Data Protection in Canada

Data protection laws in Canada

In Canada there are at least 29 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy requirements under other legislation, federal anti-spam legislation, criminal code provisions etc.) that govern the protection of personal information in the private, public and health sectors. Although each statute varies in scope, substantive requirements, remedies and enforcement provisions, they all set out a comprehensive regime for the collection, use and disclosure of personal information.

The summary below focuses on Canada’s private sector privacy statutes:

  • Personal Information Protection and Electronic Documents Act ('PIPEDA')
  • Personal Information Protection Act (Alberta) ('PIPA Alberta')
  • Personal Information Protection Act (British Columbia) ('PIPA BC')
  • Act Respecting the Protection of Personal Information in the Private Sector ('Quebec Private Sector Act'), (collectively, 'Canadian Privacy Statutes')

On June 16, 2022, the federal Government introduced Bill C-27, a wide-reaching piece of legislation intended to modernize and strengthen privacy protection for Canadian consumers and provide clear rules for private-sector organizations. It was the second attempt to modernize federal private-sector privacy legislation, after a previous proposal died on the order paper in 2021. On January 6, 2025, Parliament was prorogued and, as a result, Bill C-27 died on the order paper. Bill C-27 would have replaced PIPEDA with legislation specific to consumer privacy rights and electronic documents. Bill C-27 would have also introduced the Artificial Intelligence and Data Act, which aimed to create rules around the deployment of AI technologies. This means that Canada’s federal privacy regime will remain as-is for the foreseeable future without the modernizations or improvements to PIPEDA that were anticipated in 2025 or the anticipated broad-based federal AI regulation. Parliament is now prorogued until March 24, 2025 and it is unclear what legislative agenda will be implemented when Parliament resumes.

PIPEDA applies to all of the following:

  • Consumer and employee personal information practices of organizations that are deemed to be a ‘federal work, undertaking or business’ (eg, banks, telecommunications companies, airlines, railways, and other interprovincial undertakings)
  • Organizations who collect, use and disclose personal information in the course of a commercial activity which takes place within a province, unless the province has enacted ‘substantially similar’ legislation (PIPA BC, PIPA Alberta and the Quebec Private Sector Act have been deemed ‘substantially similar’)
  • Inter provincial and international collection, use and disclosure of personal information in connection with commercial activity

PIPA BC, PIPA Alberta and the Quebec Private Sector Act apply to both consumer and employee personal information practices of organizations within BC, Alberta and Quebec, respectively, that are not otherwise governed by PIPEDA. In Ontario, amendments have been made to the Ontario Employment Standards Act, 2000 that impose notice obligations related to employee monitoring, although the full range of privacy rights and obligations available in Canadian Privacy Statutes have not been imported into the Employment Standards Act.

Quebec recently enacted a major reform of its privacy legislation with the adoption of Bill 64 on September 22, 2021, which resulted in the coming into force of several key modifications over the course of several years, with the final amendments having come into effect on September 22, 2024. With Bill 64’s changes, Quebec now has in place a sophisticated legal framework for privacy and data protection that resembles the European GDPR in several key areas.

Continue reading

  • no results

Back to top