12 May 2026

OpenAI Investigation Highlights The Need For Privacy Law Reform In Canada

McMillan LLP

Lyndsay A. Wasser’s articles from McMillan LLP are most popular:
  • with Senior Company Executives, HR and Inhouse Counsel
  • with readers working within the Business & Consumer Services and Retail & Leisure industries

Canadian privacy and data protection laws for the private, non-health sector are structured around consent. Unlike many other privacy laws across the world, including the lauded European General Data Protection Regulation (GDPR), businesses in Canada cannot rely on legitimate interests or other legal bases to process personal information without consent. In recent years, many commentators have questioned the efficacy and appropriateness of the consent model, including based on concerns related to the burden on individuals (and associated “consent fatigue”) as well as the potentially stifling impact on innovation in a time of immense technological change.

Most recently, use of personal information to develop and train artificial intelligence (AI) models has risen to the forefront of privacy law debates among organizations, privacy professionals and regulators. In particular, many have questioned whether it is possible or practicable for such activities to comply with strict privacy laws in some countries.

Answers to some of these questions, for Canada, can be found in the anxiously awaited report of findings on the Joint Investigation of OpenAI OpCo, LLC1 (the “Investigation”) by the Office of the Privacy Commissioner of Canada (the “OPC”), the Commission d’accès à l’information du Québec (the “CAI”), the Office of the Information and Privacy Commissioner for British Columbia (the “BC Commissioner”), and the Office of the Information and Privacy Commissioner of Alberta (collectively, the “Regulators”), which was released with much fanfare on May 6, 2026.

In the Investigation, the Regulators considered OpenAI OpCo, LLC’s (“OpenAI”) compliance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and its provincial equivalents in Alberta, BC and Quebec, in connection with OpenAI’s collection, use and disclosure of personal information for the purpose of developing, training and deploying ChatGPT.2

Investigation Findings

Although nuances exist under specific statutes, some general lessons that Canadian businesses and other organizations with a real and substantial connection to Canada (or that process personal information about data subjects in Alberta, British Columbia or Quebec) can learn from the Investigation include the following:

1. Appropriate Purpose & Limiting Collection

Under Canadian privacy laws, collection, use and disclosure (collectively, “Processing”) of personal information must be for an appropriate, serious and legitimate purpose (“Appropriate Purposes”), and organizations must limit their collection of personal information to what is necessary to achieve such purposes.

In the Investigation report, the Regulators indicate that development, implementation, advancement, operation and deployment of AI systems can be Appropriate Purposes for Processing personal information. However, Processing of personal information for such purposes must be necessary, effective and proportionate, taking into account the sensitivity of the personal information, the legitimate needs of the organization and the risks to individuals. Accordingly, organizations should take the following steps to minimize privacy impact when developing and deploying AI systems:

  • Avoid overbroad collection of personal information, including by using technical measures such as filtering tools that detect and mask personal information contained in publicly accessible internet data and licensed data sets, so that such data is not used for model training;
  • Mask personal information about private individuals, as well as certain details about public figures (such as home addresses) and their family members, so that it is not included in model outputs; and
  • Implement robust measures to prevent unauthorized, inappropriate or potentially harmful uses of the AI system, including for purposes identified as “no go zones” by the OPC.

The Regulators also recognized the necessity and proportionality of using a certain level of user interaction data (e.g., prompts) to improve model outputs. However, organizations should take note of the positive steps taken by OpenAI to mitigate the risks of such activities, including disassociating interactions from user accounts, removing personal identifiers using a third party filtering tool, allowing account users to choose whether their interactions with the tool will be used for model training, informing users not to include sensitive information in their interactions with the tool, instructing human model trainers to exclude personal information from fine-tuning datasets, and only using a small subset of user interactions to train its models.

2. Consent

Consent is required to Process personal information contained in publicly accessible websites and licensed third-party sources, subject to certain narrow exceptions that vary by jurisdiction. Organizations cannot rely on implied consent simply because information is publicly accessible. Both the sensitivity of the information and the reasonable expectations of individuals must be taken into account.

Organizations can rely on a third party to obtain required consents from individuals, provided that they make reasonable efforts to ensure the third party has obtained personal information in a lawful manner, provided appropriate notices to individuals and obtained required consents. Such efforts should include contractual assurances together with monitoring the third party’s compliance with the agreement.

Importantly, the OPC found that public transparency measures can be sufficient to support implied consent under PIPEDA for dataset training activities, where sufficient mitigation measures are implemented to address privacy risks (e.g., to filter out sensitive personal information). However, this finding was based, in part, on current public awareness respecting how AI models are trained. Organizations developing novel technologies (as opposed to longstanding, known technologies) likely cannot rely on implied consent to use publicly accessible information for purposes that would not be within the reasonable expectations of individuals.

The CAI acknowledged that it is possible that users may be informed of, and thereby consent to, their personal information being made accessible on the internet, communicated to third parties and harvested for the purpose of training AI models. However, this is a factual analysis that takes into account information provided to users at the time of collection as well as the website terms of service and privacy policies. Accordingly, for compliance with Quebec’s Act respecting the protection of personal information in the private sector (the “Quebec Act”), organizations should implement checks on the sources from which they collect personal information to ensure that:

  • Individuals are clearly informed, at the time of collection, that their information would be made public and could be collected and used by third parties including for the purpose of training AI models, and
  • Personal information is not being communicated by a third party without consent, including consent from a parent or tutor if the data subject is under the age of 14.

Alberta’s Personal Information Protection Act (“Alberta Act”) and BC’s Personal Information Protection Act (“BC PIPA”) set out specific circumstances where consent is implicit, deemed, or based on notice. Scraping personal information from publicly accessible websites and licensed third-party sources does not fit within such circumstances. Accordingly, the Alberta and British Columbia (BC) Regulators found that OpenAI cannot obtain consent in accordance with the requirements of the current legislation in their provinces.

Finally, express consent should generally be obtained for the use of user interactions to train an AI model. However, in some cases, notice and a choice to opt-out may be sufficient if such notices are prominent, permanent, delivered before the first prompt is entered by the individual, and clearly indicate that personal information will be used to train models and individuals should not input sensitive information.

Organizations should also take note that the Quebec Act mandates certain content for notices delivered when personal information is collected, and that privacy settings for technological services must, by default, be set to the highest level of confidentiality without user intervention. In the Investigation report, the CAI clarifies that the requirement for privacy-protective default settings applies to the entire lifecycle of personal information, and not just to settings related to disclosure of personal information.

3. Openness and Transparency

Organizations must ensure that information about their personal information handling practices is accessible, clear, complete and written in plain language. In particular, organizations that develop AI systems should explain the categories and sources of personal information included in their training datasets. High-level references to publicly available information on the Internet and information licensed from third parties will not generally be sufficient.

Of particular significance is that the OPC’s findings regarding implied consent (as described above) appear to be based, at least in part, on OpenAI’s commitment to enhanced public transparency, including its agreement to publish a Canadian blog post explaining its privacy practices, informing individuals that user interactions may be reviewed and used to train its models, and advising users not to share sensitive information via their interactions with ChatGPT. Accordingly, enhanced transparency can be used to support an implied consent strategy, at least for PIPEDA purposes.

4. Accuracy

Privacy laws contain certain accuracy requirements, which vary by jurisdiction. In general, for compliance with the requirements across Canada, organizations that develop and deploy AI systems should:

  • Exercise caution with respect to sources of training data, especially sites that contain vast amounts of subjective, biased and inaccurate information;
  • Inform individuals about potential inaccuracies in AI model outputs using prominent notices and warnings, including providing specific details on accuracy levels and permanently or consistently reminding users to verify personal information contained in model outputs;
  • Conduct assessments to validate the general accuracy of personal information contained in model outputs; and
  • Provide mechanisms for users to verify the factual accuracy of personal information contained in model outputs, such as links to the relevant sources.

In addition, all organizations should take steps to ensure that they do not rely on AI to make decisions about individuals based on inaccurate personal information.

5. Individual Access and Correction Rights

Developers and providers of AI systems must ensure that procedures exist for individuals to exercise their rights under applicable privacy laws, including to access and correct their personal information. Self-service tools can be used to facilitate access, provided that they are user-friendly, accessible, and the extracted data is understandable. Individuals should also be informed of available recourses to challenge the accuracy and completeness of their information.

Organizations should also develop and deploy features that facilitate correction of personal information contained in AI datasets and model outputs, including by blocking information that an individual has demonstrated is inaccurate and allowing models to retrieve and incorporate into model outputs up-to-date information that is publicly accessible.

6. Retention and Disposal

Organizations are required to establish retention and disposal policies and practices for personal information. They must also destroy, de-identify or anonymize (depending on the relevant legislation) personal information when it is no longer required for the purpose that it was collected.

However, for PIPEDA purposes, it may be acceptable to retain data as a historical benchmark for scientific integrity purposes, provided that:

  • The information is segregated and stored in a locked-down state within a secure archive where access is limited to a small group of the organization’s employees;
  • Strong protections are in place to ensure the data is not used for other purposes, including model development;
  • Data subject rights continue to apply to segregated datasets; and
  • The organization regularly re-evaluates whether it needs to retain each dataset.

Under the Quebec Act, personal information must be destroyed or anonymized for serious and legitimate purposes once the purpose(s) for collection and use have been fulfilled.

7. Accountability

Organizations are accountable for personal information under their control, and must implement policies and practices for compliance with Canadian privacy laws. Among other accountability measures (such as governance policies and employee training), organizations should address known privacy risks before releasing an AI system.

Conclusion and Key Takeaways

The OPC determined that the issues in the Investigation were well-founded but conditionally resolved under PIPEDA, based on changes that OpenAI implemented or agreed to implement to its practices. However, the provincial Regulators found some issues to be unresolved. Of particular note is the finding by the Alberta and BC Regulators that it would not be possible for OpenAI to obtain consent to some of the data processing activities under Investigation.

Organizations that develop AI systems should review the full Investigation report, as it contains detailed information about the requirements of Canadian privacy laws as they apply to such businesses. In particular, AI developers will need to understand the intricacies of different laws that apply to them, as some of the measures described above, which the OPC considered sufficient for PIPEDA purposes, may not be effective for compliance with all of the provincial laws.

For organizations that are not engaged in development of AI technologies, the most notable outcome of this case is the resulting strong statements from the Regulators regarding the need for Canadian privacy law reform. In particular, the OPC issued a news release concurrent with the Investigation findings, wherein Commissioner Philippe Dufresne stated that:

“This investigation also further highlights the need to modernize Canada’s privacy laws for the digital age. As AI is increasingly being integrated into personal and professional applications, and while current privacy laws apply to AI, updated laws would help further support the safe deployment of new technologies to protect Canadians’ fundamental right to privacy.”

In addition, the BC Commissioner, Michael Harvey, wrote a letter to BC’s Minister of Citizens’ Services expressing his belief that the consent provisions in BC PIPA are no longer well-suited to the realities of our data-driven world, and unequivocally stating that:

“There is a clear and pressing need to reform the law so technology advances in a way that protects our values.”

Among other potential reforms, the BC Commissioner advocates for the Province of British Columbia to consider allowing alternate legal bases to Process personal information under BC PIPA, including for “legitimate interests”, with appropriate guardrails.

The unfortunate reality is that facilitating the operation of some legitimate businesses requires stretching the concept of consent under PIPEDA almost to the breaking point, and it may not be possible for some businesses to fully comply with certain aspects of the provincial privacy legislation even where consumers fervently want to use their products and services.

It is unrealistic to expect that Canadian privacy laws will ever fully transform to eliminate consent requirements, and such changes would be inconsistent with global approaches to privacy and data protection. However, many businesses would welcome statutory reforms to facilitate use of data for valuable business purposes that are unlikely to harm individuals or expose them to real risks. Alternatives to consent would also solve a number of problems associated with complex business and IT arrangements and structures in the modern world, where organizations often do not have direct relationships with the individuals whose data they Process and/or individual “choices” are often seen as fictitious since consent to a long list of data uses and disclosures is mandatory to access many products and services.

The ball is now in the court of Parliament and the provincial legislatures. Time will tell whether they will heed the call to modernize Canadian privacy and data protection legislation. In the interim, organizations that develop AI systems and models should take note of the findings in the Investigation and reach out to their legal counsel to evaluate the impact of this important development on their businesses.

Footnotes

1 PIPEDA Findings #2026-002

2 Specifically, GPT-3.5 and GPT-4

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2025
