Blog

A Comparison of the PPCDA, PIPEDA, Quebec's Privacy Act and PIPA

J. Sébastien A. Gittens, Caroline Poirier, Stephen D. Burns, Ruth E. Promislow, Suzie Suliman, Morgan Sutherland, Kees de Ridder and David Wainer
July 8, 2026
Close-up of several transparent glass panels layered and overlapping on a light blue surface, creating clean geometric lines and reflections.
Social Media
Download
Download
Read Mode
Subscribe
Summarize

Earlier this month, the federal government introduced the proposed federal Protecting Privacy and Consumer Data Act (PPCDA) – a signal that Canada’s private-sector privacy landscape may undergo significant transformation imminently. To assist organizations that conduct business in Canada with their potential compliance efforts with respect thereto, the following is intended to provide a non-exhaustive, high-level comparison between: (i) the PPCDA; (ii) Canada's Personal Information Protection and Electronic Documents Act (PIPEDA); (iii) Quebec’s Act respecting the protection of personal information in the private sector (the Quebec Privacy Act, as amended by Law 25); and (iv) the Personal Information Protection Acts of Alberta and British Columbia (collectively, the PIPAs).

While there are important nuances to each of these regulatory frameworks, they broadly draw on fair information principles, resulting in substantial commonality across them. Organizations that handle personal information should understand how these laws compare as they prepare for this evolving regulatory environment.

Who Does It Apply To?

PPCDA

Subject to its terms, the PPCDA applies to any "organization", which includes an association, a partnership, a person or a trade union.

PIPEDA

Subject to its terms, PIPEDA applies to any "organization", which includes an association, a partnership, a person and a trade union.

Québec Privacy Act

Subject to its terms, the Quebec Privacy Act applies to any person carrying on an enterprise in Quebec.

The Quebec Privacy Act also applies to a professional order to the extent provided for by the Professional Code (chapter C-26) and to a political party, an Independent Member or an Independent candidate to the extent provided for by the Election Act (chapter E-3.3).

PIPAs

Subject to its terms, Alberta's PIPA applies to any "organization", which includes:

  • "… a corporation;
  • an unincorporated association;
  • a trade union as defined in the Labour Relations Code,
  • a partnership as defined in the Partnership Act, and
  • an individual acting in a commercial capacity,

but does not include an individual acting in a personal or domestic capacity."

The Alberta PIPA only applies to non-profit organizations in respect of their commercial activities.

Subject to its terms, British Columbia's PIPA applies to any "organization", which includes "… a person, an unincorporated association, a trade union, a trust or a not for profit organization, but does not include

  • an individual acting in a personal or domestic capacity or acting as an employee,
  • a public body,
  • the Provincial Court, the Supreme Court or the Court of Appeal,
  • the Nisg̱a'a Government, as defined in the Nisg̱a'a Final Agreement, or
  • a private trust for the benefit of one or more designated individuals who are friends or members of the family of the settlor."

The PPCDA, PIPEDA and the PIPAs use similar concepts of an "organization", generally capturing entities such as corporations, partnerships, associations, trade unions and individuals acting in a commercial capacity. While the Quebec Privacy Act is framed somewhat differently (as it applies to a person in the course of carrying on an enterprise), its practical effect is similar: it is primarily directed at regulating private-sector economic and commercial activities, rather than purely personal conduct.

What Does It Apply To?

PPCDA

The PPCDA applies to:

  • the collection, use and disclosure of personal information by an organization in the course of its commercial activity in a province without substantially similar privacy legislation;

  • the transfer of personal information across provinces or internationally;

  • federal works, undertakings or businesses (FWUBs); and

  • the collection, use and disclosure of employee information in connection with FWUBs.

PIPEDA

PIPEDA applies to:

  • the collection, use and disclosure of personal information by an organization in the course of its commercial activity in a province without substantially similar privacy legislation;

  • the transfer of personal information across provinces or internationally;

  • FWUBs; and

  • the collection, use and disclosure of employee information in connection with FWUBs.

Certain jurisprudence has held that PIPEDA has extraterritorial application when, for example, there is a "real and substantial connection" between Canada and the activity undertaken in a foreign jurisdiction.

Quebec Privacy Act

The Quebec Privacy Act applies to the collection, use and communication of personal information, including employee personal information, by a person in the course of carrying on an enterprise in Quebec.

The Quebec Privacy Act has been deemed to be substantially similar to PIPEDA.

PIPAs

The PIPAs apply to the collection, use and disclosure of personal information, including employee personal information, by an organization that occurs within Alberta/British Columbia.

The PIPAs have been deemed to be substantially similar to PIPEDA.


The PPCDA and PIPEDA have a broadly similar application, covering the collection, use and disclosure of personal information in connection with: (i) commercial activities; (ii) cross-border transfers of personal information; and (iii) federal works, undertakings and businesses. PIPEDA and the PPCDA do not apply to activities occurring within provinces with substantially similar private-sector privacy legislation.

Personal Information

PPCDA

The PPCDA applies to "personal information", namely "information about an identifiable individual, including information that is inferred about the individual".

PIPEDA

PIPEDA applies to "personal information", namely "information about an identifiable individual".

Quebec Privacy Act

The Quebec Privacy Act defines personal information as any information which relates to a natural person and directly or indirectly allows that person to be identified.

PIPAs

Alberta's PIPA defines "personal information" to mean "information about an identifiable individual".

British Columbia's PIPA defines "personal information" to mean "information about an identifiable individual and includes employee personal information but does not include:

  • contact information, or

  • work product information".


The PPCDA, PIPEDA, and the PIPAs generally define "personal information" as "information about an identifiable individual," though the PPCDA uniquely expands this definition to include "information that is inferred about the individual." In addition, PIPEDA and Alberta's PIPA do not apply to business contact information collected, used or disclosed solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession, but British Columbia's PIPA expressly excludes "contact information" in the definition of "personal information" (and doesn't apply to such information, regardless of the purpose for which it is used). The Quebec Privacy Act does not exclude business contact information from the definition of "personal information." Instead, it provides that certain specified provisions of the Quebec Privacy Act do not apply to personal information concerning a person's performance of duties within an enterprise, such as the person's name, title, duties, and the address, email address and telephone number of the person's place of work.

Consent

PPCDA

Express consent is required to collect, use or disclose personal information, unless it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.

The PPCDA explicitly requires organizations to obtain express consent for the collection, use, or disclosure of sensitive personal information.

Notably, the PPCDA introduces:

  • a "legitimate interest" exception that can be relied upon if the collection, use or disclosure is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any reasonably foreseeable adverse effect on the individual that could result from that collection, use or disclosure, provided a reasonable person would expect the collection, use and disclosure for such activity and the personal information is not collected, used or disclosed for the purpose of influencing the individual's behaviour or decisions; and

  • a "business activity" exception that can be relied upon in connection with an activity that is necessary: (i) to provide a product or service that the individual has requested from the organization; (ii) for the security of the organization’s information, systems or networks; or (iii) for the safety of a product or service that the organization provides.

PIPEDA

Subject to various exceptions, the consent of an individual is generally required for the collection, use, or disclosure of their personal information.

PIPEDA expressly states that any such consent is only valid if it is reasonable to expect that an individual would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

In a guidance document jointly published with its provincial counterparts in British Columbia and Alberta, the Office of the Privacy Commissioner of Canada has held that consent must be "meaningful" (e.g. an individual must understand what an organization is doing with their information).

PIPEDA recognizes that consent may be implied in certain cases and that consent can be deemed in some specific circumstances.

Quebec Privacy Act

The Quebec Privacy Act is consent-based. Personal information must be collected, used and communicated for a serious and legitimate reason.

Consent to the use or communication of sensitive personal information must be given expressly.

Consent to the use or communication of personal information may be deemed to have been given if prescribed notification has been provided.

The Quebec Privacy Act also imposes additional notification requirements when collecting personal information using technology that includes functions allowing a person to be identified, located or profiled, and certain privacy by default requirements when offering a technology product or service that has privacy settings.

PIPAs

Subject to various exceptions, the consent of an individual is generally required for the collection, use, or disclosure of their personal information.

In a guidance document jointly published with their federal counterpart, the Offices of the Information and Privacy Commissioner of Alberta and British Columbia have held that consent must be "meaningful" (e.g. an individual must understand what an organization is doing with their information).

The PIPAs recognize that consent may be implied in certain cases and that consent can be deemed in some specific circumstances.


Each of the PPCDA, PIPEDA, the Quebec Privacy Act and the PIPAs are based on a consent model, with some differences in how they structure express consent and implied consent. The PPCDA’s "legitimate interest" exception introduces a new lawful basis for processing personal information without consent. This exception may reduce reliance on consent in certain commercial contexts but requires organizations to implement documented assessment processes. Similar to the Quebec Privacy Act, the PPCDA requires express consent for the collection, use or disclosure of "sensitive" personal information.

Accountability

PPCDA

An organization is responsible for any personal information under its control and must designate one or more individuals who are accountable for the organization’s privacy compliance.

Organizations must implement "a privacy management program that includes the policies, practices and procedures the organization has put in place to fulfill its obligations under this Act, including policies, practices and procedures respecting

PIPEDA

An organization is responsible for any personal information under its control and must designate one or more individuals who are accountable for the organization’s privacy compliance.

Organizations must implement applicable policies and practices to give effect to the principles under PIPEDA, including:

Quebec Privacy Act

An enterprise is responsible for protecting the personal information held by the enterprise.

The person exercising the highest authority is responsible for ensuring that the Quebec Privacy Act is implemented and complied with by the enterprise. This person may delegate that function in writing to any person.

The enterprise must establish and implement governance policies and practices to ensure the protection of personal information. Such policies and practices must, in particular:

Detailed information about those policies and practices, in particular as concerns the content required above, must be published in simple and clear language on the enterprise’s website, or if the enterprise does not have a website, made available by any other appropriate means.

PIPAs

An organization is responsible for any personal information under its custody and control, and must designate one or more individuals who are responsible for the organization’s privacy compliance.

Organizations must implement applicable policies and practices to give effect to the PIPAs.


The PPCDA’s detailed privacy management program requirements will require organizations to formalize their privacy governance structures beyond PIPEDA’s accountability framework. The PPCDA requires organizations to implement a comprehensive privacy management program that includes policies, practices and procedures governing the protection of personal information, the handling of access requests and complaints, staff training and the development of materials explaining the organization's privacy practices. This is broadly consistent with the Quebec Privacy Act, which also requires organizations to establish and implement privacy governance policies and practices. However, the Quebec Privacy Act places greater emphasis on governance measures, such as retention and destruction practices and the allocation of responsibilities throughout the information lifecycle, and expressly requires organizations to publish detailed information about their privacy governance policies and practices in clear and simple language.

Data Protection/Security Safeguards

PPCDA

An organization must protect personal information through physical, organizational and technological security safeguards. Such safeguards must protect personal information against, among other things, loss, theft or unauthorized access, disclosure, copying, use or modification and must include reasonable measures to authenticate the identity of the individual to whom the personal information relates.

When establishing its safeguards, an organization must take into account the sensitivity of the information and "the quantity, distribution, format and method of storage of the information, as well as any reasonably foreseeable privacy implications that may arise in relation to the transfer of personal information to a service provider."

PIPEDA

An organization must adopt security safeguards to protect the personal information in its custody and control against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Methods of protection must include physical, organizational, and technological measures.

When establishing its safeguards, an organization must take into account "the sensitivity of the information, the amount, distribution, and format of the information, and the method of storage."

Quebec Privacy Act

An enterprise must take security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed that is reasonable given the sensitivity of the information, the purposes for which it is used, the quantity and distribution of the information and the medium on which it is posted.

PIPAs

An organization must protect personal information that is in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.


The PPCDA expands and further specifies an organization's safeguarding obligations relative to PIPEDA, the Quebec Privacy Act and the PIPAs, including by requiring organizations to take into account any reasonably foreseeable privacy implications that may arise in relation to the transfer of personal information to a service provider. The PPCDA also imposes direct safeguard obligations on service providers. Under the PIPAs, these obligations are imposed through the 'custody or control' wording, which imposes obligations of safeguarding regardless of whether the holder of the information is the processor or controller.

Individual Rights

PPCDA

The PPCDA includes the following rights for individuals:

  • to be informed of whether the organization has any personal information about them, how it uses the information and whether it has disclosed the information;

  • to access their personal information (including the inferred categories of personal information) under the custody or control of an organization;

  • to have their personal information amended when an individual successfully demonstrates the inaccuracy or incompleteness of their personal information;

  • to withdraw their consent at any time, subject to the PPCDA, to federal or provincial law or to the reasonable terms of a contract, and reasonable notice;

  • to request the disposal of their personal information that is under the organization's control; and

  • to request that the personal information an organization has collected about them be disclosed to another organization, if both organizations are subject to a data mobility framework.

PIPEDA

PIPEDA includes the following rights for individuals:

  • to access their personal information under the custody or control of an organization;

  • to have their personal information be accurate, complete and up to date (as is necessary for the purposes for which it is to be used);

  • to have their personal information amended (by the correction, deletion, or addition of information) when an individual successfully demonstrates the inaccuracy or incompleteness of their personal information; and

  • to withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice.

Quebec Privacy Act

The Quebec Privacy Act includes the following rights for individuals:

  • to access their personal information held by an enterprise;

  • to request rectification if personal information is inaccurate, incomplete or equivocal, or if collecting, communicating or keeping it are not authorized by law;

  • to withdraw their consent to the collection, use or communication of their personal information;

  • to demand that their computerized personal information be communicated to another organization; and

  • to request that an enterprise cease disseminating an individual's personal information or de-index any hyperlink attached to the individual's name that provides access to such information by technological means, where the dissemination contravenes the law or a court order, or where the prescribed conditions are satisfied (this also includes the right to require that a de-indexed hyperlink be re-indexed).

PIPAs

The PIPAs include the following rights for individuals:

  • to access their personal information under the custody or control of an organization;

  • to know the purposes for which their information has been and is being used;

  • to request a correction to any error or omission in respect of their personal information, when an individual successfully demonstrates the inaccuracy or incompleteness of their personal information; and

  • to withdraw or vary their consent at any time, subject to legal or contractual restrictions and reasonable notice.


The PPCDA grants individuals broader rights than PIPEDA, including the potential right to access inferred categories of personal information, request the disposal of their personal information and data mobility rights. While the PPCDA's right resembles the portability right under the Quebec Privacy Act, it is subject to a more structured regime, as transfers are permitted only between organizations participating in an applicable data mobility framework, rather than to any organization. Unlike the Quebec Privacy Act, however, the PPCDA does not limit the right to computerized personal information or expressly exclude personal information that has been created or inferred from the original personal information. Organizations should consider the systems and processes required to respond to these expanded individual rights, particularly the right to data mobility.

Automated Decision Systems

PPCDA

The PPCDA requires organizations to:

  • provide a general account of the organization’s use of any automated decision system to make predictions, recommendations or decisions about individuals that could have a legal or similarly significant effect on them; and

  • upon request, provide an individual with an explanation of the prediction, recommendation or decision if the organization has used an automated decision system to make a prediction, recommendation or decision that could have a legal or similarly significant effect on that individual.

The PPCDA defines "automated decision system" broadly as any technology that assists or replaces the judgment of human decision-makers through the use of rules-based systems, regression analysis, predictive analytics, machine learning, deep learning, a neural network, or other techniques.

PIPEDA

PIPEDA does not expressly address automated decision systems, although general privacy principles (including transparency and accountability) still apply to personal information used in connection with such systems.

Quebec Privacy Act

The Quebec Privacy Act requires that an enterprise who uses personal information to render a decision based exclusively on an automated processing of such information inform the person concerned no later than at the time it informs the person of the decision.

In addition, the enterprise must inform the person concerned, at its request:

The person concerned must be given an opportunity to submit observations to a member of the personnel of the enterprise who is in a position to review the decision.

PIPAs

The PIPAs do not expressly address automated decision systems, although general privacy principles (including transparency and accountability) still apply to personal information used in connection with such systems.


The PPCDA introduces specific transparency and explainability requirements for automated decision systems. Organizations that deploy AI or algorithmic tools to make predictions, recommendations, or decisions about individuals should consider the compliance processes required to provide explanations on request, especially where service providers are involved.

Cross-Border Transfers

PPCDA

The PPCDA requires an organization to: (i) carry out a privacy impact assessment before transferring personal information outside of Canada; and (ii) implement measures to mitigate the risks identified in the privacy impact assessment. On request, an organization must provide the Commission with access to, or a copy of, the assessment.

An organization's policies must state whether or not the organization transfers or discloses personal information interprovincially or outside of Canada that may have reasonably foreseeable privacy implications.

PIPEDA

PIPEDA does not explicitly address the transfer of personal information to a third-party service provider in a jurisdiction outside of Canada.

The Federal Privacy Commissioner has held, however, that an organization may transfer personal information to a third party service provider outside of Canada if the organization: (i) is satisfied that the service provider has policies and processes in place to ensure that the information in its care is properly safeguarded at all times (including training for its staff and effective security measures); (ii) uses contractual or other means to “provide a comparable level of protection while the information is being processed by the third party”; (iii) has the right to audit and inspect how the third party handles and stores personal information; and (iv) at the time that the personal information is collected from an individual, makes it plain that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction.

Quebec Privacy Act

The Quebec Privacy Act requires that a privacy impact assessment be conducted before communicating personal information outside Quebec. The privacy impact assessment must take into account the sensitivity of the information, the purposes for which it is to be used, the protection measures that would apply to it, and the legal framework applicable in the State in which the information would be communicated.

The information may be communicated if the assessment establishes that it would receive adequate protection, in particular in light of generally recognized principles regarding the protection of personal information. The communication must be subject to a written agreement that takes into account the risks identified in the assessment, as well as the prescribed requirements applicable to communications of personal information to third-party service providers.

Individuals must also be informed of the possibility that their personal information could be communicated outside Quebec.

PIPAs

Generally, Alberta’s PIPA provides that an organization may transfer personal information to a third party service provider in a jurisdiction outside of Canada if the organization’s policies and practices include information regarding: (i) the countries outside Canada in which such activities may occur; and (ii) the purpose for which the service provider has been authorized to collect, use or disclose personal information. An organization must make written information available about these policies and practices. Notice must also be given, before or at the time of collecting or transferring the personal information, of: (i) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada; and (ii) the name or title of a person who is able to answer questions about the collection, use, disclosure or storage of personal information by service providers outside Canada.

British Columbia’s PIPA does not explicitly address the transfer of personal information to a third party service provider in a jurisdiction outside of Canada. Nevertheless, this statute appears to contemplate same by the fact that an organization is “responsible for personal information under its control, including personal information that is not in the custody of the organization.”


The PPCDA introduces a more prescriptive cross-border framework by requiring organizations to conduct privacy impact assessments before transferring personal information outside Canada, and to implement mitigating measures for identified risks. This approach is similar to the Quebec Privacy Act’s requirement to conduct a privacy impact assessment before communicating personal information outside Quebec. Organizations that disclose or transfer data outside Canada must integrate these assessments into their data governance processes.

Breach Notification

PPCDA

An organization must:

  • report to the Commission any breach of security safeguards involving personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual; and

  • notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual, unless otherwise prohibited by law.

The PPCDA also requires an organization's service providers to notify the organization that controls the personal information of any breach of security safeguards.

PIPEDA

An organization must:

  • report to the federal Privacy Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual; and

  • notify an individual of any breach of security safeguards involving the individual’s personal information if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

Quebec Privacy Act

An enterprise who has cause to believe that a confidentiality incident involving personal information it holds has occurred must:

  • promptly notify the Commission d’accès à l’information if the incident presents a risk of serious injury; and

  • notify any person whose personal information is concerned by the incident if the incident presents a risk of serious injury.

The Quebec Privacy Act requires that a written agreement between an enterprise and its service provider include a provision requiring the service provider to promptly notify the enterprise's person in charge of the protection of personal information of any violation or attempted violation of an obligation concerning the confidentiality of the personal information communicated.

PIPAs

Alberta’s PIPA states that an organization must provide notice to the Alberta Privacy Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information if there is a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure. The Privacy Commissioner may require the organization to notify affected individuals.

Private sector organizations do not explicitly have any breach reporting obligations under British Columbia's PIPA.


Breach reporting and notification obligations under the PPCDA are generally consistent with those under PIPEDA, the Quebec Privacy Act and the Alberta PIPA. However, the PPCDA directly imposes a statutory obligation on service providers to notify the organization that controls the personal information of any breach of security safeguards. By contrast, the Quebec Privacy Act requires organizations to impose a similar notification obligation on their service providers through a written agreement.

Data Protection Authority

PPCDA

Under the PPCDA, the federal Privacy Commission, as an overarching entity, is tasked with fostering compliance with the Act by promoting public understanding, developing guidance materials, publishing research, overseeing certification programs, and facilitating intergovernmental or interorganizational consultations or agreements.

The Privacy Commissioner, designated as an individual within the Commission, is primarily responsible for administering and enforcing the PPCDA. This includes making findings, issuing compliance orders, approving compliance agreements and recommending administrative monetary penalties for certain contraventions. The Commissioner’s orders could require an organization to take measures to comply with the PPCDA, stop non-compliant conduct, comply with a compliance agreement or make public corrective measures relating to its safeguards, policies, practices or procedures.

PIPEDA

Under PIPEDA, the federal Privacy Commissioner can make non-binding recommendations to organizations, but cannot issue binding orders or impose administrative monetary penalties.

Quebec Privacy Act

Under the Quebec Privacy Act, the Commission d’accès à l’information is primarily responsible for overseeing compliance with the Quebec Privacy Act, including by conducting inspections and inquiries, issuing orders, approving undertakings, and imposing administrative monetary penalties for certain contraventions. The Commission may also institute penal proceedings for offences under the statute, which may result in fines where the statutory conditions are met.

PIPAs

The Alberta and British Columbia Privacy Commissioners have the authority to make various orders, including, for example:

  • directing an organization to give an individual access to their personal information;

  • confirming a decision of an organization regarding access to an individual’s personal information;

  • directing an organization to refuse to give an individual access to their personal information;

  • requiring that a duty imposed by PIPA be performed; or

  • requiring an organization to destroy personal information collected in contravention of PIPA.


The PPCDA would materially strengthen the federal Privacy Commissioner’s role by moving the federal regime beyond PIPEDA’s ombuds-style model. Under the PPCDA, the Commissioner would have order-making powers and could recommend administrative monetary penalties. This would bring the federal regime closer to the more enforcement-oriented models under Quebec’s Law 25 and the Alberta and British Columbia PIPAs, where regulators already have order-making authority.

Administrative Fines and Penalties

PPCDA

Penalties of up to C$10 million or 3% of the organization's gross global revenue for contraventions found to have been committed by an organization following the completion of proceedings in relation to any one investigation.

Fines of up to the greater of C$25 million or 5% of the organization’s gross global revenue for contraventions of specific obligations under the PPCDA, including the obligation to: (i) report a breach of security safeguards to the Commission; (ii) keep and maintain a record of every breach of security safeguards; and (iii) not use de-identified personal information to identify an individual.

PIPEDA

Fines of up to C$100,000 can be imposed by the Federal Court if an organization knowingly: (i) dismisses, suspends, demotes, disciplines, harasses or otherwise disadvantages an employee who acted as a "whistle blower"; (ii) does not retain personal information that is the subject of a request for as long as is necessary to allow the individual to exhaust any recourse that they may have; (iii) does not report to the Commissioner an applicable breach of security safeguards; (iv) does not keep and maintain a record of applicable breach of security safeguards; or (v) obstructs the federal Privacy Commissioner in the investigation of a complaint or in conducting an audit.

Quebec Privacy Act

The Quebec Privacy Act provides for both administrative monetary penalties and penal fines. Administrative monetary penalties may reach the greater of C$10 million or 2% of worldwide turnover, while penal fines may reach the greater of C$25 million or 4% of worldwide turnover.

Penal fines may be imposed, for example, against anyone who: (i) collects, uses, communicates, keeps or destroys personal information in contravention of the Quebec Privacy Act; (ii) fails to report, where required to do so, a confidentiality incident to the Commission or to the persons concerned; (iii) does not take the security measures necessary to ensure the protection of the personal information in accordance with section 10 of the Quebec Privacy Act; (iv) identifies or attempts to identify a natural person using de-identified information without the authorization of the person holding the information or using anonymized information; (v) impedes the progress of an inquiry or inspection of the Commission or the hearing of an application by the Commission by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise; and (vi) fails to comply with an order of the Commission.

PIPAs

An organization who commits an offence under PIPA is liable to a fine of up to C$100,000.

Under Alberta’s PIPA, such a fine can arise if, for example, an organization: (i) collects, uses or discloses personal information in contravention of Alberta’s PIPA; (ii) attempts to gain or gains access to personal information in contravention of Alberta’s PIPA; (iii) makes an adverse employment action against an employee who acted as a "whistle blower"; or (iv) fails to comply with an order made by the Alberta Privacy Commissioner.

Under British Columbia’s PIPA, such a fine can arise if, for example, an organization: (i) uses deception or coercion to collect personal information; (ii) disposes of personal information with an intent to evade a request for access; (iii) dismisses, suspends, demotes, disciplines, harasses or otherwise disadvantages an employee who is a whistleblower; or (iv) fails to comply with an order made by the British Columbia Privacy Commissioner.


The PPCDA would substantially increase the financial consequences of non-compliance under the federal privacy framework, moving beyond PIPEDA’s more limited offence-based fines by introducing administrative monetary penalties of up to C$10 million or 3% of gross global revenue and fines of up to the greater of C$25 million or 5% of gross global revenue for specified contraventions. This would bring federal enforcement closer to the more stringent model already reflected in the Quebec Privacy Act. Under the PPCDA, organizations will have to proactively assess their compliance posture against the specific obligations that trigger penalties under the PPCDA.

Private Right of Action

PPCDA

The PPCDA includes a private right of action that permits an individual to bring an action for damages against an organization in various circumstances, including if "a final decision dismissing any appeal of the finding, or confirming the finding that the organization has contravened this Act, has been made and all rights of appeal have been exhausted."

Notably, the PPCDA does not limit or affect an individual’s right to avail themselves of a civil remedy under another Act of Parliament, under an Act of a legislature of a province or at common law.

PIPEDA

PIPEDA does not provide an independent right of action through which individuals may pursue judicial remedies against an organization for non-compliance under that statute.

Quebec Privacy Act

Under the Quebec Privacy Act, individuals may bring a private claim for damages arising from privacy violations. Punitive damages of at least C$1,000 may be awarded where the infringement of a right under the Quebec Privacy Act or articles 35 to 40 of the Civil Code of Quebec is intentional or results from a gross fault.

PIPAs

An individual has a cause of action against an organization for damages if: (i) the Alberta or British Columbia Privacy Commissioner has made an order against the organization; or (ii) a person has been convicted of an offence under PIPA, and the person has no further right of appeal in either instance.


The PPCDA’s private right of action creates a new avenue for individuals to seek damages for privacy violations, expanding the litigation risk profile for organizations beyond PIPEDA’s limited Federal Court remedies. While the Quebec Privacy Act already provides individuals with a similar right to seek damages for privacy violations, including punitive damages in certain circumstances, the PPCDA introduces a comparable federal statutory cause of action. The potential for class action proceedings under this provision expands the financial exposure for organizations that experience privacy breaches or fail to comply with the statute. Organizations should assess their privacy practices and incident response capabilities in light of this heightened litigation risk

Takeaways

Organizations should view the PPCDA as a signal of where Canadian privacy compliance is heading. A majority government in parliament makes it conceivable that the legislation will pass in substantially the same form as presented. Organizations should accordingly take steps now to reassess consent practices, formalize privacy management programs, prepare for expanded individual rights, and treat privacy compliance as an enterprise risk function.

If you would like to learn more about the potential impact of the PPCDA on your organization, members of our privacy team can assist.

Social Media
Download
Download
Subscribe
Republication Requests

To obtain permission to republish this publication or any other publication, contact Erica Wirthlin at wirthline@bennettjones.com.

For Informational Purposes Only

This publication provides an overview of trends and legal updates for informational purposes only. For personalized legal advice, please contact the authors.