Privacy Commissioner Philippe Dufresne told the Standing Committee on Access to Information, Privacy and Ethics on February 2, 2026 that addressing the privacy impacts of AI is one of his strategic priorities. If you run a business in Canada, Privacy Commissioner Canada AI is no longer a niche policy beat. It is a near-term compliance pressure.
TL;DR
- The Privacy Commissioner addressed Parliament on February 2, 2026 as part of the ETHI committee’s study on AI.
- He confirmed AI privacy is one of his strategic priorities and that a significant majority of Canadians are concerned about how their personal information is used.
- Canadian businesses should stop waiting for legislation and start writing internal AI privacy policy now.
What happened
The statement
On February 2, 2026, Philippe Dufresne delivered an opening statement to the Standing Committee on Access to Information, Privacy and Ethics in Ottawa.
He told MPs that AI privacy is a significant focus of his domestic, international, and cross-regulatory work given how broadly AI has been adopted by individuals and organizations in Canada and globally.
The Canadian sentiment data
Dufresne told the committee that a survey conducted by his office found a significant majority of Canadians are concerned about how their personal information is used.
What that means in practice
Trust is the binding constraint. The OPC is signalling that AI deployments without trust will face enforcement pressure regardless of where the federal legislation lands.
The broader regulatory direction
The statement reinforced several themes already visible across other Canadian regulators in early 2026:
- The ISED National Sprint Report released February 3, 2026 highlighting concerns on privacy, safety, transparency, accountability, governance, and bias
- Ontario IPC’s January 21, 2026 Principles for the Responsible Use of AI
- The Alberta Privacy Commissioner’s recommendation for a provincial AI law
Why it matters in Canada
PIPEDA is the live regime
There is no comprehensive federal AI law in Canada. There is PIPEDA. There is Quebec Law 25. There is provincial privacy guidance.
The OPC has the mandate, the staff, and the political backing to act.
Trust is now a procurement variable
What buyers are already asking
Canadian enterprise buyers are adding privacy questions to vendor reviews:
- Are your AI tools PIPEDA-aligned?
- Where is customer personal information stored when processed by AI?
- Have you done a privacy impact assessment on your AI use?
If you cannot answer cleanly, you lose deals.
Business impact
The cost of doing nothing is rising
The OPC has spent three years investigating OpenAI. The ruling came in May 2026. That investigation timeline tells you what to expect: scrutiny is slow, sustained, and eventually public.
Companies caught without policy when scrutiny lands pay the full cost. Public-relations cost. Customer-trust cost. Audit cost. Potential class-action cost.
The cost of getting ahead is small
A one-page AI use policy. A privacy impact assessment template. A list of approved tools. A short training session for staff.
The total time investment for a 50-person company is roughly a week of focused work. The total cost is in the low five figures, including legal review.
What leaders should do next
1. Run a privacy impact assessment on your existing AI use
Cover what data goes in, where it is stored, who can access it, and what happens at end of contract.
2. Publish a one-page AI use policy this quarter
Name approved tools. Prohibit personal accounts for work tasks involving personal information. Name a single point of accountability.
3. Audit consent language in your customer-facing communications
If AI processes customer data, your privacy policy needs to say so in plain language.
4. Brief your board on the OPC’s public position
The OPC’s Parliamentary statements are public record. Use them to anchor the board conversation.
Why this works
Boards respond to regulators, not to internal IT memos. Quote the Commissioner.
5. Train customer-facing staff on what to say
If a customer asks how AI is used in your service, the answer should be consistent and accurate.
The skeptic’s view
The “PIPEDA has no teeth” argument
Some legal advisors will note that PIPEDA penalties remain modest compared to the GDPR or the EU AI Act. The OPC’s enforcement powers are mostly investigative and persuasive, not punitive in the same league.
Where the skeptic gets it wrong
PIPEDA is being modernized. Successor legislation to Bill C-27 is on the horizon. Enforcement powers are likely to expand.
More importantly, the reputational cost of an OPC investigation lands long before any formal penalty. The cost is the front-page coverage, the customer churn, and the procurement deals that quietly walk away.
What to watch
- The ETHI committee’s report on AI when it lands later in 2026
- Successor legislation to Bill C-27 from the new government
- The OPC’s annual report and any new investigations into AI vendors
- Provincial moves from Alberta, Ontario, and BC in the privacy space
The Privacy Commissioner has told Parliament what is coming. The smart Canadian business move is to act on it now, while the policy is still cheap to implement.