Evidence of meeting #21 for Industry and Technology in the 45th Parliament, 1st session.

Before the committee

Dufresne  Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

The Chair Liberal Ben Carr

Good morning, everyone.

Welcome back to Ottawa. I hope everybody enjoyed a set of quality moments with friends and family over the course of the holiday. We're certainly being greeted with some winter weather, although I want to note for the record, for all those from Ontario and other parts of the country complaining, that my partner sent me a note yesterday to show that in Winnipeg it was -51°C with the wind. Unless where you come from is worse than that, thanks for your understanding about how we Manitobans feel.

This is a retreat, is it not, Ted?

3:35 p.m.

Ted Falk Conservative Provencher, MB

It's a retreat.

The Chair Liberal Ben Carr

Colleagues, for our first hour today, we have something a little bit out of the ordinary in the course of our normal affairs but is ordinary within the affairs of Parliament as a whole. I received a letter from the chair of the finance committee to ask for our assistance in reducing the load they have to undertake in the evaluation of the BIA, the budget implementation act. She has done this with many other committees. It's common practice in order to have efficiency within the process at committee.

Pursuant to that standing order, today we have an evaluation of an act to implement certain provisions of the budget that are relevant to our committee—in particular, clauses 389 to 398, division 23; clauses 589 to 591, division 39; and clauses 597 and 598, division 43.

We will have two guests with us today. Following that, Minister Joly and her officials will be here next week. That was the ask from the finance committee. We are fulfilling that in today's meeting and in Monday's meeting, assuming the schedule goes according to plan.

Joining us today are Philippe Dufresne, Canada's Privacy Commissioner, and Marc Chénier, deputy commissioner and senior general counsel. They will speak to their responsibilities within the BIA and why they're here today. Then there will be an opportunity, as always, for members to speak.

I am going to hold us to time today. We'll end this at exactly the one-hour mark. We have things to get to in the form of a draft report and a couple of other items of business.

With that, Monsieur Dufresne, I will pass the mic to you. The floor is yours for up to five minutes, sir.

Philippe Dufresne Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Thank you, Mr. Chair.

Thank you for the invitation to appear today to share my views on the privacy impacts of division 23 of part 5 of Bill C‑15, budget 2025 implementation act, no. 1.

Privacy is an important, topical issue in Canada. As more and more personal data is collected, used and shared, protecting it becomes increasingly important to Canadians and Canadian organizations.

In the past two years, we've seen many examples of how Canadian privacy law can address major issues that cause serious and long-lasting harms to individuals—for example, protecting against the non-consensual sharing of intimate images in my investigation into Aylo, which operates Pornhub and other pornographic websites, and addressing the 23andMe breach, which impacted the highly sensitive personal information of seven million customers, including more than 300,000 Canadians.

My recent investigation with my provincial counterparts into TikTok, meanwhile, highlighted the importance of protecting children's privacy in today's online world. The impact of our investigation into this widely used platform went far beyond a report. It also enabled the company to implement improvements to its privacy practices in the best interests of its users, especially children.

I recently announced an expanded investigation into the social media platform X and its Grok chatbot. This investigation will examine the emerging phenomenon of AI being used to create deepfakes, which can present significant risks to Canadians.

These are just a few of the many examples that show the importance of privacy for current and future generations. The examples also illustrate how prioritizing privacy is a strategic and competitive asset for organizations.

That's why it's so important to modernize the legislation so that we can have modern laws to help businesses make sure they have adequate protections.

For organizations, embedding data protection into programs and services can enable responsible innovation, facilitate global operations, improve data security and mitigate risks, including of major breaches. Modernizing privacy laws aligns with Canada's ambition to support growth, to seek opportunities with partners around the world and to continue to be a voice of modern progress, setting the stage for a safe and secure digital future for Canadians and Canadian industry.

Bill C‑15 includes clauses that would amend the Personal Information Protection and Electronic Documents Act to include a right to data mobility to facilitate information sharing among all economic sectors. I support efforts to introduce the right to data mobility in Canada.

A right to data mobility would give Canadians greater control over their personal information and let them decide who their information can be shared with. It would also make it easier for them to switch service providers and choose the organizations they want to deal with. These are important considerations in building trust in today's digital economy.

Enhancing data mobility provisions can also support economic growth in Canada. For example, it would help promote competition and innovation by allowing individuals to take advantage of new business models, like consumer-driven banking, and by encouraging new players in the market, therefore helping to support small and medium-sized organizations. Specifically, Bill C-15 would add a new division 1.2 to PIPEDA that would require an organization, upon an individual's request, to “disclose the personal information that it has collected” from them to a designated organization. This right would be subject to regulations and would only apply “if both organizations are subject to a data mobility framework.”

Bill C-15 would amend PIPEDA to provide the Governor in Council with the authority to make regulations regarding data mobility frameworks. These regulations would cover key aspects of a mobility framework, including safeguards and technical parameters for ensuring interoperability. They would also specify which organizations are subject to a framework and would provide for exceptions to the requirement to disclose information.

Given the scope of the issues that will be regulated, the office of the commissioner absolutely must be consulted by the government as the regulations are developed. I look forward to working with the government on these important issues.

With that, we look forward to your questions. Thank you.

The Chair Liberal Ben Carr

Thank you very much, Mr. Dufresne.

Okay, colleagues, we'll enter into our lines of questioning.

Mr. Guglielmin, the floor is yours for six minutes.

3:40 p.m.

Michael Guglielmin Conservative Vaughan—Woodbridge, ON

Thank you, Chair.

Thank you for your testimony, Commissioner.

In division 23, under part 5 of Bill C-15, there is proposed section 10.4 of PIPEDA, which is on this proposed data mobility framework. This framework is intended to grow out of regulation. In other words, it will be bureaucrats, not parliamentarians, who have oversight over its development. Do you believe this introduces transparency concerns around the way in which Canadian data is handled?

3:40 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I believe that my office should be consulted in the development of those regulations. That's why I'm setting out my expectation here, as I did in the other place when I appeared there to discuss this.

I think the legislation provides for the framework and the important topics, safeguards and parameters, and it specifies organizations and exceptions. For my role in this, I will be reaching out to the government to make sure that my office is consulted, and I expect this to not be an issue.

3:40 p.m.

Michael Guglielmin Conservative Vaughan—Woodbridge, ON

Do you think transparency might be enhanced by amending the legislation to allow for provisions of the data mobility framework to be statutorily established?

3:40 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

That's a decision for Parliament to make. Certainly, there is always a balance between having elements in legislation, with more debate and more parliamentary accountability.... Having some elements in regulation allows for faster development and more adaptation, so it's up to Parliament to strike the right balance.

In this instance, I do not have concerns with the way it is provided. However, this is based on my expectation that the government will consult with my office in the drafting.

3:45 p.m.

Michael Guglielmin Conservative Vaughan—Woodbridge, ON

Do you think the overall transparency and, potentially, the efficacy of the legislation could be strengthened by requiring that the regulations governing the data mobility framework be published before they come into force?

3:45 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

The more we publish before it comes into force and consult with industry and the regulator, the more awareness industry and Canadians will have so they can prepare for the implementation and provide their feedback.

3:45 p.m.

Michael Guglielmin Conservative Vaughan—Woodbridge, ON

What do you think are the chief challenges with developing this framework through regulation outside of the immediate focus of the Canadian public?

3:45 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I think the challenge is making sure you have something that will work for Canadians, that will work for industry and that allows key elements. We see some of that in the bill in terms of consumer banking, consent, safeguarding, and making sure that if there is a privacy breach, it is reported quickly to the authorities, to the regulator. There's a big role for the Bank of Canada in the banking sector to approve entities and report breaches.

I think it's going to be important for the Bank of Canada, my office and other affected entities and regulators to work together, and I look forward to doing that.

3:45 p.m.

Michael Guglielmin Conservative Vaughan—Woodbridge, ON

I'm going to switch over to where in your testimony you were talking about deepfakes. The government has now introduced legislation, Bill C-16, that is intended to criminalize the creation and distribution of intimate deepfakes. At the same time, we have experts like Suzie Dunn, assistant professor of law at Dalhousie University, who have warned that the bill's definition of “deepfake” may be too narrow to capture much of the harmful content currently circulating online. That includes platforms like X.

As the committee prepares to undertake a study on artificial intelligence more broadly, what recommendations would you offer to us to ensure that legislation more effectively protects Canadians' privacy and potentially provides meaningful recourse for victims who have already experienced non-consensual AI intimate images?

3:45 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

My overall recommendation is to modernize PIPEDA, to modernize private sector privacy legislation. That is a mandate of this committee. That is an area where the Minister of AI has said publicly that the government will look to introduce, at some point, modernized legislation. There were attempts in the past.

My main message is that we need to modernize and we need to give my office enforcement authorities. This is a major gap in the enforcement regime. I can only issue recommendations. I cannot issue orders and I cannot issue fines. We are standing out among international partners in this respect. That is an easy fix that Parliament can do. There are other elements that need to be modernized as well, but that would give me the enhanced tools I need.

In the meantime, I have been using and will continue to use existing tools to deal with those issues. That's what I did in dealing with Pornhub and that's what I am doing in dealing with the investigation of X and deepfakes, but the fact remains that I cannot issue orders at the end of those investigations.

3:45 p.m.

Michael Guglielmin Conservative Vaughan—Woodbridge, ON

I understand that xAI has recently indicated that it will geoblock content where it violates laws of a particular jurisdiction. However, there are many who would argue that this response comes after significant harm has already occurred. Victims of intimate deepfakes continue to live with the consequences long after content is removed or restricted.

Simply from a privacy and victim protection perspective, what does that say about the adequacy of current regulatory approaches, which often rely on reactive enforcement rather than preventative safeguards?

3:45 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

Well, I won't say too much on X, because I launched my investigation last week. We're going to proceed swiftly on it, we're going to use the tools and we're going to draw our conclusions on it.

I think there's a challenge, if I look to our concluded investigation of Pornhub on the similar and related issue of online-based abuse and the sharing of intimate videos without the consent of individuals in the context of revenge porn and other types of situations. We investigated. We made a finding that this breached privacy law. We made strong recommendations that there needed to be a solution from now on, forward looking, but what do you do with what has already been posted? We also wanted that to be taken down. We wanted the takedown mechanisms to be faster and to be user-friendly. The company refused to do that.

Now we are in Federal Court trying to enforce this, but it is slow and expensive, and in the meantime those images continue to be available. That's where amending PIPEDA and giving my office order-making powers and the ability to issue or recommend fines would allow a much more immediate remedy, which could then be challenged in front of the court. That's the challenge.

You're often going to have responsive complaints or proactive complaints. In the context of Grok, I initiated it myself, but what's important is that once those are concluded, you get a real and meaningful remedy if there has been a violation.

3:50 p.m.

Michael Guglielmin Conservative Vaughan—Woodbridge, ON

Thank you.

The Chair Liberal Ben Carr

Thanks very much, Mr. Guglielmin.

Mr. Bains, the floor is yours for six minutes.

Parm Bains Liberal Richmond East—Steveston, BC

Thank you, Mr. Chair.

Thank you, Commissioner, for joining us today.

My first question for you is, how will the government ensure that regulatory requirements for data mobility do not disproportionately burden small and medium-sized enterprises?

3:50 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I think that is an important part of any new law, rule or regulation the government adopts. It's important to hear from industry. It's important that the department hear from industry. It's important that industry itself is able to make its concerns and realities known, and a small or medium-sized enterprise in particular.

From my standpoint as a regulator, I also need and want to know what the challenges of industry are. What are the hurdles? For regulation to be effective, it has to be practical. It has to be doable by small and medium-sized enterprises, and of course, it has to protect Canadians. Building in privacy at the outset and making sure that we have good frameworks, good involvement of the regulator and good dialogue with industry allow industry to build this in from the beginning. It's more effective, it's less expensive and it leads to more trust from consumers.

This is going to be key, in my view, in data mobility and consumer banking. Canadians need to trust this, and they will trust it if they can see that privacy is built in from the start.

Parm Bains Liberal Richmond East—Steveston, BC

I have a question with respect to monetary penalties. You appeared before the Senate committee on banking, commerce and productivity, where you stated that you do not currently have “the authority to impose financial consequences” for a breach of liability. In your view, is a monetary penalty one of the most effective ways to ensure compliance, or do you have other ways that you would go about that when dealing with breaches of sensitive information?

3:50 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I believe we need to use all of the tools at our disposal. The financial penalties, the orders and the enforcement should always be a last resort. We should always try to prevent, resolve, educate and work together, so that's what we're doing at my office. I'm trying to resolve things quickly and informally, with letters of engagements, commitments and compliance agreements.

However, in situations where there is a disagreement or a major violation, you need the capability to enforce and also, I would argue, the possibility of fines to help decision-makers, CEOs, boards and investors invest the necessary sums to protect privacy. If there's the risk of financial consequences, it gives argument to the privacy champions in those organizations to build protections for Canadians, so it serves everyone in the end.

I want the ability to issue fines. I hope to rarely, if ever, have to issue them, but the existence of that possibility will make it easier for my office to convince organizations to prevent issues and take the necessary steps.

Parm Bains Liberal Richmond East—Steveston, BC

Part of the committee's responsibility is to establish recommendations. Maybe you could provide a set of recommendations with respect to data mobility safeguards that need to be put in place. How can we put those in place? How can Canadians feel secure that their information and data aren't going to be exposed when they're shared?

3:50 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

In terms of recommendations, we've highlighted a number of priority recommendations for law reform, which I think are relevant in the context of what you do to protect the mobility of Canadians.

You need to make sure there is strong enforcement if there is non-compliance. You need to make sure there is a proper assessment, whether it's a privacy impact assessment or privacy by design, and make sure you bring this to the forefront. There are good elements of that in Bill C-15 in terms of consumer-based banking and making the consent express and user-friendly. These are things we always recommend and want to see.

Things like preventing the identifying of privacy breaches are major challenges to society all over the world, not just in Canada, and we're seeing them increase in number and magnitude. I talked about the 23andMe major breach I investigated with my counterparts from the U.K. There was very sensitive genetic information, and hundreds of thousands of individuals were impacted. We need to work on that.

This also costs money to organizations, so it's bad for everyone. The regulations need to provide for good safeguards and good reporting mechanisms in consumer-based banking. They're talking about immediately advising the entity responsible. We need to do all of those things, and there needs to be good and strong collaboration between regulators when there's potential overlap, as there would be here.

I look forward to working with the Bank of Canada as I am working already with the Competition Bureau and the CRTC. Digital issues and mobility issues don't stop at the border of one regulator or even one jurisdiction, so that collaboration is essential.