Personal Information Protection and Electronic Documents Act

PIPEDA's accountability principle holds management directly responsible for demonstrating compliant data handling—with proposed reforms increasing maximum fines to 5% of global revenue.

Mapped to Microsoft controls
Effective Date: 1 January 2001 (full application: 1 January 2004)
Enforcement Body: Office of the Privacy Commissioner of Canada (OPC)
Penalty Framework: The OPC can refer matters to the Federal Court, which can award damages, including compensation for humiliation. Fines of up to CAD 100,000 per violation for non-compliance with compliance orders or agreements. The proposed Consumer Privacy Protection Act (CPPA) would increase maximum fines to CAD 25 million or 5% of global revenue.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law governing the private sector. Built on ten Fair Information Principles (Schedule 1), PIPEDA emphasises accountability, meaningful consent, and organisational responsibility for personal information protection.

The 2018 amendments introduced mandatory breach reporting to the OPC and affected individuals for breaches creating a real risk of significant harm. The Digital Charter Implementation Act (Bill C-27) proposes replacing PIPEDA with the Consumer Privacy Protection Act (CPPA) with significantly enhanced penalties.

For Microsoft 365 environments, PIPEDA compliance requires Purview for data classification and discovery, DLP policies for information protection, eDiscovery for access request fulfillment, and Conditional Access for security safeguards. StremarControl engineers and operates the Microsoft-native controls required for PIPEDA mandates, translating each obligation into enforceable controls, structured evidence, and an ongoing assurance discipline for OPC compliance reporting.

Why This Matters Now

PIPEDA governs how private sector organisations collect, use, and disclose personal information in the course of commercial activity across Canada. Its accountability principle requires organisations to demonstrate compliance through documented policies and practices. For M365 environments, this means Purview data classification and DLP for information protection, eDiscovery for access requests, and Conditional Access for security. Canada's EU adequacy status makes PIPEDA compliance critical for organisations transferring data between Canada and the EU.

Scope & Applicability

Applies to private sector organisations collecting, using, or disclosing personal information in the course of commercial activity. Does not apply to provincial government institutions or organisations in provinces with substantially similar legislation (Alberta, British Columbia, Quebec). PIPEDA applies to all interprovincial and international transfers of personal information. M365 tenants used for Canadian commercial operations must comply.

Core Obligations

01 Accountability Principle (Principle 1, Schedule 1)
Designate an individual accountable for compliance. Implement policies and practices to protect personal information. Train staff accordingly.

02 Consent (Principle 3, Schedule 1)
Obtain meaningful consent for the collection, use, or disclosure of personal information. The form of consent must be appropriate to the sensitivity of the information.

03 Breach Reporting (Section 10.1)
Report to the OPC and notify affected individuals of breaches of security safeguards creating a real risk of significant harm. Maintain breach records.

04 Individual Access (Principle 9, Schedule 1)
Upon request, inform individuals of the existence, use, and disclosure of their personal information and provide access to that information.

Microsoft 365 Control Mapping

How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.

Obligation: Accountability & Safeguards
M365 Control: Conditional Access with MFA and device compliance. Intune security baselines. Purview sensitivity labels for data classification. Documented security policies aligned to Schedule 1.
Evidence: Conditional Access policy exports, Intune compliance reports, label usage analytics, policy documentation.

Obligation: Breach Reporting
M365 Control: Defender XDR incident detection with Sentinel playbooks for OPC notification workflows. Breach record maintenance in Purview audit logs.
Evidence: Incident timeline reports, OPC notification records, breach register exports.

Obligation: Individual Access
M365 Control: Purview eDiscovery for access request fulfillment. Content Search scoped to individual identifiers. Managed response workflows with SLA tracking.
Evidence: Access request completion logs, response time reports, eDiscovery search exports.

Implementation Timeline

April 2000: PIPEDA receives Royal Assent
January 2004: PIPEDA fully applicable to all commercial activities
November 2018: Mandatory breach reporting provisions come into force
June 2022: Bill C-27 (Digital Charter Implementation Act) introduced, proposing to replace PIPEDA
Ongoing: OPC investigations, guidance, and enforcement actions

Ready to get PIPEDA-ready?

Start with a fixed-scope sprint. We assess your Microsoft 365 controls against PIPEDA requirements, close gaps, and produce audit-ready evidence.