**
A comprehensive three-year inquiry led by Canadian privacy authorities has concluded that OpenAI breached privacy regulations during the rollout of its ChatGPT technology. The investigation revealed significant lapses in how the San Francisco-based firm handled personal data, although it also noted that OpenAI has since implemented corrective measures to enhance user privacy.
Investigation Findings
The report, released on Wednesday, highlighted that OpenAI collected extensive personal information without sufficient safeguards or the informed consent of users. Many individuals were reportedly unaware that their data was being utilized to train AI models. The regulators expressed particular concern over OpenAI’s inadequate mechanisms for allowing Canadians to amend or delete their personal information. Furthermore, the findings indicated that OpenAI launched ChatGPT without addressing previously identified privacy risks and failed to adequately inform users about potential inaccuracies in the responses generated by the AI.
The inquiry was initiated in April 2023 in response to a formal complaint, with federal and provincial privacy regulators from Quebec, Alberta, and British Columbia joining forces shortly thereafter.
Changes Implemented by OpenAI
Since the investigation began, OpenAI has introduced several changes aimed at addressing the privacy violations identified by regulators. These include enhancements to filter and mask personal data, development of technical tools to prevent the AI from disclosing sensitive information about public figures, and the establishment of a formal policy regarding data retention and deletion.
OpenAI has also committed to further improvements over the next few months, which will involve increased transparency about its privacy policies and the sources of data used to train its models. Users accessing the web version of ChatGPT will also receive clearer notifications indicating that their interactions may be employed in future AI training and will be advised against sharing sensitive information.
“I have concluded that the measures that have been and will be implemented by OpenAI will address the concerns identified during the investigation,” stated Philippe Dufresne, Canada’s Privacy Commissioner, during a press briefing.
Regulatory Response and Future Considerations
While Quebec’s privacy authority possesses the power to impose financial penalties for breaches, it opted against such measures in this case, favouring recommendations instead. “We have decided to make recommendations instead,” remarked Naomi Ayotte, vice-president at the Commission d’accès à l’information du Québec. Legal experts, such as Teresa Scassa from the University of Ottawa, highlighted the importance of collaborative efforts between regulators and industry to foster improved privacy protections.
The generative AI applications like ChatGPT are primarily built on extensive datasets sourced from the internet, including information from social media and blogs. As part of the training process, companies are expected to filter out personal data and harmful content. However, the regulators’ report noted that OpenAI’s previous third-party filtering methods were insufficient, prompting the need for more robust strategies to safeguard user information.
The Need for a Modernised Privacy Framework
The report underscores a pressing issue: policymakers are struggling to keep pace with the rapid advancements in AI technology. Michael Geist, a law professor at the University of Ottawa, pointed out that the investigation’s findings reflect outdated practices that may no longer be relevant.
The federal government had introduced a new privacy and data bill in 2022, which unfortunately stalled when Parliament was prorogued in January 2025. A revised version has yet to be tabled. Federal AI minister Evan Solomon emphasised the necessity of modernising Canada’s privacy framework, stating, “The technology landscape is evolving rapidly, and Canadians deserve a comprehensive framework that keeps pace.”
Issues surrounding consent for data collection remain contentious, particularly when AI companies scrape data from the public domain. Emily Laidlaw, an associate law professor at the University of Calgary, argues for a shift in focus from individual consent to establishing robust principles and accountability measures for AI.
In a similar vein, Diane McLeod, Alberta’s Information and Privacy Commissioner, advocated for enhanced oversight, monetary penalties, and mandatory impact assessments before new technologies hit the market to ensure adequate privacy protections are in place while fostering innovation.
Why it Matters
The findings of this investigation have significant implications for the future of AI and data privacy in Canada. As generative AI tools like ChatGPT become increasingly integrated into daily life, the necessity for robust privacy safeguards cannot be overstated. The cooperation between regulators and industry players aims to strike a balance between innovation and the fundamental rights of individuals to have their personal information protected. This case serves as a critical reminder that as technology evolves, so too must our frameworks for governance and accountability.
