Statement by the Privacy Commissioner of Canada to the House of Commons Standing Committee on Industry and Technology on Bill C-15

January 26, 2026
Ottawa, ON

Opening statement by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

---

Thank you for the invitation to appear before you today to offer my views on the privacy implications of Part 5, Division 23 of Bill C-15, the Budget 2025 Implementation Act, No. 1. I am accompanied by Marc Chénier, Deputy Commissioner and Senior General Counsel.

Privacy is an important and timely issue for Canada. As more and more personal data is being collected, used, and shared, data protection becomes increasingly significant for Canadians and Canadian organizations.

In the past two years, we have seen many examples of how Canadian law can address major issues that cause serious and long-lasting harms to individuals. For example, protecting against the nonconsensual sharing of intimate images in my investigation into Aylo, which operates Pornhub and other pornographic websites, and addressing the 23andMe breach, which impacted the highly sensitive personal information of 7 million customers, including more than 300,000 Canadians.

My recent investigation with my provincial counterparts into TikTok, meanwhile, highlighted the importance of protecting children’s privacy in today’s online world. The impact of our investigation into this widely used platform went far beyond a report; it also enabled the company to implement improvements to its privacy practices in the best interests of its users, especially children.

I recently announced an expanded investigation into the social media platform X, and its Grok chatbot. This investigation will examine the emerging phenomenon of AI being used to create deepfakes, which can present significant risk to Canadians.

These are some of many examples that demonstrate the importance of privacy for current and future generations. These examples also illustrate how prioritizing privacy is a strategic and competitive asset for organizations.

This is why it is so important to modernize legislation so that we have modern laws in place to support businesses in ensuring that they have appropriate protections.

For organizations, embedding data protection into programs and services can enable responsible innovation, facilitate global operations, improve data security, and mitigate risks, including of major breaches.

Modernizing privacy laws aligns with Canada’s ambition to support growth, to seek opportunities with partners around the world, and to continue to be a voice of modern progress, setting the stage for a safe and secure digital future for Canadians and Canadian industry.

Bill C-15 includes sections that would amend the Personal Information Protection and Electronic Documents Act, or PIPEDA, to provide a right to data mobility to facilitate information sharing across all economic sectors. I support efforts to introduce such right to data mobility in Canada.

A right to data mobility would give Canadians greater control of their personal information by allowing them to make decisions about who they want their information shared with. This would make it easier for them to switch service providers and choose with which organizations they wish to engage. These are important considerations for building trust in today’s digital economy.

Enhancing data-mobility provisions can also support economic growth in Canada.

For example, it would help promote competition and innovation by allowing individuals to take advantage of new business models like consumer-driven banking, and encourage new players in the market, therefore helping to support small and medium-sized organizations.

Specifically, Bill C-15 would add a new Division 1.2 to PIPEDA that would require an organization, upon an individual’s request, to disclose the personal information that it has collected from them to a designated organization. This right would be subject to regulations and would only apply if both organizations are subject to a data-mobility framework.

Bill C-15 would amend PIPEDA to provide the Governor in Council with the authority to make regulations regarding data-mobility frameworks. These regulations would cover key aspects of a mobility framework, including safeguards and technical parameters for ensuring interoperability. They would also specify which organizations are subject to a mobility framework and provide for exceptions to the requirement to disclose information.

Given the extent of issues to be prescribed by regulation, it will be important for my Office to be consulted by the government in the development of those regulations. I certainly look forward to working with the government on these important issues.

Thank you and I would be happy to answer any questions that you may have.