Canada’s new AI strategy and OPC Annual Report: What organizations need to know
On June 4, 2026, two significant developments landed for Canadian organizations navigating AI and privacy. Prime Minister Carney launched AI for All, Canada’s new national artificial intelligence strategy, and the Office of the Privacy Commissioner of Canada (OPC) tabled its 2025–2026 annual report, Championing Privacy in the Age of AI.
Read together, these announcements signal that AI adoption and privacy enforcement are both accelerating – and that organizations should be preparing now.
AI for All: The national AI strategy
The AI for All strategy targets an additional $200 billion in economic growth and 250,000 new AI-related jobs over the next five years, with a goal of increasing AI adoption from roughly 12% to 60% by 2034.
The strategy is built on three pillars: building trust, creating opportunities and reinforcing Canadian sovereignty.
From a privacy and compliance standpoint, the most immediately relevant commitments include:
- modernizing legislative frameworks for the digital age,
- strengthening protections for Canadians’ personal information against harms such as deepfakes and surveillance pricing, and
- introducing an online safety regime to better protect social media and chatbot users.
The government has also committed to tabling new consumer privacy legislation and expanding the capabilities of the Canadian AI Safety Institute with $50 million in funding. The strategy also contemplates a “Canada Trusted AI Certification” program to identify trustworthy AI products in the marketplace.
View the full strategy document.
OPC Annual Report: Privacy enforcement is intensifying
The same day, Privacy Commissioner Philippe Dufresne tabled his annual report highlighting the OPC’s increasingly active enforcement posture, particularly around AI and children’s privacy.
The numbers are striking:
- PIPEDA complaints more than doubled year-over-year, rising 109% to 3,044, a surge the OPC attributes in part to increased awareness driven by AI-enhanced search engines.
- Privacy Act complaints rose 62% to 3,146.
- On the breach front, the OPC received almost 700 breach reports from businesses, affecting more than 20 million Canadians, and some 450 breach reports from federal institutions, affecting more than 48,000 Canadians.
The report also follows closely on the heels of the OPC’s landmark joint investigation into OpenAI’s ChatGPT, released on May 6, 2026, which found that OpenAI’s initial training of ChatGPT was not compliant with Canadian privacy laws and resulted in a series of significant recommendations around consent, transparency and data minimisation for AI model training.
View the full annual report and related news release.
Key takeaways for organizations
- New legislation is coming. The AI for All strategy commits to modernized privacy and online safety laws. While details remain to be seen, organizations should expect stronger obligations around personal information handling, particularly in AI-driven contexts, and new requirements related to deepfakes, surveillance pricing and children’s privacy.
- The OPC is watching AI closely. The annual report and the ChatGPT investigation make clear that the OPC views AI governance as a top enforcement priority. Organizations deploying AI tools – whether developed in-house or procured from third parties – should ensure they can demonstrate compliance with existing privacy laws, including around consent, transparency, accuracy and data minimization.
- Complaint volumes are surging. The dramatic increase in PIPEDA complaints signals that Canadians are becoming more aware of and willing to exercise their privacy rights, especially as AI tools become more widely used. Organizations should review the adequacy of their complaint-handling and breach-response processes.
- Breach reporting obligations remain critical. With nearly 700 business breach reports received by the OPC last year, organizations need to ensure they have robust breach detection, assessment and reporting mechanisms in place.
- Sovereignty and data residency are in focus. The AI for All strategy emphasizes building sovereign Canadian AI infrastructure and treating Canadian data as a “strategic national asset.” Organizations that rely on foreign cloud or AI services should be alert to potential new data residency or data governance requirements.
Next steps
Organizations should review their current AI governance frameworks and privacy compliance programmes in light of these developments. In particular, we recommend monitoring the introduction of the promised privacy and online safety legislation, reviewing internal AI use policies to ensure alignment with the principles set out in the ChatGPT investigation findings, and assessing breach response and data-handling practices against the OPC’s current expectations. These developments underscore that responsible AI adoption and robust privacy compliance are not competing objectives – they are increasingly inseparable.
Contact one of the authors or a member of our AI and Emerging Technology team for more information or support for your organization.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.
