated in May 2024 and sets out the requirement for deputy heads to implement a minimum of three days per week in the workplace for employees and four days per week in the workplace for executives.
  • The updated Direction was to be fully implemented no later than September 9, 2024.
  • Monitoring compliance at the individual level is the responsibility of managers and will be based on their observation and employee self-reporting. The OPC will verify organizational compliance at an aggregate level using turnstile data.

Lead: Corporate


2022-2023 Departmental Results Report highlights

Key messages

  • We continue to strive to meet the ambitious targets we have set ourselves under our departmental plan.
  • We have deliberately set our sights high and feel that we must remain bold in our aspirations given the interests at stake.
  • In 2022-23, we continued our work towards preparing our Office for the anticipated changes to our mandate, while also working towards the achievement of our Departmental Results Framework targets.

Background

  • The latest available Departmental Results Report is for fiscal year 2022-2023 (see ToC #3 for the full Departmental Results).
    • Targets met: 2
      • Percentage of formal OPC recommendations implemented by departments and organizations.
      • Percentage of federal and private sector organizations that find OPC’s advice and guidance to be useful in reaching compliance.
    • Targets missed: 6
    • Indicators with no target: 2
      • The 2 indicators that measure our guidance to businesses and information to Canadians on key privacy issues had no target, considering the possibility of a transformed legal framework and the fact that our guidance is grounded in legislation and could quickly become outdated following such reform.
  • At the program level, the OPC met 2 of its targets.
  • Outcome-level and Program-level results are published on GC Infobase. (See ToC #4 for the consolidated table of all results for the last three fiscal years).

Lead: Corporate


2024-2027 Strategic Plan highlights

Key messages

  • In January, my office launched a strategic plan that lays out three key priorities that will guide our work over the next three years.
  • Our three strategic priorities are:
    • protecting and promoting privacy with maximum impact;
    • addressing and advocating for privacy in this time of technological change; and,
    • championing children’s privacy rights.
  • These priorities, which crystallized over the course of the first year of my seven-year mandate, were informed by engagements with a wide range of stakeholders.
  • The strategic plan reflects our commitment to a future where innovation can flourish and fundamental privacy rights are upheld.

Background

  • Priority one focuses on adapting as our operational context changes, such as through potential legislative reforms, and the pursuit of the most effective and efficient use of our resources and powers for optimal results for Canada and Canadians.
  • Priority two focuses on bolstering our ability to address the privacy impacts of the fast-moving pace of technological advancements, especially in the world of artificial intelligence (AI) and generative AI, and on encouraging privacy-protective technological innovations.
  • Priority three is about doing more to promote and protect the privacy rights of children, who are particularly vulnerable in the digital age.
  • The OPC sought feedback from the public on the plan from January 22 to March 31, 2024, which is informing how the plan is implemented.

Lead: Corporate


Privacy Act Extension Order

Key messages

  • In July 2022, the Privacy Act’s scope of application was extended to allow foreign nationals to request access to their personal information under the control of a federal government institution and to submit related complaints to my office.
    • Previously, only Canadian citizens and those present in Canada had such rights.
  • After two years of implementation, my office has received a modest but growing number of complaints as a result of the extension order – approximately 300 in total.
  • However, we anticipate that the number of complaints will continue to grow in the coming years, which will put additional pressure on our operations since we have received no permanent funding for this purpose.

Background

  • The Privacy Act Extension Order was published on July 14, 2021, and came into force a year later. At the time, it was expected that it might result in hundreds of thousands of personal information requests across government, particularly at Immigration, Refugees and Citizenship Canada (IRCC).
  • We also anticipated a significant number of complaints against IRCC. This has not yet materialized, but we continue to monitor and anticipate a higher volume as dissatisfied requesters pursue complaints under the Order.
  • If the volume becomes unmanageable within existing resources, we will engage with the Department of Finance to determine how best to address the increase in requests.

Lead: CIRD


Compliance

Investigations under the Privacy Act (general)

Key messages

  • Pursuant to subsection 29(1) of the Privacy Act, I receive and investigate complaints from individuals who may have been denied the right to access and correct their personal information, or who allege that personal information has been collected, used, retained, or disclosed in contravention of the Act.
  • I may also choose to initiate a complaint, under subsection 29(3), when I am satisfied that there are reasonable grounds to investigate. I can also decide, at my discretion, to carry out investigations under subsection 37(1) against a federal institution or organization covered by the Act.
  • Section 63 prevents me from discussing or disclosing the details of ongoing investigations. However, I can confirm that my Office is currently investigating the following:
    • The contracting practices related to ArriveCAN, and more specifically the measures that were in place to protect personal information during the development of the app;
    • A privacy breach resulting from unauthorized access to Global Affairs Canada’s virtual private network; and,
    • A cyberattack which resulted in a breach of the personal information of federal government personnel who used government-contracted relocation services over the past 24 years.

Background

  • Under section 63 of the Privacy Act, the Privacy Commissioner and every person acting on behalf or under the direction of the Commissioner shall not disclose any information that comes to their knowledge in the performance of their duties and functions under this Act.

Lead: Compliance


Brookfield Global Relocation Services (BGRS) and Sirva Canada LP

Speaking points

  • In November 2023, I began investigating a cyberattack that resulted in a breach affecting the personal information of current and former Government of Canada employees, members of the Canadian Armed Forces, and Royal Canadian Mounted Police personnel, who used government-contracted relocation services as far back as 1999.
  • The breach involves personal information that was held by BGRS and Sirva Canada LP. These affiliated companies are contracted by the Government of Canada to provide relocation services for employees.
  • There are investigations under both Acts given that the parties are from both the private and public sectors:
    • Under PA, we are examining whether the government institutions met their obligations regarding the safeguard of personal information for their employees.
    • Under PIPEDA, we are also assessing the adequacy of the safeguards that BGRS/Sirva had in place at the time of the breach to protect the personal information of the personnel who used relocation services.
  • As the investigation is ongoing, I cannot provide further details or comments at this time.

Background

  • Government of Canada departments are investigated under the Privacy Act, and BGRS, a private sector institution, is subject to investigation under PIPEDA.

Lead: Compliance


Global Affairs Canada breach

Speaking points

  • In February 2024, I announced the launch of an investigation into a data breach at Global Affairs Canada (GAC), following receipt of several complaints by my Office about the matter.
  • This breach involves a cyberattack on GAC’s internal network. As a result, the personal information of users, including employees, was compromised after unauthorized individuals accessed the department’s virtual private network.
  • The investigation is examining the adequacy of the safeguards that were in place at the time of the breach to protect the personal information under GAC’s control.
  • As the investigation is ongoing, I cannot provide further details or comments at this time.

Background

  • Media reports stated that this was a month-long security breach affecting “many” government employees.
  • CBC reported that they obtained a copy of an email which noted that the internal systems had been vulnerable between December 20, 2023 and January 24, 2024. The OPC was notified of the breach on January 26.
  • As noted in a media article, a GAC memo to staff said that email traffic and files on personal and shared drives “may have been compromised.”

Lead: Compliance


ArriveCan

Speaking points

  • In March 2024, my Office launched an investigation against the Canada Border Services Agency (CBSA), following a complaint received related to the development of the ArriveCAN mobile app.
  • The investigation, which is underway, is reviewing the contracting practices related to ArriveCAN; specifically the measures that were in place during the development of the app to protect personal information, as required under the Privacy Act.
  • The investigation will also take into consideration the issues raised in the motion tabled by the House of Commons Standing Committee on Government Operations and Estimates (OGGO).

Background

  • On March 14, 2024, OGGO adopted a motion calling upon my Office to investigate the ArriveCAN app, including the work of all contractors and subcontractors, to determine whether the privacy and personal information of Canadians was adequately protected.
  • In correspondence dated May 16, 2024, we acknowledged OGGO’s motion and confirmed that our ongoing investigation of the CBSA will take into consideration the issues raised therein.
  • The OPC had previously investigated the ArriveCAN app as part of a special pandemic report, following a complaint about inaccurate information. The OPC had recommended that the CBSA correct the information in their database.
    • On May 30, 2023, when the Special Report was tabled in Parliament, the CBSA informed the OPC that it has corrected the information.

Lead: Compliance


FINTRAC data breach

Speaking points

  • On March 5, 2024, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) reported a breach of its data environments to the OPC as a result of a cyber incident that impacted certain of its online reporting systems.
  • Following the report, the OPC conducted an assessment of the breach, based on the information submitted by FINTRAC, to determine its scope and impact on personal information.
  • FINTRAC recently advised my Office of the measures it has taken to address the breach. The OPC is satisfied with FINTRAC’s response.
  • My Office will continue to monitor FINTRAC’s implementation of measures to mitigate harm to affected individuals and to prevent future breaches.

Background

  • Under section 4.2.8 of the TBS Policy on Privacy Protection, federal organizations subject to the Privacy Act must report privacy breaches to the OPC and to TBS where there is a real risk of significant harm to an affected individual.
  • Pursuant to the TBS Directive on Privacy Practices, FINTRAC is required to determine appropriate mitigation measures to reduce the risk of harm to affected individuals and to enact appropriate prevention measures to reduce the risk of future breaches.
  • FINTRAC’s engagement with the OPC regarding the breach has been positive. FINTRAC has been proactively sharing information to assist the OPC in its assessment of the incident and of FINTRAC’s response.
  • While the OPC has previously received other privacy breach reports from FINTRAC, this was the first cyber incident related breach that has been reported to my Office.

Lead: Compliance


FINTRAC audit

Speaking points

  • Under section 72(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), the Privacy Commissioner must review, on a biennial basis, the measures taken by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to protect the personal information that it collects or receives.
  • FINTRAC has resolved several issues identified in past reviews, but a 2021 review found that two significant areas of concern persisted:
    • FINTRAC’s over-collection of personal information from reporting entities; and,
    • its retention of information.
  • A review that my office launched in 2023 is currently ongoing and will reassess each of these issues. This review will be completed in the coming weeks, but I cannot comment further at this time.

Background

  • The PCMLTFA requires that the reports for these reviews be submitted to Parliament within three months after they are completed.
  • Given that Shared Services Canada houses FINTRAC’s information technology infrastructure, we also engaged with them as part of these reviews to facilitate our assessment of how FINTRAC safeguards the personal information on its networks.

Lead: Compliance


Investigations under PIPEDA (general)

Key messages

  • Pursuant to s. 12(1) of PIPEDA, I investigate complaints filed by individuals against organizations engaged in commercial activity. If there are reasonable grounds to investigate a matter under the Act, I can also initiate a complaint under s. 11(2) of PIPEDA.
  • Key investigations include:
    • Certn: In May 2024, I commenced an investigation, with my counterpart in BC, into Certn, a tenant screening service that performs background checks.
    • MindGeek: In February 2024, I issued findings following my Office’s investigation into Aylo, the operator of Pornhub and other pornographic websites.
    • Loblaws: In July 2024, I commenced an investigation after receiving several complaints in which individuals alleged that they were unable to delete their PC optimum accounts.
    • 23andMe: In June 2024, I commenced an investigation, along with my counterpart in the UK, into a breach at 23andMe, a direct-to-consumer genetic testing website.
    • ChatGPT: In May 2023, I commenced a joint investigation with my counterparts from QC, AB and BC into OpenAI, the company behind the AI-powered chatbot, ChatGPT.
    • TikTok: In February 2023, I commenced a joint investigation, with privacy authorities in QC, AB and BC, to examine TikTok’s privacy practices, in particular as they relate to its younger users.

Background

  • Where investigations are ongoing, due to confidentiality obligations, the OPC cannot provide further details. However, in each instance (other than in Aylo because we have already done so), we intend to issue our findings in the coming months.

Lead: Compliance


Aylo

Key messages

  • In February 2024, my Office concluded its investigation into a complaint against Aylo (formerly MindGeek), which operates Pornhub and other popular pornographic websites.
  • The complaint was from a woman whose ex-partner had uploaded, without her knowledge or consent, an intimate video and images of her as well as other identifying information, to Pornhub and other Aylo-owned websites.
  • Our key finding was that Aylo failed to ensure the complainant’s consent had been obtained prior to allowing the upload and disclosure of her images.
  • In the investigation report, we made a number of recommendations, including that Aylo stop sharing user-created intimate content until it implements measures to obtain express, meaningful consent directly from each individual who appears in uploaded content.
  • We are currently in discussions with Aylo with a view to securing a commitment to implement measures that will comply with our recommendations and Canadian privacy legislation.

Background

  • When the Report of Findings was nearing completion in May 2023, Aylo launched a judicial review application with the Federal Court seeking to challenge our findings and recommendations and prevent us from finalizing and releasing the report. Aylo was ultimately unsuccessful and we were able to issue our final report.
  • In March 2024, after the release of our report, Aylo published a blog post in which it indicated that it had made changes to its “co-performer” consent requirements in January 2024. It did not advise our Office.

Lead: Compliance


TikTok

Key messages

  • In February 2023, my Office, along with my counterparts in Quebec, British Columbia, and Alberta, launched a joint investigation into TikTok.
  • We are examining whether TikTok’s practices comply with Canadian privacy legislation, including whether valid and meaningful consent is being obtained for the collection, use, and disclosure of personal information.
  • Given the importance of protecting children’s privacy, which is one of my three strategic priorities, the joint investigation has had a particular focus on TikTok’s privacy practices as they relate to younger users.
  • We intend to release the results of the investigation in the coming months.

Background

  • The investigation was initiated in the wake of now-settled class-action lawsuits in the United States and Canada, as well as numerous media reports related to TikTok’s collection, use and disclosure of personal information.
  • Subsection 11(2) of PIPEDA states that “[i]f the Commissioner is satisfied that there are reasonable grounds to investigate a matter under [Part I of PIPEDA], the Commissioner may initiate a complaint in respect of the matter.”
  • Through collaboration with provincial counterparts, we are able to leverage our limited resources and distinct capabilities and share best practices and comparative strengths to more effectively and efficiently enforce privacy laws.
  • Children’s information is particularly sensitive and requires special consideration and even greater privacy safeguards. If it is not realistic to expect adults to understand and be accountable for complex privacy consent forms and rules, it is unacceptable to put this burden on children, particularly given that TikTok’s own policies prohibit youth under 13 from using the platform, yet such youth make use of it nonetheless.

Lead: Compliance


ChatGPT

Key messages

  • In May 2023, my Office commenced a joint investigation with my counterparts in Alberta, British Columbia, and Quebec into the practices of OpenAI in relation to its ChatGPT service.
  • Among the issues under examination are consent and transparency, accuracy, accountability, appropriate purposes, and limiting collection.
  • We are aiming to release our findings in the coming months.
  • It is essential that AI and other related emerging technologies be developed and deployed in a responsible, privacy-preserving manner, which is why my Office has made it a strategic priority to address the privacy impacts of such fast-moving developments.

Background

  • ChatGPT is a natural language processing tool (or chatbot) driven by AI technology. The language model can answer questions and assist users with a range of tasks, such as composing emails and essays.
  • In April 2023, the OPC launched an investigation into ChatGPT after receiving a complaint alleging that the company collected (“scraped”), used, and disclosed the complainant’s personal information for the purpose of its commercial text-generation service without first obtaining consent. We closed this investigation in May 2023 in order to pursue a broader, joint commissioner-initiated complaint.
  • Several data protection authorities around the world, including various European authorities, have undertaken investigations of ChatGPT. The European Data Protection Board, which launched a dedicated taskforce on ChatGPT to “exchange information on possible enforcement actions,” issued a report in May 2024 to share preliminary views on the interpretation of the applicable provisions of the GDPR in relation to ongoing taskforce investigations.
  • As a member of the Global Privacy Assembly’s working groups on AI and International Enforcement Cooperation, we are exchanging information and learning from the experiences of our counterparts.

Lead: Compliance


Ticketmaster

Key messages

  • Between April 2 and May 18, 2024, a malicious threat actor breached Ticketmaster’s third-party cloud solution, gaining access to the personal information of millions of individuals.
  • Canadians are the second-largest demographic group impacted by the breach, with over 7.4 million affected individuals.
  • Following the breach notification, my Office received a complaint and in July 2024, we launched an investigation into Ticketmaster.
  • Our investigation aims to determine whether Ticketmaster had adequate safeguards in place to protect the personal information of impacted individuals, and whether Ticketmaster notified them as soon as feasible where it was reasonable to believe that a breach of security safeguards had created a real risk of significant harm.
  • As this is an ongoing investigation, I am limited as to what I can share at this time.

Background

  • The nature of the personal information involved is sensitive and includes contact and payment card information. For a subset of individuals, date of birth, passport number and purchase history have also been accessed.
  • Ticketmaster’s parent company, Live Nation Entertainment Inc., uses Snowflake’s cloud database environment to manage client information and transactions. It is possible – although not confirmed – that some of Ticketmaster’s employee accounts may have been used to access the database through credential stuffing (that is, using already compromised usernames and passwords to access the application).

Lead: Compliance


Certn

Key messages

  • In May 2024, I launched a joint investigation with my counterparts in Alberta and British Columbia into Certn (Canada) Inc., a company that offers background-check services, including tenant-screening services, to landlords.
  • My Office has received numerous privacy-related complaints from tenants against landlords, property managers, and third-party property-management service providers.
  • Requiring prospective tenants to consent to extensive background checks could have profound implications on the ability of Canadians to secure housing, particularly in a challenging rental market.
  • Accordingly, we are examining whether Certn’s collection, use, and disclosure of personal information is for an appropriate purpose, whether consent is valid and meaningful, and whether the information obtained is accurate.

Background

  • Certn operates across Canada and internationally. It promotes itself as a tech company “innovating every part of the background screening process.”
  • Certn publicly claims to collect, use, and disclose vast amounts of personal information – much of which may be sensitive – by way of over 100,000 databases from over 200 countries and territories. It states that many of these sources are “publicly available.”
  • Certn’s services include criminal records checks, credit checks, education and employment verification, international background checks, social media scans, and what it calls “Softcheck,” or real-time searches of publicly available datasets that it promotes as suitable for tenant screening.

Lead: Compliance


23andMe

Speaking points

  • In June 2024, my Office initiated a joint investigation with the UK Information Commissioner’s Office (ICO), into a data breach at 23andMe, a direct-to-consumer genetic testing service.
  • Our investigation will examine the adequacy of 23andMe’s safeguards to protect the highly sensitive DNA and associated personal information in the company’s control, the extent of impact on affected individuals and whether the company adequately notified our Offices and affected individuals.
  • As part of this investigation, we will aim to understand the events that led to the breach, as well as the mitigation measures implemented by 23andMe to remediate the breach and mitigate the risk of a future breach.
  • We are investigating this matter jointly with the UK ICO to leverage our Offices’ joint resources and complete this investigation more efficiently and with the greatest impact.

Background

  • In October 2023, the OPC received notification of a breach affecting a large number of Canadians, in addition to millions of individuals around the world, including in the UK.
  • The Commissioner initiated an investigation pursuant to ss. 11(2) of PIPEDA, determining that he had reasonable grounds to do so.

Lead: Compliance


Global Privacy Enforcement Network (GPEN) Privacy Sweep

Speaking points

  • In July 2024, my Office released the findings of our Privacy Sweep on the use of deceptive design patterns in websites and apps. The Sweep is an annual initiative of the GPEN.
  • My office coordinated this year’s Sweep, in which 26 privacy enforcement authorities from across Canada and around the world reviewed more than a thousand websites and mobile apps.
    • For the first time, the Sweep was also coordinated with the International Consumer Protection and Enforcement Network.
  • We found that the vast majority of websites and apps reviewed used deceptive design patterns to influence privacy choices, including sites targeting children that we specifically reviewed in coordination with our counterparts in Alberta and British Columbia.
  • We notified, or will be notifying, organizations where we found their website or app to have several deceptive design patterns.

Background

The Sweep focused on five deceptive design patterns:

  1. Complex and confusing language – technical and/or excessively long privacy policies;
  2. Obstruction – unnecessary steps between users and their privacy-related goals;
  3. Interface Interference – design elements that can influence users’ perception and understanding of their privacy options;
  4. Nagging – repeated prompts for users to take specific actions that may undermine their privacy interests; and,
  5. Forced Action – requiring or tricking users into disclosing more personal information than is necessary to provide that service.

Lead: Compliance


Enforcement collaboration

Key messages

  • In the digital economy, protecting privacy against global risks is a common goal amongst Data Protection Authorities. Collaboration allows regulators to expand their capacity and amplify their impact.
  • My Office is a leader in enforcement collaboration, chairing or co-chairing fora such as the Domestic Enforcement Collaboration Forum (DECF), the Global Privacy Enforcement Network (GPEN) and the Global Privacy Assembly (GPA).
  • My Office is also currently investigating OpenAI (creator of ChatGPT), TikTok and Certn, jointly with provincial counterparts, and the 23andMe breach jointly with the UK Information Commissioner.
  • This past year, we also coordinated the GPEN Sweep into website and app deceptive design patterns, and we issued a Joint Statement, with 12 global privacy authorities, on our expectations for online platforms to safeguard against unlawful data scraping.

Background

  • The OPC is currently engaged in 6 joint investigations, including OpenAI, TikTok and Certn.
  • Since 2021, we have concluded two joint investigations: Clearview AI (AB, BC, QC) in February 2021; and Tim Hortons (AB, BC, QC) in June 2022.
  • DECF: Facilitates info sharing and collaborative enforcement with substantially-similar provincial data protection authorities.
  • GPA: The International Enforcement Collaboration Working Group (IEWG) brings together global authorities to advance collaboration on enforcement of mutual interest. The IEWG has undertaken several joint activities towards enhancing global privacy compliance such as Credential Stuffing guidance; Facial Recognition Technology principles; and a joint statement on data scraping.
  • GPEN: We host the website and led this year’s Sweep, a collaborative review of over 1000 websites and apps by 26 authorities worldwide into the use of deceptive design patterns that may push users to make less privacy-protective choices.

Lead: Compliance


Breach statistics and trends

Key messages

  • Under section 4.2.8 of the TBS Policy on Privacy Protection, federal organizations subject to the Privacy Act (PA) must report privacy breaches to my office where there is a real risk of significant harm to an individual.
  • In accordance with section 10.1(1) of PIPEDA, organizations subject to that Act are also required to report breaches to my office.
  • In 2023-24, the OPC received 561 breach reports under PA and 693 under PIPEDA (1,254 total), a 28% increase over the previous year. Privacy breaches reported in 2023-24 affected close to 25 million Canadian accounts, twice as many as the previous year.
  • Almost half (46%) of reports from the private sector received in 2023-24 cited cyberattacks resulting from malware, compromised credentials, hacking, or phishing schemes.
  • While the OPC has seen a 15% increase in breach reports compared to the same period (April 30-August 30) last year, my office remains concerned that privacy breaches may be going undetected, mis-assessed, and ultimately unreported.

Background

  • The number of reported breaches resulting from cyberattacks on critical-infrastructure companies has increased significantly in recent years:
    Breaches reported to the OPC
    FY        PIPEDA   PA     Total   Critical infrastructure breaches
    2023-24   693      561    1,254   205
    2022-23   681      298    979     44
  • Bill C-26 (the Critical Cyber Systems Protection Act) – currently at Second Reading stage in the Senate – would require providers of vital services in federally regulated industries to report cybersecurity incidents to the Communications Security Establishment.

Lead: Compliance


Complaints statistics and trends

Key messages

  • A core function of my office is to receive and investigate complaints about the personal information-handling practices of federal government institutions and private sector businesses.
  • In 2023-24, we received a significant volume of complaints:
    • nearly 1,750 under the Privacy Act (of which 1,113 were accepted), and
    • over 1,100 under PIPEDA (of which 446 were accepted).
  • In 2023-24, we concluded 1,278 investigations under the PA and 405 under PIPEDA for a total of 1,683 (up 22% from the previous year).
  • Almost 90% of these were completed through our early resolution process or summary investigations.

Background

  • Complaints received and accepted over the past three years:
    FY        Privacy Act            PIPEDA                 Total
              Received   Accepted    Received   Accepted    Received   Accepted
    2023/24   1,749      1,113       1,108      446         2,857      1,559
    2022/23   1,461      1,241       946        454         2,407      1,695
  • A complaint may not be accepted for various reasons, including when it is outside OPC jurisdiction.
  • The number of complaints under PIPEDA that are accepted overall is lower since the OPC has greater discretion to investigate (or not), and because many complaints received fall within provincial jurisdiction.
  • Early resolution aims to resolve a complaint matter promptly, to the satisfaction of the complainant and respondent.
  • A summary investigation is undertaken when early resolution is not possible but when facts can be ascertained and a finding can be established without expansive efforts.

Lead: Compliance


Compliance backlog (investigations and breaches)

Key messages

  • The OPC received temporary funding in Budget 2023 to improve its response rates to privacy complaints and breach reports.
  • At the end of 2023-24, the investigative backlog represented 20% (152) of all ongoing investigations – a decrease from 2022-23, when 24% (239) of ongoing investigations were active for over 12 months.
    • In 2023-24, the OPC completed 1,683 investigations, a 22% increase over 2022-23, when 1,383 investigations were concluded.
  • On breaches, so far this year we have assessed and closed 67% of breach reports received within our new service standard of 6 months, compared to 54% in 2023-24.
  • While we are committed to working on innovative ways to improve efficiencies, we continue to receive a high volume of complaints and breaches, including several related to complex privacy issues.
  • So far this fiscal year, we have seen a 40% increase in complaints and a 14% increase in breaches compared to the same period last year.
  • Without additional permanent funding and legislative changes to provide us with more discretion to investigate complaints, and to improve breach reporting, the backlog is at risk of remaining high or even increasing.

Background

Backlog of investigations incomplete after 12 months
FY        PA cases   PIPEDA cases   Total backlog
2023-24   86         66             152
2022-23   215        24             239

Backlog of breach report assessments incomplete after 6 months
FY        PA cases   PIPEDA cases   Total backlog
2023-24   88         132            220
2022-23   107        239            346

Prepared by: Compliance


Promotion

Government Advisory: Activities, statistics, and trends

Key messages

  • Support requests to the Government Advisory (GA) Directorate, the main point of contact for federal departments seeking guidance for initiatives involving personal information, continue to be high.
  • GA also advises Treasury Board Secretariat on the development of central government policies, directives, and standards operationalizing the Privacy Act.
  • Recent trends we have seen in PIAs/consultations include: use of digital services, data sharing across government, use of AI and facial recognition systems.
  • Our outreach sessions on privacy issues are always in great demand and well attended by federal government employees; a privacy awareness week event co-hosted with TBS in May 2024 attracted over 1000 registrants.

Background

  • Volume of work: During fiscal year 2023-2024:
    • GA received 265 PIA submissions, requests for consultation and advice from federal institutions, an increase of almost 20 percent over the previous year.
    • In addition, we received 572 notifications of disclosures under section 8(2)(m) of the Privacy Act.
    • In 2024-25 thus far, we are being contacted on average over a dozen times a month for consultations, PIA submissions and inquiries, and we are receiving approximately 42 notifications under section 8(2)(m) a month.
  • TBS: We provided advice to TBS on multiple files for central government guidance on personal information handling including guidance on Generative AI, a new guide to the Privacy Act, and new directions on how PIAs are to be undertaken.
  • Outreach: To date, we have increased privacy knowledge and capacity in departments through six outreach events, with at least five more planned this financial year.

Lead: GA


Business Advisory: Activities, statistics, and trends

Key messages

  • A key function of my office is to provide advice to businesses of all sizes to help them meet their privacy obligations under PIPEDA.
  • In recent years, we have seen increased interest from small and medium-sized organizations as they explore new technologies and other innovations.
  • As the privacy landscape continues to evolve, my office will continue to engage with businesses to help support technological innovation while also protecting privacy as a fundamental right.

Background

  • BA advises businesses of all sizes under two program lines: (1) voluntary advisory consultations and (2) promotional outreach.
  • In 2023-24, BA undertook 16 advisory engagements and 79 promotional activities (privacy clinics, exhibits, presentations, stakeholder meetings, targeted promotion sessions, etc.).
  • In 2023-24, 71% of all cases involved small and medium-sized enterprises, which play a critical role in economic growth and job creation. (Such cases were up from approximately 55% to 60% in previous years.)
  • BA continues to engage with organizations that are using new and advanced technologies and novel data-use and -sharing models in a range of sectors, including neurotech, health tech, fintech, retail, marketing, transport, and public safety. For example, in 2023-24, 40% of our cases involved AI.
  • To maximize our impact, BA leveraged partnerships through innovation hubs and business accelerators. For example, BA worked with 14 partners to reach over 500 businesses in Atlantic Canada and the Yukon.
  • BA also organized and hosted the OPC Privacy Forum in Toronto, which was attended by nearly 100 privacy professionals and experts from across Canada.

Lead: BA


Guidance development

Key messages

  • The guidance we provide is fundamental to our role in effectively promoting compliance with the law and in helping individuals understand and exercise their privacy rights.
  • We continue to see increased need from organizations for advice and guidance on their privacy obligations.
  • We expect this trend to accelerate if Bill C-27 is adopted, and we are modernizing our guidance-development processes with that scenario in mind.
  • We would welcome parallel guidance responsibilities with respect to public sector organizations under a reformed Privacy Act.

Background

  • The OPC has conducted international benchmarking on how other data-protection authorities develop guidance, which has informed our plans to implement processes that are evidence based, forward looking, and that will result in practical, concrete, and accessible guidance.
  • In addition to preparing for potential law reform, we are finalizing draft guidance on processing biometrics for the public and private sectors and a position on age assurance following public consultation.
  • S.110(1) of Bill C-27 would require the Commissioner to consult stakeholders, including any relevant federal government institutions, when developing guidance materials and tools for organizations with a view to promoting compliance. We are currently examining our consultation processes and intend to engage with stakeholders to seek their feedback.
  • In the context of Privacy Act modernization, the Department of Justice has proposed that the OPC have the authority to engage in public education and to issue guidance on the interpretation and enforcement of the Act, in consultation with government. We support this recommendation, assuming this function will be appropriately resourced.

Lead: PRPA


Parliamentary Affairs: Activities, statistics, and trends

Key messages

  • As an Agent of Parliament and the federal privacy ombudsman, I am frequently called upon to provide advice and recommendations to various committees as well as individual Parliamentarians.
  • As noted during my earlier appearance on the Main Estimates this year, between April 2023 and March 2024, my office:
    • appeared 10 times before various Parliamentary committees,
    • monitored and reviewed 38 bills and studies; and,
    • responded to 14 requests from individual Parliamentarians.
  • On average, I appear fourteen times a year before Committees in both Chambers.

Background

  • In 2023-24, we had the following key appearances on government bills:
    • May 3, 2023: C-47, Budget Implementation Act, 2023, No. 1.
    • October 19, 2023: C-27, Digital Charter Implementation Act, 2022.
    • February 12, 2024: C-26, An Act Respecting Cyber Security and Amending the Telecommunications Act.
    • May 23, 2024: C-69, Budget Implementation Act, No. 1.
    • May 27, 2024: S-210, Protecting Young Persons from Exposure to Pornography Act.
  • We anticipate being occupied with a range of initiatives and priorities in this session, including continued monitoring of progress on the following bills:
    • C-27 (Digital Charter Implementation Act, 2022)
    • C-63 (Online Harms Act)
    • C-65 (Electoral Participation Act)

Lead: PRPA


International relations: Key activities

Key messages

  • Stronger global privacy rights and international partnerships help ensure that Canadians’ personal information remains protected when it crosses Canada’s borders.
  • The OPC participates in international networks and works with counterparts to leverage resources, develop common policy positions, and share enforcement best practices.
  • One of these networks is the G7 Data Protection and Privacy Authorities’ (DPA) Roundtable, which I will be hosting in 2025. In preparing to take on this role, I am engaging with key government partners to support Canada’s broader vision for its G7 presidency.

Background

  • G7 DPA Roundtable: The 2024 G7 DPA Roundtable will be in Rome in October. The three working groups are Data Free Flow with Trust, Enforcement Collaboration, and Emerging Technologies, which OPC chairs.
    • OPC is currently engaging with Global Affairs Canada and ISED on topics of mutual interest in support of Canada’s G7 objectives.
  • Global Privacy Assembly (GPA): OPC chairs working groups on Data Protection and Other Rights and Freedoms, International Enforcement Cooperation, and Digital Citizens and Consumers. We also sit on 8 other groups, including Ethics in AI and Digital Education.
    • Key 2023 resolutions: Privacy and Human Rights Award (sponsor); AI and Employment (co-sponsor), and Generative AI Systems (co-sponsor).
  • Other key networks: (1) Global Privacy Enforcement Network (GPEN); (2) Asia Pacific Privacy Authorities (APPA) Forum; (3) Association francophone des autorités de protection des données personnelles (AFAPDP); and (4) Berlin Working Group.
  • Participation in International government fora: (1) Asia-Pacific Economic Cooperation (APEC) Data Privacy Subgroup; (2) Global Cross Border Privacy Rules Forum; (3) OECD Working Party on Data Governance and Privacy in the Digital Economy.
  • Memoranda of Understanding (MOU): OPC has signed ten bilateral MOUs, including most recently with the US Federal Communications Commission, and three multilateral MOUs. We also participate in the APEC Cooperation Arrangement for Cross-Border Privacy Enforcement, the GPA Cross Border Enforcement Cooperation Arrangement, and the Global Cooperation Arrangement for Privacy Enforcement.

Lead: IPT


International relations: Statistics and trends

Key messages

  • It can be difficult to compare the powers and authorities of the OPC to other data protection authorities globally. The scope of mandates can vary and privacy legislation is at varying levels of maturity worldwide.
  • However, in some respects my Office is a global outlier. For example, we do not have the power to issue orders or impose penalties for privacy violations. Bill C-27 would remedy this with respect to the private sector, and we remain hopeful that Parliament will reform PIPEDA to give my Office these important tools.
  • Similarly, whereas mandatory privacy breach reporting is the international standard, I note that in Canada the Privacy Act contains no such requirement for the public sector.

Background

Data based on the 2023 Global Privacy Assembly (GPA) Census, which surveyed 2002 data from 78 Data Protection Authorities (DPAs):
  • Funding: 71% of DPAs reported a budget increase compared to 2021, with only 13% experiencing a budget decrease. 63% of DPAs increased their staff compared to the previous year.
  • Enforcement Powers: 74% of DPAs can impose fines or penalties for privacy violations. 90% have the power to investigate and sanction civil/administrative breaches.
  • Enforcement Cooperation: 63% of DPAs have a mechanism for cooperation with other regulatory authorities.
    • Under PIPEDA, OPC can cooperate and share information with international counterparts subject to certain conditions, most notably a requirement for a written arrangement. OPC has 10 bilateral and 3 multilateral MOUs in place.
  • Breach reporting: 87% of DPAs have mandatory breach-notification requirements in their jurisdiction. 68% publish information on the notifications they receive, for example, the total number of notifications received, the breakdown by sector, or details of those that give rise to formal action.

Lead: IPT


Technology Analysis: Activities, statistics, and trends

Key messages

  • Addressing the privacy impacts of technological advancements is one of my office’s strategic priorities.
  • In support of this, my office studies different technologies to assess their potential privacy implications.
  • OPC has a team of IT analysts who use their extensive technological expertise to examine malware, hardware components, mobile applications, and Internet-of-things devices with a view to promoting privacy through the safe and secure use of digital technologies by Canadians.
  • OPC’s technology analysis lab also supports compliance investigations and research related to emerging technologies, including artificial intelligence, biometrics, digital ID, as well as privacy-enhancing technologies like de-identification.

Background

  • The Technology Analysis (TA) Directorate supports the work of the Office, including activities related to Canada’s anti-spam legislation.
  • TA also analyzes emerging technologies, such as generative AI and age-verification techniques, in collaboration with other jurisdictions both within Canada and abroad.
  • TA continues to support various investigations, breaches, and government initiatives related to technology, privacy, and cybersecurity.
  • Through the publication of blog posts, TA also aims to raise public awareness of the privacy implications of different technologies. In 2023-24, TA published blog posts on quantum computing, homomorphic encryption, and algorithmic fairness.

Lead: TA


Communications: Key activities, statistics, and trends

Key messages

  • Pursuant to our mandate to protect and promote privacy as a fundamental right, my office continues to deliver communications on a range of privacy issues, including youth privacy, major investigations, and domestic and international efforts to address the privacy impacts of new technologies.
  • Given significant shifts in the communications landscape, our communications team is constantly working to better understand and address the evolving information needs, interests, and expectations of Canadians.
  • We also respond to requests for information from the public and organizations through the OPC’s Information Centre.

Background

  • Key communications statistics from 2023-24 include:
    • 64 speeches or presentations delivered by the Commissioner or OPC personnel
    • 106 media releases, announcements, and speeches published
    • 11,000 copies of OPC publications distributed (e.g., educational comic booklets)
    • 120 media requests responded to
    • 3.1 million unique visits to our website
  • Work undertaken in 2023-24 to better understand and address shifts in the information and communications landscape included public opinion research (Canadian businesses), a public environment analysis and educational scan related to youth privacy, research on user needs, and usability testing on our website.
  • Notable updates from the first half of this fiscal year (2024-25) include more than 30 media products and speeches, as well as the release of the Commissioner’s Annual Report to Parliament on June 6, 2024.

Lead: COMMS


Contributions program

Key messages

  • My office administers a contributions program that provides up to $500,000 a year for research and public education initiatives on a range of privacy issues related to PIPEDA.
  • These independent projects generate new information, expertise, and understanding to help organizations strengthen privacy protections and assist Canadians in understanding and exercising their privacy rights in their interactions with the commercial sector.
  • Each year’s call for applications focuses on a particular theme that aligns with the priorities of the office. This year’s themes are addressing the privacy impacts of new technologies and protecting children’s privacy.

Background

  • Established in 2004, the contributions program has provided nearly $10 million in funding to different organizations for privacy research.
  • The program has funded a wide diversity of projects, including from the First Nations Information Governance Centre (on data sovereignty and PIPEDA); the Canadian National Institute for the Blind (on consent and inclusion, diversity, equity and accessibility); and the University of Western Ontario (on deceptive design).
  • All projects must relate to PIPEDA since the program was established under that Act. Proposals are evaluated based on merit by OPC subject-matter experts and, where necessary or appropriate, external peer reviewers. In most years, approximately $50,000 is allocated to successful applicants, up to a maximum of $100,000.
  • In 2020-21, the program’s terms and conditions were renewed for five years by the Minister of Justice (until March 31, 2025). We are currently working on updating the terms and conditions for renewal.
  • The full list of funded projects is published on the OPC website, along with summaries of completed projects from previous years.

Lead: PRPA


Children’s privacy

Key messages

  • Ensuring that children’s privacy is protected and that young people understand and are able to exercise their privacy rights is one of my key strategic priorities.
  • In furtherance of this priority, my Office has undertaken a number of key activities, including:
    • Launched an investigation into TikTok with counterparts in Alberta, Quebec and British Columbia to examine whether its practices comply with PIPEDA, particularly with respect to its younger users.
    • Issued a joint resolution with FPT counterparts calling on governments and organizations to put the best interests of young people first and recommending the adoption of specific practices to this end.
    • Held a consultation on age assurance, which can help to protect young people online. We now plan to prepare guidance on this topic, informed by our public consultation.

Background

  • In line with the OPC’s strategic plan, we are further developing our expertise by conducting research and outreach with young people to identify privacy harms and better understand their own perceptions of their privacy rights.
  • Children’s privacy was a primary theme for our office’s 2024-2025 contributions program. We have announced funding for four projects that focus on young people’s privacy, which will help inform our work in the area.
  • The OPC sits on the Global Privacy Assembly’s working group on Digital Education and an international age-assurance working group, where we collaborate and share best practices with our international counterparts.

Lead: PRPA


Age-assurance consultation

Speaking points

  • Age assurance can be an effective technique to promote online safety for young people. In addition to restricting access to harmful content, age assurance could be used to direct young people to a version of a service that uses data practices tailored to youth and children.
  • However, age assurance can also have significant privacy implications for all Internet users.
  • In June 2024, in support of my Office’s strategic priorities of advocating for privacy in a time of technological change and championing children’s privacy rights, the OPC launched an exploratory consultation on the topic of age assurance.
  • Our consultation will increase our understanding both of the challenges posed, and opportunities created, by this technology.

Background

  • Potential privacy impacts of age assurance include tracking of Internet usage and disclosure of identity information (e.g., via a breach).
  • Our consultation closed on September 10, 2024. We received a total of 35 submissions from civil society and academia, age-assurance providers, online services, Canadian industry associations, and interested individuals.
  • Anticipated next steps will include, at a minimum, developing guidance on the use and design of age-assurance systems, which could be released this fiscal year.

Lead: PRPA


Canadian Digital Regulators Forum (CDRF)

Speaking points

  • The CDRF was created in June 2023 to harness the collective knowledge and expertise of its members. Its purpose is to strengthen information sharing and collaboration, where appropriate, on subjects of common interest that relate to digital markets and platforms.
  • In addition to my Office, membership consists of the Competition Bureau, the Canadian Radio-Television and Telecommunications Commission, and the Copyright Board.
  • As the current CDRF chair, I am looking to build on the forum’s first year by further exploring policy issues related to AI, with a view to developing joint work that will be published at the end of this fiscal year.
  • Members will also identify other issues that cut across regulatory boundaries as we work to fulfill our individual mandates through increased partnership and cooperation on a long-term basis.

Background

  • The CDRF is led by a Chair that rotates annually and is determined by unanimous agreement of member heads. In consultation with other members, the Chair is responsible for setting strategic priorities, agendas, and deadlines; presiding over meetings; and obtaining agreement from members on forum activities. The Chair is supported by a secretariat and a core working group.
  • The Copyright Board’s membership was announced on September 10th in a press release on both the OPC and the CDRF’s websites.
  • In 2024, the CDRF became a member of the International Network for Digital Regulation Cooperation, an international forum that aims to facilitate information-sharing and best practices for cross-regulatory cooperation. Members include organizations from the UK, Ireland, Australia and the Netherlands.

Lead: PRPA


TBS Directive on Privacy Impact Assessment

Key messages

  • The TBS Directive on Privacy Impact Assessment requires government institutions to conduct a PIA when a program or activity may impact personal information. It also requires institutions to share completed PIAs with my office.
  • Under the TBS Policy on Privacy Protection, institutions must notify my office of any new or existing programs or activities that could impact privacy – regardless of whether a PIA is planned.
  • Despite these requirements, we are not always consulted or made aware of potentially privacy-impactful initiatives until after the fact.
  • TBS is in the process of updating its PIA-related policy instruments in consultation with my office. Although greater clarity is always welcome in policy instruments, the requirement to conduct PIAs should be enshrined in law.

Background

  • PIAs have been a policy requirement since 2002 but do not currently have the force of law.
  • In its November 2020 consultation paper on Privacy Act modernization, the Department of Justice proposed adding a risk-based obligation to complete PIAs to the Act, together with a requirement for federal entities to share completed PIAs with the OPC.
  • The Office supported this proposal but underlined that the OPC should retain discretion as to whether to issue recommendations on submitted PIAs.
  • In spring 2024, the Office reviewed and provided comments on preliminary drafts of TBS’s updated policy instruments related to PIAs. It is expected that TBS will publish the new documents in September 2024.

Lead: PRPA


Legal

Recent litigation: Facebook (Meta)

Key messages

  • The OPC welcomes the Federal Court of Appeal’s landmark decision on Facebook – which is an acknowledgement that international data giants, whose business models rely on users’ personal information, must respect Canadian privacy law and protect individuals’ fundamental right to privacy.
  • As my Office had done in its 2019 investigation, the Federal Court of Appeal concluded that the social media platform had breached the requirement to obtain meaningful consent from users and had failed to appropriately safeguard users’ personal information.
  • In accordance with the Court’s instructions, we will work with Facebook on an agreement on the terms of a remedial order.

Background

  • In March 2018, the OPC received a complaint about Facebook arising from media reports that Cambridge Analytica had accessed the personal information of Facebook users without their consent via a third party application (TYDL App).
  • The OPC and the Office of the Information and Privacy Commissioner for British Columbia jointly investigated and found that Facebook had not obtained meaningful consent from its users before disclosing their personal information and that it had not implemented adequate safeguards.
  • Because Facebook did not agree to implement the OPC’s recommendations, the OPC filed an application with the Federal Court under s. 15 of PIPEDA seeking, in particular, an order requiring Facebook to correct its practices to comply with PIPEDA.
  • On April 13, 2023, the Federal Court dismissed the Commissioner’s s. 15 application and the OPC appealed this decision to the Federal Court of Appeal.
  • On September 9, 2024, the Federal Court of Appeal allowed the OPC’s appeal with costs and declared that Facebook’s practices between 2013 and 2015 breached PIPEDA. The OPC and Facebook must report back within 90 days on whether they have agreed on the terms of a consent remedial order.
  • The Court remains seized of the matter. Should no agreement be reached, the Court will invite the parties to submit further submissions on the question of remedy.

Lead: LEGAL


Recent litigation: Aylo (MindGeek)

Key messages

  • In April 2023, Aylo (formerly MindGeek) brought an application for judicial review in Federal Court, arguing that my Office’s intent to publish its Report of Findings regarding a complaint received against the company was unreasonable and unfair.
  • Aylo then sought an injunction that would have prevented my Office from issuing and publishing the final Report of Findings while the judicial review application was pending.
  • In August 2023, the Federal Court dismissed Aylo’s injunction request, in particular because it had not demonstrated that it would be irreparably harmed by the issuance and publication of the report. Aylo appealed that decision.
  • In February 2024, the Federal Court of Appeal unanimously dismissed Aylo’s appeal. That same day, my Office issued and published the final Report of Findings.

Background

  • In April 2020, the OPC received a complaint against Aylo stemming from its alleged failure to obtain consent from everyone depicted in intimate content posted on its various websites.
  • The report found that Aylo contravened PIPEDA by enabling intimate content to be shared on its websites without the direct knowledge or consent of everyone depicted. My Office recommended that Aylo immediately stop the collection, use and disclosure of user-generated intimate images and videos until it has implemented measures to ensure compliance with its obligations under PIPEDA.
  • We are currently in discussions with Aylo with a view to securing a commitment to implement measures that will comply with our recommendations and Canadian privacy law.

Lead: LEGAL


Litigation costs

Key messages

  • Litigation remains a key tool for my Office in its work to protect and promote privacy. That said, initiating a court application or responding to a judicial review can be very costly, despite best efforts to be judicious in the use of resources.
  • There was a substantial increase in litigation costs incurred by the OPC in 2023-24. While costs have generally been increasing over the past six years, in the last year, they more than doubled.
    • This was due to a particular set of circumstances, with costs incurred for 2 cases in Federal Court and 3 at the Federal Court of Appeal.
    • The great majority of these costs were incurred for the Aylo matter, which significantly advanced privacy.
  • While rates of judicial review of OPC decisions have remained relatively stable, should Bill C-27 be adopted, I anticipate increased litigation activity in the early years through challenges of OPC decisions to issue orders, to recommend administrative monetary penalties, and to issue investigative findings that give rise to a new right for individuals to institute proceedings to obtain damages.

Background

  • OPC litigation expenditures for retainers with external counsel by fiscal year:
    • 2018-19: $67,523.19
    • 2019-20: $130,597.50
    • 2020-21: $114,930.49
    • 2021-22: $212,329.02
    • 2022-23: $284,277.14
    • 2023-24: $771,381.86
  • The OPC resolves many complaints in early resolution or through its investigative findings and recommendations, and litigation is but one available tool.
  • OPC intervention in cases raising significant CPPA interpretation issues is also likely to temporarily increase litigation costs should Bill C-27 be adopted.

Lead: LEGAL


Bills and amendments

Bill C-27

Key messages

  • Bill C-27 addresses many of the concerns that my office and other experts have raised with respect to PIPEDA. For example, it expands requirements for obtaining informed consent and the list of contraventions subject to administrative monetary penalties.
  • However, I believe that it must go further to ensure that Canadians’ privacy rights are better protected in the digital environment, to promote innovation, and to avoid leaving too much to regulation.
  • My office has proposed 15 recommendations to strengthen the bill, including recognizing privacy as a fundamental right and protecting children’s privacy and the best interests of the child.
  • I was greatly encouraged to see the Standing Committee on Industry and Technology (INDU) adopt some of these recommendations during its clause-by-clause consideration of the Bill. We continue to closely monitor the Bill’s progress.

Background

  • INDU began its clause-by-clause consideration of Bill C-27 on April 8, 2024. To date, they have held 10 meetings and adopted 10 amendments, most of which broadly align with our recommendations. These include:
    • embedding the preamble of the bill in the Consumer Privacy Protection Act and amending it to recognize the fundamental right to privacy and the importance of protecting minors and their best interests;
    • amending the definition of “anonymize” to remove “generally accepted best practices” and add the standard of “no reasonably foreseeable risk in the circumstances” for re-identification;
    • amending the French definition of “de-identify” to better align with the English;
    • adding definitions of: lawful authority, minor, profiling, sensitive information, and significant impact; and
    • amending the definition of “personal information” to include inferred information.

Lead: PRPA


Privacy Act reform

Key messages

  • While private sector law reform continues, the Privacy Act remains fundamentally unchanged since coming into force over 40 years ago.
  • To the extent appropriate, given their different contexts, federal privacy laws should be broadly consistent with one another, and with other global data-protection frameworks.
  • Aligning public and private sector laws provides predictability, interoperability, and consistency. Common standards also support public-private partnerships and cross-border data flows.

Background

  • In 2021, the Department of Justice published a consultation paper proposing a range of reforms to the Privacy Act. Specific proposals supported by our office included:
    • the addition of a purpose clause recognizing the broad scope of the right to privacy as a human right;
    • more meaningful oversight, along with quick, effective remedies, such as order-making powers and expanded rights of recourse; and,
    • an expanded definition of personal information.
  • Our office also submitted several recommendations in response, including:
    • the inclusion of a definition of automated decision-making, a right to meaningful explanation and human intervention, standards for the level of explanation required, and legal obligations for traceability;
    • that the new “reasonably required” standard proposed for collection clearly indicate that privacy impacts must be proportionate to the public interests at stake; and,
    • that government institutions be required to consult the OPC on draft legislation and regulations with privacy implications before they are brought forward.
  • The most recent public updates from the Department of Justice since the launch of the consultation were the publication of a “what we heard” report in August 2021 and a report on 2022 engagement with Indigenous Peoples published in October 2023.

Lead: PRPA


Bill C-65 (Electoral Participation Act)

Key messages

  • Bill C-65, tabled in March 2024, adds new aspects to the required privacy policies that political parties must submit as they register with Elections Canada (under the Canada Elections Act).
  • I have long recommended that political parties should be subject to substantive privacy rules (e.g. those found in the Privacy Act or PIPEDA) which include recourse for individuals, independent review, and compliance mechanisms.
  • I look forward to sharing my views with Parliamentarians when Bill C-65 is studied in detail at Committee.

Background

  • Privacy aspect of legislation: C-65 adds new elements to privacy policies that political parties must develop as part of their registration with Elections Canada (under the Canada Elections Act), including that:
    • a registered or eligible party and those acting on the party’s behalf must comply with the party’s policy for the protection of personal information;
    • failure to comply with a party’s privacy policy is considered a violation; and,
    • parties must notify individuals in the event of a privacy breach where there is a real risk of significant harm.
  • Prior appearances: when you appeared on this issue in May 2023 before the Senate Legal and Constitutional Affairs Committee (on C-47) you noted that:
    • despite amendments enacted by Bill C-47, there were no minimum privacy requirements for political parties to govern handling of personal information; rather, C-47 authorized parties and their affiliates to collect, use, retain, disclose, and dispose of personal information according to their own policies; and,
    • parties should adhere to internationally recognized privacy principles, including recourse to an independent third party with authority to verify and enforce compliance and provide remedies.

Lead: PRPA


Bill C-63 (Online Harms Act)

Key messages

  • The government tabled Bill C-63, the Online Harms Act, with the stated goal of holding social media platforms accountable for addressing harmful content on their platforms and creating a safer online space that protects all people in Canada, especially kids.
  • I have made championing children’s privacy rights a strategic priority of my Office, as children need to be able to navigate online spaces securely. This priority intersects with areas of C-63 relating to developing age-appropriate design for regulated services.
  • C-63 also addresses intimate images communicated without consent, which is of interest to my Office given my findings related to the Aylo investigation.
    • In it, I recommended that Aylo must obtain meaningful consent from each individual appearing in intimate images and videos before the content can be uploaded to its sites.
  • I look forward to discussing the privacy implications of Bill C-63 should I be called to comment on the Bill before Parliament.

Background

  • Bill C-63 legislates a duty to protect children. As part of this duty, s. 65 states that “an operator must integrate into a regulated service that it operates any design features respecting the protection of children, such as age appropriate design, that are provided for by regulations.” Section 140(o) outlines that regulations respecting design features may include privacy settings for children.
  • Bill C-63 also establishes a duty to make certain content inaccessible. Whether content is flagged by the service itself or by a user, a regulated service must take down content it has reasonable grounds to suspect sexually victimizes a child, revictimizes a survivor, or is intimate content communicated without consent, within 24 hours of identifying it (s. 67). The content must remain offline until the service has made a decision on whether the content should remain inaccessible.

Lead: PRPA


Bill S-210 (Protecting Young Persons from Exposure to Pornography Act)

Speaking points

  • Bill S-210 would make it an offence to make sexually explicit material available online to young people. One of the primary defences to such a charge would be for an organization to implement a prescribed age-verification system.
  • The Bill does not provide for an oversight role for the OPC. However, as I noted when I appeared before the House Committee on Public Safety and National Security, my Office would welcome the opportunity to provide advice on regulations that pertain to privacy and the protection of personal information, including with respect to prescribed age-assurance methods.
  • Mandating the use of age assurance could have a range of privacy impacts. It may also require my Office to allocate additional resources to proactive or reactive examinations of different age-assurance technologies.

Background

  • Age verification – or the broader term “age assurance” – is the determination of an Internet user’s age through one of many possible methods, such as review of an identity document or estimation of age based on analysis of an image of their face. Regardless of the method used, age assurance has privacy implications for both adults and youth.
  • Section 7 of Bill S-210 provides that the Governor-in-Council may designate an agency, division, or branch of government as the enforcement authority. Some stakeholders have inquired about whether the OPC should be the enforcement authority, including during the Commissioner’s appearance before the House Committee on Public Safety and National Security.
  • Potential privacy impacts of age assurance include tracking of Internet usage or disclosure of identity information (e.g., via a breach).

Lead: PRPA


Bill S-231 (Increasing the Identification of Criminals Through the Use of DNA Act)

Speaking points

  • In November 2023, the Senate Legal and Constitutional Affairs Committee (LCJC) invited my Office to appear on Bill S-231.
  • Officials from my Office noted at that time that the Bill considerably increased the scope of DNA collection for forensic purposes and broadened use of the federal DNA Databank to include familial searching.
  • We recommended against this change, and after hearing testimony from witnesses and experts, the Committee removed the provisions on familial searches from the Bill.

Background

  • Bill S-231 is sponsored by Senator Claude Carignan, Chair of NFFN.
  • Increased scope: Bill S-231 as originally drafted would potentially subject any individual to law enforcement scrutiny because they have a biological relative whose DNA profile is in the National DNA Data Bank (NDDB) and a partial match was made to their relative’s profile. Bill S-231 also requires the collection of DNA samples from individuals who committed offences that are not violent or particularly serious (e.g. perjury, libel, or mischief). The Bill has now been referred to the House for further study before committee.
  • Familial search techniques: Familial searching refers to the deliberate search of a DNA database to identify biological relatives (e.g. parent, child, sibling) of an unknown forensic profile, obtained from crime scene evidence, based on partial genetic matches. The technique raises concerns about the reasonable expectations of privacy of affected family members, as well as exacerbating systemic racism in the criminal justice system. Testimony on these risks was cited by the LCJC members who voted to remove those provisions of the bill at committee stage.
  • OPC involvement with NDDB: The OPC, under the DNA Identification Act regulations, has had a role on the NDDB Advisory Committee since 2000, giving privacy advice on law enforcement use of biometric data like DNA. We have also reviewed and provided advice relating to the NDDB through our Government Advisory role, including reviewing PIAs and consulting with the RCMP.

Lead: PRPA

