Legal Compliance

Any personal information your Canadian business collects, processes, uses, disseminates, discloses or retains, must be managed and protected with administrative, physical and technical safeguards to comply with applicable Canadian data protection laws.


Rules and principles within Canadian privacy laws govern the collection, use and dissemination of personal information in the public and private sectors.

Public Sector:
Federal Privacy Act

  • Applies to the collection, use and disclosure of individuals and federal employees’ personal information
  • Provides an individual with the right to access and correct personal information held by the federal government
  • Establishes the Office of the Privacy Commissioner to oversee and enforce the act

Provincial Privacy Act

  • Provinces have their own act, based on the Federal act


Private Sector:
Federal Act: Personal Information Protection and Electronic Documents Act (PIPEDA)

  • Applies to every organization that collects, uses, or discloses personal information from individuals or employees, in the course of commercial activities

Provincial Acts

If provinces have passed substantially similar legislation to PIPEDA, organizations within those provinces do not have to comply to PIPEDA, but must comply with their own provincial acts. The following provincial acts have been declared to be substantially similar:

  • Alberta: Personal Information Protection Act
  • British Columbia: Personal Information Protection Act
  • Ontario: Personal Health Information Protection Act
  • Quebec: Act Respecting the Protection of Personal Information in the Private Sector


Sector-Specific Privacy Laws

Some organizations may have sector-specific privacy laws, which they also need to comply with:

  • Federal Bank Act
  • Consumer credit reporting
  • Credit Unions


In Canada, privacy commissioners or ombudsmen (in provinces which do not have commissioners), oversee the enforcement of these laws to ensure compliance and investigate alleged breaches. 


Other jurisdictions

General Data Protection Regulation (GDPR)​
As of May 25, 2018, the European Union's GDPR may also apply to your organization, if you:

  • have an established presence in the European Union (EU)
  • offer goods and services to European citizens
  • monitor the behaviour of individuals in the EU


United States

The U.S. does not have federal privacy law and several but not all states have enacted their own privacy laws. 


For up-to-date information and details on privacy laws and compliance around the world, we recommend you refer to the IAPP Global Privacy Law and DPA Directory.