Federal vs. Provincial Privacy Law: Which Applies to You

How to figure out whether PIPEDA, a provincial private-sector law, a public-sector law, or a health privacy law applies to your issue.

TL;DR

The right law depends on who holds the information (private sector, public sector, health custodian), where the organization operates, and whether the activity is interprovincial or international. PIPEDA fills the gaps but can be displaced by 'substantially similar' provincial laws in BC, Alberta, and Quebec.

Three buckets of law

Canadian privacy law has three main buckets:

Private-sector: PIPEDA federally, BC PIPA, Alberta PIPA, Quebec Law 25 provincially.
Public-sector: Privacy Act federally, FIPPA/FOIP/ATIPP provincially.
Health: dedicated statutes like PHIPA, HIA, HIPA, PHIA.

How PIPEDA interacts with provincial laws

Where a province has 'substantially similar' private-sector legislation, PIPEDA generally does not apply to intraprovincial activities.

PIPEDA still applies to interprovincial and international flows of personal information, and to federally regulated businesses in all provinces.

When multiple laws apply

An incident can involve multiple regimes. For example, a health care organization in BC that sends data to an Ontario service provider triggers BC PIPA, Ontario PHIPA, and potentially PIPEDA for the cross-border flow.

Sources & References

Personal Information Protection and Electronic Documents Act (PIPEDA)—Federal private-sector privacy law governing the collection, use, and disclosure of personal information.Justice Laws Website
Quebec Law 25 (Act respecting the protection of personal information in the private sector)—Quebec's modernized privacy regime introducing mandatory breach notification, privacy impact assessments, data portability, right to be forgotten, and automated decision-making transparency.Publications du Québec
Personal Information Protection Act (PIPA British Columbia)—BC's private-sector privacy law governing the collection, use, and disclosure of personal information by organizations operating in British Columbia.BC Laws
Personal Information Protection Act (PIPA Alberta)—Alberta's private-sector privacy law governing how organizations handle personal information including employee personal information.King's Printer of Alberta
Privacy Act (Canada)—Federal statute governing the collection, use, disclosure, and protection of personal information by federal government institutions.Justice Laws Website

All sources link directly to official government websites. This page provides legal information, not legal advice. Consult a qualified professional before acting on any information presented here.

Federal vs. Provincial Privacy Law: Which Applies to You

Three buckets of law

How PIPEDA interacts with provincial laws

When multiple laws apply

Related topics