Issue sheets on Bill C-15 – Appearance before INDU of January 26, 2026

Views on PIPEDA amendments proposed in Bill C-15

Speaking points

  • Bill C-15 would amend PIPEDA to establish a regime for data-mobility frameworks that is nearly identical to what was previously proposed in Bill C-27 (s. 72). As was the case with Bill C-27, I support these changes as they will allow individuals to have greater control over their personal information.
  • Some data portability laws provide individuals with a right to receive their personal information in a structured, commonly used, machine-readable format. While this could be provided for in an amendment to the mobility provisions in Bill C-15, it could also reasonably be enshrined under PIPEDA’s general right of access (clause 4.9 of Schedule 1), which requires businesses to inform individuals of the existence, use, and disclosure of their personal information and to provide access to it upon request.
  • I am also of the view that Bill C-15’s proposed regime for data-mobility frameworks could be strengthened by establishing a clear consultative role for my Office.

Background

  • Much like Bill C-15 (clause 389, Division 1.2), s. 72 of the former Bill C-27 would have required that, “subject to the regulations, on the request of an individual, an organization must as soon as feasible disclose the personal information that it has collected from the individual to an organization designated by the individual, if both organizations are subject to a data mobility framework.” Bill C-27 would have also enabled the GIC to make regulations respecting the disclosure of personal information under s. 72.
  • In our written submission on Bill C-27, we previously recommended:
    • That s. 72 be expanded to include all personal information about an individual, including derived or inferred information, and
    • That a clear consultative, advisory or approval role be established for the OPC with respect to data mobility frameworks.
  • Many data portability laws in other jurisdictions either exempt derived or inferred data from their data portability frameworks (Quebec, EU, UK), or do not provide for such information to be ported to another organization (California and Australia).

Lead: PRPA


GIC regulations as a pre-condition for data-mobility frameworks

Speaking points

  • For the data mobility right to apply, both the organizations between which data is being transferred must be subject to a data mobility framework.
  • The GIC will specify by regulations which organizations are subject to a data mobility framework (see proposed paragraph 10.5(b) of PIPEDA).
  • Organizations may approach the government to request that the GIC subject them to a data mobility framework.
  • While we do not interpret the amendments to PIPEDA as permitting organizations to informally set up their own data mobility frameworks without government intervention, greater clarity could be provided on this issue.

Background

  • The proposed section 10.4 of PIPEDA states that “Subject to regulations, on the request of an individual, an organization shall, as soon as feasible, disclose the personal information that it has collected from the individual to an organization designated by the individual if both organizations are subject to a data mobility framework” (emphasis added).
  • The proposed paragraph 10.5(b) of PIPEDA states “The Governor in Council may make regulations respecting the disclosure of personal information under section 10.4, including regulations … (b) specifying organizations that are subject to a data mobility framework”.
  • Further clarity could be provided if the proposed section 10.4 of PIPEDA specified that organizations must be subject to a data mobility framework “as prescribed by regulation”.

Lead: Legal


Data portability under the GDPR

Speaking points

  • The GDPR includes a general right of data portability. Under article 20, individuals have the right to receive personal information concerning themselves which they have provided to a data controller and have that information transferred to another controller.
  • The GDPR right applies to all controllers subject to the GDPR. In contrast, Bill C-15 limits the application of its data mobility right to those organizations that are subject by regulation to a data mobility framework.
  • Neither the GDPR right nor the Bill C-15 right includes personal information that has been inferred or derived.

Background

  • The Bill C-15 right leaves the vast majority of details about the scope and application of the right to regulations, which have not yet been issued.
  • The GDPR right includes information that has been observed about an individual (i.e. search history, location history, etc.), but it does not include inferred information about the individual (i.e. a personalized recommendation, profiling data, etc.).
  • The GDPR right to data portability applies when the processing is based on consent or necessary for the performance of a contract (article 20(1)(a)). It does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (article 20(3)).
  • The GDPR right does not specify security requirements, but the general security obligations in article 5(1)(f) of the GDPR would apply.
  • Where third-party personal information is captured by a request under article 20 of the GDPR, another legal basis for the processing must be identified (such as the legitimate interest ground under article 6(1)(f) of the GDPR).
  • The EU Data Act, which came into force on September 12th, 2025, provides users of “connected products and related services” (i.e. the Internet of Things) with data portability rights over the personal and non-personal data these users generate when using these products and/or services.
  • The GDPR continues to apply to all personal data processing activities under the Data Act, and the GDPR would prevail in the event of a conflict.

Lead: Legal


Consumer Data Right in Australia

Speaking points

  • Australia’s Consumer Data Right (“CDR”) is similar to the right to data mobility set out in Bill C-15 as it only applies to specific sectors that have been designated by regulation.
  • Australia has currently designated authorized deposit-taking institutions, non-bank lenders, the energy sector and the telecommunications sector as subject to the CDR.
  • Similar to Bill C-15, the Australian Minister may also make rules for the right in respect of the designated sectors.
  • While the CDR includes derived information in the definition of “CDR Data”, the CDR does not require the disclosure of this information to consumers.
  • The Australian law also specifies oversight and consultation roles for the Australian Information Commissioner. Bill C-15 does not specify similar roles for the Privacy Commissioner.

Background

  • Section 56AC of Australia’s Competition and Consumer Act 2010 sets out the scope of regulatory powers to designate sectors as subject to the CDR.
  • Section 56BA of the Act empowers the Australian Minister to make consumer data rules for designated sectors, such as banking and telecommunications. Section 56BB specifies that these rules may deal with matters such as disclosure, collection, use, security, reporting, record keeping and auditing.
  • Section 56AI(1)(b) of the Act specifies that CDR data includes information that is “wholly or partly derived” from information that relates to a CDR consumer, but section 56BD(1) provides that this information is not subject to mandatory disclosure.
  • Under sections 56AF and 56BR of the Act, the Australian Information Commissioner must analyse and report about an instrument proposing to designate a sector or declare actions and analyse any proposed consumer data rules.
  • Under section 56GA of the Act, the Information Commissioner may “consult or advise about any matter relevant to the operation of” the consumer data right.

Lead: Legal


Data portability in the United Kingdom

Speaking points

  • Under article 20 of the UK GDPR, the UK has the same right to data portability as found in the GDPR.
  • The UK GDPR right applies to all controllers subject to the UK GDPR. In contrast, Bill C-15 limits the application of its data mobility right to only those organizations that are subject by regulation to a data mobility framework.
  • Neither the UK GDPR right nor the Bill C-15 right includes personal information that has been inferred.
  • The UK’s Data (Use and Access) Act (DUAA) was enacted in June 2025 and expands the potential scope of data portability in the UK to “customer” and “business” data, which would include both personal and non-personal information.
  • The DUAA provides the UK Secretary of State and the Treasury with broad regulatory powers to determine the scope and application of this expanded data portability right.
  • Such regulations have not yet been made, which makes it difficult to comment on the practical application of the Act.

Background

  • The GDPR has been incorporated into the UK’s domestic laws in the form of the UK GDPR. As the UK GDPR right is identical to the GDPR right, for further details on the UK right see the “Data Portability under the GDPR” Issue Sheet.
  • The DUAA applies to “business data” and “customer data”, which are colloquially referred to as “smart data”. It is broadly defined and encompasses information relating to “goods, services and digital content” (s. 1).
  • The DUAA provides the UK Secretary of State or the Treasury with broad regulatory powers to provide for access and sharing of this data (ss. 2 – 5).
  • It is possible that in the future regulations made under the DUAA could provide the legal basis for implementing data portability in the financial, energy, telecommunications or transportation sectors.

Lead: Legal


Data portability in Quebec

Speaking points

  • Quebec’s private sector privacy law provides a data mobility right that is limited to personal information that is collected from the applicant.
  • The right does not include inferred personal information but would include personal information that was indirectly collected from an individual or generated by their activities (e.g., purchase history, travel history, driving habits).
  • Unlike Bill C-15, the Quebec right applies broadly to all organizations subject to the Quebec privacy law. It is not limited to organizations subject to a data mobility framework.
  • Quebec’s data mobility right also only applies to personal information that is stored in electronic format.

Background

  • Section 27 of An Act Respecting the Protection of Personal Information in the Private Sector states that “Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information.”
  • Guidance from the Commission d’accès à l’information states that the following categories of personal information would be excluded from the right:
    • personal information stored on paper,
    • information created or inferred by an organization through analysis, observation, or obtained through algorithms and correlations,
    • computerized information that an organization obtains from a third party, and
    • the risk level assigned by an insurance company to an individual.
  • The Quebec public sector privacy law has an identical right (s. 84).

Lead: Legal


Data portability in California

Speaking points

  • The California Consumer Privacy Act of 2018 (CCPA) sets out requirements relating to data portability in respect of personal information that a business has collected “about” a consumer.
  • Businesses must provide this information to consumers directly or may transfer this information to another entity at the consumer’s request, and the information must be provided in a format that is easily understandable to the average consumer.
  • Of note, the CCPA only applies to certain businesses (e.g., businesses with gross revenues exceeding $25 million a year).
  • Unlike Bill C-15, the requirements relating to data portability set out in the CCPA include inferences about an individual that are generated by the business or obtained by the business from another source.

Background

  • The Californian requirements relating to portability (see ss. 1798.110(b) and 1798.130(a)(3)(B)(iii), CCPA) apply to information a business has collected “about” a consumer (see section 1798.110, CCPA).
  • Businesses are required to “provide the specific pieces of personal information obtained from consumers in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format, which also may be transmitted to another entity at the consumer’s request without hindrance” (1798.130(a)(3)(B)(iii), CCPA).
  • The CCPA only applies to businesses that collect information from consumers in California and that either: (1) have gross revenues exceeding $25 million a year; (2) buy, sell or share the personal information of 100,000 or more consumers or households a year; or (3) derive 50 percent or more of their annual revenue from selling or sharing consumers’ personal information (ss. 1798.140(d)(1)(A) to (C)).
  • The requirements relating to data portability include inferences about an individual that are generated by the business or obtained by the business from another source (Californian Office of the Attorney General Opinion 20-303, March 2022).
  • The definition of “personal information” in the CCPA also explicitly includes inferred information (s. 1798.140(v)(1)(K), CCPA).

Lead: Legal


Derived or inferred data in other data-mobility laws

Speaking points

  • Data-portability laws in some jurisdictions, such as Quebec, the EU, and the UK, exempt derived or inferred data. Laws in other jurisdictions, such as California and Australia, are more inclusive.
  • I recognize that it may be appropriate to exclude derived or inferred data from compelled disclosure to other entities under the consumer-driven banking framework.
  • However, in my view, derived or inferred data that constitutes “personal information” should remain subject to individuals’ rights of access and correction under PIPEDA and should be subject to a right to deletion under any revised federal private-sector privacy law.

Background

  • The data-mobility right under Bill C-15 would apply only to personal information “collected from” an individual (PIPEDA, s. 10.4). The Consumer-Driven Banking Act (CDBA) would not apply in respect of “derived data” (s. 10(2)).
  • “Derived data” would be defined in s. 2 of the CDBA to mean: “subject to the regulations, data about a consumer, product or service that has been enhanced by a participating entity to significantly increase its usefulness or commercial value.”
  • Australia’s Consumer Data Right regime applies to certain derived information, including certain “materially enhanced information” in the open-banking context, although its disclosure cannot be required (Competition and Consumer Act 2010, ss. 55AI, 56BD; Authorized Deposit-Taking Institutions Designation, ss. 5, 7, 10).
  • “Personal information” under the California Consumer Privacy Act (s. 1798.140(v)(1)(K)) includes “[i]nferences” drawn from other types of personal information listed in that section to create a profile about a consumer. The data-portability right under s. 1798.110(b) thus can include inferred information.
  • For the data-portability right under Art. 20 of the EU GDPR and the UK GDPR, the EU’s Article 29 Data Protection Working Party and the UK ICO have each explained that derived or inferred data is generally excluded.
  • Quebec’s data-portability right expressly excludes information “created or inferred” from a person’s personal information (Loi sur la protection des renseignements personnels dans le secteur privé, s. 27).

Lead: Legal


Joint-account holder / third-party data in other data-mobility laws

Speaking points

  • The issue of disclosing third-party data under data-portability laws has been handled in a variety of ways by other jurisdictions.
  • In my view, we need a made-in-Canada solution to that issue – one that ensures there is always meaningful consent, and accounts for the nature of the data and the context in which it is being shared.
  • Bill C-15 does not directly address the issue of third-party data but regulations under PIPEDA and under the Consumer-Driven Banking Act (CDBA) may do so.
  • I expect that my Office will be consulted during the making of those regulations, at which point we would be happy to discuss what meaningful consent looks like.

Background

  • The proposed new s.10.5 of PIPEDA would empower the Governor in Council to make regulations respecting the disclosure of personal information in accordance with the proposed data-mobility right under s.10.4.
  • The CDBA would empower the Governor in Council to make regulations respecting the express consent that a participating entity must obtain for data-sharing and respecting how a participating entity may use consumer data (ss. 178(k) and (m)).
  • Australia’s Consumer Data Right (CDR) regime includes special rules applicable to disclosures of data relating to joint accounts, including rules permitting joint account holders to control which joint account holders’ consent is required for disclosures and whether disclosures are prohibited entirely (CDR Rules, rr. 4A.4 to 4A.15).
  • Article 20 of the EU GDPR and the UK GDPR provides that the data-portability right set out in that article “shall not adversely affect the rights and freedoms of others.” The EU’s Article 29 Data Protection Working Party and the UK ICO have each explained that, in practice, this may require limits on the processing of a third party’s data absent that party’s consent to additional processing.
  • Quebec’s private-sector law provides that, absent an emergency, a person’s personal information must not be disclosed to them without the consent of a third person if the disclosure would likely reveal that third person’s personal information, or its existence, and the disclosure might “seriously harm” that third person (s. 40).

Lead: Legal


Standards / interoperability in other data-mobility laws

Speaking points

  • Data-portability laws in other jurisdictions have adopted a variety of approaches to the development of technical standards for data sharing and common rules like security safeguards.
  • Bill C-15’s proposed Consumer-Driven Banking Act envisions a single technical standard developed by a standard-setting body designated by the Minister of Finance (s.125), and mandatory security safeguards set out in regulations (ss. 79(1), 178(g)).
  • However, the Act does not currently require that my Office be consulted during the development of the technical standard or the security-safeguard regulations, as is the case with my counterpart under Australian law.
  • My Office would be pleased to provide privacy expertise to support the development of Canadian standards and regulations.

Background

  • Under Australia’s Consumer Data Right (CDR) regime (which applies beyond open banking), a Data Standards Body (within the Department of the Treasury) is responsible for developing technical standards and the Treasurer is responsible for making common rules, but both are required to consult the OAIC (Competition and Consumer Act 2010, ss. 56FA-56FS, 56BA-56BR; CDR Rules, r. 8.9(2)(b)(iii)).
  • In the EU, in the open-banking context, the European Banking Authority, in cooperation with the European Central Bank, is responsible for developing draft regulatory technical standards for adoption by the European Commission (PSD2, Arts. 95(4), 98). Member states’ financial regulators then transpose those standards into their national contexts (PSD2, Art. 115(1)).
  • In the UK, Open Banking Limited (an industry-created entity) develops data and security standards under the supervision of the Competition and Markets Authority (Retail Banking Market Investigation Order 2017, Art. 10), although it is expected to be replaced by an industry-led “Future Entity” overseen by a joint committee of regulators. The Financial Conduct Authority is also tasked with making technical standards (PSR 2017, reg. 106A). More broadly, the Data (Use and Access) Act 2025 envisions regulations providing for standard-setting “interface bodies” for various Smart Data schemes (open banking is one such scheme) (s. 7).

Lead: Legal


Data portability vs. data mobility

Speaking points

  • “Data portability” and “data mobility” are complementary concepts:
    • Data portability typically refers to the ability (or right) of an individual to move some or all of their personal information from one business or service to another.
    • Data mobility, on the other hand, is sometimes used to refer to the ability of an individual to request that a business or service move some or all of their personal information elsewhere on their behalf, and is focused on the systems, standards and governance to facilitate that movement.
  • Both concepts are linked to informational privacy rights in that they relate to the degree of control that individuals may assert over their data.

Background

  • Like the previous Bill C-27, Bill C-15 (clause 389, division 1.2) would amend PIPEDA to provide for the creation of “data mobility frameworks,” the details of which will be set out in regulations.
  • The proposed new s.10.5 of PIPEDA would empower the Governor in Council to make regulations respecting the disclosure of personal information under these frameworks, including prescribing safeguards, technical means for ensuring interoperability, the organizations subject to a given framework, and exceptions to the general requirement for disclosure.
  • The elements listed in s.10.5 capture many of the components commonly associated with the right to data portability, including the need to ensure appropriate safeguards given the sensitivity of the information that may be ported, and the need for technical interoperability to ensure that data is provided in a structured, commonly used, and machine-readable format.
  • The proposed s. 10.6, which clarifies that regulations made under s. 10.5 may distinguish among different classes of activities, information, or organizations, suggests that data-mobility frameworks may be established on a sector-by-sector basis (as in Australia, where sector-specific consumer-data rules must be defined prior to any disclosures).

Lead: PRPA


Data mobility and open banking

Speaking points

  • Bill C-15 provides for the creation of “data mobility frameworks” under PIPEDA whereby subject organizations would be required to disclose personal information that they collect from individuals to other organizations at the request of those individuals.
  • In explanatory material released upon tabling of the Budget, Finance Canada has indicated that the consumer-driven banking provisions in C-15 will be the “first iteration” of such a framework.
  • When the Government moves forward with other sector-specific data-mobility frameworks, I expect that my Office will be consulted on related regulations insofar as they pertain to the collection, use and disclosure of personal information.

Background

  • The proposed s. 10.4 of PIPEDA provides that, subject to regulations and as soon as feasible, an organization must, on the request of an individual, disclose any personal information it has collected from that individual to a designated organization. This requirement applies only if both organizations are subject to a data-mobility framework.
  • The proposed s. 10.5 provides that the Governor in Council may make regulations respecting the disclosure of personal information under s. 10.4, including to prescribe safeguards, technical means for ensuring interoperability, organizations subject to a data mobility framework, and exceptions to the general requirement for disclosure (e.g., to protect proprietary or confidential commercial information).
  • Australia’s Consumer Data Right (CDR) applies to the banking and energy sectors and is set to be applied to the telecommunications and non-bank lending sectors (Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019; Consumer Data Right (Energy Sector) Designation 2020; Consumer Data Right (Telecommunications Sector) Designation 2022; Consumer Data Right (Non-Bank Lenders) Designation 2022).
  • In Australia, the government must, before expanding the application of the CDR regime to other sectors, consult the Office of the Australian Information Commissioner about the likely effect on the privacy or confidentiality of consumers’ information (CCA, s. 56AD (3)).

Lead: PRPA


Data mobility and healthcare

Speaking points

  • In the health sector, data mobility is closely related to the interoperability of health-information systems; that is, the ability of health information to flow seamlessly between different systems, organizations, and technologies.
  • Regulating healthcare data can be challenging given the patchwork of federal and provincial privacy laws that may apply, but recent initiatives recognize the need for greater alignment on improving interoperability.
  • I am supportive of measures to modernize digital healthcare in a manner that protects the privacy of Canadians. My provincial and territorial counterparts and I have previously issued a joint resolution encouraging governments to replace unencrypted email and fax with more modern, secure, and interoperable digital alternatives.

Background

  • At the provincial/territorial level, interoperability of health data is an ongoing area of development. Progress has been uneven, with Alberta, BC, and Nova Scotia recently implementing platforms to enhance patient access to their health data.
  • Canada Health Infoway and the Canadian Institute for Health Information are engaged in initiatives to improve interoperability, including by developing technical standards for health data and advocating for legislative changes.
  • In 2023-2024, the previous federal government committed $49.4 billion to the provinces and territories to improve healthcare services, including by adopting common data standards and policies.
  • In 2024, the previous federal government tabled Bill C-72, the Connected Care for Canadians Act, which would have required health-information technology vendors to ensure that their services were interoperable while prohibiting vendors from data blocking, which is any act interfering with access, exchange and use of health data.
  • Bill C-72 was intended to accelerate the implementation of the Shared Pan-Canadian Interoperability Roadmap, which was developed by Canada Health Infoway and endorsed by FPT governments (except Quebec) in 2023. It set out a 5-year plan for improving connected care through common interoperability and data standards. However, the bill ultimately died on the order paper in January 2025.

Lead: PRPA


Engagement with Finance Canada and the Financial Consumer Agency of Canada (FCAC) on consumer-driven banking

Speaking points

  • I have been engaged with Finance Canada and the FCAC on consumer-driven banking since the previous government first announced its intention to explore its potential benefits in Budget 2018.
  • Although we did not opine on specific legislative proposals, we are pleased to see certain of our advice reflected, such as the regime requiring express consent and an accreditation model.
  • As I have repeatedly stressed, my Office welcomes the opportunity to work with other regulators, including the Bank of Canada, to ensure that the proposed framework is implemented in a way that protects and promotes the privacy rights of Canadians.

Background

  • C-15 proposes to move oversight for consumer-driven banking (CDB) from the FCAC to the Bank of Canada. Finance Canada will set the overall policy and legislative framework for CDB, while the Bank of Canada is responsible for oversight, implementation, and supervision of the framework. The FCAC supervises federally regulated financial entities and promotes financial literacy.
  • In February 2019, the OPC sent a submission to Finance Canada in response to its consultation on the merits of consumer-driven banking, wherein we emphasized the importance of having strong privacy laws to support consumer trust, confidence, and participation in the digital economy.
  • In December of 2020, we participated in four advisory committee meetings led by Finance Canada which covered a broad range of topics including privacy and data protection. Between 2021 and 2024, we met regularly with working level officials at Finance Canada on the ongoing development of the framework with a focus on the privacy-related aspects.
  • In March 2025, the Commissioner met with FCAC Commissioner Shereen Miller and reiterated our eagerness to collaborate on related initiatives, such as issuing guidance and addressing security breaches.

Lead: PRPA


Consumer-Driven Banking Act

Speaking points

  • Although much has been left to regulations, I am generally supportive of the Consumer-Driven Banking Act and am encouraged to see that it would incorporate several privacy-protective measures, including a requirement to obtain express consent (s. 85(1)), use-limitations (s. 85(6)), a technical standard (s. 125), an accreditation model (ss. 15, 17, 19, 31-32), and a prohibition on screen scraping (s. 171).
  • I am also encouraged that the Government’s Consumer-Driven Banking Framework clarifies that participating entities are required to comply with existing privacy laws.
  • However, I believe the legislation could still be improved in certain ways, including by providing for cross-regulatory cooperation, and ensuring meaningful consent and strong consumer authentication.

Background

  • Bill C-15, the Budget 2025 Implementation Act, No. 1, would enact a new Consumer-Driven Banking Act (CDBA) under Part 5, Division 9 (clause 224), and would repeal (clause 246) the existing Consumer Driven Banking Act enacted by Bill C-69 (44-1), the Budget Implementation Act, 2024, No. 1. Oversight of the consumer-driven banking regime would be assigned to the Bank of Canada (s. 4).
  • A Department of Finance document titled “Budget 2025: Canada’s Consumer-Driven Banking Framework” states: “In terms of privacy, participating entities are already required to comply with applicable legislative frameworks.”
  • Similar laws in Australia and New Zealand include provisions expressly addressing the roles of privacy regulators and privacy legislation (Competition and Consumer Act 2010, ss. 56BR, 56EQ; Customer and Product Data Act 2025, ss. 51-52).
  • Currently, under the CDBA’s express-consent provisions, a consumer would not need to be informed of the risks of sharing the consumer’s data, although regulations could require the provision of such information (ss. 85(4), 178(k) to (l)).
  • The CDBA is currently silent regarding how a participating entity would be required to confirm a consumer’s authentication information before sharing data, although that could also potentially be addressed in regulations (ss. 92(1), 178(t)).

Lead: Legal


Collaboration with the Competition Bureau

Speaking points

  • My Office collaborates with the Competition Bureau on the enforcement of Canada’s Anti-Spam Legislation as well as by sharing best practices in policy development and current work products.
  • Our organizations are co-founders of the Canadian Digital Regulators Forum (CDRF), a group established in June 2023 to strengthen information sharing and collaboration on matters related to digital policy.
  • I echo the Bureau’s support for consumer-driven banking in light of how it may help individuals securely transfer their personal information, promote consumer choice, benefit small and medium-sized organizations, and increase competition, although some targeted enhancements could be made.

Background

  • In the OPC’s submission on Bill C-27, we recommended expanding the Commissioner’s ability to collaborate with domestic organizations like the Competition Bureau to ensure greater coordination and efficiencies in dealing with matters that raise privacy issues.
  • For year three of the CDRF, the Competition Bureau and OPC are developing an article on digital design patterns and how they engage our respective mandates.
  • In March 2024, the Competition Bureau sent a submission to Finance Canada’s public consultation to strengthen Canada’s financial sector. In it, they recommended adopting a consumer-driven banking framework as soon as possible as it:
    • would provide a secure means for individuals to transfer their information from one organization to another;
    • could help reduce consumer switching costs;
    • would reduce barriers to entry for new entrants and small and medium-sized organizations, thereby increasing competition.
  • On January 15, 2026, the Competition Bureau issued a report entitled “Your Data, Your Control: How Data Portability Can Unlock Competition and Empower Consumers” on which the OPC was consulted (see separate sheet for more details).

Lead: PRPA


Competition Bureau report on data portability and competition

Speaking points

  • My Office was consulted by the Competition Bureau on a draft of their report on data portability and competition that was just published last week.
  • While the scope of the report is broader than my mandate, I agree with the premise of the report that data portability can offer real benefits for consumers and businesses.
  • I applaud the Bureau for emphasizing privacy in the report, including noting that “[t]o ensure data portability succeeds, policymakers must make privacy and security considerations a priority.”
  • Prioritizing privacy includes ensuring that Canadians benefit from modernized privacy laws that support innovation. As such, we need to update PIPEDA to support safe, effective, and trusted data sharing.

Background

  • On January 15th, 2026, the Competition Bureau issued a report entitled “Your Data, Your Control: How Data Portability Can Unlock Competition and Empower Consumers”. In the summer of 2025, the Competition Bureau reached out to the OPC (PRPA), seeking comments on the draft. PRPA provided feedback regarding how to frame PIPEDA and privacy-related concepts. All but a few of the OPC’s minor comments are reflected in the final report.
  • The report includes the following points: i) Data portability laws can allow individuals to transfer their personal information easily and safely; ii) Privacy is a “major concern” for many individuals and a key governance element; iii) Ensuring individuals trust the ecosystem is a key driver for adoption; and iv) Data portability can support innovation, competition, and consumer choice across sectors.
  • The OPC’s seven priority recommendations for PIPEDA reform include: (1) establishing stronger enforcement powers, (2) recognizing the fundamental right to privacy, (3) enhancing children’s privacy rights, (4) including a framework for de-identification and anonymization, (5) including a clear and explicit right to deletion and de-listing, (6) requiring organizations to implement privacy by design and conduct privacy impact assessments for high-risk activities, and (7) instituting specific rules regarding trans-border data flows.

Lead: PRPA


Amendments to the Broadcasting Act

Speaking points

  • The proposed amendment to the Broadcasting Act restores privacy-protective language that was adopted in the previous Bill C-11 (Online Streaming Act, 44-1) but inadvertently replaced through a numbering error in a coordinating amendment in Bill C-13 (An Act for the Substantive Equality of Canada’s Official Languages, 44-1).
  • I wrote the previous minister of Canadian Identity and Culture in September 2025 regarding this oversight, which he promptly acknowledged, assuring me that he was working to resolve it.
  • I support the amendment that Division 24 would restore to the Broadcasting Act, which is consistent with my past advice on Bill C-11.

Background

  • Bill C-11, which received royal assent in April 2023, substantively amended the Broadcasting Act (BA), including to clarify the CRTC’s regulatory authority to impose obligations on online streaming services to “ensure the discoverability of Canadian programming services and original Canadian programs” (s. 3(1)(q)(i)).
  • In September 2022, you appeared before the Standing Senate Committee on Transport and Communications (TRCM) on C-11, where you recommended amending s. 3 of the BA “to include the protection of the privacy of persons as a policy objective.”
  • This recommendation stemmed from a concern that CRTC-imposed discoverability requirements could push online services to adapt “existing algorithms that rely on personal information or the analysis of personal information to determine whether user-generated content is Canadian.”
  • TRCM subsequently amended C-11’s interpretation clause (s. 2(3)) to specify that the BA must be construed and applied in a manner that is consistent with “the right to privacy of individuals” (paragraph 2(3)(b)).
  • In June 2023, the last government passed Bill C-13, which contained a coordinating amendment to s. 2(3) of the BA that inadvertently replaced this language.
  • In September 2025, the OPC wrote then Minister of Canadian Identity and Culture Steven Guilbeault to encourage the government to correct the error in deference to Parliament’s legislative intent. In October 2025, Minister Guilbeault wrote back to assure the Commissioner that work on a legislative solution was already underway.

Lead: PRPA


Investigation of X

Speaking points

  • In February 2025, after receiving a complaint, my Office commenced an investigation against X Corp. (the operator of the social media platform X) regarding its collection, use, and disclosure of Canadians’ personal information to train artificial intelligence (“AI”) models, including Grok.
  • In January 2026, following multiple media reports that the AI chatbot Grok was being used to create and share explicit images of individuals without their consent, my Office expanded its current investigation against X Corp. and launched a related investigation into xAI, the AI company responsible for Grok.
  • The expanded investigations will consider whether X Corp. and xAI collected, used, and disclosed personal information via Grok to create deepfakes, including explicit content, in contravention of PIPEDA. This will include examining whether the organizations’ practices were appropriate and whether the organizations obtained valid consent.
  • I am unable to elaborate further while the investigation is ongoing.

Background

  • In April 2025, Ireland launched an investigation into X’s use of EU data to train Grok AI.
  • In January 2026, Ofcom, the UK’s media regulator, initiated a formal investigation into X under the Online Safety Act over the use of Grok AI to manipulate images of women and children by removing their clothes.
  • The UK Information Commissioner’s Office has sought clarification from X and xAI regarding their compliance with UK data protection law.
  • eSafety, Australia’s online safety regulator, is investigating this matter under its image-based abuse scheme.
  • Following these reports of explicit imagery, Malaysia and Indonesia have blocked access to Grok AI.
  • To address this issue, both X Corp. and xAI announced that they have implemented measures to limit the creation of explicit content.

Lead: CPE


OPC’s use of X

Speaking points

  • It is a platform that we use as one of the many ways that we share information with Canadians, stakeholders, and media, in support of our mandate to promote and protect privacy.
  • The use of a variety of media for communications is important to provide clear, timely, accurate, and objective information from authoritative and trusted sources for all audiences, and this is also an important tool to prevent or counter misinformation and disinformation.

Background

  • The OPC uses X, LinkedIn, and Twitter.
  • The OPC has our own Social Media Policies and Notices publicly available within the Privacy content of our website.
  • We have seen a steady, slow decrease in followers on X, now at 17,300 followers.

Lead: Communications


Other topics of interest

Bill C-15’s amendments to the Red Tape Reduction Act (RTRA)

Speaking points

  • Bill C-15 proposes amendments to the Red Tape Reduction Act that would allow ministers to exempt entities from the application of provisions of Acts of Parliament, subject to certain terms, conditions and timeframes.
  • The OPC is strongly supportive of responsible innovation, including with respect to innovating regulatory regimes through the use of sandboxes – which we understand is the goal of these amendments.
  • However, to ensure that these efforts are both sufficiently protective and maximally effective, regulators should have a clear role in decision-making and oversight of these exemptions.
  • This is present in legislation enabling regulatory sandboxes such as Alberta’s Financial Innovation Act and the EU’s Artificial Intelligence Act but is missing from Bill C-15.

Background

  • The amendments are in Division 5 of Part 5 of Bill C-15, which is being studied by the Standing Committee on Government Operations and Estimates (OGGO).
  • To issue an exemption, a minister must be of the opinion that: (i) it is in the public interest; (ii) it would enable testing of a product, regulatory measure, etc. to facilitate the design, modification, etc. of a regulatory regime to encourage innovation, competition or economic growth; (iii) the benefits outweigh the harms; (iv) sufficient resources exist and measures are in place to maintain oversight and manage risks; and, (v) a feasible implementation plan has been developed.
  • Exemptions can be granted to almost any provision of an Act of Parliament, except for the Criminal Code, and last for up to 3 years (with extensions of another 3 years possible). The exemption will also be subject to “any terms that the minister considers appropriate.”
  • Alberta’s Financial Innovation Act allows exemptions to be granted to the application of Alberta’s Personal Information Protection Act (PIPA) but only with prior written approval from the Alberta Information and Privacy Commissioner, as well as their agreement on terms, conditions and restrictions.

Lead: PRPA


Privacy implications of Bill C-2 (Strong Borders Act)

Speaking points

  • Several elements of Bill C-2 have significant implications for privacy rights and interests.
  • When assessing the reasonableness of such provisions, key questions include: do they strike an appropriate balance between privacy rights and state interests? Do they provide for adequate oversight, accountability, and transparency? Are thresholds for the exercise of investigative powers appropriate in light of their potential invasiveness?
  • The OPC’s assessment is also guided by the principles of necessity and proportionality: in other words, is the intrusion on privacy demonstrably necessary to achieve a legitimate objective, and is the degree of intrusiveness proportional to the benefits to be gained?
  • The Minister of Public Safety has acknowledged that Bill C-2 does not achieve the necessary balance between privacy and law-enforcement objectives; I agree.
  • My Office remains fully committed to working with Public Safety on any privacy-enhancing amendments they may be contemplating.

Background

  • Bill C-2 was introduced in the House by the Minister of Public Safety in June 2025. In October 2025 the Minister introduced Bill C-12, which consists of 11 parts originally put forward in Bill C-2 but excludes some of its most controversial elements, notably:
    • amendments to the Canada Post Corporation Act to permit the demand, seizure, detention, or retention of anything in the course of post in accordance with an Act of Parliament and to enable Canada Post to open letter mail (Part 4);
    • amendments to the Criminal Code, the CSIS Act, and a number of other statutes to create or modify a range of investigative powers (including a warrantless “information demand”) (Part 14);
    • the proposed Supporting Authorized Access to Information Act, which would require electronic service providers to have the technical and operational capabilities to facilitate access to information by authorized persons (Part 15); and,
    • amendments to the PCMLTFA that would establish a framework for public-to-private information-sharing whereby reporting entities may collect and use personal information disclosed to them by the RCMP or government entities (Part 16).

Lead: PRPA


Scope and objectives of Bill C-8 (cybersecurity)

Speaking points

  • The OPC supports the objective of Bill C-8 to protect systems and services that are vital to national security or public safety from cybersecurity threats and vulnerabilities.
  • Stronger cybersecurity protections can also promote privacy by reducing the likelihood and impact of breaches involving personal data.
  • At the same time, new powers and authorities granted in the name of cybersecurity must be appropriately scoped and subject to suitable guardrails in order to limit the risk of unintended privacy impacts.
  • Several amendments to the former Bill C-26 were adopted in this spirit, but C-8’s potential privacy impacts could be further mitigated through the addition of an overarching necessity and proportionality requirement for any collection, use, or disclosure of personal information.

Background

  • Part 1 of Bill C-8 would amend the Telecommunications Act (TA) to add promoting the security of Canada’s telecommunications system as a policy objective and to provide the GIC and Minister of Industry with order-making powers to that end.
  • It would also amend the TA to create new authorities for the collection and disclosure of information by the Minister of Industry, Public Safety, Foreign Affairs, National Defence, the Chief of the Defence Staff, the Communications Security Establishment, CSIS, and the CRTC.
  • Part 2 would enact the Critical Cyber Systems Protection Act (CCSPA), which would authorize the GIC to designate certain services or systems in federally regulated sectors as “vital” (e.g., energy, finance, transportation, and telecommunications); to identify classes of operators that would be subject to cybersecurity directions and regulations; to issue cybersecurity directions; and to require designated operators to establish and implement cybersecurity programs, mitigate supply-chain risks, and report cybersecurity incidents.
  • You appeared before the House Standing Committee on Public Safety and National Security (SECU) on C-8 in October 2025 and sent a follow-up letter shortly thereafter. We subsequently received questions on potential amendments to the bill from the offices of a number of MPs. Clause-by-clause consideration is due to commence at SECU later this month.

Lead: PRPA


Privacy considerations with respect to Bill C-12 (Strengthening Canada’s Immigration System and Borders Act)

Speaking points

  • Bill C-12 omits some of the most controversial elements of Bill C-2, but certain provisions still engage privacy interests in that they would create or expand authorities to collect, use, or disclose personal information.
  • From a privacy perspective, the real risk of significant harm that might arise from such amendments is, in my view, relatively low.
  • I am also pleased to be able to say that the House took up my recommendation to amend one of the bill’s more concerning provisions, which might have allowed customs officers to enter the dwelling house of a small business owner who operates out of their home without prior judicial authorization.

Background

  • Bill C-12 was passed by the House in December 2025. As originally drafted, Part 1 would have amended the Customs Act to require any person who “transports or causes to be transported within Canada goods destined for export” to give CBSA or RCMP officers free access to “any premises or place under the person’s control” where any goods destined for export are “reported, loaded, unloaded or stored” (s. 97.01).
  • Following your November 2025 appearance before the Standing Committee on Public Safety and National Security, the Committee amended Part 1 to specify that if any premises or place referred to in s. 97.01 is a dwelling-house, an officer may not enter without consent, except under the authority of a warrant issued by a judge on reasonable grounds to believe.
  • Other elements of Bill C-12 with potential privacy implications include:
    • amendments to the Oceans Act to provide that coast guard services include activities related to security and to authorize the responsible minister to collect, analyze, and disclose information and intelligence (Part 4);
    • expanded information-sharing authorities under the Department of Citizenship and Immigration Act (Part 5);
    • new authorities for FINTRAC to disclose information to the Commissioner of Canada Elections, and new information-collection and -disclosure provisions for a new enrolment process, both under the PCMLTFA (Part 9); and,
    • expanded information-sharing authorities between law-enforcement agencies under the Sex Offender Information Registration Act (Part 11).

Lead: PRPA
