Key obligations by theme Key obligations by theme

Reasonable and appropriate purposes

Section 12(1) of the PPCDA carries forward PIPEDA’s reasonable person standard: an organization may “collect, use or disclose personal information only in a manner and for purposes that a reasonable person would consider appropriate in the circumstances.” Section 12(2) sets out a non-exhaustive list of factors to be taken into account, if applicable, in making a determination on appropriateness:

• the sensitivity of the personal information
• whether the purposes represent legitimate business needs of the organization
• the degree of effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs
• whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits
• whether the individual’s loss of privacy is proportionate to the benefits in light of the measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual

This approach largely codifies the four-part reasonableness analysis developed by courts under PIPEDA and that formed the basis for the OPC’s Guidance on inappropriate data practices.

A contravention of section 12(1) is now subject to a penalty of up to the higher of $10 million or 3% of gross global revenue (ss. 113(1)(c), 114).

Purpose identification and data minimization

Sections 12(3) and (4) require an organization to determine, at or before the time of collection, the purposes for which personal information is or is to be collected, used and disclosed, and to record these purposes (s. 12(3)). Any new purpose must be recorded before using or disclosing personal information for the new purpose (s. 12(4)).

Section 13 limits collection to the personal information that is “necessary” for the purposes recorded under s. 12(3).

These obligations largely restate existing PIPEDA requirements to identify, document and limit collection, but replace them in binding provisions of the Act rather than in Schedule 1 under PIPEDA. Section 13 does not carry forward PIPEDA’s requirement that information be collected by “fair and lawful means.”

Collection of personal information beyond what is necessary can attract penalties of up to the higher of $10 million or 3% of gross global revenue (ss. 113(1)(c)–(d), 114).

Accountability provisions

The PPCDA clarifies the concept of an “accountable organization” and sets out several provisions relating to demonstrable accountability. Similar to PIPEDA, organizations are “accountable” for personal information under their control (s. 7(1)). The PPCDA clarifies that personal information is under the control of an organization that “decides to collect it and that determines the purposes for its collection, use or disclosure, regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization” (s. 7(2)).

Organizations are required to designate one or more individuals as responsible for compliance with the Act (s. 8(1)). They must also implement and maintain a privacy management program that includes policies, practices and procedures to fulfill their obligations under the Act and that takes into account the volume and sensitivity of personal information under their control (ss. 9(1)–(2)).

Upon request (i.e., without needing reasonable grounds), the Commission may require organizations to provide access to their privacy management program materials (s. 10(1)). After review, the Commission may provide guidance or recommend corrective measures (s. 10(2)). Organizations may also voluntarily request guidance regarding their program (s. 76(c)(v)).

Importantly, the Commissioner cannot use information obtained through the program review mechanism (s. 10 or s. 76(c)(v)) to initiate a complaint or carry out an audit, unless the Commissioner considers that the organization has willfully disregarded the corrective measures recommended in relation to its program (ss. 10(1), 76(c)(v), 87).

Failure to implement or maintain a privacy management program is an enumerated contravention attracting penalties of up to the higher of $10 million or 3% of gross global revenue (s. 113(1)(a)).

Service providers

The PPCDA introduces a new definition of “service provider,” which means an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes (s. 2(1)).

Service providers are only directly subject to the PPCDA’s safeguarding requirements, and obligation to notify the accountable organization of a breach of security safeguards as soon as feasible (ss. 56, 61). Service providers are not subject to other obligations — including those relating to accountability, consent, retention, accuracy, rights of access, transparency, data mobility and other requirements — in respect of personal information transferred to it by an accountable organization (s. 11(2)). However, a service provider that collects, uses or discloses personal information for any purpose other than the purposes for which the information was transferred to it becomes an accountable organization subject to all of the obligations under the PPCDA (s. 11(2)).

Accountable organizations that transfer personal information to service providers do not need to obtain the consent of the concerned individuals for the transfer (s. 19). However, they must ensure, by contract or otherwise, that the service provider provides a level of protection “equivalent” to that which the organization is required to provide under the Act (s. 11(1)). This is a higher standard than under PIPEDA, which requires a “comparable” level of protection.

Where an organization disposes of personal information at an individual’s request, it must inform any service provider to which it has transferred the information and ensure that the service provider disposes of the information (s. 54(5)).

Failure to ensure equivalent protection is an enumerated contravention attracting penalties of up to the higher of $10 million or 3% of gross global revenue (s. 113(1)(b)).

Transfers and disclosures outside Canada

Before transferring or disclosing personal information outside of Canada, organizations must

• carry out a privacy impact assessment in accordance with prescribed requirements (s. 57(1)(a))
• implement measures to mitigate risks identified in the assessment (e.g., contractual safeguards, adherence to an approved code of practice or certification program, or other prescribed measures) (s. 57(1)(b))
• provide a copy of the assessment to the Commission upon request (s. 57(2))

The organization must also be transparent about whether or not it transfers or discloses personal information interprovincially or outside of Canada that may have foreseeable privacy implications (s. 62(2)), as detailed in the “Openness and Transparency” section below.

While the PPCDA does not prescribe model clauses to be used for international data transfers, it does contemplate that the Commission may work with any person to develop model contracts or other documents relating to the interprovincial or international transfer of personal information (s. 81(2)(c)).

Codes of practice and certification programs

The PPCDA provides statutory recognition of codes of practice and related certification programs (ss. 92–96).

The key criteria for codes and certification programs will be set out in regulations, but the substance of any code or certification program must provide “substantially the same or greater protection of personal information as some or all of the protection provided” under the PPCDA (s. 93(1)). Certification programs run by entities will need to include independent verification mechanisms and disciplinary measures for non-compliance with the code (ss. 93(1)(d), 93(2)).

Entities, including government institutions and any organization, may apply to the Division for approval of a code or certification program (ss. 92(2), 93(1)). The Division may formally grant approval if it is satisfied that the code or certification program meets the criteria set out in the regulations (ss. 92(3), 93(2)). The decision by the Division must be issued within the time frame set out in the regulations and must be made public (ss. 94 and 95).

Compliance with a code or certification program does not relieve an organization of its obligations under the PPCDA (s. 96).

The PPCDA provides the Commissioner with powers to request information from an entity operating an approved certification program, cooperate with an entity operating an approved certification program, recommend to the entity that an organization’s certification be withdrawn in prescribed circumstances, and revoke the approval of a certification program, in prescribed circumstances as set out in regulations (ss. 85(2)(a)–(d)).

The Commissioner also has the power to decline to investigate a complaint where, among other grounds, the complaint raises an issue covered by an approved certification program and the organization is certified under that program (s. 98(1)).

Of note, a penalty cannot be imposed if an organization was in compliance with an approved certification program at the time of the contravention (s. 113(3)(a)). However, the private right of action is still available for the contravention (s. 132).

Children’s personal information

PPCDA introduces express provisions regarding children’s personal information.

Definition of a “child”

PPCDA defines a “child” as an individual who is under 18 years of age (s. 2(1)) and includes a child’s personal information within the definition of “sensitive” (s. 2(1)).

The sensitivity of information impacts certain requirements under the PPCDA, including those relating to privacy management programs, “appropriate” purposes, form of consent, retention periods, security safeguards, breach reporting and notification, transparency, and de-identification technical and administrative measures (ss. 9(2), 12(2)(a), 15(5), 52(2), 56(1), 58(8)(a), 62(2)(e), 74(b)).

Rights and recourse

The PPCDA contains protections specific to children. While there is no express parental consent requirement, rights and recourse under the Act could be exercised on a child’s behalf by a parent, guardian or tutor, unless the child wishes to exercise those rights personally and is capable of doing so (s. 4(a)).

Children also benefit from a stronger right of disposal: an organization cannot refuse a request to dispose of a child’s personal information on the basis that disposal would have an undue adverse effect on the accuracy or integrity of information necessary to the ongoing provision of a product or service to the individual (s. 54(2)(d)).

Best interests of children

The “best interests of children” is a mandatory interpretive factor that the Commission, the Commissioner and the Division must each consider in exercising their powers or performing duties or functions under the PPCDA (ss. 77(d), 86(d), 90(d)).

While there is no penalty specifically tied to any requirement relating to children’s data, not appropriately accounting for the sensitivity of this information could result in a finding that an organization had failed to comply with consent, transparency, accountability, breach reporting, or other requirements under the PPCDA, and may result in an organization being exposed to the imposition of a penalty up to the higher of $10 million or 3% of gross global revenue (s. 113(1)(g)).

Consent requirements and withdrawal

Under the PPCDA, organizations may only collect, use or disclose personal information with consent, unless a statutory exception applies (s. 15(1)). This approach entrenches consent as the primary legal authority under the Act for processing personal information, as it was under PIPEDA.

Form of consent

The PPCDA establishes that the default form of consent required to collect, use and disclose personal information must be “expressly obtained” (i.e., opt-in consent) (ss. 15(1), 15(5)). Implied consent operates as an exception to this general requirement and may only be relied upon where “appropriate,” taking into account an individual’s reasonable expectations and the sensitivity of the personal information (s. 15(4)). This approach to consent is broadly consistent with how the OPC has interpreted and enforced PIPEDA’s consent requirements.

The PPCDA further provides that reliance on implied consent is “not appropriate” if the personal information is collected or used under a consent exception for prescribed “business activities” or the personal information is collected, used or disclosed under a consent exception for “legitimate interests” (s. 15(6)). See Exceptions to consent.

Requirements for valid consent

The PPCDA introduces specific requirements regarding both the substance and accessibility of the information organizations must provide to individuals when seeking consent for the collection, use or disclosure of their personal information. Under the PPCDA, organizations must, at or before the time consent is obtained, and in “plain language,” provide the following information to individuals

• the purposes for the collection, use or disclosure as determined and recorded under sections 12(3) or (4) of the PPCDA
• the manner in which the personal information is to be collected, used or disclosed
• any reasonably foreseeable consequences
• the specific type of personal information to be collected, used or disclosed
• the names of any third parties or types of third parties to which the organization may disclose the information (ss. 15(3)–(4))

These requirements reflect guidance previously published by the OPC in its Guidelines for obtaining meaningful consent as well as the meaning of a “valid” consent under PIPEDA which requires that an individual understand the “nature, purpose and consequences” of the collection, use or disclosure of their personal information.

Consent obtained through deception

The PPCDA introduces an expanded prohibition against organizations obtaining — or attempting to obtain — an individual’s consent by providing false or misleading information or using deceptive or misleading practices (s. 16). Any consent obtained through such means will be considered invalid and cannot be relied upon by an organization as a lawful authority for its collection, use or disclosure of personal information.

An organization that violates this prohibition may be exposed to the imposition of a penalty up to the higher of $10 million or 3% of gross global revenue (s. 113(1)(g)).

Withdrawal of consent

Similar to PIPEDA, the PPCDA recognizes that individuals may, on giving reasonable notice to the organization, withdraw their consent to the collection, use or disclosure of their personal information, subject to the PPCDA, federal or provincial law, and the reasonable terms of a contract (s. 17(1)). Organizations must inform individuals of the consequences of their withdrawal, and as soon as is feasible, cease the collection, use or disclosure of the personal information to which the withdrawal relates (s. 17(2)).

Exceptions to consent (including business activities and legitimate interest)

Business activities

The PPCDA introduces a new exception to consent for the collection and use of personal information for standard business activities (s. 18(1)). Organizations may rely upon this exception for their use — but not disclosure — of personal information where such use falls within the scope of business activities contemplated by section 18(2). However, reliance on this exception is subject to two cumulative conditions:

• the collection must be for a purpose that a reasonable person would expect (s. 18(1)(a))
• the personal information at issue must not be collected or used “for the purpose of influencing the individual’s behaviour or decisions” (s. 18(1)(b))

The prescribed business activities are drafted in technology-neutral terms and are non-exhaustive, as additional activities may be added by regulation. At present, the activities include

• activities necessary to provide a product or service requested by the individual
• activities necessary to protect the security of the organization’s information; systems or networks
• activities necessary to ensure the safety of a product or service provided by the organization. Once enacted, this exception will provide organizations with a statutory basis for operational processing activities that were previously addressed through reliance on implied consent under PIPEDA.

Legitimate interests

The PPCDA introduces a new exception permitting organizations to collect, use or disclose personal information without consent where the processing is for the purpose of an activity in which the organization has a legitimate interest that outweighs any reasonably foreseeable adverse effect on the individual (s. 18(3)). Reliance on this exception is subject to two cumulative conditions:

• A reasonable person would expect the collection, use or disclosure for such an activity.
• The personal information is not collected, used or disclosed for the purpose of influencing the individual’s behaviour or decisions (ss. 18(3)(a)–(b)).

Once an organization has determined that its intended collection, use or disclosure of personal information will satisfy the conditions mentioned above, the PPCDA requires that the organization take additional steps including

• identify and describe its legitimate interest in the proposed activity
• carry out, in accordance with the prescribed requirements, a privacy impact assessment in which the organization must identify any reasonably foreseeable adverse effect on the individual that is likely to result from the collection, use or disclosure
• identify and take reasonable measures to reduce the likelihood that the effects will occur or to mitigate or eliminate them (s. 18(4))

The organization must maintain a record of the description of its legitimate interest, and a copy of this record must be provided to the Commissioner upon request (s. 18(5)).

Service provider transfers

The PPCDA introduces an express statutory exception to the consent requirement for transfers of personal information to service providers (s. 19). This provision largely codifies the OPC’s longstanding position under PIPEDA that a transfer of personal information to a service provider, where the information is used only for the purposes for which it was originally collected, is generally considered a use by the organization rather than a disclosure requiring separate consent.

Organizations must comply with accountability obligations when transferring personal information to a service provider. See Service providers.

De-identification and anonymization

The PPCDA creates an express exception to consent that permits organizations to use personal information to de-identify or anonymize the information (s. 20).

Internal research, analysis and development

The PPCDA provides an exception to the consent requirement for the use of personal information for an organization’s internal research, analysis and development purposes, provided that the information is de-identified (in accordance with the standard under the PPCDA) before being used for such purposes (s. 21). The scope of “internal research, analysis and development purposes” is broad and therefore could be interpreted to include activities such as analytics, artificial intelligence, machine learning and other data-driven development activities.

Business transactions

The PPCDA sets out an exception to the consent requirement for the use and disclosure of personal information in connection with prospective or completed business transactions (s. 22). Similar to PIPEDA, this provision permits parties to a transaction to share personal information where specified conditions are met, including requirements relating to safeguarding the information and providing notice to affected individuals following completion of the transaction.

However, the PPCDA significantly narrows this exception by requiring that personal information be de-identified before it is used or disclosed in connection with a prospective transaction and remain de-identified until completion of the transaction. This de-identification requirement does not apply where

• de-identification would undermine the objectives of carrying out the transaction
• the organization has taken into account the risk of harm to the individual that could result from the use or disclosure of the information (s. 22(2))

Fraud detection

The PPCDA introduces an express exception to the consent requirement for collection and use of personal information for the purposes of detecting, suppressing or preventing fraud (s. 27(2)). This provision addresses a technical gap in PIPEDA’s fraud-related exception, which expressly permitted disclosure of personal information to another organization for these purposes but did not contain a corresponding exception for the collection or use of personal information.

Anti-money laundering and terrorist financing disclosure

Similar to PIPEDA, the PPCDA contains a consent exception permitting the disclosure (and corresponding collection and use) of personal information without consent where the disclosure is made to another organization in accordance with section 11.01(1) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (s. 41).

A failure to obtain valid consent, or to use or disclose personal information for a secondary purpose without consent (or the application of an exception) (s. 14(1); s. 15(1)) could expose an organization to the imposition of a penalty up to the higher of $10 million or 3% of gross global revenue (s. 113(1)(f)).

Transparency and openness

The PPCDA requires organizations to make information explaining their policies and practices “readily available, in plain language” (s. 62(1)). PIPEDA imposes a lesser standard that requires organizations to be open about policies and to make information readily available in a form that is “generally understandable” (Schedule 1, Principle 4.8).

The PPCDA supplements PIPEDA’s transparency requirements by setting out the following new mandatory content (s. 62(2))

• how the organization applies consent exceptions, including a description of any processing based on legitimate interest (s. 62(2)(b))
• a general account of any automated decision systems used to make predictions, recommendations or decisions about an individual that could have a legal or similarly significant effect on individuals (s. 62(2)(c))
• whether the organization transfers or discloses personal information interprovincially or outside Canada with reasonably foreseeable privacy implications (s. 62(2)(d))
• retention periods applicable to sensitive personal information (s. 62(2)(e))
• how individuals may request disposal of their information (s. 62(2)(f))

In addition, the transparency requirement under the PPCDA requires organizations to provide notice about the organization’s policies and practices put in place “to fulfill its obligations under this Act.” The latter phrase is distinct from PIPEDA, which provides that organizations must provide notice about its policies and practices “with respect to the management of personal information.”

Failure to comply with the openness and transparency obligations in section 62(1) of the PPCDA is an enumerated contravention attracting penalties of up to the higher of $10 million or 3% of gross global revenue (ss. 113(n), 114).

Automated decision systems

Like other modern privacy law frameworks, including the Québec Act respecting the protection of personal information in the private sector (the Québec Privacy Act), the PPCDA introduces requirements regarding the use of “automated decision systems,” defined as “any technology that assists or replaces the judgement of human decision makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep learning and a neural network or other technique” (s. 2(1)). The use of the word “assist” indicates that these requirements are not limited to fully automated decisions — for example, an algorithm used to flag applications for human review could potentially fall within scope.

Where automated decision systems are used to make predictions, recommendations or decisions about individuals that could have a legal or similarly significant effect, the following requirements are triggered:

• Openness: Organizations must make readily available a general account of their use of any such system as part of their transparency and openness obligations (s. 62(2)(c)).
• Access/explanation: Upon request, organizations must provide a plain language explanation of any prediction, recommendation or decision, which must indicate the type of personal information used, the source of the information, and the reasons or principal factors that led to the prediction, recommendation or decision (ss. 63(4)–(5), 66(1)).
• Written representations: Provide the individual with an opportunity to make written representations to an employee who can review the prediction, recommendation or decision (s. 63(6)). This requirement was not found in the CPPA, though it mirrors a requirement of the Québec Privacy Act.

Unlike certain international privacy frameworks, for example the E.U.’s General Data Protection Regulation (GDPR), the PPCDA does not provide an express right to object to automated decisions.

Failure to comply with openness and transparency obligations regarding the use of automated decision systems could cause an organization to be exposed to the imposition of a penalty up to the higher of $10 million or 3% of gross global revenue (s. 113(1)(n)).

Breaches of security safeguards

The PPCDA contains a security breach notification framework that remains substantially similar to the current PIPEDA regime.

Organizations must report to the Commission and notify affected individuals of any breach of security safeguards involving personal information under their control where it is reasonable in the circumstances to believe the breach creates a “real risk of significant harm” to an individual (s. 58). Both the report and the notification are required as soon as feasible after the organization determines the breach has occurred. Whether the threshold is met turns on the sensitivity of the information, the probability of misuse and any other prescribed factor (s. 58(8)).

Where another organization or government institution may be able to reduce the risk of harm, the organization must also notify it (s. 59). Separately, organizations must keep a record of every breach, regardless of whether the “real risk of significant harm” threshold is met (s. 60).

PPCDA codifies the obligation on a service provider to notify the organization that controls the information as soon as feasible after determining that a breach of security safeguards has occurred, and this obligation is not qualified by the “real risk of significant harm” threshold (s. 61).

Form, content and recordkeeping requirements are left to regulation.

The Commission may impose penalties for breaching the notification requirements (s. 58) or safeguarding requirements (s. 56(1)), with fines of up to the higher of $10 million or 3% of gross global revenues (s. 113(1)). Knowing contraventions of the breach notification (s. 58) or recording requirements (s. 60(1)) may be prosecuted as offences, carrying fines of up to the higher of $25 million or 5% of gross global revenues (s. 145).

Rights of information, access and amendment

Like PIPEDA, the PPCDA gives individuals a right to access the personal information an organization holds about them and to have inaccurate information corrected.

On request, an organization must inform the individual whether it holds personal information about them, how it uses and discloses the information, and give the individual access to that information (s. 63(1)). If the organization has disclosed the information, the organization must identify the third parties or types of third parties to which the disclosure was made (s. 63(3)).

An organization is not required to act on an access request in respect of de-identified personal information (s. 63(2)).

Form of request, assistance and plain language

Like PIPEDA, the PPCDA provides that a request must be made in writing, and the organization must assist any individual who needs help preparing a request (s. 64). The organization must provide the requested information in plain language and give access in an alternative format to an individual with a sensory disability where a version already exists or its conversion is reasonable and necessary (s. 66(1)–(2)).

Time limits and cost

An organization must respond with due diligence and no later than 30 days after receiving the request (s. 67(1)), with the possibility to extend that time limit for a maximum of 30 days in limited circumstances, which are essentially unchanged from PIPEDA (s. 67(2)).

An organization that refuses a request must give written reasons and advise the individual of available recourse; a failure to respond within the time limit is deemed a refusal (ss. 67(3)–(4)). An organization must not charge for responding to a request unless it has informed the individual of the approximate cost and the cost is minimal (s. 68).

Refusal of access

The PPCDA substantially preserves the exceptions to access set out in PIPEDA (ss. 70(1), 70(7)).

Amendment of personal information

Where an individual has been given access to their personal information and demonstrates that it is not accurate, up to date or complete, the organization must amend the information as required (s. 71(1)). An organization is not required to amend de-identified personal information (s. 71(2)). Where appropriate, the organization must transmit the amended information to any third party with access to it (s. 71(3)). Where the organization and individual do not agree on the amendments, the organization must record the disagreement and, where appropriate, inform such third parties of it (s. 71(4)).

Penalties

The access and amendment provisions (ss. 63–71) are not enumerated contraventions attracting administrative monetary penalties under section 113(1). However, knowingly failing to retain information that is the subject of an access request (s. 69) may be prosecuted as an offence, exposing an organization to a fine of up to the higher of $25 million or 5% of gross global revenues on indictment (s. 145).

Right of disposal (deletion)

The PPCDA establishes a statutory right of disposal of personal information. In a technical briefing held shortly after the introduction of Bill C-36 (on June 17, 2026), Government of Canada representatives framed this right as a “new right to request deletion,” including to enable Canadians to ask that an organization “take down” deepfakes based on their likeness.

A new statutory right

On an individual’s written request, an organization is required to dispose of that individual’s personal information where

• the information was collected, used or disclosed in contravention of the PPCDA
• the individual has withdrawn consent, in whole or in part, to its collection, use or disclosure; or
• the information is no longer necessary for the continued provision of a product or service the individual requested (s. 54(1)(a)–(c))

To “dispose” means to permanently and irreversibly delete personal information or to anonymize it (s. 2(1)). Disposal must occur “as soon as feasible” after the request, and the organization must inform any service provider to which it transferred the information “as soon as feasible” of the request and ensure that the service provider also disposes of it (ss. 54(1), 54(5)).

PIPEDA does not contain an express, standalone right to request disposal. Under PIPEDA, organizations may only retain personal information for as long as necessary to fulfil identified purposes and must thereafter destroy, erase or anonymize the information, and individuals have the right to withdraw their consent to the collection, use or disclosure of their personal information, subject to legal or contractual restrictions. In some circumstances, the right to withdraw consent effectively results in a corresponding obligation to delete the individual’s personal information where the organization no longer has any purpose for retaining it.

Refusal of requests

Where a request to dispose of personal information is grounded in the individual’s withdrawal of consent or information no longer being necessary (and not grounded in the collection, use or disclosure taking place in contravention of the Act), an organization may refuse disposal where

• it would also dispose of another individual’s personal information that cannot be severed without imposing an undue burden on the organization
• legislative requirements or reasonable terms of a contract prevent disposal
• the information is necessary for the organization to establish a legal defense or exercise other legal remedies
• the information does not relate to a child and disposal would have an undue adverse effect on the accuracy or integrity of information necessary to the ongoing provision of a product or service to the individual
• the request is vexatious or made in bad faith; or
• disposal would have an undue adverse effect on the organization that outweighs any potential adverse effect on the individual resulting from the retention of the information (ss. 54(2)(a)–(f))

An organization is not required to dispose of de-identified personal information (s. 54(3)). This exemption has no analogue in PIPEDA, which does not address disposal of de-identified information.

Where an organization refuses a request, it must inform the individual in writing, setting out the reasons and any recourse the individual may have — that is, to challenge compliance or to file a complaint with the Commissioner (ss. 54(4)(a), 73, 97(1)).

Where an organization refuses a request on the basis that the disposal would have an undue adverse effect on the organization that outweighs any potential adverse effect on the individual resulting from the retention of the information, the organization would also be required to inform the Commission (ss. 54(2)(f), 54(4)(b)).

This balancing test and notice provision replaces a refusal ground under the CPPA that would have permitted refusal where information that did not relate to a minor was already scheduled for disposal under the organization’s retention policy and the organization informed the individual of the remaining period for which the information would be retained.

Contravention of requirements relating to retention and disposal periods, compliance with disposal requests, and ensuring service provider compliance with disposal requests could expose an organization to a penalty of up to the higher of $10 million or 3% of gross global revenues (ss. 114, 52, 54(1), 54(5)).

Right of data mobility

The PPCDA introduces a concept of a data mobility right (similar to the statutory portability rights under the Québec Privacy Act and under the GDPR). This new right requires an organization that has collected personal information from an individual to disclose such personal information to another organization “as soon as feasible” upon the individual’s request.

The data mobility right is subject to a “data mobility framework” prescribed by regulations to be drafted by the Governor in Council. The disclosing and receiving organizations would both need to be subject to the data mobility framework for the disclosure to take place. These regulations will establish safeguards that must be put in place to enable the secure disclosure (and corresponding collection) of personal information, as well as prescribed technical interoperability parameters and exceptions to the disclosure requirement.

The regulations will also specify certain organizations that will be subject to a data mobility framework and may distinguish among different “classes” of “activities, government institutions or parts of government institutions, information, organizations or entities” (s. 141).

Of note, the PPCDA expressly provides that an organization is not required to disclose de-identified personal information.

Open banking is the first federal use case operationalizing the data mobility provisions under PIPEDA. The federal government passed the Consumer-Driven Banking Act (CDBA) in 2024. The CDBA creates a framework to both enable consumers, including small businesses, to securely share prescribed types of financial data among defined participating entities, and to foster competition in the financial sector in the interests of consumers.

---