OPC Canada: From PIPEDA to Bill C-27 — Canada's Privacy Modernization and What It Means for AI

Canada's OPC enforces PIPEDA while Parliament processes Bill C-27's AI and Data Act. Canada retains EU GDPR adequacy under 2026 review. SIN, provincial health cards, and bilingual processing requirements.

March 7, 2026 · 10 min read
Canada OPC · PIPEDA Bill C-27 · SIN detection · Canadian privacy law · EU adequacy

Canada's Office of the Privacy Commissioner (OPC) is overseeing a significant transition in Canadian privacy law. The Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada's federal private sector privacy law since 2001 — is being replaced by the Consumer Privacy Protection Act (CPPA) under Bill C-27, which would also create a new Artificial Intelligence and Data Act (AIDA). This legislative transition occurs while Canada's EU GDPR adequacy decision is under review in 2026.

Canada's Current Privacy Landscape

PIPEDA governs private-sector personal information processing in federally regulated industries and in provinces without substantially similar legislation. Alberta, British Columbia, and Québec have their own provincial private-sector laws. Québec's Law 25 (2022-2023 phased implementation) is the most GDPR-like provincial law, requiring privacy impact assessments and privacy officer appointments.

OPC enforcement: The OPC investigated 400+ PIPEDA complaints in 2024. The most significant enforcement actions that year were binding orders against Tim Hortons (location data collection without consent) and several health app operators.

EU adequacy: Canada retains its EU GDPR adequacy decision — granted in 2001 under the original adequacy framework. This means EU personal data can transfer to Canada without additional safeguards (SCCs, BCRs). However, the European Commission is conducting a review in 2026, and adequacy is not guaranteed to survive the review given Canada's evolving surveillance law landscape.

Bill C-27: The Proposed New Framework

Bill C-27 is progressing through Parliament with three components:

Consumer Privacy Protection Act (CPPA): Replaces PIPEDA with:

  • Purpose limitation and data minimization requirements (closer to GDPR than PIPEDA)
  • Meaningful consent requirements
  • Significantly enhanced enforcement — OPC can now impose administrative penalties up to 3% of global revenue or CAD $10M, whichever is greater
  • Data portability rights
  • Automated decision-making transparency requirements

Artificial Intelligence and Data Act (AIDA):

  • Risk-based oversight of AI systems (high-impact AI requires mandatory assessment)
  • Transparency requirements for automated decisions affecting individuals
  • Prohibition on AI systems designed to cause harm

Personal Information and Data Protection Tribunal Act: Creates a new tribunal to hear appeals of OPC orders — reducing the current complaint-investigation-Federal Court review cycle.

Canadian National Identifiers

SIN (Social Insurance Number): 9-digit number assigned to all Canadian residents for employment and social benefit access. Format XXX-XXX-XXX, with a check digit using the Luhn algorithm. The SIN is the most sensitive Canadian identifier: it appears in employment records, tax documents, and benefits enrollment.
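SIN detection with Luhn validation as described above, shown as an added example (not code from this page or from any product it describes). The function names `luhn_valid`, `find_sins` and `redact` are this example's own, and the bilingual sample text, names and numbers are constructed.

```python
import re

# Nine digits in 3-3-3 groups with one consistent optional separator (space or hyphen).
# The lookarounds reject windows inside longer digit runs, e.g. a 10-digit health number.
SIN_CANDIDATE = re.compile(r"(?<!\d)\d{3}([ -]?)\d{3}\1\d{3}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total % 10 == 0

def find_sins(text: str) -> list:
    """Return (start, end, digits) for each candidate that passes the Luhn check."""
    hits = []
    for m in SIN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits

def redact(text: str, label: str = "[SIN]") -> str:
    """Replace every validated SIN with a label, leaving all other text intact."""
    out, last = [], 0
    for start, end, _ in find_sins(text):
        out.extend([text[last:start], label])
        last = end
    out.append(text[last:])
    return "".join(out)

# Constructed sample: English and French lines, one order number that fails
# the Luhn check, and an OHIP-style number (10 digits + 2-letter version code).
SAMPLE = (
    "Employee: Amélie Côté, SIN 046 454 286, 1250 Boulevard René-Lévesque.\n"
    "NAS de l'employé : 123-456-782. Numéro de commande : 046-454-287.\n"
    "OHIP: 1234-567-890-AB\n"
)

if __name__ == "__main__":
    print(redact(SAMPLE))
```

One in ten arbitrary nine-digit strings passes the Luhn check, so a pass lowers false positives but does not prove the value is a SIN. The nine-digit CRA Business Number has the same length, so surrounding context (field labels such as "SIN" or "NAS") is still needed to classify a hit.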

Provincial health card numbers: Canada has 13 provinces and territories, each with its own health card numbering system. Provincial health numbers are not standardized at the federal level:

  • OHIP (Ontario): 10-digit number + 2-letter version code
  • AHCIP (Alberta): 9-digit Personal Health Number
  • BC Services Card (BC): 10-digit PHN
  • RAMQ (Québec): 12-character alphanumeric (HHH-AAAA-MMDD format encoding surname initials, birth date)
  • Other provinces: various formats

A Canadian PII tool must handle at least 13 distinct provincial health card formats for comprehensive PIPEDA/CPPA compliance.

CRA business number: 9-digit Business Number (BN) issued by Canada Revenue Agency for all Canadian businesses. Format NNNNNNNNN.

Bilingual Processing: English and French

Canada is officially bilingual — English and French. Organizations operating federally or in bilingual contexts process documents in both languages, often in the same document (e.g., bilingual federal government forms).

Bilingual PII requirements:

  • Names: French-language names include characters like é, è, ê, ë, à, â, î, ô, û, ç, œ. NLP models that do not handle French accented characters correctly generate errors in French-language entity recognition.
  • Addresses: Québec addresses use French conventions ("Rue," "Avenue," "Boulevard," "Chemin"). Address parsing models must handle French-language address formats.
  • RAMQ numbers: Québec's health number format encodes surname initials — a French-language identifier that requires French-aware detection.

Canada's EU Adequacy: The 2026 Risk

Canada's 2001 adequacy decision was the first EU adequacy decision ever granted. It has survived multiple reviews. But the 2026 review occurs in a different context:

  • Canada's C-26 cybersecurity legislation (2024) requires critical infrastructure to report cyber incidents to the Communications Security Establishment (CSE) — Canada's signals intelligence agency. The adequacy review will assess whether CSE access to incident data constitutes a surveillance-law conflict with GDPR.
  • Canada has not yet implemented Bill C-27's CPPA or AIDA, meaning the review occurs under PIPEDA — a law the Commission has previously noted has enforcement weaknesses.

Organizations using Canada's GDPR adequacy decision as the basis for EU-Canada transfers should monitor the 2026 review. If adequacy is suspended or revoked, immediate implementation of SCCs or BCRs would be required.

For organizations with Canadian operations: SIN detection with Luhn validation, bilingual English/French PII processing, and at least Ontario OHIP and Québec RAMQ provincial health number support are the baseline Canadian PII compliance requirements.
