Data & Privacy - Canada

PIPEDA sets nationwide ground rules for how private-sector organizations collect, use and disclose personal information in the course of commercial activity, and also covers employee data of federally-regulated businesses.

Organizations must follow 10 principles in Schedule 1 — accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.

The Office of the Privacy Commissioner of Canada (OPC) oversees PIPEDA under an ombudsman model — investigating complaints and issuing reports; binding orders and fines (up to CAD 100,000 per violation) come through the Federal Court rather than direct OPC penalties.

Individuals have the right to access personal information held about them, request correction of inaccuracies, and file a complaint with the OPC; consent is generally required for collection, use and disclosure.

Bill C-27 — which would have replaced PIPEDA's private-sector rules with the Consumer Privacy Protection Act and added the Artificial Intelligence and Data Act — died on the Order Paper when Parliament was prorogued on January 6, 2025, so PIPEDA (in force since 2000) remains the governing law.

Bill C-15 (Budget 2025 Implementation Act, No. 1) received Royal Assent on March 26, 2026, adding a new Division 1.2 to PIPEDA creating a right to data mobility, letting individuals require an organization to transfer their personal information to a designated organization, subject to forthcoming regulations.