
Canada has a comprehensive set of data protection laws enforced by the Office of the Privacy Commissioner of Canada. The country has at least 29 federal, provincial, and territorial privacy statutes that govern the protection of personal information in the private, public, and health sectors. The Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) are the two federal privacy laws. The Privacy Act covers how the federal government handles personal information, while PIPEDA sets the rules for private-sector organizations. However, there have been recent attempts to modernize federal private-sector privacy legislation, such as Bill C-27, which aimed to replace PIPEDA and introduce the Artificial Intelligence and Data Act.
| Characteristics | Values |
|---|---|
| Number of federal, provincial and territorial privacy statutes | 29+ |
| Federal privacy laws | Privacy Act, Personal Information Protection and Electronic Documents Act (PIPEDA) |
| Provincial privacy laws | PIPA BC, PIPA Alberta, Quebec Private Sector Act, Ontario's Personal Health Information Protection Act (PHIPA), Alberta's Health Information Act (HIA) |
| Provincial privacy law amendments | Ontario Employment Standards Act, 2000 |
| Federal privacy regulator | Privacy Commissioner of Canada |
| Federal privacy legislation | The Bank Act |
| Provincial privacy legislation | Provincial laws governing credit unions |
| Provincial privacy legislation with similarities to PIPEDA | PIPA BC, PIPA Alberta, Quebec Private Sector Act |
| Provincial privacy legislation with differences to PIPEDA | Ontario's PHIPA, Alberta's HIA |
| Privacy protection for AI systems | Bill C-27, Artificial Intelligence and Data Act |
| Privacy protection for government information | Information Commissioner of Canada |
| Privacy protection for consumer credit reporting | Acts that impose an obligation on credit reporting agencies |
| Privacy protection for health information | Specific health information privacy statutes |
| Privacy protection for employee personal information | PIPEDA |
| Privacy protection for personal information | PIPEDA, Privacy Act |
| Privacy protection for commercial electronic messages | Requirements for obtaining consent |
Explore related products
What You'll Learn

The Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada has two federal privacy laws enforced by the Office of the Privacy Commissioner of Canada: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act relates to a person's right to access and correct personal information held by the federal government of Canada. It also applies to the government's collection, use, and disclosure of personal information in the course of providing services. The Act only applies to federal government institutions listed in the Privacy Act Schedule of Institutions.
The Personal Information Protection and Electronic Documents Act (PIPEDA) sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of commercial activities across Canada. Federally-regulated organizations conducting business in Canada are subject to PIPEDA and must apply the act to their employees' personal information. PIPEDA does not apply to organizations that do not engage in commercial, for-profit activities.
PIPEDA was implemented in three stages. In 2001, the law applied to federally regulated industries such as airlines, banking, and broadcasting. In 2002, the law was expanded to include the health sector. Finally, in 2004, any organization that collects personal information in the course of commercial activity was covered by PIPEDA, except in provinces with "substantially similar" privacy laws.
In 2015, the Digital Privacy Act (Senate Bill S-4) amended PIPEDA to include a business transaction exemption, mandatory breach notification requirements, and enhanced powers for the Privacy Commissioner. PIPEDA does not create an automatic right to sue for violations of the law's obligations. Instead, it follows an ombudsman model in which complaints are taken to the Office of the Privacy Commissioner of Canada. Section 14 of PIPEDA provides the complainant with the right to apply to the Federal Court of Canada for a hearing regarding the subject matter of the complaint.
Used Vehicle Replacement: Indiana's Lemon Law Explained
You may want to see also
Explore related products

Provincial privacy laws
Canada has at least 29 federal, provincial, and territorial privacy statutes that govern the protection of personal information in the private, public, and health sectors. Each province and territory in Canada has a commissioner or ombudsman responsible for overseeing provincial and territorial privacy legislation.
The federal government enforces two privacy laws: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act covers how the federal government handles personal information, while PIPEDA covers how businesses handle personal information. PIPEDA is the overarching privacy law for private sector companies that collect, use, or disclose personal information in Canada. However, when processing data in a province with its own privacy law, such as Alberta, British Columbia, or Quebec, the provincial law takes precedence over the federal PIPEDA.
Some provinces have passed privacy laws that apply to employee information. For example, Ontario has made amendments to the Ontario Employment Standards Act, 2000, that impose notice obligations related to employee monitoring. Alberta, British Columbia, and Quebec have their own privacy laws: PIPA BC, PIPA Alberta, and the Quebec Private Sector Act, respectively. These laws apply to both consumer and employee personal information practices of organizations within these provinces that are not otherwise governed by PIPEDA.
Quebec's Law 25 (formerly Bill 64) is another example of a provincial privacy law. It came into effect in 2023 and applies to enterprises that perform the collection, holding, use, or communication to third parties of personal information of a Quebec resident. Under Law 25, organizations may be liable for significant penalties for violations.
In May 2022, the Office of the Privacy Commissioner of Canada (OPC) issued recommendations for federal privacy legislation that would protect digital innovation while recognizing privacy as a fundamental human right. This led to the proposal of the Canadian Consumer Privacy Protection Act (CPPA) as part of Bill C-27, which aimed to modernize and strengthen privacy protection for Canadian consumers and provide clear rules for private-sector organizations. However, Bill C-27 died on the order paper when Parliament was prorogued in January 2025, leaving Canada's federal privacy regime unchanged for the foreseeable future.
Trusts: Can They Be Created Inadvertently?
You may want to see also
Explore related products

Health sector privacy laws
Canada has a comprehensive set of privacy laws that govern the protection of personal information in various sectors, including the health sector. While there is no single, comprehensive federal law that specifically covers health sector privacy, there are several federal and provincial laws that address this issue.
At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of commercial activities across Canada. PIPEDA applies to organizations that conduct business in Canada and must be followed by federally-regulated organizations and their employees. However, it does not generally apply to hospitals, which are covered by provincial laws.
Each province and territory in Canada has its own privacy legislation, and some have enacted health-related privacy laws that are substantially similar to PIPEDA with respect to health information. For example, PIPA BC, PIPA Alberta, and the Quebec Private Sector Act apply to both consumer and employee personal information practices in their respective provinces. Additionally, provinces like Ontario have amended existing laws, such as the Ontario Employment Standards Act, 2000, to include notice obligations related to employee monitoring.
The federal government has also introduced bills to strengthen privacy protection for Canadian consumers. For instance, Bill C-27 aimed to modernize privacy protection and provide clear rules for private-sector organizations, but it did not pass before Parliament was prorogued in 2025.
In summary, while there is no single, comprehensive federal law specifically for health sector privacy in Canada, a combination of federal laws like PIPEDA and provincial privacy laws work together to protect personal information in the health sector.
Attracting Abundance: Using the Law of Attraction for Success
You may want to see also
Explore related products

Bill C-27 and the Artificial Intelligence and Data Act
Canada has at least 29 federal, provincial, and territorial privacy statutes that govern the protection of personal information in the private, public, and health sectors. Some of the notable data protection laws in Canada include the Privacy Act, the Personal Information Protection and Electronic Documents Act (PIPEDA), PIPA BC, PIPA Alberta, and the Quebec Private Sector Act.
On June 16, 2022, the federal government introduced Bill C-27, a wide-reaching piece of legislation intended to modernize and strengthen privacy protection for Canadian consumers and provide clear rules for private-sector organizations. It was the second attempt to modernize federal private-sector privacy legislation. Bill C-27 would have replaced PIPEDA with legislation specific to consumer privacy rights and electronic documents.
Bill C-27, also known as the Digital Charter Implementation Act, 2022, would have also introduced the Artificial Intelligence and Data Act (AIDA). The AIDA is designed to protect individuals and communities from the adverse impacts associated with high-impact AI systems and to support the responsible development and adoption of AI across the Canadian economy. It aims to create rules around the deployment of AI technologies and establish common requirements for the design, development, and use of AI systems, including measures to mitigate the risks of harm and biased output. The AIDA also authorizes the Minister to publish information about AI systems that pose a serious risk of harm and to order a person to publish information related to their compliance with the Act.
The AIDA represents an important milestone in implementing the Digital Charter and ensuring that Canadians can trust the digital technologies they use every day. It is intended to protect Canadians, ensure the development of responsible AI in Canada, and prominently position Canadian firms and values in global AI development. The risk-based approach in AIDA was designed to reflect and align with evolving international norms in the AI space, including the EU AI Act, the OECD AI Principles, and the US National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).
Federal Courts: Collateral Attacks on State Law Decisions
You may want to see also
Explore related products

Personal Information Protection Act (PIPA)
Canada has several data protection laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers how businesses handle personal information. Federally regulated organizations conducting business in Canada are subject to PIPEDA and must apply the act to their employees' personal information. PIPEDA does not apply to organizations that do not engage in commercial, for-profit activities.
In addition to PIPEDA, each province and territory in Canada has its own privacy legislation, with at least 29 federal, provincial, and territorial privacy statutes governing the protection of personal information in the private, public, and health sectors. For example, PIPA BC, PIPA Alberta, and the Quebec Private Sector Act apply to consumer and employee personal information practices in British Columbia, Alberta, and Quebec, respectively.
The Personal Information Protection Act (PIPA) is a law that governs the collection, use, and disclosure of personal information by organizations. PIPA requires organizations to notify affected individuals whenever a breach of their personal information occurs. PIPA defines "personal data" as an individual's first name or initial and last name, combined with other sensitive information such as account numbers, medical data, or unique biometric data. Organizations must designate individuals responsible for ensuring compliance with PIPA and make their contact information publicly available.
PIPA also establishes rules for handling confidential information, such as encrypting confidential data, restricting storage on personal devices, and prohibiting the use of commercial search engines to index confidential websites. PIPA's purpose is to balance individuals' rights to protect their personal information with organizations' needs to collect and use such information for reasonable purposes.
Executive Branch: Can They Declare Laws Unconstitutional?
You may want to see also
Frequently asked questions
Yes, Canada has federal privacy laws enforced by the Office of the Privacy Commissioner of Canada.
The federal privacy laws in Canada are the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Privacy Act covers how the federal government handles personal information. It also applies to the government's collection, use, and disclosure of personal information in the course of providing services.
PIPEDA covers how businesses and private-sector organizations handle personal information. It sets out the ground rules for how organizations collect, use, and disclose personal information in the course of commercial activities.

























![Information Privacy Law [Connected eBook] (Aspen Casebook)](https://m.media-amazon.com/images/I/61uzGXF8G1L._AC_UL320_.jpg)








![Privacy, Law Enforcement, and National Security [Connected eBook] (Aspen Select Series)](https://m.media-amazon.com/images/I/81p8RTMIT9L._AC_UL320_.jpg)


![Information Privacy Law: [Connected Ebook] (Aspen Casebook)](https://m.media-amazon.com/images/I/61KUKAMt-5L._AC_UL320_.jpg)





