PIPEDA gains a data-portability framework — but amendments are not yet in force

Plain-language summary · AI-assisted · not legal advice

Parliament has enacted a new Division 1.2 ("Mobility of Personal Information") that, once brought into force, will require organizations subject to a data mobility framework to transfer an individual's personal information to another organization of the individual's choosing, as soon as feasible upon request. The Governor in Council will set the detailed rules — including security safeguards, interoperability standards, which organizations are covered, and any exceptions for proprietary or confidential commercial information — through future regulations developed after consulting the Privacy Commissioner. Complaints, court applications, compliance agreements, audits, whistleblower protections, and the Commissioner's enforcement and outreach powers are all extended to cover the new Division 1.2 alongside the existing privacy obligations. These changes appear in the consolidated text as "amendments not in force," meaning organizations are not yet legally required to comply — but businesses that handle consumer data should begin assessing readiness for portability obligations and watch for the enabling regulations.

Who this affects: organizations subject to PIPEDA that collect personal information from individuals · businesses that may be designated under a future data mobility framework · privacy and compliance officers · individuals seeking to transfer their personal data between service providers · Privacy Commissioner of Canada