The OBA held its annual Privacy Law Summit on October 15, bringing together privacy lawyers and professionals from across the country. Over 20 experts in the field spoke on a wide range of timely topics, from the rapid evolution of artificial intelligence (“AI”) to practical privacy governance within organizations. This article sums up some of the key insights shared by these highly regarded speakers and highlights important takeaways to keep in mind as we head into 2026.
Regulation of AI struggling to keep up with technological evolution
The summit opened with a panoramic overview of the current legal landscape. AI has transformed from an exciting novelty into a key investment consideration for organizations. Yet at the same time, AI regulation across the globe is fragmented, disjointed, and everchanging. This means that the advice given to clients on this topic comes with two uncomfortable realities. First, will compliance today be superseded by future legislation? Second, will compliance in Canada necessarily equate compliance across the border? These ambiguities make lawyers’ lives that much more complex in an already uncertain era. A further complication is the lack of federal AI-specific legislation, making privacy legislation the de facto regulation governing AI. This is an imperfect substitute for proper AI legislation, given that privacy laws only pertain to personal information. It is therefore crucial for professionals in this space to stay on top of regulatory developments, remain proactive, and make sure partners — not only immediate business partners but also third or fourth partners — are thoroughly vetted.
Hesitancy to regulate in fear of losing the AI race
A question then emerges as to if and when Canada will have AI-specific legislation. The Artificial Intelligence and Data Act (“AIDA”), which was proposed in Bill C-27 during Justin Trudeau’s tenure as Prime Minister, attempted to comprehensively regulate AI. However, after the election earlier this year, the bill died on paper. Our first Minister of Artificial Intelligence and Digital Innovation has indicated that he is in no rush to revive AIDA and is instead focusing on growth and innovation in this sector. In fear of stifling such innovation, it is likely that he will take time to observe what other countries are doing before resurrecting regulation efforts. As previously mentioned, while our privacy laws represent Canada’s de facto AI regulation, this is not a perfect substitute. For the time being, practitioners can look to Canada’s Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems as well as Quebec’s unique AI-specific regulatory framework as a sneak peek of what may come with future federal AI legislation.
The importance of asking questions
In both morning breakout sessions, the importance of probing the use of data was emphasized. In the breakout room discussing privacy considerations for biometrics, the panelists emphasized asking lots of questions to challenge the use of biometric data. Assessing the necessity of the deployment of biometric technology is crucial not only externally, but also within the organization across departments. In the due diligence breakout room, we learnt that this same consideration comes into play in M&A transactions. As a first step, regardless of whether you are acting for the buyer or seller, you need to fully understand the target and the target’s business. You need to map their privacy practices and figure out how they deal with the inbound and outbound flow of personal information. Red flags pertaining to privacy compliance can be revealed early on during such extensive questioning. What are their privacy retention practices? How do they represent their compliance to the market? Have they been the subject of any privacy complaints or regulatory investigations that have gone unreported? Every privacy professional should be prepared to probe and dig deeper into the use of data from the outset.
Looking forward: more action items for privacy management
Throughout the day and more fulsomely in the afternoon, the panelists showed us how to turn policy into a tangible privacy management plan for your organization. It starts with governance, which should be transparent and documented. The mere existence of policies is simply not good enough in an era of rapid evolution in tandem with piling risks. Any organization should ideally have evidence, logs, training, and actual application of risk management. This also applies to AI, which can be regulated through an internal AI governance policy. Consent, notice, and impact assessments are all items that should be central to such policies. In this moment of rapid change and fragmented laws, it is crucial that practitioners stay up to date with legislative changes and make sure that both them and their clients are heavily probing the use of data — both internally and externally.
Thank you to all of the speakers and attendees for an engaging and informative summit, and a warm congratulations to Lyndsay A. Wasser on her well-deserved Karen Spector Memorial Award for Excellence in Privacy Law.
Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.