Canada Steps Toward Open Banking: Bill C-15 Delivers Data Portability (With Lingering Questions)

12.05.2026

With the passage of Bill C-15, the federal government’s budget implementation bill, Canada takes a decisive step toward a consumer-driven banking framework. This article examines the bill’s data portability provisions, including a new data mobility regime added to PIPEDA, and the concerns raised by privacy authorities before Parliament.

A Long-Awaited Milestone for Canadian Consumers

After years of consultations, pilot frameworks, and pressure from a fintech sector that has long outpaced regulatory conditions, Canada has taken a step toward open banking, this time tucked inside a budget implementation bill. Bill C-15, the federal omnibus legislation enacting measures from the most recent budget, received Royal Assent on March 26, 2026. Among its fiscal and policy measures, it brings into force a new Consumer Driven Banking Act (the CDBA) and, through Division 23 of Part 5, introduces a parallel data mobility regime in the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, under which the Canadian banking sector is regulated. For Canadians, the promise is straightforward: the ability to securely direct participating entities to share their financial data with accredited third parties (such as budgeting apps, lenders, and account aggregators) without resorting to screen scraping.

 

What Bill C-15 Changes

Although the open banking measures are only one part of a much broader budget implementation bill, they are also among its most consequential. The CDBA establishes a national, mandatory open-banking framework that applies to both individuals and businesses and covers a broad range of financial products, including deposit and transaction accounts, payment products, lending and credit products, and certain investment accounts. Participation is mandatory for designated large banks and voluntary for other financial institutions and service providers, subject to accreditation by the Bank of Canada. The regime is being rolled out in phases: Phase 1, now enacted, enables read-only access, allowing consumers to securely direct participating entities to share their financial data with accredited data recipients; Phase 2, expected to follow, will introduce write-access use cases such as payment initiation and account switching, subject to further regulatory development and supporting infrastructure.

Alongside the CDBA, Bill C-15 amends PIPEDA by adding a new Division 1.2 (“Mobility of Personal Information”). New section 10.4 requires an organization, on an individual’s request and as soon as feasible, to disclose personal information it has collected about that individual to another organization designated by the individual, where both organizations are subject to a prescribed data mobility framework. Further amendments authorize the Governor in Council, after consulting the Office of the Privacy Commissioner, to make regulations defining those frameworks, including required security safeguards and the technical parameters for interoperability between organizations. The PIPEDA amendments therefore create the cross-sectoral statutory hook for data portability, while the CDBA supplies the first sector-specific framework (banking) to be plugged into it.

Significantly, a number of foundational details remain to be filled in by future regulations and orders, including the list of banks required to be participating entities, the designation of a technical standards body, accreditation and security standards, data-sharing protocols, the specific requirements for consent and authorization, and, on the PIPEDA side, the scope and content of the data mobility frameworks themselves.

 

The Privacy Commissioner’s Concerns

In appearances before the Standing Senate Committee on Banking, Commerce and the Economy, and before the House of Commons Standing Committee on Industry and Technology, the Privacy Commissioner of Canada welcomed the policy direction but pressed Parliament on a tightly connected set of concerns:

  1. Privacy by design, not by retrofit. Data portability rights should be built on PIPEDA’s fair information principles, particularly meaningful consent, purpose limitation, and data minimization, rather than bolted onto them, so that portability does not become a vehicle for secondary uses consumers never reasonably contemplated.
  2. Meaningful, revocable consent. Consumers must understand what data is shared, with whom, for how long, and on what basis, and must be able to revoke consent as easily as they grant it, without the “consent fatigue” produced by lengthy, generic onboarding disclosures.
  3. Treatment of derived data. The status of derived or inferred data, generated by an institution about a customer rather than provided by the customer, remains contested: excluding it risks hollowing out portability, while including it raises competitive and security questions that the technical standards must address head-on.
  4. Oversight and enforcement gaps. Federal private sector privacy law continues to lag international peers, and grafting an open banking regime onto PIPEDA without strengthening the OPC’s order-making and penalty powers leaves Canadians under-protected when something goes wrong.
  5. Regulator coordination. With the FCAC, OSFI, the OPC, and provincial regulators each touching different aspects of consumer-driven banking, clear information-sharing and complaint-handling pathways are needed so consumers are not bounced between authorities.
  6. Express consent preserved. A revision between First and Second Reading confirms that, notwithstanding the open-banking framework, a data provider must still obtain express consent from consumers before disclosing data to a data recipient as required under applicable laws, so the CDBA operates alongside, rather than displacing, existing privacy law consent requirements on clarity, scope, and revocability.

 

Implications for Industry and Consumers

For incumbent financial institutions, Bill C-15 creates a need for concrete investment in API infrastructure, accreditation compliance, and revised privacy management programs. For fintechs, accreditation will be the price of admission, but it should also displace the legally precarious practice of screen scraping. For consumers, the framework should in principle translate into more competitive products, easier switching, and clearer recourse when their data is misused.

 

Another Step, Not the Final One

Bill C-15 is rightly being celebrated as a long-overdue advance for Canadian consumers and for the competitiveness of the country’s financial services sector, moving consumer-driven banking decisively from policy aspiration to legal reality. But as the Privacy Commissioner’s two appearances before Parliament make clear, open banking is only as trustworthy as the privacy regime underpinning it. The practical impact will be shaped by forthcoming regulations, technical standards, Bank of Canada guidance, and the long-promised modernization of PIPEDA itself.

 

Article provided by INPLP member: Wendy Wagner (Gowling WLG, Canada)

 

 
