REPORT

Legislative intent and purpose, application and definitions Legislative intent and purpose, application and definitions

June 29, 2026 27 MIN READ
Download the Report [PDF]

Legislative intent and purpose

Highlights

  • Key change from PIPEDA: The PPCDA expressly articulates that privacy is a fundamental right, which was not recognized in PIPEDA or the CPPA.
  • Key change from the CPPA: In addition to the above, the PPCDA does not include a lengthy preamble like the CPPA, and introduces a new overarching obligation for the Commission, Commissioner and the Division to exercise their powers in a proportionate and contextual manner.

Although the PPCDA does not include a preamble, the Act’s operative provisions and purpose clause can be used to interpret legislative intent. The PPCDA provides that:

The purpose of this Act is to establish — in an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information — rules to govern the protection of personal information in a manner that recognizes the fundamental right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances (PPCDA, s. 5).

Notably, the express recognition of privacy as a “fundamental right” in the legislation, which was strongly advocated for by the OPC, is a key change from the CPPA and recognizes the significance of the rights being protected by the PPCDA and balanced against the needs of organizations.

In addition, the PPCDA provides that the Commission, the Commissioner and the Division must take into account all relevant factors when exercising their powers or performing their duties or functions, including

  • the size and revenue of organizations
  • the volume of personal information under the control of organizations and the sensitivity of that information
  • the best interests of children
  • the importance of respecting Canada’s international trade obligations
  • the importance of supporting economic growth, competition and innovation in the Canadian marketplace
  • any other matter of general public interest (ss. 77, 86, 90)

This provision builds proportionality and a contextual analysis into the regulatory framework in a more express manner than under PIPEDA.

Application

Highlights

  • Key change from PIPEDA: The application of the PPCDA has not materially changed from PIPEDA. The PPCDA maintains the definition of “commercial activity” as set out in PIPEDA and the CPPA.
  • Key change from the CPPA: None or not material.

Like PIPEDA, the PPCDA applies to the collection, use and disclosure of personal information in the course of commercial activities, and to personal information of employees and job applicants of federal works, undertakings and businesses.

The PPCDA includes PIPEDA’s definition of “commercial activity,” meaning “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists” (s. 2(1)).

The PPCDA does not apply to certain information, including the following:

  • personal information that the organization collects, uses and discloses outside the scope of the organization’s commercial activities (s. 6(1))
  • anonymized information (s. 6(5))
  • personal information collected, used or disclosed for personal, journalistic, artistic or literary purposes (ss. 6(4)(b)–(c))
  • personal information collected, used or disclosed solely for the purpose of communicating with an individual in relation to their employment, business or profession (s. 6(4)(d))
  • employee personal information in the context of provincially regulated employment relationships

Key Definitions

Highlights

  • Key change from PIPEDA
    • The PPCDA clarifies that personal information includes inferred information about an identifiable individual.
    • The PPCDA introduces a non-exhaustive definition of sensitive personal information that requires a contextual analysis and that specifically identifies certain personal information that may be sensitive, including children’s information and health information. PIPEDA, on the other hand, does not include a specific definition but similarly provides that personal information may be considered sensitive depending on the context.
    • The PPCDA introduces specific definitions to account for different states of data, including de-identified personal information and anonymous information, which are not expressly defined in PIPEDA.
  • Key change from the CPPA
    • The PPCDA clarifies that personal information includes inferred information about an identifiable individual.
    • While the CPPA recognized that the personal information of a minor and certain medical information would be considered sensitive, the CPPA was otherwise silent on the scope of sensitive personal information.
    • The PPCDA includes a revised definition of “anonymize” to that which was originally introduced by the CPPA.

The PPCDA includes key terms that define different types of personal information and other data.

Personal information

Under the PPCDA, the definition of personal information has been clarified to include “information that is inferred about [the identifiable individual]” (s. 2(1)). The express mention of inferred information in the definition is new.

Sensitive personal information

The PPCDA introduces a definition of “sensitive,” which describes personal information in respect of which, taking into account the circumstances, an individual has a heightened expectation of privacy, including, as the case may be

  • a child’s personal information
  • personal information revealing an individual’s racial or ethnic origin, political opinions or religious or philosophical beliefs
  • an individual’s trade union membership
  • genetic information or health information
  • biometric information that is capable of uniquely identifying an individual or
  • information concerning an individual’s sexual orientation (s. 2(1))

De-identified personal information

The PPCDA uses essentially the same definition of de-identified personal information as set out in the CPPA, meaning personal information that has been modified “so that an individual cannot be directly identified from it, although a risk of the individual being identified remains” (s. 2(1)).

The PPCDA provides that all de-identified personal information remains personal information under the PPCDA (s. 2(2)). However, certain obligations under the PPCDA do not apply to de-identified personal information. Specifically, organizations are not required to fulfil the following rights requests in respect of de-identified personal information: disposal; information and access; amendment; and data mobility (ss. 51(3), 63(2), 71(2), 72(2)). Further, the obligation to maintain accuracy does not apply to de-identified personal information (s. 55(2)).

When de-identifying personal information, organizations must consider re-identification risk when applying technical and administrative measures, and ensure those measures are proportionate to the purpose for which the information is de-identified and its sensitivity (s. 74).

Organizations are prohibited from using de-identified personal information — alone or in combination with other information — to identify an individual, except in specified circumstances, including testing the effectiveness of security safeguards, testing the fairness and accuracy of models developed using de-identified personal information, testing de-identification effectiveness and, as an expansion to the CPPA, in circumstances where the personal information was de-identified solely for the purpose of protecting it, where the organization has valid consent or where the organization is otherwise able to rely on a defined exception to consent (s. 75). Knowingly contravening section 75 is an offence that is subject to significant fines.

Anonymized information

Under the PPCDA, “anonymize” means “to irreversibly and permanently modify personal information to ensure that there is no reasonably foreseeable risk in the circumstances that an individual can be identified from the information, whether directly or indirectly, by any means” (s. 2(1)). This change to the definition of “anonymize” brings the term into alignment with the standard for anonymization in legislative schemes across Canadian and certain global jurisdictions. Like the CPPA, the PPCDA confirms that anonymized information falls outside the application of the Act (s. 6(5)).


Next