Ottawa revises Privacy Act for first time in overs 40 years

Earlier this spring, the President of Canada's Treasury Board launched a review of the Privacy Act. While this step is not unusual, given the rapid pace of technological evolution that produces mini versions of human tasks, the policy has remained unchanged for over 40 years.

Passed by the House in 1983 as Bill C-43, the legislation was raised to regulate how the Canadian federal government collects, uses, discloses, and disposes of personal information. It also grants the right to access and correct personal information.

While the 1980's saw the beginnings of digitisation, the Pierre Trudeau government set out to establish rules ensuring that the federal public sector collects only personal information directly related to government programs or activities.

The Privacy Act is separate from the Personal Information Protection and Electronic Documents Act (PIPEDA), which defines privacy obligations amongst the private sector. Bill C-36, introduced to the House on June 15, would be the most significant overhaul of private-sector privacy regulation in a quarter-century.

A policy paper published in April outlines 23 proposals for the public-sector review across six themes to update the act for the first time since the Commodore 64 reigned supreme.

On the government side, the changes would allow departments to share data more freely, eliminating the frustration of Canadians having to hand over the same information to multiple programs. It would also make privacy impact assessments a legal requirement for the first time, create a public registry of government data holdings, and force institutions to explain how automated decision systems influenced rulings affecting individuals.

On the enforcement side, the paper proposes giving the Privacy Commissioner binding order-making powers to replace the current advisory-only role, as well as new offences for intentionally re-identifying anonymised data.

A dedicated category of Indigenous personal data is also proposed, along with a framework that would allow Indigenous governments to obtain copies of their citizens' data from federal programs to support data sovereignty goals.

"Everything has to change. The way we interact, I mean, even on the cloud side, it is little light in regards to how protection of data will happen. We're talking about antiquity versus modern agentic AI, and there's a big gap. I'm concerned as a security professional," said Fritz Jean-Louis, a Principal Cybersecurity Advisor at Info-Tech Research Group.

He added that the move is a positive step, but the sheer scale and difficulty of updating Canada's very old privacy legislation to match today's technology landscape is an "elephant of a problem."

"You want to establish certain best practices that are meant to mitigate and control the event of a potential breach. Various government entities are almost isolated from each other - there is very little data sharing, but that's not evidence of security per se. If anything, it might make breach response even more difficult, especially if each one of those entities do not have the technical know-how in regards to incident management."

Canada's Privacy Commissioner Philippe Dufresne was vocal about the need to reform both PIPEDA and the Privacy Act. Especially as other allied nations have put forth reforms years ago.

In a May 14, 2025, Op-Ed for the Hill Times, he stated, "We need modernized privacy laws that advance the public interest and foster a strong Canadian economy. This means entrenching privacy as a fundamental right and aligning Canada's privacy laws with the modern laws of our international trading partners."

This comment came after the commission's landmark joint investigation into ChatGPT, released this May, found that OpenAI's initial training of ChatGPT was non-compliant with Canadian privacy laws, resulting in significant recommendations regarding consent, transparency, and data minimisation for AI model training.

"I expect that the findings of this investigation will inform and advance the privacy-protective design of other AI-powered technologies. This investigation also further highlights the need to modernize Canada's privacy laws for the digital age," stated Dufresne at the time.

The OPC's freshly tabled 2025-26 annual report, released earlier this month, shows that Privacy Act complaints rose 62 per cent to 3,146 compared with the previous year. 

While the launch of powerful AI models like Anthropic's Mythos has raised concerns about jailbreak power accelerating at a public scale, Jean-Louis said one of the biggest risks to the government is foreign threat actors not in it for the publicity. 

Canada's National Cyber Threat Assessment for 2025-2026 stated that "with CaaS, specialised threat actors sell stolen and leaked data and ready-to-use malicious tools to other cybercriminals online, enabling their illicit activities." While the report focused on non-governmental organisations being attacked, Jean-Louis said the government is still a huge target.

South of the border, Russian SVR hackers compromised a software update mechanism and gained access to the U.S. Treasury, State Department, DHS, and parts of the Pentagon between 2019 and 2020. They were inside the systems for roughly nine months before being discovered. On April 15, 2021, the U.S. government formally attributed "the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform" to Russia's SVR, with high confidence. 

"[Nation-state threat actors] are not really interested in you finding out that you've been breached. They're interested in burying deep in your infrastructure - you might be going for years without knowing that your system has been compromised. That's why I said the absence of evidence doesn't mean you haven't been breached because you haven't seen the result of it," said Jean-Louis. "If you look at the tools and tactics of nation-state threat actors, they get in, they burrow deep, they hide their tracks really well, and then for political gain or to impact critical infrastructure they come in."

The Carney government is collecting comments and feedback on the policy paper through the online submission form until July 10 while it conducts reviews with industry experts and federal institutions.