Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)

AMENDMENTS NOT IN FORCE

• — 2026, c. 3, s. 389

  • 389 The Personal Information Protection and Electronic Documents Act is amended by adding the following after section 10.3:

    DIVISION 1.2Mobility of Personal Information

    • Data mobility framework

      10.4 Subject to the regulations, on the request of an individual, an organization shall, as soon as feasible, disclose the personal information that it has collected from the individual to an organization designated by the individual if both organizations are subject to a data mobility framework.

    • Regulations

      10.5 The Governor in Council may, after consulting with the Office of the Privacy Commissioner, make regulations respecting the disclosure of personal information under section 10.4, including regulations

      • (a) respecting data mobility frameworks and prescribing

        • (i) safeguards that must be put in place by organizations to enable the secure disclosure of personal information under section 10.4 and the secure collection of that information, and

        • (ii) parameters for the technical means for ensuring interoperability in respect of the disclosure and collection of that information;

      • (b) specifying organizations that are subject to a data mobility framework; and

      • (c) providing for exceptions to the requirement to disclose personal information, including exceptions related to the protection of proprietary or confidential commercial information.

    • Distinguishing among classes

      10.6 Regulations made under section 10.5 may distinguish among different classes of activities, information or organizations.

• — 2026, c. 3, s. 390

  • 390 Subsection 11(1) of the Act is replaced by the following:

    • Contravention

      • 11 (1) An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1, 1.1 or 1.2 or for not following a recommendation set out in Schedule 1.

• — 2026, c. 3, s. 391

  • 391 Subsection 14(1) of the Act is replaced by the following:

    • Application

      • 14 (1) A complainant may, after receiving the Commissioner’s report or being notified under subsection 12.2(3) that the investigation of the complaint has been discontinued, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of that Schedule as modified or clarified by Division 1 or 1.1, in subsection 5(3) or 8(6) or (7), in section 10 or in Division 1.1 or 1.2.

• — 2026, c. 3, s. 392

  • 392 Paragraph 16(a) of the Act is replaced by the following:

    • (a) order an organization to correct its practices in order to comply with Divisions 1 to 1.2;

• — 2026, c. 3, s. 393

  • 393 Subsection 17.1(1) of the Act is replaced by the following:

    • Compliance agreement

      • 17.1 (1) If the Commissioner believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit an act or omission that could constitute a contravention of a provision of Division 1, 1.1 or 1.2 or a failure to follow a recommendation set out in Schedule 1, the Commissioner may enter into a compliance agreement, aimed at ensuring compliance with this Part, with that organization.

• — 2026, c. 3, s. 394

  • 394 The portion of subsection 18(1) of the Act before paragraph (a) is replaced by the following:

    • To ensure compliance

      • 18 (1) The Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization if the Commissioner has reasonable grounds to believe that the organization has contravened a provision of Division 1, 1.1 or 1.2 or is not following a recommendation set out in Schedule 1 and for that purpose may

• — 2026, c. 3, s. 395

  • 395 Paragraph 24(c) of the Act is replaced by the following:

    • (c) encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with Divisions 1 to 1.2; and

• — 2026, c. 3, s. 396

  • 396 Subsection 27(1) of the Act is replaced by the following:

    • Whistleblowing

      • 27 (1) Any person who has reasonable grounds to believe that a person has contravened or intends to contravene a provision of Division 1, 1.1 or 1.2 may notify the Commissioner of the particulars of the matter and may request that their identity be kept confidential with respect to the notification.

• — 2026, c. 3, s. 397

  • 397 Paragraphs 27.1(1)(a) to (c) of the Act are replaced by the following:

    • (a) the employee, acting in good faith and on the basis of reasonable belief, has disclosed to the Commissioner that the employer or any other person has contravened or intends to contravene a provision of Division 1, 1.1 or 1.2;

    • (b) the employee, acting in good faith and on the basis of reasonable belief, has refused or stated an intention of refusing to do anything that is a contravention of a provision of Division 1, 1.1 or 1.2;

    • (c) the employee, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order that a provision of Division 1, 1.1 or 1.2 not be contravened; or