Canadian privacy law by jurisdiction

Federal (Canada)

Federal privacy law splits between public-sector institutions and private-sector commercial activity. The Office of the Privacy Commissioner of Canada (OPC) enforces both PIPEDA and the Privacy Act and investigates complaints against federal institutions and private-sector organizations.

Ontario

Ontario separates provincial public bodies, municipal institutions, health information custodians, and children's service providers into different statutes. The Information and Privacy Commissioner of Ontario (IPC) enforces FIPPA, MFIPPA, PHIPA, and the privacy provisions of CYFSA, issuing binding orders under each.

British Columbia

British Columbia separates public bodies and private-sector organizations into different statutes. The Office of the Information and Privacy Commissioner for BC (OIPC BC) enforces both FIPPA and PIPA, issuing binding orders for access and privacy complaints under each.

Alberta

Alberta's access and privacy framework split in June 2025: the former combined FOIP Act was divided into a standalone Access to Information Act (ATIA) and a Protection of Privacy Act (POPA), while PIPA governs private-sector organizations and the Health Information Act covers health custodians. The Office of the Information and Privacy Commissioner of Alberta (OIPC) enforces all five statutes and issues binding orders.

Saskatchewan

Saskatchewan separates provincial institutions, local authorities, and health information into different laws. The Office of the Saskatchewan Information and Privacy Commissioner (OIPC SK) reviews access and privacy matters under FOIP, LA FOIP, and HIPA, issuing review reports, investigation reports, and disregard decisions.

Manitoba

Manitoba's privacy and access framework rests on two complementary statutes: The Freedom of Information and Protection of Privacy Act (FIPPA) for the broader public sector, and The Personal Health Information Act (PHIA) for personal health information held by trustees. Manitoba does not have a dedicated Information and Privacy Commissioner — instead, oversight is a two-stage regime. At Stage 1, the Manitoba Ombudsman investigates access and privacy complaints and reportable privacy breaches and issues case reports with advisory findings and recommendations (FIPPA s.66(1) / PHIA s.47); the public body or trustee decides whether to comply. At Stage 2, if the head refuses to act on the recommendations (or accepts but fails to act in time, or fails to respond), the Ombudsman — not the complainant directly — may refer the matter to an independent Information and Privacy Adjudicator (created by S.M. 2008 c.40) under FIPPA s.66.1 / PHIA s.48.1. The Adjudicator must then dispose of the issues by making an order (FIPPA s.66.8(1) / PHIA s.48.8); the order is binding, the head must comply within 30 days (FIPPA s.66.9(1) / PHIA s.48.9), and the order is challengeable only by judicial review in the Court of King's Bench within 25 days (FIPPA s.66.10 / PHIA s.48.10). A parallel access-only fallback under FIPPA s.67 / PHIA s.49 lets the applicant appeal the head's access decision directly to the Court of King's Bench as a new matter (FIPPA s.69), but only where the Ombudsman did not refer the matter to the Adjudicator.

Quebec

In Progress

Quebec's privacy framework rests on three statutes — all administered by the Commission d'accès à l'information du Québec (CAI), a two-section tribunal under art. 104 of the Public-bodies Act (a Section de surveillance for oversight and investigations, and a Section juridictionnelle for binding adjudicative orders). The Public-bodies Act (CQLR c A-2.1) covers provincial public-sector access and privacy; the Private-sector Act (CQLR c P-39.1) covers private-sector privacy in commercial activity within Quebec; and the Health and Social Services Information Act (RLRQ c R-22.1, in force 2024-07-01) carves out health-sector data into its own dedicated regime. Quebec is one of three Canadian provinces (with BC and Alberta) with a comprehensive provincial private-sector privacy law. The Public-bodies and Private-sector Acts were substantially reformed by Law 25 (Loi 25), enacted 2021 and phased in through 2024, which strengthened consent rules, added breach-notification obligations, introduced a private right of action, and aligned Quebec more closely with European data-protection norms. All three statutes share the same broad order-making framework under art. 141 / 55 / 123 (order disclosure, abstention, rectification, or cessation of a use or disclosure of PI) and the same enforcement chain — orders to do something executory after 30 days, filable as a Cour supérieure judgment, final on questions of fact, and appealable to the Cour du Québec on questions of law. The Public-bodies Act art. 145 government-override (Cabinet decree suspending execution in the public interest) is unique to that statute. CAI decisions are issued in French; the summarizer pipeline translates output fields to English while preserving proper names.

Nova Scotia

Nova Scotia's access and privacy framework rests on four statutes: the Freedom of Information and Protection of Privacy Act (FOIPOP) for provincial public bodies, Part XX of the Municipal Government Act for municipalities and other local bodies, the Personal Health Information Act (PHIA) for health custodians, and the Personal Information International Disclosure Protection Act (PIIDPA) restricting cross-border disclosure of personal information by public bodies. All four are overseen by the Information and Privacy Commissioner (the statutory Review Officer), whose office is established by the Privacy Review Officer Act. The Commissioner reviews access decisions, investigates privacy complaints and reportable breaches, and issues Review Reports and Investigation Reports with advisory recommendations to the public body or custodian — recommendations the body may accept or refuse. If a recommendation is refused, the applicant may appeal to the Nova Scotia Supreme Court for a binding order; binding orders do not come directly from the Commissioner. The OIPC also maintains a separate index of NS Supreme Court and NS Court of Appeal decisions interpreting these statutes, since appeals to court proceed as de novo hearings in which the Commissioner is not a party.

New Brunswick

New Brunswick's privacy and access framework rests on two complementary statutes: the Right to Information and Protection of Privacy Act (RTIPPA, R-10.6) for the broader public sector, and the Personal Health Information Privacy and Access Act (PHIPAA, P-7.05) for personal health information held by custodians. Both were assented to on June 19, 2009 and are administered by the Ombud — an officer of the Legislative Assembly appointed under the Ombud Act. The office was consolidated and renamed from the former Access to Information and Privacy Commissioner by SNB 2016, c.53, s.27 and SNB 2019, c.19, s.6; references to "Commissioner" in earlier materials are read as references to the Ombud. The Ombud receives complaints, conducts investigations, and issues a report containing findings and advisory recommendations to the head of the public body or to the custodian (RTIPPA s.73(1); PHIPAA s.73). The head or custodian then has 20 business days to decide whether to accept or not accept the recommendation (RTIPPA s.74(1)–(2); PHIPAA s.74) and, if accepted, must comply within 20 business days; failure to give notice within the window is deemed a decision not to accept (RTIPPA s.74(4)). If the head or custodian refuses the recommendation, the complainant has a right of appeal to a judge of the Court of King's Bench of New Brunswick (RTIPPA s.75(1); PHIPAA s.75(1)); if the complainant does not exercise that right, the Ombud may on its own motion appeal the matter to the Court of King's Bench (RTIPPA s.75(2)). Both statutes also preserve a direct-bypass route to the Court of King's Bench: an applicant may refer the matter directly to a judge of the court within 40 business days under RTIPPA s.65 or 30 days under PHIPAA s.66, in which case the Ombud is foreclosed from acting in the matter. On a referral under RTIPPA s.65 or PHIPAA s.66, or on an appeal under s.75 of either Act, the Court of King's Bench has full ordering authority (RTIPPA s.66; PHIPAA s.67) — including ordering the head or custodian to grant access in whole or in part, to reply to a request, to correct personal information, or to make any other order the judge considers necessary.

Prince Edward Island

Prince Edward Island's access-to-information and privacy framework rests on two statutes: the Freedom of Information and Protection of Privacy Act (FOIPP) for the broader public sector, and the Health Information Act (HIA) for personal health information held by custodians. Both are overseen by the Information and Privacy Commissioner of Prince Edward Island — an independent officer of the Legislative Assembly who reviews access decisions, investigates privacy complaints, and issues rulings. The Commissioner's rulings are a mix of advisory recommendations (decisions, refusals, investigation reports) and binding-style orders following formal inquiries (Order numbers prefixed OR-YY-NNN). Judicial reviews of Commissioner orders are heard by the PEI Supreme Court.

Newfoundland and Labrador

Newfoundland and Labrador's access and privacy framework rests on two Acts administered by the Information and Privacy Commissioner — an officer of the House of Assembly under ATIPPA, 2015 s.85 and PHIA s.92(2): the Access to Information and Protection of Privacy Act, 2015 (ATIPPA, 2015, SNL 2015 c. A-1.2, assented and proclaimed in force June 1, 2015) for the provincial public sector, and the Personal Health Information Act (PHIA, SNL 2008 c. P-7.01, assented June 4, 2008 and brought into force April 1, 2011) for personal health information held by custodians. ATIPPA, 2015 was drafted on the recommendations of the 2014 Statutory Review (the "Wells Report") that re-engineered the previous Act after the 2011 Cameron Inquiry. Both Acts are recommendation-and-declaration regimes with a distinctive enforcement architecture. Under ATIPPA s.47 and PHIA s.72(2), the Commissioner makes recommendations rather than orders. Under ATIPPA s.49, the head of a public body has 10 business days after receiving a recommendation to decide whether to comply in whole or in part and to give written notice; failure to give notice within the window is deemed acceptance under s.49(2). For an access or correction recommendation the head wishes to refuse, ATIPPA s.50 requires the head to apply to the Trial Division within 10 business days for a declaration that the body is not required to comply — the burden of going to court rests on the public body, not the applicant. If the head agreed (or was deemed to have agreed) to comply but failed to do so within 15 business days, or failed to apply for a declaration, ATIPPA s.51 lets the Commissioner prepare and file an order directly with the Trial Division; under s.51(5) the order is enforceable against the public body as if it were a judgment of the court. Applicants and third parties keep two parallel paths: appeal a public-body decision after receipt of the Commissioner's recommendation under s.54, or appeal directly to the Trial Division (skipping the Commissioner) under s.52. PHIA mirrors the recommendation-and-declaration architecture in s.74 and s.79 with a 15-day custodian-response window and (under s.74(3)) the opposite default — silence on the custodian's part is deemed refusal, not acceptance. PHIA s.72(3) sets one further rule: where the Commissioner concludes a review without making an access or correction recommendation, the Commissioner is deemed to have confirmed the custodian's refusal. The province also has a separate Privacy Act (RSNL 1990 c. P-22), a tort statute creating a private right of action for wilful invasion of privacy heard by the Trial Division — not Commissioner-administered, and outside this database's decision corpus.