top of page

Data Privacy Laws in Canada

Updated: May 20, 2023

Data security has become a global issue in recent times. Many countries are formulating and implementing stringent data privacy laws — one country with strict data privacy regulations in Canada. The security of personal information in the private, public, and health sectors is governed by 28 federal, provincial, and territory privacy acts in Canada.

Although each act’s scope, standards, and enforcement provisions vary, they establish a comprehensive system for gathering, using, and disclosing personal information.

Canada’s federal government has several laws about privacy rights. Many government organizations and agencies are in charge of enforcing these laws. Let’s learn about them in detail.

What are the provisions of federal privacy laws?

The Office of the Privacy Commissioner of Canada, also known as OPC, manages Canada’s two federal privacy laws, which are as follows:

  1. The Privacy Act: Manages the Federal Government’s handling of personal data.

  2. The Personal Information Protection and Electronic Documents Act (PIPEDA): Controls how companies handle customer information.

There is also a new law enacted in recent times.

The Consumer Privacy Protection Act (CPPA): Strengthens the transparency standards for using algorithms and AI systems.

What is the Privacy Act?

The Privacy Act covers the right of an individual to access and modify personal information that the Government of Canada has gathered about them. The act governs the acquisition, use, and dissemination of personal data by the government in connection with the delivery of services like:

  • Retirement benefits

  • Employment protection

  • Border protection

  • Safety for the public and federal policing

  • Tax returns and tax collection

What is covered under the Privacy Act?

The Privacy Act covers only the institutions mentioned in the Privacy Act Schedule of Institutions. It protects every piece of private data the federal government gathers, uses, and concedes. In addition, it also covers the personal data of federal employees. However, the Privacy Act does not protect politicians, political parties, and their representatives.

What is PIPEDA?

The interprovincial and global acquisition and processing of personal data are governed by the federal private sector law known as PIPEDA. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all personal information stored by banks, airlines, railways, telecommunications firms, and internet service providers in the nation, including employee data.

What is covered under the PIPEDA?

PIPEDA generally applies to personal data maintained by private sector businesses operating in the following jurisdictions but not subject to federal regulation:

  • Manitoba, New Brunswick, Newfoundland and Labrador, Northwest Territories, Nova Scotia, Yukon, Ontario, Prince Edward Island, Saskatchewan and Nunavut.

The PIPEDA applies to all federally regulated businesses operating in Canada, and these businesses must also comply with its requirements concerning the personal information of their employees.

What does PIPEDA not cover?

Organizations that don’t engage in commercial, for-profit operations are exempt from the PIPEDA. PIPEDA usually does not apply to the following entities unless they are doing commercial operations that are not essential to their task and include personal information:

  • Nonprofit and charitable organizations

  • Political organizations and parties.

Organizations that are only based in British Columbia, Alberta, and Quebec are exempt from the PIPEDA’s application unless the personal information is transferred across provincial or national borders.

These three provinces have general private-sector regulations compared to PIPEDA and were found to be quite similar. They are as follows:

  • PIPA Alberta (Personal Information Protection Act)

  • PIPA BC, or the Personal Information Protection Act (British Columbia),

  • The Quebec Privacy Act

While the Privacy Commissioner of Canada is responsible for ensuring that PIPEDA and the Privacy Act are being followed, each federal, provincial, and territorial jurisdiction in Canada has a separate autonomous Information and Privacy Commissioner who reports to their corresponding legislature and is in charge of enforcing the relevant and essential data protection laws that are in force there.

Furthermore, the Attorney General may bring charges for a few offences. Some laws affect data protection in Canada that are general and sector-specific.

Mandatory Reports of Data Breach

Implementing compulsory data breach notifications was one of the significant new regulations by the PIPEDA amendment. As of November 1, 2018, businesses subject to PIPEDA are required to notify the Canadian Privacy Commissioner of any breaches of security measures involving personal data that constitute a genuine risk of serious harm to individuals.

Companies are also required to notify those impacted by such violations. Whether the breaches are announced to the Privacy Commissioner of Canada, organizations must preserve records of all security safeguard violations for two years. Businesses must create a system to analyze the likelihood of suffering significant harm due to data breaches.

What is the new Consumer Privacy Protection Act (CPPA)?

Following its announcement to bring in a new privacy law on November 17, 2020, the Canadian government has joined the regulator’s list. The Digital Charter Implementation Act, 2020, or simply Bill C-11, was presented to the House of Commons for consideration in 2020 by the federal Minister of Innovation, Science and Industry of Canada.

As per this law, The federal privacy commissioner would be able to look into and bring legal action against any company that disobeyed the CPPA’s rules. Additionally, the sanctions would be stiffer than those set forth by PIPEDA. It is one of the harshest privacy regulations in the world.

What is included in these new rules?

New data privacy standards would apply to any business that collects personal information:

  • New criteria for user’s permission regarding the gathering, using or disclosing of personal data.

  • A person would have the right to ask for access to confidential information about them that an organization keeps.

  • Request the organization to remove all of the person’s personal information gathered about them if required.

  • In response to a request, an employer must disclose to the person whether or not and how personal information about them has been utilized. It should also let the person know if it has been revealed with a few limitations.

Essential Elements of the CPPA

  • The CPPA seeks to standardize consent while keeping it at the core of Canadians’ rights to their data privacy. Consent is always required for collecting, using, and disseminating personal data.

  • Regarding employing algorithms and artificial intelligence systems, the CPPA establishes additional transparency regulations.

  • It would have explicit rules for data de-identification, which would be necessary based on the de-goal identification and how sensitive the personal data is.

  • A person has the right to ask for the transfer of their data from one organization to another under the CPPA.

  • According to the CPPA, any organization” that gathers, employs, or disseminates personal data for commercial purposes is subject to its provisions.


Canadian privacy law aims to safeguard people’s right to privacy and accessibility to information collected about them. The laws are leading the way in the field of data protection and guaranteeing that Canadian businesses can continue to serve internationally while protecting the privacy of their personal information.

22 views0 comments


Commenting has been turned off.
bottom of page