Canadian Privacy Laws — PIPEDA and Provincial Access Request Requirements
Canadian privacy access request requirements under PIPEDA and provincial laws. Rights, deadlines, OPC guidance, and compliance obligations for businesses.
Last updated: 2026-03-01
Canada's privacy framework is split between federal and provincial legislation. At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. At the provincial level, Quebec, Alberta, and British Columbia have enacted their own private-sector privacy laws that have been declared substantially similar to PIPEDA by the federal government.
This layered structure means a business operating across Canada may need to comply with PIPEDA in some provinces and with provincial legislation in others. If you process personal information of Canadian residents, understanding which law applies to your operations is the first step toward compliance.
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified attorney or privacy professional for guidance specific to your organization.
Federal and Provincial Jurisdiction
PIPEDA applies to all private-sector organizations that collect, use, or disclose personal information in the course of commercial activities, except where a province has enacted substantially similar legislation. There is no revenue threshold or company size exemption — if you handle personal information commercially, PIPEDA or a provincial equivalent applies.
Three provinces have substantially similar laws:
- Quebec — An Act Respecting the Protection of Personal Information in the Private Sector, significantly amended by Law 25 (formerly Bill 64), which came into full force in September 2024. Law 25 is the strictest provincial privacy law in Canada, introducing mandatory privacy impact assessments, consent requirements for automated decision-making, and a private right of action for individuals.
- Alberta — Personal Information Protection Act (PIPA), applying to provincially regulated private-sector organizations in Alberta.
- British Columbia — Personal Information Protection Act (PIPA), applying to provincially regulated private-sector organizations in BC.
For organizations operating in these three provinces, the provincial law generally applies instead of PIPEDA for intra-provincial activities. PIPEDA continues to apply to interprovincial and international transfers of personal information, and to federally regulated industries (banking, telecommunications, airlines) across all provinces.
PIPEDA's 10 Fair Information Principles
PIPEDA is built on 10 fair information principles drawn from the Canadian Standards Association Model Code. These principles form the backbone of federal privacy compliance:
1. Accountability — An organization is responsible for personal information under its control and must designate a privacy officer.
2. Identifying purposes — The purposes for collecting personal information must be identified before or at the time of collection.
3. Consent — Knowledge and consent are required for the collection, use, or disclosure of personal information.
4. Limiting collection — Collection must be limited to what is necessary for the identified purposes.
5. Limiting use, disclosure, and retention — Personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law.
6. Accuracy — Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is used.
7. Safeguards — Personal information must be protected by appropriate security safeguards.
8. Openness — An organization must make its privacy policies and practices readily available.
9. Individual access — Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and given access to it.
10. Challenging compliance — An individual must be able to challenge an organization's compliance with these principles.
The individual access principle (Principle 9) is the foundation of access requests under PIPEDA. It gives every individual the right to know what personal information an organization holds about them and how it has been used.
Access Request Process
Under PIPEDA, individuals have the right to request access to their personal information held by an organization. The key requirements are:
- 30-day deadline: Organizations must respond to access requests within 30 calendar days of receiving the request.
- Minimal cost: Access must be provided at minimal or no cost. Organizations cannot charge excessive fees to discourage requests.
- Format: Information should be provided in a form that is generally understandable — for example, abbreviations and codes should be explained.
- Right to correction: If an individual demonstrates that their personal information is inaccurate or incomplete, the organization must amend it.
- Refusal grounds: Organizations may refuse access in limited circumstances, such as when disclosure would reveal personal information about a third party, when the information is protected by solicitor-client privilege, or when providing access could threaten the life or security of another individual.
Organizations must document any refusal and provide the individual with the reasons for the refusal along with information about how to file a complaint with the Office of the Privacy Commissioner.
The Office of the Privacy Commissioner (OPC)
The Office of the Privacy Commissioner of Canada (OPC) is the federal regulator responsible for overseeing PIPEDA compliance. The OPC investigates complaints from individuals, conducts audits, publishes guidance, and makes findings and recommendations.
Unlike the EU's GDPR enforcement model, the OPC's findings under PIPEDA are recommendations, not orders. However, the OPC can refer matters to the Federal Court of Canada, which has the power to order compliance and award damages. The OPC can also publish the names of organizations found to be non-compliant, which carries significant reputational consequences.
In Quebec, the Commission d'accès à l'information (CAI) enforces Law 25 and can impose administrative monetary penalties of up to CAD 25 million or 4% of worldwide turnover.
Guides
- PIPEDA Access Request Requirements — full compliance breakdown including rights, deadlines, identity verification, and OPC complaint process
- Quebec Law 25 Access Request Requirements — Quebec's enhanced privacy framework, consent requirements, and penalties
Related Resources
- How to Respond to a DSAR — step-by-step response process
- DSAR Response Deadlines — deadline comparison across jurisdictions