What is PIPEDA (Personal Information Protection and Electronic Documents Act)?

PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal private-sector privacy law.

Definition

PIPEDA was enacted in 2000 and came into full force across all provinces by 2004. It applies to private-sector organisations that collect, use, or disclose personal information in the course of commercial activities, including federally-regulated industries such as banking, broadcasting, and inter-provincial transportation.

PIPEDA is built around ten Fair Information Principles (Schedule 1) covering accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance. Together they set the substantive privacy obligations Canadian organisations must meet.

In provinces with their own private-sector privacy law substantially similar to PIPEDA — Alberta (Alberta PIPA), British Columbia (BC PIPA), and Quebec (Law 25) — that provincial law applies to most private-sector activity inside the province. PIPEDA still applies to federally-regulated work and to inter-provincial / international personal information transfers.

Core components

  • Ten Fair Information Principles. Accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; challenging compliance.
  • Mandatory breach notification (since 2018). Organisations must notify the Office of the Privacy Commissioner and affected individuals of breaches involving a "real risk of significant harm." Records of all breaches (notifiable or not) must be maintained for at least 24 months.
  • Privacy Officer. Each organisation must designate a person accountable for compliance and provide their contact information on request.
  • Consent. Generally required for collection, use, and disclosure. The form of consent depends on the sensitivity of the information and the reasonable expectations of the individual.
  • Reasonable safeguards. Physical, organisational, and technical safeguards proportionate to the sensitivity of the information.
  • Subject access rights. Individuals can request access to their personal information and challenge its accuracy.
  • Cross-border data transfers. Permitted with comparable protection. The transferring organisation remains accountable for the information.

Why it matters

For Canadian MSPs and the businesses they serve, PIPEDA (or its provincial equivalent in AB, BC, QC) is the baseline privacy obligation. PIPEDA non-compliance creates regulatory risk (Office of the Privacy Commissioner investigations and reports), reputational risk, and increasingly civil liability through privacy class actions.

Mandatory breach notification, in force since November 2018, makes detection and timely reporting a regulated activity. An organisation that fails to recognise a breach, fails to notify when notification is required, or fails to maintain breach records can face penalties of up to $100,000 per offence — and far more importantly, customer trust evaporates when a breach is reported through the press rather than directly.

For Canadian MSPs, PIPEDA also flows through to clients. The MSP holds personal information on behalf of its clients (the controllers), so the MSP's own technical and organisational safeguards become part of the client's PIPEDA compliance picture. Client procurement increasingly requires the MSP to evidence its safeguards directly.

How Lavawall® helps with PIPEDA (Personal Information Protection and Electronic Documents Act)

Lavawall® bundles PIPEDA into a single Canadian privacy framework alongside Alberta PIPA, BC PIPA, and Quebec Law 25. Most MSPs serve clients under more than one of these regimes; managing them as separate frameworks creates duplicated effort. Lavawall® unifies the controls and asks each question once.

Continuous evidence collection from Windows / macOS / Linux endpoints and Microsoft 365, Entra ID, Azure, and Google Workspace tenants supports PIPEDA's reasonable-safeguards principle. M365 breach detection and identity-threat detection feed the breach notification workflow, including the records-of-all-breaches requirement.

ThreeShield Information Security Corporation, the Calgary-based audit firm that built Lavawall®, has been delivering Canadian privacy work for over a decade. The PIPEDA control mapping reflects what the OPC actually examines in investigations and audits, not just the literal text of the principles.

For Canadian MSPs, Lavawall® produces the safeguards evidence and the privacy-impact-assessment-style documentation that MSP clients increasingly require to evidence PIPEDA compliance up the chain.

Frequently asked

Does PIPEDA apply to me if I am in Alberta, BC, or Quebec?
Generally Alberta PIPA, BC PIPA, or Quebec Law 25 applies to private-sector activity inside the province. PIPEDA still applies to federally-regulated work (banks, telcos, airlines, inter-provincial transportation) and to inter-provincial / international personal information flows.

What triggers PIPEDA breach notification?
A breach of security safeguards involving personal information that creates a "real risk of significant harm" to the affected individual. The factors include sensitivity of the information and the probability of misuse. The OPC publishes guidance on this assessment.

What is the maximum penalty under PIPEDA?
Knowingly contravening the breach notification, record-keeping, or whistleblower-protection provisions is a federal offence punishable by fines of up to $100,000 per offence. The reputational and civil-litigation consequences are typically more significant than the fine.

Is PIPEDA being replaced?
There have been multiple federal proposals (the C-11 / C-27 series) to replace PIPEDA with a more modern privacy and AI law. As of early 2026, PIPEDA remains the law in force. Lavawall® will track and update the framework when the replacement law passes.

Does Lavawall® support the Quebec Law 25 modernisation?
Yes. Lavawall® includes Quebec Law 25 alongside PIPEDA, Alberta PIPA, and BC PIPA in the unified Canadian privacy framework.