One-on-one: OPC's Dufresne on state of AI, privacy landscape in Canada

It has been a week full of headlines for Privacy Commissioner of Canada Philippe Dufresne. 

On 4 May, he delivered his annual address to delegates at the IAPP Canada Symposium 2026 in Toronto, during which he announced new OPC guidance on age assurance technologies, released a report containing all of the stakeholder feedback in response to the agency's public consultation for developing the proposed Children's Privacy Code and spoke on several other pressing global digital issues. 

Days later, Dufresne announced the results of a three-year OPC-led investigation into OpenAI, along with several provincial data protection authorities in a press conference. Before the assembled media, he said regulators found OpenAI launched ChatGPT "without having fully addressed known privacy issues," leaving Canadians exposed to "potential risks of harm such as breaches and discrimination on the basis of information about them."

The string of announcements represents a snippet of Dufresne's busy and full workload, which also includes duties as the current chair of the Global Privacy Assembly. On the sidelines of Symposium, Dufresne spoke to the IAPP about the what is on the horizon for his country's digital governance frameworks.

Federal privacy reforms

There were calls from the OPC and stakeholders to modernize the Personal Information Protection and Electronic Documents Act long before Dufresne was appointed to lead the office in 2022. He has continued to offer steady advocacy for reforms since, despite the Parliament of Canada's struggle to arrive at a consensus proposal for updates.

Dufresne said he is "optimistic" lawmakers will introduce successor legislation to the prior framework in Bill C-27, which came short of the finish line before the last federal election April 2025.

"Our lawmakers are working on it," Dufresne told the IAPP. "I think there's a general sense that Canada needs those modernized laws, both in the public sector and in the private sector. The government is moving ahead with a consultation on public sector privacy law reform, so I will remain optimistic and give my advice (where sought)."

Dufresne previously wrote to the Senate Standing Committee on Legal and Constitutional Affairs in October of last year on the need to update both PIPEDA and the public sector Privacy Act. He said a number of the OPC's recommendations were added to the draft bill proposing to reform the Privacy Act as part of government's public consultation, such as giving the OPC "order-making" power and enshrining privacy as a fundamental right into public sector business. Once comprehensive private sector privacy legislation is introduced, he said he is hopeful lawmakers incorporate his recommendations he previously made to Parliament. 

"The (Privacy Act) consultation that has just started has incorporated a number of my recommendations," Dufresne said. "So, I hope that it will be a similar approach for the private sector. Certainly there have been good exchanges, and we'll continue to push for the best law possible for Canadians."

AI strategy

After a recent CBC report detailed the six core pillars of Canada's proposed national AI strategy, Minister of Artificial Intelligence and Digital Innovation Evan Solomon recently said the framework will be published soon after an original deadline last year. Solomon said the delayed release stems from revisiting consultations due to the ever-changing nature of AI.

Dufresne said the key to making the strategy successful will be how AI technologies can be used to innovate, while also not threatening citizens' fundamental rights. The CBC's report said proposals contained in the pillars call for "giving access to AI training and education for all Canadians" and "modern privacy and online safety laws, strong national AI safety capabilities, and secure government systems."

"The focus is very much about encouraging innovation and making sure Canada can be a leader and a hub for AI, but also at the same time, doing that in a way that's safe and that's where privacy fits in," Dufresne said. "In fact, (Solomon) has said the acceptance of innovation moves at the speed of trust. This is where privacy will give that trust to Canadians, to consumers who use new technology, including AI."

While many privacy observers in Canada believe the inclusion of the proposed AI and Data Act was a significant contributing factor to why C-27 ultimately failed to pass, Dufresne indicated he is focused on ensuring that AI models function in a way that respect existing privacy laws on the books. 

In the meantime, he said cooperation among Canada's regulators will be critical to ensure AI adoption does not usurp individuals’ rights and existing law. 

"You can deal with AI in standalone legislation, or you can, in certain cases, use existing laws, but it's important for all the regulators in that space to work together," Dufresne said. "I'm not sure that we’re going to be going in the direction of one overall law that captures everything to do with AI. I think that different regimes are going to have to be interoperable."

Canada's GPA leadership

Dufresne is in middle of the first year of his two-year term as GPA chair following his September 2025 appointment. He sees Canada as being a "bridge" between the major global economies around the world with its extensive trade relationships with Europe, leading Asian nations, South America and the rest of North America.

"We are a middle power, but Canada understands the interest, the implications and cultures of all regions in the world," he said. "Being at the table in these important discussions make sure Canada's culture and values can shape the discussion and approaches to (data privacy). It strengthens not just Canada, but in all countries, because data crosses borders all the time and no one country can deal with this alone."

The ongoing conflict in the Middle East has resulted in the GPA's annual conference being moved from Dubai to Brussels. And for the first time, the GPA's conference and the IAPP's Europe Congress will take place alongside one another in November.

Dufresne said his personal hope while chairing the GPA is to push for members to step up their efforts to advance children's privacy policies, the implications of emerging technology and making cross-border data transfers more frictionless, amid a push by countries to pursue their own digital sovereignty agendas.

"Cross border data transfers are more important than ever for strong economies," Dufresne said. "My hope as Chair is to amplify the voice of the GPA so that it can bring better, clearer privacy principles all over the world, while also supporting and strengthening individual data protection authorities."