OPINION

Notes from the IAPP Canada: Guidance is the new governance

Privacy governance in Canada is increasingly being shaped by regulatory guidance and enforcement experience, rather than legislative changes, bringing advantages but also growing risk.


Contributors:

Kris Klein

CIPP/C, CIPM, FIP

Country Leader, Canada, IAPP; Partner

nNovation

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

There is a moment familiar to anyone who has ever assembled IKEA furniture without the pictures. You are holding two identical-looking pieces, the instructions are technically helpful but not decisive, and you realize the real challenge is not following the steps but figuring out how the steps fit together. Individually, everything makes sense. Collectively, things can get — creative.

That is where Canadian privacy governance finds itself this week.

The real momentum is not coming from brand-new statutes landing fully formed on our desks. Instead, it is emerging through consultations, guidance documents, regulator statements and enforcement signals that quietly shape what "good" looks like in practice. The law still matters, of course. But increasingly, organizations are building privacy programs to regulator expectations rather than waiting for legislative perfection. Guidance is doing a lot of the governing.

The Office of the Privacy Commissioner of Canada is a good example. Rather than waiting for federal reform to resolve itself, the OPC is actively examining how its guidance is developed and how useful it is for organizations trying to comply in the real world. That may sound procedural, but it is not. Guidance is how abstract legal principles turn into operational reality, from consent design to artificial intelligence governance and data-sharing practices. You have just a few more days to tell the OPC how you think they can improve their approach to guidance development.

Ontario is telling a parallel story. The Information and Privacy Commissioner's Office continues to publish principles and guidance on AI, cybersecurity and digital trust, particularly for public-sector and health organizations. And they're holding a series of workshops right now, which I think fall into the category of "guidance" as well. None of this is legislation, but all of it influences procurement, system design and risk decisions today. 

Québec, meanwhile, is already well past the "direction of travel" stage. Law 25 is now firmly in its operational phase, with enforcement mechanisms active and expectations increasingly concrete. For many organizations, the most significant shift has not been the size of potential penalties, but the clarity around governance, documentation and accountability. The rules are no longer hypothetical. They are showing up in decisions that shape behavior well beyond Québec's borders.

Put together, Canadian privacy governance is increasingly shaped by an accumulation of guidance and lived enforcement experience rather than by a single dramatic legislative moment. That has advantages. Guidance can move faster than statutes and respond more quickly to new technologies.

But it also introduces a growing risk. Guidance does not always line up neatly. And it tends to muddle "musts" and "shoulds," whereas organizations need clear information on what is a compliance requirement versus a best practice. Different regulators can frame similar issues in different ways or emphasize different priorities. 

For organizations operating across jurisdictions, this can create confusion, duplication, extra cost and more than a little dismay when teams discover they are building the same control multiple times to satisfy slightly different expectations.

In a legal world that already values interoperability, coherence matters. In this good-faith but looser, faster-moving world of guidance, it matters even more. As guidance increasingly fills the void between old laws and emerging technologies, regulators need to work together more closely than ever to ensure their signals are aligned, complementary and intelligible to the people expected to implement them.

If guidance is now doing much of the governing, then how well it all fits together may be just as important as what any single document says on its own.

This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
