Blakes Data Governor: Winter 2026

Happy Data Privacy Week 2026, and welcome to the Winter 2026 issue of Blakes Data Governor, published by the Blakes Privacy & Data Protection group. Blakes Data Governor provides actionable insights and practical overviews of recent developments impacting privacy, cybersecurity, access to information and artificial intelligence (AI) governance law in Canada.

In This Issue

• 2026 Canadian Privacy Law Outlook. Our overview of current legal developments across the country and expectations for privacy law reform in Canada.
• AI Sovereignty in Practice. What AI sovereignty means and how the federal government’s digital sovereignty focus may affect businesses in 2026.
• Lessons Learned From the PowerSchool Breach. Insights from new findings issued by Ontario and Alberta’s privacy commissioners, with practical lessons for data protection agreements involving public-sector service providers.
• Top Five Tips for Biometric Compliance. Key considerations for reducing privacy risks when adopting biometric technologies.
• Regulatory Round-Up. New reports and guidance from Canadian regulators impacting privacy, cybersecurity, access to information and AI governance.

Scanning the Horizon

2026 Canadian Privacy Law Outlook

2026 is shaping up to be a significant year for privacy law reform in Canada.

As noted in Blakes Data Governor: Fall 2025, comprehensive AI regulation at the federal level is unlikely to reappear soon. However, with Parliament resuming this week, legislation to reform the Personal Information Protection and Electronic Documents Act (PIPEDA) may be forthcoming.

Based on recent federal budget measures and ministerial statements, new privacy reform legislation will likely revive elements of the Consumer Privacy Protection Act from 2022’s unsuccessful Bill C-27. It may also incorporate new protections related to children’s privacy and address AI-related harms such as the creation of deepfakes — both priority areas for the Office of the Privacy Commissioner of Canada (OPC), as reflected in the Commissioner’s recent expansion of its investigation into X Corp. (X) to include AI-generated sexualized deepfakes, and the OPC’s joint resolution with provincial counterparts emphasizing the importance of protecting children and youth privacy in educational technologies.

Several provinces are likely to introduce legislative reforms or new regulations impacting privacy and AI governance. These efforts follow Quebec’s lead after the adoption of Law 25 in 2021, which significantly amended that province’s privacy regime.

For example, in September 2025, Nova Scotia passed its Bill 150, which, in addition to modernizing the province’s public-sector privacy law, will repeal the Personal Information International Disclosure Protection Act (PIIDPA) in 2027. The PIIDPA currently sets limits on transferring personal information outside of Canada and will be replaced with new regulations prescribing how public bodies may disclose, store or permit access to personal information outside of Canada.

Alberta also completed its legislative review of its Personal Information Protection Act (PIPA) in 2025. We anticipate that amendments, based on the report’s recommendations, will be tabled to modernize the legislation, including with specific protections targeting the use of personal information in AI systems. British Columbia may pursue similar amendments to its own PIPA.

In December, Ontario launched consultations on two proposed regulations under the Enhancing Digital Security and Trust Act, 2024:

• The Cyber Security Regulation would establish requirements to designate cybersecurity points of contact, complete and submit cybersecurity maturity assessments, and report critical cybersecurity incidents for institutions, including acute care facilities, hospitals, school boards, children’s aid societies, colleges and universities.
• The Digital Technology Affecting Individuals Under 18 Regulation would require school boards to notify students and parents/caregivers when students’ personal information is disclosed to software companies through school-based applications. The scope of this regulation is limited to school boards.

Both proposals remain open for public comment until February 9, 2026.

Overall, provincial and federal legislators and regulators seem ready to introduce new measures to strengthen protections for children’s privacy and the use of personal information in AI systems.

Insights Radar

What Is AI Sovereignty?

Amid a fast-changing and volatile geopolitical backdrop, the federal government recently announced several initiatives related to digital sovereignty. In our Blakes Bulletin: AI Sovereignty: What Canadian Businesses Need to Know, we address five key questions relevant to businesses operating in Canada regarding AI sovereignty and the current state of data localization regulations.

Ontario and Alberta Privacy Commissioners Issue PowerSchool Investigation Reports

Reports released from Ontario’s Information and Privacy Commissioner and Alberta’s Office of the Information and Privacy Commissioner considered whether Ontario and Alberta public-sector PowerSchool customers had reasonable measures in place to prevent unauthorized access to personal information processed by PowerSchool on their behalf. In our Blakes Bulletin: What Can Service Providers to the Public Sector Learn From the PowerSchool Privacy Incident?, we discuss privacy obligations of service providers and what service providers to public-sector institutions may expect when contracting with such institutions in light of these reports.

Biometric Data: Privacy Compliance in Practice

Businesses are increasingly adopting biometric technologies for a wide range of uses — from controlling access to digital and physical spaces and verifying identity online, to detecting customer sentiments and estimating user ages on social media. Check out our Five Under 5: Biometric Data: Privacy Compliance in Practice to learn five key compliance tips for implementing biometrics.

Regulatory Watch

New Decisions and Guidance

• OPC Report on Staples Canada: The OPC issued findings on Staples Canada’s device-resale program, determining that a full factory reset is required to properly wipe personal information before resale. The report also emphasizes the need for employee training and clear, consistent and standardized procedures.
• Competition Bureau Data Portability Study: A new Bureau study found that implementing a data portability framework in the insurance sector could yield billions of dollars in consumer savings.
• British Columbia OIPC Surveillance Guidelines: The Information and Privacy Commissioner for British Columbia released new public-sector surveillance guidelines.
• Ontario IPC-OHRC AI Principles: The Information and Privacy Commissioner of Ontario (IPC) and Ontario Human Rights Commission (OHRC) published joint Principles for the Responsible Use of Artificial Intelligence for the public and broader public sector. The principles are intended to assist institutions in responsibly implementing AI innovations while ensuring the protection of privacy, human rights, human dignity and public trust for Ontarians.
• Ontario IPC Privacy Impact Assessment Guide: The IPC of Ontario published an updated guide for conducting privacy impact assessments under Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) or the Municipal Freedom of Information and Protection of Privacy Act.

Contact Us

Please do not hesitate to contact your usual Blakes contact or any member of the Blakes Privacy & Data Protection group.

To receive Privacy & Data Protection group Insights directly to your inbox, including Blakes Data Governor, sign up here.