Executive Summary: Bill C-15 Changes to PIPEDA
What This Is About
Bill C-15 (the Budget 2025 Implementation Act, No. 1) makes changes to PIPEDA, Canada’s main privacy law that protects personal information. Think of it as updating the rules about how companies handle your personal data.
The Main Change: Data Mobility (Your Right to Move Your Data)
What’s New?
The bill adds a brand new section to PIPEDA called “Mobility of Personal Information.” Here’s what it means in simple terms:
You now have the right to tell a company: “Send my personal information to another company I choose.”
Think of it like this: If you bank with TD and want to switch to RBC, you could tell TD to send your banking information directly to RBC (if both banks are part of the system). No more printing out statements or manually transferring everything yourself.
How It Works
- You make the request – You tell Company A to send your personal info to Company B
- Company A must comply – They have to send it “as soon as feasible”
- Both companies must be in the system – They both need to be part of what’s called a “data mobility framework”
What Gets Protected
The government can make rules about:
- Security measures – How companies keep your data safe when moving it
- Technical standards – Making sure different companies’ systems can talk to each other
- Which companies are included – Deciding which businesses have to offer this
- Exceptions – Times when companies don’t have to share (like protecting business secrets)
Other Important Changes
Stronger Enforcement
The bill updates several enforcement sections to include this new data mobility rule. This means:
- You can file complaints if companies don’t let you move your data
- The Privacy Commissioner can audit companies to make sure they’re following the rules
- Whistleblower protection – Employees who report violations are protected
- Court orders – Judges can force companies to fix their practices
Updates to Existing Rights
All the existing ways you can enforce your privacy rights now also apply to this new data mobility right. This includes:
- Filing complaints with the Privacy Commissioner
- Going to Federal Court if needed
- Having the Commissioner enter compliance agreements with companies
- Protection for employees who speak up about violations
Why This Matters
For Regular People
- More control over your personal information
- Easier to switch between service providers (banks, phone companies, etc.)
- Less hassle – no more manually re-entering all your data
For Businesses
- New obligations to build systems that can transfer customer data
- Compliance costs to implement technical standards
- Competitive pressure – easier customer switching means you need to keep people happy
When Does This Start?
The changes come into force “on a day to be fixed by order of the Governor in Council” – meaning the government will announce the specific start date later.
This gives businesses time to:
- Build the technical infrastructure needed
- Understand the detailed regulations (which haven’t been written yet)
- Train staff on the new requirements
What’s Still to Come
The government needs to create detailed regulations that specify:
- Exactly which industries and companies are included
- The technical standards everyone must follow
- Security requirements for data transfers
- Specific exceptions and special cases
