Skip to main content

Government decisions and oversight

Privacy and personal information law

Canada's federal private-sector privacy law governs how organizations handle personal information. AI systems trained on or deployed against personal data sit squarely inside its scope, and Bill C-36's proposed Protecting Privacy and Consumer Data Act would replace and modernize the private-sector framework.

Briefing dossier

Context, evidence, and live source matches in one file.

Start with the standing explainer, check the current evidence receipt, then open the live source stream when there are matching stories.

Topic overview

Briefing summary

Canadian AI governance often moves through privacy law before it moves through AI-specific law. PIPEDA remains the federal private-sector privacy statute in force, and privacy regulators have already used existing law to examine AI training data, consent, transparency, safeguards, and children's privacy.

  • Privacy law is the main enforceable AI-governance tool Canada already has in force for many private-sector uses of personal information.
  • Bill C-36 and Bill C-34 are important proposed-law signals, but their final duties depend on Parliament and later regulations.
  • OPC reports and findings help separate real oversight evidence from general AI-governance promises.
Read the full context

Bill C-36 would create the Protecting Privacy and Consumer Data Act, or PPCDA, as a replacement path for private-sector privacy rules. It is proposed legislation, not law, but its official backgrounder points directly at AI-relevant changes: automated-decision transparency, stronger handling of children's personal information, deletion and mobility rights, cross-border privacy-risk assessment, and a new Digital Safety and Data Protection Commission of Canada.

Bill C-34 is a separate proposed digital-safety bill. Its AI relevance is narrower but direct: regulated services, including certain AI chatbot services, would face child-safety and responsible-action duties. That should be described as a chatbot/platform safety proposal, not as coverage for every AI system.

The OPC's June 2026 Grok finding is a sharper enforcement example. The Commissioner found xAI and X failed to obtain valid consent before Grok generated sexualized deepfakes, treated those outputs as personal information, and found the practice inappropriate under PIPEDA.

The Office of the Privacy Commissioner's 2025-2026 annual report shows what oversight looks like in practice. It includes formal enforcement work, youth privacy initiatives, warnings about AI-generated harms, and proactive engagements with LinkedIn over AI-training practices and Magna over an autonomous-delivery pilot. The LinkedIn and Magna examples are proactive engagement, not formal wrongdoing findings.

People, organisations, and source pathsVerification layer

Key people

  • Philippe Dufresne - Privacy Commissioner of Canada - Office of the Privacy Commissioner of Canada
  • Evan Solomon - Minister of Artificial Intelligence and Digital Innovation - Government of Canada
  • Marc Miller - Minister of Canadian Identity and Culture - Government of Canada

Key organisations

Source-linked reading

Evidence briefing

Building the topic evidence view

Connecting to the current story-match feed. The latest match snapshot is still shown below.

Latest match snapshot

The live story mix will appear when the topic feed returns current stories.

Matched stories
2

stories matched to this topic

Stories checked
50

latest story review

Count status
Available

latest cache status

Last checked
Jul 14, 3:13 a.m. CDT

freshness

Source: Topic story dataThe live source and timeline mix appears only when current topic stories are available.

Live source stream

Live feed

Current stories matched to Privacy and personal information law. Refreshes automatically every two minutes when topic matching is available.

Loading topic stories...