Michael Ogbu

Revisiting the Foundation: Reflections on Canada’s 2026 Review of the Privacy Act

Published by

Michael Ogbu

on

I spent part of the Easter holiday doing what I’d call some “egg tapping” of a different kind – quietly poring over the 2026 Review of the Privacy Act. And truth be told, it was worth every minute.

For many of us in the privacy space in Canada, this review feels like long-overdue rain after a dry season. A 43-year-old statute, enacted in 1983 – at a time when government records lived largely on paper – was never designed for the complexity, speed, and scale of today’s data ecosystem. Over the years, it has increasingly been described as not just outdated, but restrictive. So yes, this review is not only timely, but also necessary.

A Reform Moment Canada Couldn’t Afford to Miss
The timing is particularly significant given the suspension of Bill C-27. While that bill primarily targeted private sector reform, it also represented Canada’s most concrete attempt to address the governance of artificial intelligence and automated decision systems.

But with that window now paused, the Privacy Act review quietly steps into a much bigger role. Because the truth is simple – AI is not waiting. And neither are the leading jurisdictions moving swiftly to regulate it.

Encouragingly, this review acknowledges that reality.

Six Themes That Signal a Shift
The review is built around six key themes, reflecting years of stakeholder input dating back to 2016. Together, they offer a blueprint for a more modern, responsive privacy framework:
Enabling Integrated Services: Reducing duplication in data collection by promoting trusted government data sources and enabling responsible data sharing across programs.

Enhancing Accountability and Transparency: Moving toward making Privacy Impact Assessments (PIAs) mandatory, increasing transparency in the use of AI and automated decision systems, and establishing clearer rights to data correction – alongside the creation of centralized registries of personal information holdings.

Advancing Safeguards Across Data Sensitivity: Strengthening breach reporting requirements and rethinking how data is classified – placing greater emphasis on sensitivity and identifiability.

Modernizing the Foundation for Privacy and Trust: Recognizing privacy as a fundamental human right and embedding that principle more firmly within the law.

Indigenous Data Governance: Addressing Indigenous peoples’ access to, and control over, their data – an area that has historically been overlooked but is central to meaningful reform.

Updating the Compliance Framework: Strengthening the role and powers of the Office of the Privacy Commissioner (OPC) to ensure more effective oversight and enforcement.

More Than Reform – A Reset
On reflection, these themes touch the core of what modern privacy governance demands: transparency, accountability, sensitivity, and trust. But what stands out most to me is not just what is being proposed, it’s the posture behind it.

This review signals a shift from reactive policymaking to intentional design. From patchwork fixes to structural thinking. It also reinforces something I’ve long believed: that building a truly effective privacy ecosystem requires looking backward as much as forward.

Data, Identity, and the Weight of History
One of the most commendable aspects of this review is its attention to Indigenous data governance. For too long, data conversations have been framed in purely technical or legal terms, detached from the human realities they represent.

But data is not just information. It is identity. And just like I’ve written previously, identity is deeply rooted in history, culture, and values. Recognizing this is not just good policy, it is necessary for legitimacy.

Final Thoughts
Canada now finds itself at an important crossroads. This review presents an opportunity not just to modernize an aging law, but to redefine what privacy means in a digital, AI-driven society. To build a framework that doesn’t just protect data, but earns trust. The real test, however, will not be in the proposals. It will be in the follow-through. Because in privacy, as in life, intention is good. But implementation is everything.

Leave a comment

Welcome!

I’m Michael

An information and privacy professional passionate about how we manage, protect, and empower through data.

With over a decade of cross-disciplinary experience in librarianship, research, records management, and digital literacy, I work at the intersection of data privacy, information governance, and AI ethics. Whether building systems that protect sensitive information or advocating for equitable access to knowledge, my goal is simple: to help organizations and individuals make smarter, safer decisions in a data-driven world.

This is where insights meet impact. Where storytelling, strategy, and stewardship come together. Let’s explore what it means to govern information with clarity, care, and conscience.

Let’s connect

Join my Newsletter

Stay updated with my writing by joining our newsletter.

Recent posts