A joint investigation report by privacy commissioners in Canada says that OpenAI violated Canadian privacy laws in the way it collected and used personal information to train its ChatGPT artificial intelligence system.
The investigation examined how ChatGPT was developed and found that it was trained using massive volumes of data scraped from publicly accessible websites, including personal information belonging to Canadians.
At a news conference in Ottawa on May 6, regulators from the federal government, Quebec, British Columbia, and Alberta discussed the findings of the investigation. They warned that the data ChatGPT was trained on included sensitive information such as health-related content, political opinions, and information involving children.
“Open AI launched ChatGPT without having fully addressed known privacy issues. This exposed Canadians to potential risks of harm such as breaches and discrimination on the basis of information about them,” federal Privacy Commissioner Philippe Dufresne said.
OpenAI—a U.S.-based artificial intelligence company founded in 2015—publicly released the chatbot ChatGPT in 2022. The company is backed by major investors such as Microsoft and has become a leading player in generative AI, with its tools used by hundreds of millions of people worldwide. OpenAI’s rapid growth has been accompanied by increased scrutiny from governments and regulators over issues such as data privacy, copyright, and the societal impact of AI technologies.
British Columbia Privacy Commissioner Michael Harvey said the training approach involved scraping “vast amounts of personal information from publicly accessible websites. … Whether from a child or an adult, all of this publicly sourced information was obtained without any type of consent recognized under [the Personal Information Protection Act].”
The commissioners concluded that OpenAI’s approach resulted in over-collection of personal information without adequate safeguards, and that the company did not obtain valid consent for the collection or use of that data for AI training purposes.
Quebec privacy regulator Naomi Ayotte, vice-chair of the Quebec Access to Information Commission, emphasized that companies cannot treat online data as freely usable, stating: “Data is not public just because it is online.”
Regulators also found major transparency and accountability failures. Users were often unaware their data had been used to train the system, and individuals had limited ability to access, correct, or delete personal information reflected in ChatGPT’s outputs. Concerns were also raised about inaccuracies in responses and the potential for discrimination based on flawed data.
The Epoch Times reached out to OpenAI for comment on the report, but did not receive a reply by publication time.
Dufresne ultimately ruled as “conditionally resolved” its investigation into OpenAI’s data collection and use practices, as OpenAI made commitments during the investigation to improve compliance.
These include reducing the amount of personal data used to train models, improving transparency for users, and strengthening data retention and deletion practices. Regulators said these changes would significantly reduce privacy risks, but emphasized continued oversight.
In a May 6 blog post, OpenAI said it uses safeguards to limit personal data in training, including options to opt out of data collection, and allows users to report inappropriate content.
The company said it “recognize[s] that protecting privacy and addressing serious risks of harm have to work together. We take that responsibility seriously, and we continue to strengthen how we detect and respond to credible threats of violence while maintaining privacy safeguards.”
Regulators across jurisdictions also used the case to press for broader reform of Canada’s privacy framework, warning that existing laws were not designed for generative AI systems. They said consent-based rules often struggle to govern large-scale web scraping used in AI training, and called for modernized legislation with stronger enforcement tools such as order-making powers, mandatory privacy impact assessments, and administrative monetary penalties.
As Harvey put it, the system is increasingly under strain: regulators, he said, are operating under laws “written for a different era” that are now “strained to the breaking point.”
“My office will keep monitoring to ensure that the company continues to limit the impact that its tools have on individuals’ privacy,” Dufresne said.
The case is expected to inform ongoing federal and provincial efforts to modernize privacy laws for the AI era.
Canada’s main proposed AI law is the Artificial Intelligence and Data Act (AIDA), introduced in 2022 as part of Bill C-27 to regulate high-impact AI systems and impose safety and accountability requirements on companies. However, the bill died on the order paper in early 2025 before becoming law, and the federal government is now expected to introduce a revised AI regulatory framework.
Friends Read Free
Copy
Facebook
Tweet
