Canada's privacy regulator just told every business in the country what it intends to watch, and the headline is artificial intelligence. On June 4, the Privacy Commissioner tabled an annual report that puts AI governance at the centre of its enforcement priorities, and the numbers underneath it should get any small business owner's attention.
What the report says
On June 4, 2026, Privacy Commissioner Philippe Dufresne presented his 2025-2026 annual report, pointedly titled "Championing Privacy in the Age of AI." Its core message is that AI governance is now a top enforcement priority, and that using AI does not suspend the privacy rules you already have to follow. Alongside that message, the report logged nearly 700 breach reports from businesses, affecting more than 20 million Canadians, and a 109% jump in PIPEDA complaints, to 3,044, in a single year. In the Commissioner's words, "prioritizing privacy is more important than ever at a time when new technologies are being developed and AI is being integrated into a wide range of applications."
Why a small business should care
It's easy to read "the regulator" and assume this is a big-tech story. It isn't:
- Privacy law has no size threshold. PIPEDA (and, if you handle any Quebec resident's data, Quebec's Law 25) applies to virtually every business that holds personal information, no matter how few employees you have. The breach-reporting obligation is already yours.
- Complaints more than doubled. More Canadians are complaining, partly, the OPC notes, because AI tools have made the complaint process easier to find and use. A busier regulator is a more active one.
- AI use is explicitly in scope. If your team uses AI tools that touch customer or staff data, the expectation is that you can show the basics: consent, transparency, accuracy, and not collecting more than you need.
- It covers the AI you buy, not just the AI you build. The OPC expects you to assess third-party AI tools too, which for a small business is essentially all of them.
What to actually do
You don't need a legal department. You need the fundamentals in order:
- Know what personal data you hold and where it flows, including into any AI tool your team has started using.
- Keep personal and client data out of public AI tools, and use business-tier tools with the right settings (our companion guide walks through exactly how).
- Make sure you can detect and report a breach. Reporting is mandatory; the middle of an incident is the wrong time to learn the process.
- Write down the basics: a short privacy practice, a named person responsible, and one clear rule for AI use.