The Privacy Compact
What Canadians Were Promised
January 29, 2026 (Data Privacy Week)
Introduction: A Foundation Built on Principles
In September 2022, Canada’s federal, provincial, and territorial (FPT) Privacy Commissioners issued a Joint Resolution on Digital Identity that established clear conditions for digital trust and identity systems.[1] This resolution was a warning. Without a privacy-protective design, Canadians would not realize the benefits of digital trust and identity because they would not trust systems enough to use them.
The timing was deliberate. Digital trust and identity initiatives were accelerating across Canada and globally. The COVID-19 pandemic demonstrated both the potential and the risks of digital credentials. Governments were investing heavily in digital service delivery. Private sector identity verification was expanding rapidly. The commissioners recognized that foundational privacy decisions made at this moment would shape Canada’s digital infrastructure for decades.
Four years later, on World Data Privacy Day 2026, we’re assessing how well Canada is meeting these standards and setting the path forward. This article launches “Privacy in Practice,” a 13-week series that examines each principle the commissioners established and evaluates where Canadian digital trust and identity stands against those benchmarks.
This series focuses on honest assessment, shared accountability, and collaborative action. Privacy-respecting digital trust and identity requires sustained commitment from government, industry, civil society, and regulators working together.
The Seven Conditions: Understanding What Commissioners Asked
The FPT Joint Resolution established seven conditions that digital trust and identity systems must meet to earn public trust.[1] These conditions drew on decades of privacy law, international best practices, and hard-won lessons from identity systems worldwide.
- Voluntariness: Adoption must be genuinely voluntary, with equivalent non-digital alternatives available without penalty. This principle recognizes that meaningful choice requires genuine alternatives. A system that is technically optional but practically required is not voluntary in any meaningful sense.
- Data Minimization: Systems must collect only the information necessary for each transaction and only as much as is proportional to the purpose. This principle addresses the tendency of digital systems to collect more data simply because they can. Every piece of information collected carries a risk of breach, misuse, or function creep.
- Anti-Tracking: Digital trust and identity must not enable tracking or tracing of individuals across services. This principle addresses the potential harm of digital trust and identity: the creation of a comprehensive surveillance infrastructure under the guise of convenience.
- Security: Robust technical and organizational measures must protect against unauthorized access and misuse. This principle acknowledges that digital systems create new attack surfaces and require commensurate protection.
- Transparency: Individuals must understand how their information is collected, used, and disclosed. This principle recognizes that informed consent requires genuine understanding, not just legal notice.
- Accessibility: Systems must be equitably accessible to all Canadians. This principle ensures that digital trust and identity serve everyone, not just those with the newest devices, strongest connectivity, and highest digital literacy.
- Independent Oversight: Appropriate oversight mechanisms must ensure accountability. This principle recognizes that self-regulation alone is insufficient for systems that affect fundamental rights.
These seven conditions form the privacy compact and the promises Canadians were given in exchange for their participation in digital trust and identity systems. They represent the minimum standards for trustworthy digital trust and identity.
Where Canada Is Succeeding: Celebrating Genuine Achievement
Honest assessment requires acknowledging success as clearly as identifying challenges. Canada has genuine achievements to celebrate that demonstrate privacy-protective digital trust and identity is technically feasible, commercially viable, and publicly beneficial.
Provincial Wallet Leadership
British Columbia and Alberta have demonstrated that governments can achieve privacy-protective digital trust and identity at scale. These production capabilities are serving real citizens today.
BC Wallet enables users to “prove things about themselves, like their age, without providing the information itself.”[2] This selective disclosure capability represents a fundamental advance in privacy protection. Users can verify they are over 19 without revealing their birthdate, address, or any other information. The government explicitly commits that “no one, other than the party you’re interacting with, knows when or how you’re using BC Wallet.”[3] This architectural commitment means the government cannot track where citizens use their credentials in private sector transactions.
Alberta Wallet similarly emphasizes user control with strong encryption and selective sharing capabilities. Alberta’s documentation states: “Only you know where and when information is shared. Issuers are not able to track or monitor where digital documents are used.”[4] These are examples of architectural facts enforced by technical design.
Quebec’s Legislative Leadership
Quebec merits particular recognition. Bill 82, adopted October 2025, represents Canada’s most comprehensive digital identity legislation, explicitly banning profiling and surveillance, mandating selective disclosure, and requiring public consultation on biometrics.[5][6] Quebec has demonstrated that strong privacy protection and digital innovation are complementary goals.
The legislation emerged from extensive consultation with privacy advocates, industry stakeholders, and the public. It provides a model for other jurisdictions considering digital trust and identity frameworks.
Cross-Sector Industry Standards Development
DIACC’s Pan-Canadian Trust Framework (PCTF) has matured through genuine partnership between government and industry. Industry surveys indicate that Canadian organizations conduct hundreds of thousands of identity verification transactions annually, representing a significant opportunity to bring more of this activity under certified trust framework industry standards. This progress represents collaborative standards development at its best: policy guidance translated into operational certifications that industry can implement.
The PCTF certification process provides validation that organizations meet defined privacy and security standards. This creates accountability while providing clear guidance on implementation.
Private Sector Innovation
Private sector innovation has been equally crucial to Canada’s progress. Identity verification providers have developed selective disclosure implementations that protect user privacy while meeting business requirements. Financial institutions have modernized KYC processes to reduce data collection while maintaining regulatory compliance. Telecommunications companies have pioneered on-device biometric processing that keeps sensitive data local.
These investments demonstrate that privacy-protective design is commercially viable. Organizations are finding that privacy protection creates a competitive advantage by building customer trust.
Where Challenges Remain: Honest Assessment
Honest assessment also requires acknowledging where Canada falls short. These challenges affect government and industry alike and are shared problems that require collaborative solutions.
Federal Legislative Gap
Bill C-27’s collapse leaves Canada with privacy legislation designed for a different era. PIPEDA’s framework, while foundational, predates modern digital trust and identity architectures. The legislation does not adequately address issues such as algorithmic decision-making, cross-border data flows, or the specific risks posed by identity verification and credential systems.
This gap affects everyone. Government agencies lack clear guidance on emerging privacy challenges. Industries operate under uncertainty about compliance requirements. Regulators struggle with enforcement authority designed for a pre-digital world. Privacy advocates cannot point to clear statutory protections.
Modernized privacy legislation would serve all stakeholders by providing clear rules, robust enforcement mechanisms, and appropriate flexibility to accommodate technological change.
Breach Reality
The OPC’s 2024-2025 annual report noted that breach reports from federal institutions increased to 615 from 561 the previous year, while the number of individuals affected more than doubled to 309,865.[7] These numbers represent real harm to real Canadians, including identity theft, fraud, and erosion of trust.
Every breach involves data that was collected and retained. This underscores the importance of data minimization: information that is never collected cannot be breached. It also highlights the need for continued investment in security by both government and private sector organizations.
Implementation Variability
Privacy-by-design adoption remains uneven across sectors. Some organizations lead; others lag. The gap between stated commitments and actual practice, the implementation gap, requires sustained attention.
This variability exists within both government and industry. Some government agencies have implemented sophisticated privacy protections; others rely on outdated systems and practices. Some private sector organizations invest heavily in privacy; others treat it as a compliance checkbox.
Closing this gap requires more than policy statements. It requires investment, accountability, and sustained commitment.
DIACC’s Privacy Scorecard: Measuring What Matters
To ground this series in accountability, DIACC introduces the Privacy Scorecard. The Privacy Scorecard is a simple self-assessment tool measuring digital trust and identity services against Canada’s federal, provincial, and territorial privacy commissioners’ joint expectations. This scorecard is a learning tool to help you explore privacy principles. It is not a compliance checklist or legal advice. Use it to spark conversation, explore unfamiliar concepts, and identify areas worth digging into further.
The scorecard examines four dimensions for each privacy principle:
- Architectural Implementation: Do technical choices enforce privacy? Privacy protection embedded in system architecture is more reliable than privacy protection dependent on policy compliance. Assess whether systems are designed to make privacy violations difficult or impossible, rather than merely to prohibit them.
- Policy Alignment: Do stated commitments match actual practice? Many organizations have strong privacy policies that are inconsistently implemented. Assess the gap between what organizations say and what they do.
- User Experience: Can individuals exercise meaningful control? Privacy rights are meaningless if individuals cannot practically exercise them. Assess whether privacy controls are accessible, understandable, and practical.
- Ecosystem Coverage: How broadly are standards adopted? Individual organizational excellence is insufficient if the broader ecosystem lacks protection. Assess how comprehensively privacy standards are implemented across the digital trust and identity landscape.
Access the Privacy Scorecard to reveal shortcomings and improve services.
What This Series Will Examine
Over the next twelve weeks, each article will examine one dimension of privacy-respecting digital trust and identity:
- Week 2: Voluntary Adoption – Is digital trust and identity adoption truly optional, or are non-digital alternatives disappearing? We will examine the spectrum from genuine choice to practical compulsion.
- Week 3: Data Minimization – Are systems collecting only what they need? We will examine selective disclosure technology and the organizational changes required to implement it.
- Week 4: Anti-Tracking – Do architectures prevent surveillance? We will examine how privacy-protective wallets function within broader ecosystems that may create tracking risks.
- Week 5: Security – How do we protect identity without creating honeypots? We will examine the relationship between security architecture and privacy protection.
- Week 6: AI Integration – What happens when AI meets identity? We will examine both the opportunities and the responsibilities created by AI-powered verification.
- Week 7: International Lessons – What can Canada learn from the EU Digital Identity Wallet? We will examine successes to emulate and challenges to anticipate.
- Week 8: Accessibility – Does digital trust and identity serve all Canadians? We will examine who might be left behind and how to ensure inclusion.
- Week 9: Oversight – Who watches the watchers? We will examine accountability mechanisms and DIACC’s own limitations as an industry coalition.
- Week 10: Cross-Border Issues – How do we maintain privacy when credentials cross borders? We will examine the Canada-EU collaboration and its implications.
- Week 11: Youth Protection – How do we protect young Canadians while respecting their privacy? We will examine age verification approaches that achieve both goals.
- Week 12: Implementation – How do we close the gap between principle and practice? We will examine what serious implementation requires.
- Week 13: Call to Action – Where do we go from here? We will synthesize the series and issue comprehensive recommendations for all stakeholders.
Throughout the series, we will celebrate genuine achievements across government and industry. We will acknowledge challenges and limitations honestly. We will propose practical paths forward that serve Canadians’ interests.
The Global Context: Why This Moment Matters
Canada is not alone in grappling with digital trust and identity. Around the world, governments and industry are building systems that will shape how people prove their identity for decades to come. The choices made now will be difficult to reverse.
The European Union is deploying the EU Digital Identity Wallet across 27 member states. India’s Aadhaar system covers over a billion people and offers cautionary lessons about the erosion of voluntariness. Australia, Singapore, and the United Kingdom are all advancing digital trust and identity initiatives with varying approaches to privacy.
Canada has an opportunity to learn from these experiences while charting its own path. Our federal structure, bilingual reality, and strong tradition of privacy create both unique challenges and opportunities. We can demonstrate that privacy protection and digital innovation reinforce each other.
The December 2025 memorandum of understanding between Canada and the European Union on digital credentials positions Canada for international interoperability. This creates both opportunity and responsibility: opportunity for Canadian citizens and businesses, responsibility to ensure Canadian privacy standards are maintained in cross-border contexts.
The Economic Case for Privacy
Some view privacy protection as a cost and an obstacle to efficiency and innovation. This view is mistaken.
Privacy protection creates economic value. Consumers are more likely to adopt services they trust. Businesses that demonstrate privacy leadership build competitive advantage. Jurisdictions with strong privacy frameworks attract investment from organizations seeking regulatory clarity.
The cost of privacy failures, by contrast, is substantial. Breaches destroy customer trust and impose direct financial costs. Regulatory penalties are increasing globally. Reputational damage can be permanent.
Privacy-by-design, building privacy protection into systems from the outset, is more cost-effective than retrofitting protection onto existing systems. Organizations that invest early in privacy architecture avoid the expensive remediation that follows privacy failures.
The economic case for privacy aligns with the ethical case. This is not a tradeoff between doing well and doing good. Privacy-respecting digital trust and identity serves both goals.
The Promise of Privacy-Respecting Digital Trust and Identity
Privacy-respecting digital trust and identity is the foundation for sustainable success. Systems that earn public trust will thrive. Systems that do not will struggle, regardless of their technical sophistication.
The privacy commissioners understood this when they issued their Joint Resolution. They were trying to ensure digital trust and identity succeed. Building public trust is a continuous goal.
Canada has the technical capability, institutional capacity, and public expectations to lead globally in privacy-respecting digital trust and identity. Provincial implementations prove it is possible. Private sector innovation proves it is commercially viable. Public demand proves it is necessary.
The privacy compact, the seven conditions the commissioners established, represents the terms under which Canadians will participate in digital trust and identity systems. Meeting those terms is not optional for organizations that want to succeed in this space.
Building that trust is the shared responsibility of government and industry working together. Neither sector can succeed alone. Government provides the regulatory framework and public infrastructure. Industry provides innovation and implementation capacity. Civil society provides accountability and advocacy. Regulators provide oversight and enforcement.
This series is one of DIACC’s contributions to that shared effort. We invite engagement, criticism, and collaboration from all stakeholders.
Next Week
Article 2 examines voluntariness: Is the adoption of digital trust and identity truly optional, or are non-digital alternatives disappearing? We will assess where Canada gets it right and where erosion threatens meaningful choice.
Footnotes:
[2] Government of British Columbia, BC Wallet
[3] Government of British Columbia, BC Wallet Privacy Policy
[4] Government of Alberta, Alberta Wallet
[6] DIACC, Statement on Quebec’s Adoption of National Digital Identity Legislation, October 28, 2025
[7] Office of the Privacy Commissioner of Canada, Annual Report to Parliament 2024-2025