Start with Identity
🇨🇦 Canada · Data privacy

PIPEDA

Personal Information Protection and Electronic Documents Act

PIPEDA is Canada's federal private-sector privacy law, governing how organizations collect, use, and disclose personal information in commercial activity. It is built on ten fair information principles. Since 2018, organizations must report breaches posing a real risk of significant harm.

Jurisdiction: 🇨🇦 Canada
Type: Data privacy
In effect: 2000
Authority: Office of the Privacy Commissioner of Canada (OPC)

Who it applies to

Private-sector organizations across Canada that handle personal information in commercial activities (except where a province has substantially similar legislation), as well as federally regulated businesses.

Identity requirements

How it impacts identity systems

Identity area: Impact
Customer identity & consent (CIAM): Organizations must obtain and manage meaningful consent for collecting and using personal information.
Identity verification (KYC/proofing): Individuals' identity must be confirmed before granting access to their personal information.
Data residency & cross-border transfer: Organizations remain accountable for personal information transferred to third parties or processed across borders and must use comparable protection.
Breach notification: Breaches posing a real risk of significant harm must be reported to the OPC and affected individuals, with mandatory record-keeping.

Penalties

Failure to report or record breaches, or to comply with certain provisions, can lead to fines up to 100,000 Canadian dollars per offence, alongside OPC investigations and Federal Court orders.

PIPEDA: frequently asked questions

Who enforces PIPEDA?
The Office of the Privacy Commissioner of Canada (OPC) oversees and investigates compliance, and matters can be taken to the Federal Court.

When must a breach be reported under PIPEDA?
Since 1 November 2018, organizations must report breaches of security safeguards that pose a real risk of significant harm to the OPC and notify affected individuals as soon as feasible.

Does PIPEDA require consent?
Yes. PIPEDA requires meaningful consent for collecting, using, and disclosing personal information, with limited exceptions defined in the Act.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.