Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
If you've been following Canada's privacy law — and let's be honest, who isn't? — you might have noticed that the Personal Information Protection and Electronic Documents Act has been doing a little wardrobe change behind the scenes.
Thanks to the federal government's Budget 2025 Implementation Act, we're seeing amendments that previously lived in the now-defunct Bill C-27. Think of it as recycling, but for legislation and only with some plastics — not all of them.
Here's the gist: Sections 72 and 123 from Bill C-27 have been resurrected; Section 124 is back too, with a slight facelift; and the big headline? A data mobility framework is coming to town.
What were these sections about?
Section 72 introduced the idea of data mobility, giving individuals the right to securely transfer their personal information from one organization to another. Think of it as portability with guardrails, so you can switch service providers without feeling like you're breaking up with someone who still has your Netflix password.
Section 123 was all about regulatory powers — basically giving the government the ability to make rules for compliance agreements, complaints and enforcement. In other words, the "how" behind the "what."
Section 124 addressed codes of practice and certification programs, letting organizations adopt approved privacy codes or certification programs to show they're playing by the rules. Bonus: The privacy commissioner is responsible for approving and monitoring these programs, so no one's handing out gold stars without oversight.
Why the rush?
The government seems keen to push forward with consumer-directed finance under the Consumer-Driven Banking Act, proposed to be amended under the budget act to ensure individuals and businesses "can safely and securely share their data with the participating entities of their choice." Translation: they want Canadians to have more control over their financial data, and they're not waiting for a full PIPEDA overhaul to make it happen.
Rumor has it a new bill to reform PIPEDA could drop soon — maybe even this fall. For now, these amendments are the appetizer before the main course.
What should privacy pros do?
- Keep an eye on these regulations. They'll shape how data mobility works in practice.
- Start thinking about what consumer-directed finance means for your organization. To be clear, it's not just about banks.
- And maybe, just maybe, brace yourself for more legislative déjà vu when that new PIPEDA bill finally arrives.
In short: PIPEDA is changing at a slow, old-school pace of a Brian Adams ballad. If you're in privacy, you'd better keep your dancing shoes handy because things might pick up to at least a Michael Bublé pace.
Why this matters
- Data mobility will change how organizations handle personal information. Start planning for secure transfer processes now.
- Consumer-directed finance isn't just for banks. Any organization holding financial data could be impacted.
- Certification programs may become a competitive advantage. Consider whether your organization should pursue one.
- Expect more changes soon. These amendments are likely just the beginning of a broader privacy law overhaul.
Kris Klein, CIPP/C, CIPM, FIP, is the country leader, Canada, for the IAPP.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
