Data protection & privacy laws in Canada (2026)
Canada has a comprehensive private-sector data-protection regime under PIPEDA, which governs the collection, use and disclosure of personal information in commercial activity nationwide and is built on 10 fair information principles. The Office of the Privacy Commissioner of Canada oversees compliance using an ombudsman model. A major reform bill (C-27, including the proposed Consumer Privacy Protection Act) died on prorogation in January 2025, so PIPEDA — recently amended by Bill C-15 (2026) to add a data-mobility right — remains the operative law.
Key points
PIPEDA sets nationwide ground rules for how private-sector organizations collect, use and disclose personal information in the course of commercial activity, and also covers employee data of federally-regulated businesses.
Organizations must follow 10 principles in Schedule 1 — accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.
The Office of the Privacy Commissioner of Canada (OPC) oversees PIPEDA under an ombudsman model — investigating complaints and issuing reports; binding orders and fines (up to CAD 100,000 per violation) come through the Federal Court rather than direct OPC penalties.
Individuals have the right to access personal information held about them, request correction of inaccuracies, and file a complaint with the OPC; consent is generally required for collection, use and disclosure.
Bill C-27 — which would have replaced PIPEDA's private-sector rules with the Consumer Privacy Protection Act and added the Artificial Intelligence and Data Act — died on the Order Paper when Parliament was prorogued on January 6, 2025, so PIPEDA (in force since 2000) remains the governing law.
Bill C-15 (Budget 2025 Implementation Act, No. 1) received Royal Assent on March 26, 2026, adding a new Division 1.2 to PIPEDA creating a right to data mobility, letting individuals require an organization to transfer their personal information to a designated organization, subject to forthcoming regulations.
Timeline - major decisions & events
A joint investigation by the federal OPC and the Quebec, BC, and Alberta authorities found TikTok collected sensitive data, including biometric and profiling data, from hundreds of thousands of Canadian children; TikTok agreed to strengthen age assurance and stop targeting users under 18.
Source: Office of the Privacy Commissioner of Canada
When Parliament was prorogued, Bill C-27 (the Digital Charter Implementation Act, 2022) died on the Order Paper, killing the proposed Consumer Privacy Protection Act and Artificial Intelligence and Data Act; Canada remains governed by the 2000-era PIPEDA.
Source: LEGISinfo, Parliament of Canada
In Canada (Privacy Commissioner) v. Facebook, 2024 FCA 140, the court overturned a lower ruling and found Facebook failed to obtain meaningful consent and to safeguard data in the Cambridge Analytica matter, clarifying the 'reasonable consumer' standard for consent.
Source: Office of the Privacy Commissioner of Canada
In its first review since 2001, the European Commission concluded PIPEDA continues to provide protection 'essentially equivalent' to the EU, preserving unrestricted EU-to-Canada data flows for organizations subject to PIPEDA.
Source: European Commission
A joint federal-provincial investigation found the Tim Hortons app tracked users' location every few minutes—even when closed—without meaningful consent, collecting 'vast amounts' of sensitive data via a US provider, Radar.
Source: Office of the Privacy Commissioner of Canada
Quebec became the first Canadian jurisdiction to substantially modernize its privacy regime, adding breach notification, consent, data portability, and significant penalties; provisions phased in through 2022-2024, raising the bar nationally.
Source: National Assembly of Québec
A joint federal-provincial investigation concluded Clearview AI's scraping of billions of facial images from the internet was unlawful mass surveillance violating PIPEDA; commissioners ordered it to stop collecting and to delete images of Canadians.
Source: Office of the Privacy Commissioner of Canada
Organizations became legally required to report breaches posing a 'real risk of significant harm' to the Privacy Commissioner, notify affected individuals, and keep breach records—Canada's first nationwide mandatory breach regime for the private sector.
Source: Canada Gazette
This amendment to PIPEDA introduced mandatory breach reporting and recordkeeping obligations and strengthened consent requirements, laying the groundwork for the breach rules that took effect in 2018.
Source: Justice Laws Website, Government of Canada
The Commission ruled that PIPEDA provided adequate protection under the EU Data Protection Directive, enabling cross-border EU-to-Canada data transfers—a key external driver for Canada's privacy framework.
Source: EUR-Lex, European Union
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.