Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains. 

If 2025 were a hockey game, we spent three periods skating end‑to‑end, dodging geopolitical cross‑checks, an unconventional American bench and more artificial intelligence breakaways than a beer‑league goalie deserves. And yet — somehow — we're still on our skates, swapping lines between privacy, cybersecurity and AI governance, and even plotting a smarter power play for 2026.

On geopolitics: Canadians did what we do best, which is look both ways, then again and then once more for luck. Rumors and realignments had us re‑examining cross‑border data flows, dusting off the playbook on blocking statutes, and revisiting whether "keep it in Canada" is a policy, a posture or a polite way of telling vendors to bring their cloud closer to home. 

That data sovereignty conversation, which felt niche in January, went mainstream by summer. Some regulators leaned in, and we learned that sovereignty isn't a vibe; it's architecture that influences procurement choices, service contracts, and a thousand small design decisions that add up to trust.

ADVERTISEMENT

Radarfirst- Looking for clarity and confidence in every decision? You found it.

Meanwhile, our southern neighbors reminded the world that unconventional can be a governing style. For privacy pros north of the border, that translated into renewed attention to transparency in cross‑border transfers, mutual legal assistance treaties and data processing agreements that actually do what they promise, and realistic vendor due diligence. In other words: fewer hand‑wavy assurances and more receipts.

Then came AI. Again, and again, and again. If 2024 introduced the party, 2025 tried to find the light switch. We saw policy sprints, regulator consultations and serious talk about guardrails that behave more like seatbelts than no-go zones. Age assurance grew up a little. There was less "just promise us you are an adult" and more proportionate checks, minimal data, delete fast and prove it works. De‑identification finally got reasonable treatment, with real guidance, technical depth and less magical thinking. And the conversation about biometrics? Still evolving, with Quebec reminding us that necessity and proportionality aren't decorative clauses. 

If this sounds heavy, it didn't feel that way all year. Privacy still had its characteristically Canadian moments: commissioners doing the province‑wide roadshow; gameshow‑ready regulators — yay!; and a community that somehow finds time to riff on Rick Mercer while filing breach reports and revising vendor clauses. We also kept the human stories front and center, remembering the many leaders who built our growing field, mentoring the next generation and admitting — out loud — the grey areas are where most of us work every day. And maybe we like those mental gymnastics. 

So why end 2025 optimistic? Because the profession's muscles got stronger:

Interdisciplinary is no longer optional. Privacy, AI and cybersecurity now share a kitchen and the governance recipes are getting better.

We need to re‑discover practicality. The consent banner arms race is still with us, but there's hope for more honest explanations, risk‑based decisions and checklists that teams actually use.

If the world decides 2026 is another season of plot twists, our response shouldn't be performative panic or techno‑utopianism. It's the boring but heroic — and distinctly Canadian — middle: clear guardrails, engineering hygiene and ethics that survive contact with production systems. AI won't become "safe" by decree, and geopolitics won't calm because we ask nicely. But we can build systems that are resilient to both, by design.

So, here's my modest wish for 2026: fewer headlines that make privacy look like the villain, and more quiet wins that make Canadians safer, services fairer and innovation genuinely useful. And if your feed is showing ads for the Ottawa Senators, it's because they know you're reading this and they think that you, too, must be waiting for the day we celebrate a Stanley Cup parade in Ottawa.

Enjoy the break, recharge the governance batteries and we'll lace up again in January. Seatbelts on. Skates sharp. Privacy as usual, but even better.

Kris Klein, CIPP/C, CIPM, FIP, is the country leader, Canada, for the IAPP. 

This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.