Regulatory analysis

CAI–OpenAI report of May 6, 2026: four recommendations to OpenAI, and why you don't have to wait.

What the Commission d'accès à l'information wrote, what it hasn't yet written, and why the tonia architecture renders these recommendations moot by design.

tonia is not an open door. Each request is classified on-site, redacted per your policy, or refused when the policy does not authorize it. The decision and the redacted content are logged locally before any egress.
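One way to build the gate that paragraph describes, as an added example and not tonia's own code: every request is run through an on-site classifier, a policy maps each category found to allow, redact or refuse (deny by default for anything the policy does not name), and a record of the decision and the redacted content is appended to a local log before the transport is called. The detectors, the policy shape, the log format and the `transport` hook are assumptions made for this example; the sample prompts are constructed.

```python
"""Policy-gated egress for prompts: classify on-site, redact or refuse per
policy, and log the decision locally before anything leaves.

Added illustration of the pattern described on the page; not tonia's code.
The detectors, policy shape, log format and transport hook are assumptions
made for this example.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed detectors: regexes stand in for an on-site classifier so the
# example runs offline. The 'sin' pattern (9 digits) is bounded by \b on
# both sides so it does not fire inside a 10-digit phone number.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "sin": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
    "phone": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
}

# Assumed policy shape: category -> "allow" | "redact" | "refuse".
# A category the policy does not mention is refused (deny by default).
POLICY = {"email": "redact", "phone": "redact", "sin": "refuse"}

LOCAL_LOG: list = []  # JSON lines; a real deployment would write to disk


@dataclass
class Decision:
    action: str              # "allow", "redact" or "refuse"
    categories: list         # what the classifier found, sorted
    outbound: Optional[str]  # content allowed to leave; None when refused


def classify(text: str) -> dict:
    """Return {category: [matched spans]} for every detector that fires."""
    return {name: rx.findall(text) for name, rx in DETECTORS.items() if rx.search(text)}


def redact(text: str, categories) -> str:
    """Replace each matched span with a placeholder naming its category."""
    for name in categories:
        text = DETECTORS[name].sub(f"[{name.upper()}]", text)
    return text


def gate(text: str, policy=POLICY, log=LOCAL_LOG) -> Decision:
    """Classify, apply the policy, log locally, then return what may leave."""
    found = classify(text)
    verdicts = {c: policy.get(c, "refuse") for c in found}
    if "refuse" in verdicts.values():
        decision = Decision("refuse", sorted(found), None)
    elif "redact" in verdicts.values():
        to_redact = [c for c, v in verdicts.items() if v == "redact"]
        decision = Decision("redact", sorted(found), redact(text, to_redact))
    else:
        decision = Decision("allow", sorted(found), text)
    # Log BEFORE egress. The record keeps the decision and the redacted
    # content only; the raw request is referenced by hash, never stored.
    log.append(json.dumps({
        "request_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "action": decision.action,
        "categories": decision.categories,
        "outbound": decision.outbound,
    }))
    return decision


def process(text: str, transport: Callable[[str], str]) -> Optional[str]:
    """Forward to the remote model only after the gate has logged a decision.

    `transport` is whatever sends the prompt off-site. It is never called for
    a refused request, so refused content produces no egress at all.
    """
    decision = gate(text)
    if decision.outbound is None:
        return None
    return transport(decision.outbound)


if __name__ == "__main__":
    # Constructed sample prompts, one per outcome.
    samples = [
        "Summarize this meeting agenda.",
        "Please draft a reply to marie@example.com, cell 514-555-0199.",
        "Employee SIN 123-456-789 needs a T4 correction.",
    ]
    for s in samples:
        print(process(s, lambda outbound: f"<model reply for: {outbound}>"))
    print("\n".join(LOCAL_LOG))
```

The point the code makes that the sentence alone does not: refusal happens before the transport exists in the call path, and the log line is written before `transport` is invoked, so the local record is complete even if the remote call fails or is never made.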

On May 6, 2026, the CAI made public the report of its joint investigation into OpenAI and ChatGPT. The finding is unusually direct: the manner in which OpenAI first trained and deployed ChatGPT does not comply with federal and provincial laws on the protection of personal information.

The report is addressed to OpenAI. But under Canadian privacy law, the party responsible for the personal information your employees paste into ChatGPT is not OpenAI — it is your organization. When the CAI publishes that a vendor has not fully met its obligations, that report becomes evidence in your file.

OpenAI is the first — not the last.

The report targets OpenAI today. Tomorrow it could target Anthropic, Microsoft Copilot, Google Gemini, AWS Bedrock, or Mistral's hosted API. The grid the CAI applied (excessive collection, validity of consent, transparency, accuracy, retention, accountability) fits any hosted vendor that processes your data, wherever it is headquartered. Switching vendors does not change the Bill 25 analysis; it only changes which vendor is investigated next.

The CAI's four recommendations to OpenAI

  1. R1 — At the point of collection, implement reasonable measures to meet the duty to inform the data subjects or obtain their consent, where required.
  2. R2 — Inform users of the free Web version in a timely manner that their chats may be reviewed and used for model training.
  3. R3 — Change privacy settings so that, by default, user chats are not used for model training.
  4. R4 — Where personal information is retained for historical reference, inform users — or destroy or anonymize it.

These four recommendations target an architecture tonia does not reproduce: collection at a remote vendor, training enabled by default, retention managed by the vendor. With tonia deployed on-site and configured opt-in, you no longer depend on OpenAI's timeline: the collection, training and retention decisions are yours, and the local log records each one.

Read the CAI's official release →