There is the potential. Under the Privacy Act, government institutions come into coverage of the Privacy Act by being listed in the schedule, so if there's a crown corporation that is not listed in the schedule, it is not subject to the Privacy Act. PIPEDA begins to apply if you're a federal work, undertaking, or business, or are engaged in commercial activity. Then it says that if you are subject to the Privacy Act, you're not in.
So you can have a crown corporation that is not engaged in commercial activity and that is not listed in the schedule which is not covered by any privacy legislation. I can imagine that happening.
Just to bring your two scenarios together, we have an increased number of programs being delivered jointly by the federal government and the provincial governments—the Canada-Ontario Business Service Centre, Canada/Nova Scotia Business Services Centre, and the like—and the provincial legislation and the federal legislation don't specifically delineate who is responsible for the information when it's collected by a contractor on behalf of both governments.