PIPEDA vs. PHIPA vs. Law 25: Canada's Privacy Laws Explained

Confused by Canada's overlapping privacy laws? This plain-language comparison of PIPEDA, PHIPA, and Quebec's Law 25 explains who each applies to, what they require, and how they interact.

4/10/2026 · 2 min read


Why Canada Has Multiple Privacy Laws

Canada's privacy landscape is a patchwork of federal and provincial legislation. If you operate in multiple provinces, serve patients, or do business in Quebec, you may be subject to more than one regime simultaneously. Here's how the major laws break down.

PIPEDA — The Federal Baseline

The Personal Information Protection and Electronic Documents Act applies to private-sector organizations engaged in commercial activities across Canada. It covers interprovincial and international data flows, and federally regulated industries like banking, telecom, and airlines regardless of province. PIPEDA is built on 10 Fair Information Principles and requires meaningful consent, breach reporting to the Office of the Privacy Commissioner (OPC), and 24-month retention of breach records. Fines top out at $100,000.

PHIPA — Ontario's Health Privacy Law

The Personal Health Information Protection Act is Ontario's sector-specific law governing personal health information. It applies to health information custodians — physicians, hospitals, pharmacies, labs, long-term care homes, and others who provide health care in Ontario. PHIPA operates separately from PIPEDA. If you're a health information custodian in Ontario, PHIPA is your primary compliance obligation for PHI. PIPEDA still applies to any non-health commercial activities you conduct.

Law 25 — Quebec's Strict Regime

Quebec's Law 25 applies to any organization that collects personal information about Quebec residents, regardless of where the organization is based. It is currently the most demanding provincial privacy law in Canada, with fines up to $25 million or 4% of worldwide revenue, mandatory Privacy Impact Assessments, and rights to data portability and deindexation.

Side-by-Side Comparison

PIPEDA — Jurisdiction: Federal Canada | Covers: Private sector commercial activity | Regulator: OPC | Max fine: $100,000 | Breach reporting: OPC + individuals | PIA required: No | Right to be forgotten: No

PHIPA — Jurisdiction: Ontario health sector | Covers: Health information custodians | Regulator: IPC Ontario | Max fine: $500,000 | Breach reporting: IPC + individuals | PIA required: No | Right to be forgotten: No

Law 25 — Jurisdiction: Quebec all sectors | Covers: Any org with Quebec residents' data | Regulator: CAI Quebec | Max fine: $25M or 4% revenue | Breach reporting: CAI + individuals | PIA required: Yes (new projects) | Right to be forgotten: Yes

Which Law Applies to You?

Most Canadian businesses will be subject to PIPEDA as their baseline. If you operate in Quebec or handle Quebec residents' data, Law 25 applies and sets a higher standard. If you provide health care in Ontario, PHIPA governs your handling of PHI — but PIPEDA still covers other personal information you hold. When laws overlap, comply with the stricter requirement. Law 25's consent and PIA standards are generally more demanding than PIPEDA's, so organizations subject to both should build their programs to Law 25's level.

Conclusion

Canada's privacy laws aren't mutually exclusive — they stack. Understanding which ones apply to your organization and where they differ is the first step to building a compliance program that actually holds up. If you're not sure which laws apply or where your gaps are, start with a data inventory. You can't manage what you can't see.

Explore PII Protect Suite → https://overallworks.com/piiprotectsuite

This post is for informational purposes only and does not constitute legal advice. Consult a qualified privacy lawyer for guidance specific to your organization.