Understanding PIPEDA / LPRPDE: Canada's Federal Privacy Law
PIPEDA (LPRPDE) applies to private organizations under federal regulation in Canada. Here is what you need to know, including the upcoming Bill C-27.
What is PIPEDA (LPRPDE)?
The Personal Information Protection and Electronic Documents Act (PIPEDA), known in French as LPRPDE, is Canada's federal law governing the collection, use and disclosure of personal information in the course of commercial activities.
It applies to private organizations whose activities are interprovincial or international in nature — including federally chartered banks, telecommunications companies, airlines and businesses whose operations cross provincial boundaries.
Quebec organizations are primarily subject to Law 25. However, if they process data about individuals outside Quebec or conduct federal activities, PIPEDA may also apply in parallel.
The 6 main obligations
Organizational accountability
Designate a person responsible for personal information protection, implement policies and train staff. Accountability cannot be transferred to a subcontractor.
Identifying purposes
Document, before collection, why personal information is being gathered. Purposes must be understandable to the individual concerned.
Consent
Obtain consent from the individual concerned. Consent must be free, informed and given for reasonable purposes. Special rules apply to minors.
Limiting collection
Collect only the personal information necessary for the identified purposes, by fair and lawful means.
Breach reporting
Notify the Privacy Commissioner of Canada and affected individuals of breaches that pose a real risk of significant harm. Maintain a register of all breaches.
Access and rectification
Respond to access requests within 30 days. Allow rectification of inaccurate or incomplete information.
Evolution of PIPEDA
2000: PIPEDA comes into force for federally regulated organizations
2004: Extended to all private organizations with interprovincial commercial activities
2015: Amendments introduce new breach reporting obligations (Digital Privacy Act)
November 2018: Mandatory privacy breach reporting rules come into force
June 2022: Introduction of Bill C-27 (Digital Charter Implementation Act)
Ongoing: Expected adoption of Bill C-27, bringing increased fines, an AI Act and enhanced rights
PIPEDA vs Law 25: key differences
| Criterion | PIPEDA (LPRPDE) | Law 25 (Quebec) |
|---|---|---|
| Jurisdiction | Federal (PIPEDA) | Provincial Quebec (Law 25) |
| Scope | Interprovincial and federal commercial activities | All organizations with information about Quebec residents |
| Supervisory authority | Privacy Commissioner of Canada | Commission d'accès à l'information (CAI) |
| PIA | Not mandatory (best practice) | Mandatory before any new project |
| Reporting deadline | As soon as reasonably possible | 72 hours for certain incidents |
| Maximum fines | $100,000 (currently) | $25M or 4% of revenue (Bill C-27) |
The upcoming Bill C-27: what will change
Bill C-27 currently being adopted
- Fines up to $25M or 5% of global revenue
- Enhanced individual rights: data portability, algorithmic transparency
- Integrated Artificial Intelligence and Data Act (AIDA)
- Complete replacement of PIPEDA by the Consumer Privacy Protection Act (CPPA)
- New investigation powers for the Privacy Commissioner
CapGRC and PIPEDA
CapGRC covers PIPEDA obligations and prepares your organization for Bill C-27. Request a demonstration.