Consolidated Issue Sheets on Bill C-15

Views on PIPEDA amendments proposed in Bill C-15

Speaking points

  • Bill C-15 would amend PIPEDA to establish a regime for data-mobility frameworks that is nearly identical to what was previously proposed in Bill C-27 (s. 72). As was the case with Bill C-27, I support these changes as they will allow individuals to have greater control over their personal information.
  • I am also of the view that Bill C-15’s proposed regime for data-mobility frameworks could be strengthened by establishing a clear consultative role for my Office.
  • Some data-portability laws provide individuals with a right to receive their personal information in a structured, commonly used, machine-readable format.
  • While this could be provided for in an amendment to the mobility provisions in Bill C-15, it could also reasonably be enshrined under PIPEDA’s general right of access (clause 4.9 of Schedule 1), which requires businesses to inform individuals of the existence, use, and disclosure of their personal information and to provide access to it upon request.

Background

  • Much like Bill C-15 (clause 389, Division 1.2), s. 72 of the former Bill C-27 would have required that, “subject to the regulations, on the request of an individual, an organization must as soon as feasible disclose the personal information that it has collected from the individual to an organization designated by the individual, if both organizations are subject to a data mobility framework.” Bill C-27 would have also enabled the GIC to make regulations respecting the disclosure of personal information under s. 72.
  • In our written submission on Bill C-27, we previously recommended:
    • that s. 72 be expanded to include all personal information about an individual, including derived or inferred information, and
    • that a clear consultative, advisory or approval role be established for the OPC with respect to data mobility frameworks.
  • Many data portability laws in other jurisdictions either exempt derived or inferred data from their data portability frameworks (Quebec, EU, UK), or do not provide for such information to be ported to another organization (California and Australia).

Lead: PRPA


Data portability vs. data mobility

Speaking points

  • “Data portability” and “data mobility” are complementary concepts:
    • Data portability typically refers to the ability (or right) of an individual to move some or all of their personal information from one business or service to another.
    • Data mobility, on the other hand, is sometimes used to refer to the ability of an individual to request that a business or service move some or all of their personal information elsewhere on their behalf, and is focused on the systems, standards and governance to facilitate that movement.
  • Both concepts are linked to informational privacy rights in that they relate to the degree of control that individuals may assert over their data.

Background

  • Like the previous Bill C-27, Bill C-15 (clause 389, division 1.2) would amend PIPEDA to provide for the creation of “data mobility frameworks,” the details of which will be set out in regulations.
  • The proposed new s.10.5 of PIPEDA would empower the Governor in Council to make regulations respecting the disclosure of personal information under these frameworks, including prescribing safeguards, technical means for ensuring interoperability, the organizations subject to a given framework, and exceptions to the general requirement for disclosure.
  • The elements listed in s.10.5 capture many of the components commonly associated with the right to data portability, including the need to ensure appropriate safeguards given the sensitivity of the information that may be ported, and the need for technical interoperability to ensure that data is provided in a structured, commonly used, and machine-readable format.
  • The proposed s. 10.6, which clarifies that regulations made under s. 10.5 may distinguish among different classes of activities, information, or organizations, suggests that data-mobility frameworks may be established on a sector-by-sector basis (as in Australia, where sector-specific consumer-data rules must be defined prior to any disclosures).

Lead: PRPA


Consumer Data Right in Australia

Speaking points

  • Australia’s Consumer Data Right (“CDR”) is similar to the right to data mobility set out in Bill C-15 as it only applies to specific sectors that have been designated by regulation.
  • Australia has currently designated authorized deposit-taking institutions, non-bank lenders, the energy sector and the telecommunications sector as subject to the CDR.
  • Similar to Bill C-15, the Australian responsible Minister may also make rules in respect of the designated sectors.
  • While the CDR includes derived information in the definition of “CDR Data”, the CDR does not require the disclosure of this information to consumers.
  • The Australian law also specifies oversight and consultation roles for the Australian Information Commissioner. Bill C-15 does not specify similar roles for the Privacy Commissioner.

Background

  • Section 56AC of Australia’s Competition and Consumer Act 2010 sets out the scope of regulatory powers to designate sectors as subject to the CDR.
  • Section 56BA of the Act empowers the Australian Minister to make consumer data rules for designated sectors, such as banking and telecommunications. Section 56BB specifies that these rules may deal with matters such as disclosure, collection, use, security, reporting, record keeping and auditing.
  • Section 56AI(1)(b) of the Act specifies that CDR data includes information that is “wholly or partly derived” from information that relates to a CDR consumer, but section 56BD(1) provides that this information is not subject to mandatory disclosure.
  • Under sections 56AF and 56BR of the Act, the Australian Information Commissioner must analyse and report about an instrument proposing to designate a sector or declare actions and analyse any proposed consumer data rules.
  • Under section 56GA of the Act, the Information Commissioner may “consult or advise about any matter relevant to the operation of” the consumer data right.

Lead: Legal


Data portability in California

Speaking points

  • The California Consumer Privacy Act of 2018 (CCPA) sets out requirements relating to data portability in respect of personal information that a business has collected “about” a consumer.
  • Businesses must provide this information to consumers directly or may transfer this information to another entity at the consumer’s request, and the information must be provided in a format that is easily understandable to the average consumer.
  • Of note, the CCPA only applies to certain businesses (e.g., businesses with gross revenues exceeding $25 million a year).
  • Unlike Bill C-15, the requirements relating to data portability set out in the CCPA include inferences about an individual that are generated by the business or obtained by the business from another source.

Background

  • The Californian requirements relating to portability (see ss. 1798.110(b) and 1798.130(a)(3)(B)(iii), CCPA) apply to information a business has collected “about” a consumer (see section 1798.110, CCPA).
  • Businesses are required to “provide the specific pieces of personal information obtained from consumers in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format, which also may be transmitted to another entity at the consumer’s request without hindrance” (1798.130(a)(3)(B)(iii), CCPA).
  • The CCPA only applies to businesses that collect information from consumers in California and that either: (1) have gross revenues exceeding $25 million a year; (2) buy, sell or share the personal information of 100,000 or more consumers or households a year; or (3) derive 50 percent or more of their annual revenue from selling or sharing consumers’ personal information (ss. 1798.140(d)(1)(A) to (C)).
  • The requirements relating to data portability include inferences about an individual that are generated by the business or obtained by the business from another source (Californian Office of the Attorney General Opinion 20-303, March 2022).
  • The definition of “personal information” in the CCPA also explicitly includes inferred information (s. 1798.140(v)(1)(K), CCPA).

Lead: Legal


Data portability under the GDPR

Speaking points

  • The GDPR includes a general right of data portability. Under article 20, individuals have the right to receive personal information concerning themselves that they have provided to a data controller, and to have that information transferred to another controller.
  • The GDPR right applies to all controllers subject to the GDPR. In contrast, Bill C-15 limits the application of its proposed data mobility right to those organizations that are subject, by regulation, to a data mobility framework.
  • Neither the GDPR right nor the proposed Bill C-15 right includes personal information that has been inferred or derived.

Background

  • The Bill C-15 right leaves the vast majority of details about the scope and application of the right to regulations, which have not yet been issued.
  • The GDPR right includes information that has been observed about an individual (i.e. search history, location history, etc.), but it does not include inferred information about the individual (i.e. a personalized recommendation, profiling data, etc.).
  • The GDPR right to data portability applies when the processing is based on consent or necessary for the performance of a contract (article 20(1)(a)). It does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (article 20(3)).
  • The GDPR right does not specify security requirements, but the general security obligations in article 5(1)(f) of the GDPR would apply.
  • Where third-party personal information is captured by a request under article 20 of the GDPR, another legal basis for the processing must be identified (such as the legitimate interest ground under article 6(1)(f) of the GDPR).
  • The EU Data Act, which came into force on September 12th, 2025, provides users of “connected products and related services” (i.e. the Internet of Things) with data-portability rights to the personal and non-personal information these users generate when using these products and/or services.
  • The GDPR continues to apply to all personal data processing activities under the Data Act, and the GDPR prevails in the event of a conflict.

Lead: Legal


Data portability in Quebec

Speaking points

  • Quebec’s private sector privacy law provides a data-mobility right that is limited to personal information that is collected from the applicant.
  • The right does not include inferred personal information but would include personal information that was indirectly collected from an individual or generated by their activities (e.g., purchase history, travel history, driving habits).
  • Unlike Bill C-15, the Quebec right applies broadly to all organizations subject to Quebec’s privacy law. It is not limited to organizations subject to a data mobility framework.
  • Quebec’s data mobility right also only applies to personal information that is stored in electronic format.

Background

  • Section 27 of An Act Respecting the Protection of Personal Information in the Private Sector states that “Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information.”
  • Guidance from the Commission d’accès à l’information states that the following categories of personal information would be excluded from the right:
    • personal information stored on paper;
    • information created or inferred by an organization through analysis, observation, or obtained through algorithms and correlations;
    • computerized information that an organization obtains from a third party; and,
    • the risk level assigned by an insurance company to an individual.
  • The Quebec public sector privacy law has an identical right (s. 84).

Lead: Legal


Data portability in the United Kingdom

Speaking points

  • Under article 20 of the UK GDPR, the UK has the same right to data portability as found in the EU GDPR.
  • The UK GDPR right applies to all controllers subject to the UK GDPR. In contrast, Bill C-15 limits the application of its proposed data mobility right to only those organizations that are subject by regulation to a data mobility framework.
  • Both the UK GDPR right and the proposed Bill C-15 right do not include personal information that has been inferred.
  • The UK’s Data (Use and Access) Act (DUAA) was enacted in June 2025 and expands the potential scope of data portability in the UK to “customer” and “business” data, which would include both personal and non-personal information.
  • The DUAA provides the UK Secretary of State and the Treasury with broad regulatory powers to determine the scope and application of this expanded data portability right.
  • Such regulations have not yet been made, which makes it difficult to comment on the practical application of the Act.

Background

  • The GDPR has been incorporated into the UK’s domestic laws in the form of the UK GDPR. As the UK-GDPR right is identical to the GDPR right, for further details on the UK right see the “Data Portability under the GDPR” Issue Sheet.
  • The DUAA applies to “business data” and “customer data”, which are colloquially referred to as “smart data”. This data is broadly defined and encompasses information relating to “goods, services and digital content” (s. 1).
  • The DUAA provides the UK Secretary of State or the Treasury with broad regulatory powers to provide for access and sharing of this data (ss. 2 – 5).
  • It is possible that, in the future, regulations made under the DUAA could provide the legal basis for implementing data portability in the financial, energy, telecommunications or transportation sectors.

Lead: Legal


Derived or inferred data in other data-mobility laws

Speaking points

  • Data-portability laws in some jurisdictions, such as Quebec, the EU, and the UK, exempt derived or inferred data. Laws in other jurisdictions, such as California and Australia, are more inclusive.
  • I recognize that it may be appropriate to exclude derived or inferred data from compelled disclosure to other entities under the consumer-driven banking framework.
  • However, in my view, derived or inferred data that constitutes “personal information” should remain subject to individuals’ rights of access and correction under PIPEDA and should be subject to a right to deletion under any revised federal private-sector privacy law.

Background

  • The proposed data-mobility right under Bill C-15 would apply only to personal information “collected from” an individual (PIPEDA, s. 10.4). The Consumer-Driven Banking Act (CDBA) would not apply in respect of “derived data” (s. 10(2)).
  • “Derived data” would be defined in s. 2 of the CDBA to mean: “subject to the regulations, data about a consumer, product or service that has been enhanced by a participating entity to significantly increase its usefulness or commercial value.”
  • Australia’s Consumer Data Right regime applies to certain derived information, including certain “materially enhanced information” in the open-banking context, although its disclosure cannot be required (Competition and Consumer Act 2010, ss. 55AI, 56BD; Authorized Deposit-Taking Institutions Designation, ss. 5, 7, 10).
  • “Personal information” under the California Consumer Privacy Act (s. 1798.140(v)(1)(K)) includes “[i]nferences” drawn from other types of personal information listed in that section to create a profile about a consumer. The data-portability right under s. 1798.110(b) thus can include inferred information.
  • For the data-portability right under Art. 20 of the EU GDPR and the UK GDPR, the EU’s Article 29 Data Protection Working Party and the UK ICO have each explained that derived or inferred data is generally excluded.
  • Quebec’s data-portability right expressly excludes information “created or inferred” from a person’s personal information (Loi sur la protection des renseignements personnels dans le secteur privé, s. 27).

Lead: Legal


Joint account holder/third-party data in other data-mobility laws

Speaking points

  • The issue of disclosing third-party data under data-portability laws has been handled in a variety of ways by other jurisdictions.
  • In my view, we need a made-in-Canada solution to that issue – one that ensures that there is always meaningful consent, and accounts for the nature of the data and the context in which it is being shared.
  • Bill C-15 does not directly address the issue of third-party data but regulations under PIPEDA and under the Consumer-Driven Banking Act (CDBA) may do so.
  • I expect that my Office will be consulted during the making of those regulations, at which point we would be happy to discuss what meaningful consent looks like.

Background

  • The proposed new s.10.5 of PIPEDA would empower the Governor in Council to make regulations respecting the disclosure of personal information in accordance with the proposed data-mobility right under s.10.4.
  • The CDBA would empower the Governor in Council to make regulations respecting the express consent that a participating entity must obtain for data-sharing and respecting how a participating entity may use consumer data (ss. 178(k) and (m)).
  • Australia’s Consumer Data Right (CDR) regime includes special rules applicable to disclosures of data relating to joint accounts, including rules permitting joint account holders to control which joint account holders’ consent is required for disclosures and whether disclosures are prohibited entirely (CDR Rules, rr. 4A.4 to 4A.15).
  • Article 20 of the EU GDPR and the UK GDPR provide that the data-portability right set out in each of those articles “shall not adversely affect the rights and freedoms of others.” The EU’s Article 29 Data Protection Working Party and the UK ICO have each explained that, in practice, this may require limits on the processing of a third party’s data absent that party’s consent to additional processing.
  • Quebec’s private-sector law provides that, absent an emergency, a person’s personal information must not be disclosed to them without the consent of a third person if the disclosure would likely reveal that third person’s personal information, or its existence, and the disclosure might “seriously harm” that third person (s. 40).

Lead: Legal


Standards/interoperability in other data-mobility laws

Speaking points

  • Data-portability laws in other jurisdictions have adopted a variety of approaches to the development of technical standards for data sharing and common rules like security safeguards.
  • Bill C-15’s proposed Consumer-Driven Banking Act envisions a single technical standard developed by a standard-setting body designated by the Minister of Finance (s.125), and mandatory security safeguards set out in regulations (ss. 79(1), 178(g)).
  • However, the proposed Act does not currently require that my Office be consulted during the development of the technical standard or the security-safeguard regulations, as is the case with my counterpart under Australian law.
  • My Office would be pleased to provide privacy expertise to support the development of Canadian standards and regulations.

Background

  • Under Australia’s Consumer Data Right (CDR) regime (which applies beyond open banking), a Data Standards Body (within the Department of the Treasury) is responsible for developing technical standards and the Treasurer is responsible for making common rules, but both are required to consult the OAIC (Competition and Consumer Act 2010, ss. 56FA-56FS, 56BA-56BR; CDR Rules, r. 8.9(2)(b)(iii)).
  • In the EU, in the open-banking context, the European Banking Authority, in cooperation with the European Central Bank, is responsible for developing draft regulatory technical standards for adoption by the European Commission (PSD2, Arts. 95(4), 98). Member states’ financial regulators then transpose those standards into their national contexts (PSD2, Art. 115(1)).
  • In the UK, Open Banking Limited (an industry-created entity) develops data and security standards under the supervision of the Competition and Markets Authority (Retail Banking Market Investigation Order 2017, Art. 10), although it is expected to be replaced by an industry-led “Future Entity” overseen by a joint committee of regulators. The Financial Conduct Authority is also tasked with making technical standards (PSR 2017, reg. 106A). More broadly, the Data (Use and Access) Act 2025 envisions regulations providing for standard-setting “interface bodies” for various Smart Data schemes (open banking is one such scheme) (s. 7).

Lead: Legal


Data mobility and healthcare

Speaking points

  • In the health sector, data mobility is closely related to the interoperability of health-information systems; that is, the ability of health information to flow seamlessly between different systems, organizations, and technologies.
  • Regulating healthcare data can be challenging given the patchwork of federal and provincial privacy laws that may apply, but recent initiatives recognize the need for greater alignment on improving interoperability.
  • I am supportive of measures to modernize digital healthcare in a manner that protects the privacy of Canadians. My provincial and territorial counterparts and I have previously issued a joint resolution encouraging governments to replace unencrypted email and fax with more modern, secure, and interoperable digital alternatives.

Background

  • At the provincial/territorial level, interoperability of health data is an ongoing area of development. Progress has been uneven, with Alberta, BC, and Nova Scotia recently implementing platforms to enhance patient access to their health data.
  • Canada Health Infoway and the Canadian Institute for Health Information are engaged in initiatives to improve interoperability, including by developing technical standards for health data and advocating for legislative changes.
  • In 2023-2024, the federal government committed $49.4 billion to the provinces and territories to improve healthcare services, including by adopting common data standards and policies.
  • In 2024, the federal government tabled Bill C-72, the Connected Care for Canadians Act, which would have required health-information technology vendors to ensure that their services were interoperable while prohibiting vendors from data blocking, which is any act interfering with access, exchange and use of health data.
  • Bill C-72 was intended to accelerate the implementation of the Shared Pan-Canadian Interoperability Roadmap, which was developed by Canada Health Infoway and endorsed by FPT governments (except Quebec) in 2023. It set out a five-year plan for improving connected care through common interoperability and data standards. However, the bill ultimately died on the order paper in January 2025.

Lead: PRPA


Data mobility and Consumer-Driven Banking

Speaking points

  • Bill C-15 provides for the creation of “data mobility frameworks” under PIPEDA whereby subject organizations would be required to disclose personal information that they collect from individuals to other organizations at the request of those individuals.
  • In explanatory material released upon tabling of the Budget, Finance Canada indicated that the consumer-driven banking provisions in C-15 will be the “first iteration” of such a framework.
  • When the Government moves forward with other sector-specific data-mobility frameworks, I expect that my Office will be consulted on related regulations insofar as they pertain to the collection, use and disclosure of personal information.

Background

  • The proposed s. 10.4 of PIPEDA provides that, subject to regulations and as soon as feasible, an organization must, on the request of an individual, disclose any personal information it has collected from that individual to a designated organization. This requirement applies only if both organizations are subject to a data-mobility framework.
  • The proposed s. 10.5 provides that the Governor in Council may make regulations respecting the disclosure of personal information under s. 10.4, including to prescribe safeguards, technical means for ensuring interoperability, organizations subject to a data mobility framework, and exceptions to the general requirement for disclosure (e.g., to protect proprietary or confidential commercial information).
  • Australia’s Consumer Data Right (CDR) applies to the banking and energy sectors and is set to be applied to the telecommunications and non-bank lending sectors (Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019; Consumer Data Right (Energy Sector) Designation 2020; Consumer Data Right (Telecommunications Sector) Designation 2022; Consumer Data Right (Non-Bank Lenders) Designation 2022).
  • In Australia, the government must, before expanding the application of the CDR regime to other sectors, consult the Office of the Australian Information Commissioner about the likely effect on the privacy or confidentiality of consumers’ information (CCA, s. 56AD(3)).

Lead: PRPA


The Consumer Driven Banking Act

Speaking points

  • Although much has been left to regulations, I am generally supportive of the Consumer-Driven Banking Act and am encouraged to see that it would incorporate several privacy-protective measures, including a requirement to obtain express consent (s. 85(1)), use-limitations (s. 85(6)), a technical standard (s. 125), an accreditation model (ss. 15, 17, 19, 31-32), and a prohibition on screen scraping (s. 171).
  • I am also encouraged that the Government’s Consumer-Driven Banking Framework clarifies that participating entities are required to comply with existing privacy laws.
  • I believe the legislation could still be improved in certain ways, including by providing for cross-regulatory cooperation, and ensuring meaningful consent and strong consumer authentication.

Background

  • Bill C-15, the Budget 2025 Implementation Act, No. 1, would enact a new Consumer-Driven Banking Act (CDBA) under Part 5, Division 9 (clause 224), and would repeal (clause 246) the existing Consumer Driven Banking Act enacted by Bill C-69 (44-1), the Budget Implementation Act, 2024, No. 1. Oversight of the consumer-driven banking regime would be assigned to the Bank of Canada (s. 4).
  • A Department of Finance document titled “Budget 2025: Canada’s Consumer-Driven Banking Framework” states: “In terms of privacy, participating entities are already required to comply with applicable legislative frameworks.”
  • Similar laws in Australia and New Zealand include provisions expressly addressing the roles of privacy regulators and privacy legislation (Competition and Consumer Act 2010, ss. 56BR, 56EQ; Customer and Product Data Act 2025, ss. 51-52).
  • Currently, under the CDBA’s express-consent provisions, a consumer would not need to be informed of the risks of sharing the consumer’s data, although regulations could require the provision of such information (ss. 85(4), 178(k) to (l)).
  • The CDBA is currently silent regarding how a participating entity would be required to confirm a consumer’s authentication information before sharing data, although that could also potentially be addressed in regulations (ss. 92(1), 178(t)).

Lead: PRPA


Engagement with Finance Canada and the Financial Consumer Agency of Canada (FCAC) on Consumer-Driven Banking

Speaking points

  • I have been engaged with Finance Canada and the FCAC on consumer-driven banking since the previous government first announced its intention to explore its potential benefits, in Budget 2018.
  • Although we did not opine on specific legislative proposals, we are pleased to see certain of our advice reflected, such as the regime requiring express consent and an accreditation model.
  • As I have repeatedly stressed, my Office welcomes the opportunity to work with other regulators, including the Bank of Canada, to ensure that the proposed framework is implemented in a way that protects and promotes the privacy rights of Canadians.

Background

  • C-15 proposes to move oversight for consumer-driven banking (CDB) from the FCAC to the Bank of Canada. Finance Canada will set the overall policy and legislative framework for CDB, while the Bank of Canada is responsible for oversight, implementation, and supervision of the framework. The FCAC supervises federally regulated financial entities and promotes financial literacy.
  • In February 2019, the OPC sent a submission to Finance Canada in response to its consultation on the merits of consumer-driven banking, wherein we emphasized the importance of having strong privacy laws to support consumer trust, confidence, and participation in the digital economy.
  • In December 2020, we participated in four advisory committee meetings led by Finance Canada that covered a broad range of topics, including privacy and data protection. Between 2021 and 2024, we met regularly with working-level officials at Finance Canada on the ongoing development of the framework, with a focus on the privacy-related aspects.
  • In March 2025, the Commissioner met with FCAC Commissioner Shereen Miller and reiterated our eagerness to collaborate on related initiatives, such as issuing guidance and addressing security breaches.

Lead: PRPA


Collaboration with the Competition Bureau

Speaking points

  • My Office collaborates with the Competition Bureau on the enforcement of Canada’s Anti-Spam Legislation as well as by sharing best practices in policy development and current work products.
  • Our organizations are co-founders of the Canadian Digital Regulators Forum (CDRF), a group established in June 2023 to strengthen information sharing and collaboration on matters related to digital policy.
  • I echo the Bureau’s support for consumer-driven banking in light of how it may help individuals securely transfer their personal information, promote consumer choice, benefit small and medium-sized organizations, and increase competition, although some targeted enhancements could be made.

Background

  • In the OPC’s submission on Bill C-27, we recommended expanding the Commissioner’s ability to collaborate with domestic organizations like the Competition Bureau, to ensure greater coordination and efficiencies in dealing with matters that raise privacy issues.
  • For year three of the CDRF, the Competition Bureau and the OPC are developing an article on digital design patterns and how they engage our respective mandates.
  • In March 2024, the Competition Bureau sent a submission to Finance Canada’s public consultation to strengthen Canada’s financial sector. In it, they recommended adopting a consumer-driven banking framework as soon as possible as it:
    • would provide a secure means for individuals to transfer their information from one organization to another;
    • could help reduce consumer switching costs;
    • would reduce barriers to entry for new entrants and small and medium-sized organizations, thereby increasing competition.

Lead: PRPA
