Canada's privacy law is changing. The Office of the Privacy Commissioner (OPC) enforces PIPEDA today. Bill C-27 would replace PIPEDA with stronger rules. Canada's EU data transfer deal is also up for review in 2026. Here is what you need to know.
Canada's Current Privacy Law
PIPEDA is Canada's main private sector privacy law. It has been in force since 2001. It covers companies in federally regulated industries. It also applies in provinces without their own privacy law.
Three provinces have their own laws: Alberta, British Columbia, and Quebec.
Quebec's Law 25 is the toughest. It took effect in phases in 2022 and 2023. It requires privacy impact reviews and a named privacy officer. It is much closer to the EU's GDPR than old PIPEDA was.
The OPC handled over 400 PIPEDA complaints in 2024. It issued binding orders against Tim Hortons for collecting location data without consent. Several health app operators also received orders that year.
Bill C-27: Three New Laws
Bill C-27 is moving through Parliament. It has three parts.
Consumer Privacy Protection Act (CPPA) replaces PIPEDA. Key changes:
- Purpose limits and data reduction rules.
- Stronger consent rules.
- Fines up to 3% of global sales or CAD $10M — whichever is more.
- Data portability rights.
- Disclosure rules for automated decisions.
Artificial Intelligence and Data Act (AIDA) adds AI rules:
- Risk-based rules for AI systems.
- Required risk reviews for high-impact AI.
- Disclosure rules for AI that affects people.
- A ban on AI built to cause harm.
Personal Information and Data Protection Tribunal Act creates a new appeals body. This replaces the current Federal Court process.
See how Canada compares to other privacy laws in our global privacy compliance guide.
Canadian PII: What to Detect
Canadian files contain unique ID types. Your tool must handle all of them.
SIN (Social Insurance Number): Nine digits. Format: XXX-XXX-XXX. It uses the Luhn check. SIN appears in tax forms, pay records, and benefit files. It is the most sensitive Canadian ID.
Provincial health card numbers: Canada has 13 provinces and territories. Each uses a different format. There is no federal standard. Key formats:
- Ontario OHIP: 10 digits plus a 2-letter code.
- Alberta AHCIP: 9-digit Personal Health Number.
- BC Services Card: 10-digit PHN.
- Quebec RAMQ: 12 characters — encodes surname initials and birth date.
A compliant tool must support all 13 formats.
CRA Business Number: Nine digits. Issued by the Canada Revenue Agency.
Bilingual PII: English and French
Canada is officially bilingual. Federal forms often mix both languages on one page.
French PII has its own needs:
- Names: French names use accented letters. A tool that misses accents will miss entities.
- Addresses: Quebec addresses use French terms — Rue, Avenue, Boulevard, Chemin. Parsers must handle these.
- RAMQ numbers: Quebec's health number encodes surname initials. Detection must be French-aware.
For a peer view, see how India's DPDPA handles multilingual PII.
The 2026 EU Adequacy Risk
Canada's EU adequacy decision is from 2001. It was the very first one the European Commission granted. It has passed every review so far.
The 2026 review is different. Two issues stand out.
First: Canada's C-26 cybersecurity law (2024) requires critical firms to report incidents to CSE. CSE is Canada's signals intelligence agency. The Commission will check if CSE access to that data conflicts with GDPR.
Second: Canada still runs under PIPEDA. The Commission has flagged PIPEDA's enforcement as weak. CPPA is not yet in force.
If adequacy is suspended or revoked, all EU-Canada transfers must switch to SCCs or BCRs at once.
Start planning now. Waiting for the decision is too late.
For context on how adequacy risk has hurt companies, see our GDPR fines guide.
Minimum Compliance Requirements
For organizations with Canadian operations, the technical baseline is:
- SIN detection with Luhn check.
- Bilingual English and French PII processing.
- Ontario OHIP health card detection.
- Quebec RAMQ health card detection.
- All 13 provincial formats for full CPPA readiness.