Canada’s 2023 Privacy Symposium

Canada’s Biggest Privacy Symposium happens every Summer.  

The IAPP’s 2023 Canada Privacy Symposium last week offered enough fodder for thought and sustaining conversations about critical issues in data like the upcoming Bill C-27 in private sector privacy reform in Canada, challenges and opportunities for the public and private sectors across the country and its provinces, and the wider world coming out of EU GDPR’s fifth anniversary and other global privacy milestones including forty years of Canada’s Privacy Act for the federal public sector.

The annual conference kicked off with keynote remarks from Canada’s newest Federal Privacy Commissioner, Philippe Dufresne, who shared latest research the OPC  conducted on the growing privacy concerns of Canadians. Data reveal that over 9 in 10 Canadians are concerned about their privacy, half of Canadians do not feel they have enough information to understand the privacy implications of new technologies, and only 4 in 10 feel that businesses respect their personal data. The Commissioner further discussed his approach to privacy reform resting on the three pillars of staying ahead of technological advancements and its impact on privacy protections (especially with AI and Generative AI), protecting children’s privacy, and preparing for potential law reform to include new powers in the OPC’s mandate to protect the privacy of Canadians.

Dufresne raised the importance of harmonizing public and private sector laws and grounding them in the same principles, at a time where public-private partnerships are only increasing across industries and especially post the pandemic. It was great to see that my course curriculum for a class about Research in Society: Governments and Enterprises, aligned with these updates as my students got to prepare forward-thinking case studies with public-private collaborations in their very first week of summer applying various industries’ codes of conduct to analytical tests. To this effect,  Ontario’s Information Pravacy Comissioner’s Office’s Transparency Challenge shone a light on some open data initiatives that improved the lives of Ontariao residents. Theirs was a living example of how access to open data could make engagement with government attractive for all sectors.

We can have our privacy and innovate too.

Philippe Dufresne

Next up, the IAPP’s Ian Kerr Memorial lecture focused on Dr. Kerr’s legacy of advancing the growth and visibility of the privacy profession best represented by Kristen Thomasen of the University of British Columbia, who was introduced by the Information Privacy Commissioner of Ontario Patricia Kosseim. Thomasen discussed the impact of personal-use technologies at the intersection of public and private spaces. Thomasen most recently wrote a piece onRobots, Regulation, and the Changing Nature of Public Space” in the Ottawa Law Review. Her works at the intersection of robotics and law, have also positioned her as an advocate for those battling the harms of cyberbullying, surveillance crimes, and intimate data violations. The most impacted by such harms are women and children including Indigenous women and Visible Minorities.

While approaching non-consensual distribution of intimate images from a privacy standpoint isn’t perfect, it provides an alternative to the criminal justice system.

Kristen Thomasen

The keynotes were highly relevant to a course I teach on the relationship between the public and private sectors or governments and enterprise to advance stronger data ecosystems and build resilient organizational frameworks, collaborations, and industries.

Personal Information, De-identification and Anonymization

The panel featuring a cross-section of perspectives from Fahad Diwan, Director of Product Management (Privacy Products), Exterro, Khaled El Emam, Professor and Canada Research Chair in Medical AI, Faculty of Medicine and the School of Engineering and Computer Science, University of Ottawa, Christopher Parsons, Senior Technology and Policy Advisor, Information and Privacy Commissioner of Ontario, and Teresa Scassa, Professor, Canada Research Chair in Information Law and Policy, University of Ottawa from legal, technological, industry and regulatory standpoints offered an insightful analysis on the impact of de-identification and anonymization practices and privacy enhancing technologies (PETs). Identifiability and de-identifiability are core components of international and Canadian data protection law. This implies that laws do not govern data that is anonymized or de-identified. While authorities debate the risks of re-identification of personal information that was de-identified, what standards should apply? Absolute standard where there is no risk, or relative standard (moving target, jurisdiction-dependent) which is most common and in use in Canada? Currently, PIPEDA, Canada’s federal private sector law does not address or define anonymization or de-identification. Bill C-27 defines both anonymization and de-identification. Privacy enhancing technologies and privacy preserving techniques do not remove data providers from the scope of data protection laws.

There was a lot of discussion about making the distinction between data that is on the privacy regime and protected by laws versus data that is not governed by laws (e.g. anonymized, pseudonomized or even de-identified data depending on the situation and prevailing legislation). The key point to note here is to make organizational data-handling practices transparent to others and well-documented, as a general best practice, no matter which regulations govern you. The photo below is from draft guidance issued by the UK Information Commissioners Office (ICO) with broader relevance across risk-based contexts, specifically illustrating a “Spectrum of Identifiability” via their decision-tree. This infographic below was reproduced from the ICO document in a panel with Aaron Stevens, Abigail Dubineicki, Fazila Moosa and Constantine Karbaliotis.

Annual Game Show

The IAPP hosts its much-anticipated annual Commissioners’ Game Show with Kris Klein, Managing Director, IAPP Canada and Lawyer, nNovation (image below) that is an educational and entertaining glimpse into the public and personal lives of Canada’s top privacy regulators. This year’s rapid-fire interview format elicited conversational insights about the state of privacy legislation across the provinces and nation.

Artificial Intelligence

The IAPP, whose Certification Advisory Board I’m also proud to lead on alongside others around the world as the governing board of their ANSI, ANAB and ISO supported credentialing program, in the past month launched its own AI Governance Centre, which includes resources and training opportunities in the growing AI governance functions, at the powerful intersection of privacy and AI.

The greatest economic gains from AI will be in China (26% boost to GDP in 2030) and North America (14.5% boost), equivalent to a total of $10.7 trillion and accounting for almost 70% of the global economic impact.

PwC’s Global Artificial Intelligence Study: Exploiting the AI Revolution
What’s the real value of AI for your business and how can you capitalise?

Robin Gould-Soil, Chief Privacy Officer at Pentavere and Tiffany Wong, Senior Manager AI Governance at CIBC further discussed decision-making AI solutions for governance practitioners drawing on principles of responsible AI and other frameworks to guide better implementation. They advised on the challenge of having limited eyes on the ground, “Don’t lose the monitoring auditing and continuous learning. Build out a compliance program that is a complementary offering to your privacy program. We need a more harmonized approach between information privacy and security collaboration. Budget for incremental talent in AI governance and bank on the consolidation of effort.”

The Futures of Privacy AI and trust in society are tied more closely together everyday and highlight the imperative to develop AI governance skills at scale and quickly.

Trevor Hughes, President and CEO, International Association of Privacy Professionals (IAPP)

One of the closing keynote speakers Jason Bero, Privacy, Risk and Compliance Director at Microsoft also discussed the opportunity ahead as Canada becomes among the first countries to make strides towards regulating AI. Learn about Human AI Interaction guidelines that Microsoft developed here, along with Responsible AI principles they follow, their AI Security Guidleines, tools to build Responsible AI Human experiences and an AI Fairness Checklist. Further to all that, working towards building an AI aptitude or competency within your teams could help employees delegate more tasks to AI and automate sections of their work to promote productivity.

Privacy has evolved so much in terms of the types of job skills needed for success in the profession. In the past decade of privacy job searches alone, ChatGPT in a TELUS – OneTrust presentation revealed that there’s a rise in demand for new-age terms like AI ethicists, privacy frameworks, data governance, privacy by design, cloud computing, data localization, cloud computing, data localization, ethical considerations, privacy engineering, versus the traditional baseline roles of audit, vendor management, privacy policies, etc. 

Skills, Talent and Moral Courage

What type of human talent do we want within our midst? The results of the recent global industry skills study spanning the data and insights industries revealed a need for high numeracy, strong communication skills, audience-centricity (e.g. stakeholder, vendor or client/customer-centricity), and ethics and integrity are a big part of that mix. 

We have been talking, debating and hearing a lot about what Ethical AI is, but have we ever had the same intensity of debate about who ethical humans are and are not? Because this will influence the type of technologies that are created, for what purpose, and with what frameworks, risks, benefits and impacts. 

Increasingly, we should be seeking more moral courage in our talent. Moral courage, in how I see and teach about it, is actually the backbone of effective communications. Few have realized the courage to push beyond what is given to discover new things with what they have or even about old things in new or changing times. Businesses and their leaders are holding on to things they think are their “truth” when in reality, it’s only what they settled for.’s knowledge engine and approach Moments of Truth taps into that moral courage aspect to power the success of its core communities and audiences, a quality I have examined at depth, and at the root of powerful impact-led data stories. Walmart Canada‘s Privacy Lead Rene Mendizabal also recommended a book that I think would help individuals and teams in imbibing some of this moral courage we often talk about – Negotiating at an Uneven Table: Developing Moral Courage in Resolving Our Conflicts by Phyllis Beck.

The best data professionals come armed with that instinct for moral courage, steeped in truth-telling, organizational knowledge-and-data-transfer expertise, and strengths in simplifying policies or legalese and their implications to stakeholders, employees, audiences and clientele.  They are building their privacy programs for the next phase of their business to cater to their expansion plans, not living in right now alone, but thinking about tomorrow, in meeting the highest standard they possibly can as they go about operationalizing privacy.  

So, what about the data deluge or commonly known information flood? Every day we create 2.5 quintillion bytes of data according to research by North Eastern University that indicates further this would fill ten million blue-ray disks, the height of which would measure the height of four Eiffel Towers on top of one another!

It makes sense then to embed and champion data literacy throughout your organization, making businesses “data stewards” as you integrate data governance into more strategic planning.  Privacy, as the TELUS and OneTrust team reiterated in their presentation about data enablement, is about a lot more than compliance, but about being data-ready in the face of new sources of information (data deluge!) including a rise in redundant, duplicate and siloed data that can threaten brands which don’t rise up to the data-challenge with the right partners and enablers.

Brent Homan, Deputy Commissioner, Compliance, Office of the Privacy Commissioner of Canada, Barbara Bucknell, Consultant, Innovation, Science and Economic Development Canada and Jill Paterson, Senior Advisor Policy & Privacy and Data Protection Policy Directorate, Innovation, Science and Economic Development convened on another insightful panel that discussed data flows in the global digital economy, and the milestones / efforts of organizations like OECD, Global CBPR Forum, G7 and the General Privacy Assembly at the intersection of Privacy and Competition. They referenced again Canada’s contributions to founding the Cross Border Privacy Rules (CBPR) Forum that was replicated and made fit for purpose to the APEC regions with CBPR APEC System. The four pillars of global privacy and enforcement collaborations across jurisdictions centre on data localisation, regulatory cooperation, trusted government access to data and data sharing.

Communications and Privacy

Teaching research communications and business insights data storytelling to over hundreds of students over at Humber College’s RAP (research analysis) program has allowed me to spend time discussing the poor consequences of bad communications in the data and insights business. We began classes naming and dissecting top communications crises, and progressed into what constitutes good communications while hitting on key elements of purpose, audience and strategy, in charting a stronger narrative for “narrators” across contexts (roles, functions, organizations, etc.). Did you know that justifying your text creates a higher cognitive load on your reader and is a barrier to accessibility?

Anne Marie Hayden‘s panel comprising herself, Trevor Fenton from Plain English Law, Deborah Evans, Chief Privacy Officer at Rogers, and Andrea Corlett from the Information and Privacy Commissioner of Ontario Office thus was an exciting reaffirmation of all the great potential for sound privacy communications across departments, roles and organizations. I will hyperlink to the big whys for good privacy communications from her panel discussion article you should read for the entire list of best practices in privacy communications. Highly agree with the panel on constantly reexamining your data handling practices to check against the “ick” factor. In a previous webinar last year, one of our speakers Brenda McPhaill had also pointed to this constant litmus-test. In summary, if you are communications is a highly valued skill in privacy and grows your business. Transparency and clarity are key elements of the newest pieces of privacy reform legislation and are good practice all the time. If you have trouble explaining your use of people’s information you collect, you should re-examine what you are doing than just your communications.

These were some of my key takeaways on the evolving applications and uses of data and its governance as more regulation and advances in innovation converged in discussions, debate and presentations about privacy and data protection at this IAPP conference. I will be referencing other insights in various articles.

Arundati Dandapani, MLitt, CAIP, CIPP/C is the Founder of

Leave a Reply