Canada — Data Subject Rights

7 sections · Last updated 2026-06-02

PIPEDA individual access right — Principle 4.9 and the 30-day response clock

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) grants individuals a statutory right to access their personal information held by private-sector organizations subject to the Act. Principle 4.9 of Schedule 1 to PIPEDA establishes that "upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and be given access to that information." This right applies to any organization engaged in commercial activities, including all federal works, undertakings, and businesses (such as banks, telecommunications companies, and airlines). Certain provincial private-sector privacy laws have been declared substantially similar to PIPEDA by Order in Council, creating partial exemptions for organizations operating within those regimes.

Scope of the right

An individual is entitled to:

  • confirmation whether the organization holds personal information about them;
  • access to that personal information in a form that is generally understandable (Principle 4.9.4 requires that abbreviations, codes, and technical terms be explained);
  • an account of how the information has been or is being used and a list of third parties to whom it has been disclosed; and
  • the opportunity to challenge the accuracy and completeness of the information and to have it amended as appropriate (Principle 4.9.5).

Section 2(1) defines "personal information" broadly as "information about an identifiable individual."

The 30-day response deadline

Subsection 8(3) of PIPEDA requires an organization to "respond to a request with due diligence and in any case not later than thirty days after receipt of the request." The response must either provide the requested information or advise the individual that the organization does not hold it. A mere acknowledgment of receipt does not constitute a response for the purpose of subsection 8(3). Under subsection 8(5), an organization that fails to respond within 30 days is deemed to have refused the request, enabling the individual to file a complaint with the Privacy Commissioner of Canada.

Time extensions

Subsection 8(4) permits an organization to extend the response deadline beyond 30 days in three specific circumstances:

  1. Up to 30 additional days if responding within the original 30 days would unreasonably interfere with the organization's activities; or
  2. Up to 30 additional days if the time required to conduct consultations necessary to respond to the request would make it impracticable to meet the deadline; or
  3. The period of time necessary to convert the personal information into an alternative format if the individual requires an alternative format to accommodate a sensory disability.

If an organization relies on subsection 8(4), it must send a notice of extension to the individual within the original 30-day period, advising the individual of the new time limit, the reasons for the extension, and the individual's right to complain to the Privacy Commissioner about the extension (subsection 8(4)(b)).

Minimal or no cost

Principle 4.9.4 of Schedule 1 provides that an organization "shall respond to an individual's request … at minimal or no cost to the individual." The OPC's guidance on Principle 4.9 states that organizations may charge reasonable photocopying fees but may not impose flat fees that would dissuade individuals from requesting access. If an organization intends to charge a fee, it must notify the requester of the approximate cost and confirm the individual wishes to proceed before processing the request.

Correction and amendment

Principle 4.9.5 requires organizations to amend personal information shown to be inaccurate or incomplete. If an individual successfully demonstrates an error, the organization must correct the record and, "where appropriate," transmit the corrected information to any third parties to whom it had previously disclosed the inaccurate data. If the organization disputes the individual's claim of inaccuracy, the individual has the right to have a notation of the disagreement placed on the file. The individual may then file a complaint with the Privacy Commissioner.

Record retention during dispute

Subsection 8(8) overrides the general retention limits in Principle 4.5: "an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have." This obligation applies once an access request is received. Organizations must preserve responsive information — including audio or video recordings that would otherwise be deleted under routine retention schedules — until the individual has exhausted all complaint and review procedures available under Part 1 of PIPEDA.

Complaint procedure

Subsection 11(3) provides that a complaint alleging refusal to grant an access request under section 8 must be filed with the Privacy Commissioner within six months of the refusal or the expiry of the response deadline, or such longer period as the Commissioner may allow. The Privacy Commissioner is an independent officer who reports to Parliament. After investigating an access complaint, the Commissioner issues a report of findings. If the matter is not resolved, either the individual or the Commissioner may apply to the Federal Court for review under section 14 or section 15 of PIPEDA.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5
Source: PIPEDA Fair Information Principle 9 – Individual Access, Office of the Privacy Commissioner of Canada
Source: Interpretation Bulletin: Access to Personal Information, Office of the Privacy Commissioner of Canada
Source: Responding to access to information requests under PIPEDA, Office of the Privacy Commissioner of Canada

Statutory grounds for refusing access — PIPEDA section 9 exceptions

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Although PIPEDA Principle 4.9 grants individuals a general right to access their personal information, section 9 of PIPEDA enumerates specific circumstances under which an organization shall refuse access (mandatory) or is not required to provide access (discretionary). These exceptions are narrowly construed; organizations that invoke section 9 must be prepared to justify the refusal to the Office of the Privacy Commissioner of Canada (OPC) if challenged, and the Federal Court retains jurisdiction to review any refusal under sections 14 and 15 of PIPEDA.

Mandatory refusal: Third-party personal information (subsection 9(1))

Subsection 9(1) provides that, "despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party." This is a mandatory prohibition, not a discretion.

However, the statute imposes a severability requirement: if the information about the third party is severable from the record containing the requester's personal information, the organization must sever the third-party information and provide the requester with access to their own information. The OPC has confirmed that severance is required whenever technically feasible; organizations may not withhold an entire record merely because a portion contains third-party personal information.

Exceptions to the third-party rule (subsection 9(2))

Subsection 9(2) carves out two scenarios in which subsection 9(1) does not apply, and the organization must disclose third-party personal information to the requester:

  1. The third party consents to the access; or
  2. The individual needs the information because an individual's life, health, or security is threatened.

The second exception is narrow and fact-specific. The OPC has interpreted "threatened" to require an imminent and specific threat, not a general or hypothetical concern.

Discretionary refusal grounds (subsection 9(3))

Subsection 9(3) introduces a set of permissive exceptions: "Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if" one of the enumerated grounds applies. The Privacy Commissioner has consistently held that these are discretionary; even if a ground applies, the organization may choose to disclose the information. Each ground is subject to a high evidentiary threshold.

The subsection 9(3) grounds are:

(a) Solicitor-client privilege / professional secrecy of lawyers and notaries

Paragraph 9(3)(a) permits refusal if "the information is protected by solicitor-client privilege or, in civil law, by the professional secrecy of lawyers and notaries." This ground is strictly limited to communications subject to privilege. Organizations must be able to demonstrate that the common-law test for solicitor-client privilege is satisfied (confidential communication between solicitor and client made for the purpose of obtaining or giving legal advice). The OPC may refer claims of privilege to the Federal Court for independent verification under PIPEDA section 14 if the organization and the individual are at an impasse.

(b) Confidential commercial information

Paragraph 9(3)(b) allows an organization to refuse access if doing so "would reveal confidential commercial information." The Privacy Commissioner has set a "very high standard" for this exception. It is not enough that confidential commercial information could or might be revealed; the organization must establish that disclosure would reveal such information. The OPC has applied this exception narrowly, recognizing that personal information (such as an individual's internal credit score) may be derived from a confidential proprietary algorithm, but only after careful case-by-case analysis of whether disclosure of the score itself would in fact reveal the underlying model.

The burden is on the organization to prove both that the information is confidential and that its disclosure would cause competitive harm or other commercial prejudice. General assertions are insufficient.

(c) Information subject to legal privilege

Paragraph 9(3)(c) permits refusal if providing access "could reasonably be expected to threaten the life or security of another individual." This exception addresses scenarios in which disclosure to the requester would endanger a third party — for example, information about an informant or witness in an investigation. The "reasonably be expected" standard requires objective evidence of a real threat, not speculation.

(c.1) Law enforcement, legal proceedings, and investigations

Paragraph 9(3)(c.1) permits refusal if providing access "would likely reveal information that was generated in the course of a formal dispute resolution process." This provision was added by the Digital Privacy Act (S.C. 2015, c. 32) to protect mediation and arbitration materials. Organizations must demonstrate that the information was created within a formal dispute resolution mechanism and that disclosure would undermine confidentiality protections essential to that process.

(d) Information related to government-institution objections (subsections 9(2.1)–(2.4))

Subsections 9(2.1) through 9(2.4) establish a specialized regime for access requests that relate to an organization's disclosure of personal information to a government institution under specific provisions of section 7 (including national-security disclosures under paragraph 7(3)(c), law-enforcement disclosures under subparagraph 7(3)(c.1)(i) or (ii), or disclosures under paragraphs 7(3)(c.2) or (d)).

When an individual requests access to information about such a disclosure — or requests access to the disclosed information itself — subsection 9(2.2) requires the organization to notify the government institution in writing and ask whether the institution objects to the disclosure on enumerated grounds (national security, defense, international affairs, law enforcement, or the detection/suppression of subversive activities).

If the institution objects, subsection 9(2.4) imposes three mandatory obligations on the organization:

  1. Refuse the request to the extent it relates to the disclosure or the information disclosed;
  2. Notify the Privacy Commissioner in writing and without delay of the refusal; and
  3. Do not reveal to the requester the fact of the disclosure to the government institution, the substance of the information disclosed, or the fact that the institution objected.

This creates a limited "mosaic theory" exception under which an organization may be compelled to remain silent about even the existence of a government-institution disclosure. The OPC has affirmed that organizations in this position have no discretion to disclose; the refusal is mandatory once the government institution has objected.

(e) Whistleblower materials

Paragraph 9(3)(e) permits refusal if "the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act." This provision protects the confidentiality of federal public-sector whistleblowing processes. It does not extend to private-sector or provincial whistleblowing regimes unless the disclosure was made pursuant to the federal statute.

Procedural obligations when refusing access

When an organization refuses an access request under any ground in section 9, it must comply with the procedural requirements set out elsewhere in PIPEDA. These include:

  • Responding within the 30-day deadline (subsection 8(3)) or the extended deadline if subsection 8(4) applies. A refusal is a response for the purpose of the deadline; the organization must deliver a written refusal, not merely acknowledge receipt.
  • Providing a written explanation of the reasons for the refusal, citing the specific paragraph of section 9 that applies (this is required by the note to Principle 4.9 of Schedule 1 and confirmed in OPC guidance).
  • Informing the individual of their right to complain to the Privacy Commissioner under subsection 11(1) and their right to apply to the Federal Court for a hearing under section 14.
  • If the refusal is grounded on paragraph 9(3)(c.1), notifying the Privacy Commissioner in writing of the refusal (subsection 9(5)).
  • Retaining the disputed personal information for as long as necessary to allow the individual to exhaust all recourse under Part 1 of PIPEDA (subsection 8(8)).

Organizations that fail to provide reasons or notify the Commissioner where required may be found in breach of PIPEDA's access obligations independently of the merits of the underlying refusal.

Burden of proof and review

The Privacy Commissioner and the Federal Court have both held that the organization bears the burden of proving that a refusal ground under section 9 applies. Assertions are not enough; the organization must produce evidence — affidavits, expert reports, in camera submissions where necessary — demonstrating that the statutory threshold is met. The exceptions in section 9 are to be construed narrowly, in keeping with the general statutory purpose of maximizing individual access to personal information.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, section 9
Source: Interpretation Bulletin: Access to Personal Information, Office of the Privacy Commissioner of Canada
Source: PIPEDA Report of Findings #2002-039 – Bank's refusal to release credit score, Office of the Privacy Commissioner of Canada
Source: PIPEDA Report of Findings #2017-009 – Airline relies on access exemption to refuse traveler's access, Office of the Privacy Commissioner of Canada

Right to correction and amendment — PIPEDA Principles 4.9.5 and 4.9.6

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

PIPEDA grants individuals the right to challenge the accuracy and completeness of their personal information and to have it corrected when they successfully demonstrate an error or omission. This correction right is established in Principles 4.9.5 and 4.9.6 of Schedule 1 to PIPEDA and applies to all personal information held by organizations subject to the Act. The correction mechanism is closely linked to the access right under Principle 4.9, as individuals typically discover inaccuracies through the access process.

Mandatory correction when inaccuracy is demonstrated — Principle 4.9.5

Principle 4.9.5 imposes a mandatory obligation: "When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required." The burden of proof is on the individual — the organization is not required to amend information unless the individual provides evidence establishing that the information is factually inaccurate or incomplete. The Office of the Privacy Commissioner of Canada (OPC) has consistently held that assertions or unsupported claims are not sufficient; the individual must produce documentation or other credible evidence showing that the information on file is wrong.

"Amendment involves the correction, deletion, or addition of information," depending on the nature of the inaccuracy (Principle 4.9.5). For example, if a credit file contains an erroneous entry reflecting a debt that was never incurred, the organization must delete the entry. If a customer record omits a material fact (such as a resolved complaint), the organization must add the missing information. The statutory standard for accuracy is purpose-relative: "Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used" (Principle 4.6). The OPC has stated that "PIPEDA does not require that personal information be completely accurate, complete, and up-to-date; rather, it requires that personal information be as accurate, complete, and up-to-date 'as is necessary for the purposes for which it is to be used.'" The use to which the information is put determines the required level of accuracy.

Transmission to third parties

When an organization corrects personal information pursuant to Principle 4.9.5, it must, "where appropriate," transmit the amended information to any third parties to whom it had previously disclosed the inaccurate data. The "where appropriate" qualifier gives the organization limited discretion, but the OPC has interpreted this narrowly: if the third party received the inaccurate information for an administrative purpose — such as a credit bureau, an insurer, or a service provider making decisions about the individual — notification is generally required. The purpose is to prevent the third party from continuing to act on incorrect information. In Nammo v. TransUnion of Canada Inc., 2010 FC 1284, the Federal Court held that in circumstances where it is appropriate to notify third parties, the organization "must also provide the amended information in order to 'set the record straight.'" A mere notification that a correction was made, without transmitting the corrected data itself, is insufficient.

The organization bears the cost and administrative burden of notifying third parties. PIPEDA does not impose a deadline for such notification, but the OPC has stated that where inaccurate information may cause ongoing harm — for example, a credit report affecting the individual's ability to obtain financing — the organization must act promptly.

Notation of unresolved disputes — Principle 4.9.6

When an individual challenges the accuracy of personal information but the organization is not satisfied that the individual has demonstrated an error, the organization may refuse to amend the record. However, Principle 4.9.6 creates a mandatory fallback right: "When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization." This notation is not discretionary. If the individual maintains that the information is inaccurate and the organization disagrees, the organization must attach a notation to the file summarizing the individual's claim of inaccuracy.

Principle 4.9.6 further provides that "when appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question." This ensures that third parties reviewing the record (such as a credit bureau or an employer conducting a reference check) are aware that the individual disputes the accuracy of the information. The OPC has found that organizations meet their obligations under Principle 4.9.6 when they attach the individual's statement of disagreement to the file and transmit both the disputed information and the notation to third parties. For example, in a credit-reporting context, if an individual disputes the accuracy of a credit score or a derogatory entry, and the credit reporting agency declines to remove the entry after investigation, the agency must record the individual's statement of dispute on the credit file and include that statement in future disclosures to lenders and other credit grantors.

Procedural requirements and timelines

PIPEDA does not prescribe a specific deadline by which an organization must respond to a correction request. However, the correction right is functionally part of the access process, and the OPC has stated that organizations should respond to correction requests with the same "due diligence" expected for access requests. If an organization unreasonably delays a correction or fails to respond, the individual may file a complaint with the Privacy Commissioner under subsection 11(1) of PIPEDA, which provides that individuals may complain if they are "not being accorded the rights to which they are entitled under subsection 12(2)" — which includes the right to "request correction of the personal information" and to "require that a notation be attached to the information reflecting any correction requested but not made."

Federal Court review and damages

If the Privacy Commissioner's investigation does not resolve a correction dispute, the individual may apply to the Federal Court for a hearing under section 14 of PIPEDA. Subsection 14(1) permits an individual to apply to the Court "in respect of any matter … that is referred to in … clause 4.9 of [Schedule 1] as modified or clarified by Division 1 or 1.1," which includes the correction obligation under Principles 4.9.5 and 4.9.6. The Court may order the organization to correct the information (section 16 of PIPEDA). If the Court finds that the organization knowingly or recklessly failed to comply with the correction obligation, it may award damages to the individual, including damages for humiliation under subsection 16(c).

In Nammo v. TransUnion of Canada Inc., the Federal Court stated that in assessing the reasonableness of an organization's conduct in a correction dispute (for the purpose of awarding damages), "it is appropriate that the Court be guided by a number of factors including the nature of the response to the complaint, the steps taken to investigate the allegation of inaccuracy, the steps taken to correct the information collected in an organization's own records, the steps taken to correct false information the organization has provided to others, the steps taken to keep the individual informed of actions taken, and the timeliness of all steps taken."

Relationship to accuracy principle — Principle 4.6

The correction right under Principle 4.9.5 enforces the overarching accuracy obligation in Principle 4.6, which requires that "personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used." Organizations may not rely solely on individuals to identify errors; Principle 4.6.2 states that "personal information used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out." The correction mechanism in Principle 4.9 is the procedural safeguard enabling individuals to enforce Principle 4.6 when the organization's own data-quality controls fail.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Schedule 1, Principles 4.6, 4.9.5, and 4.9.6
Source: Interpretation Bulletin: Accuracy, Office of the Privacy Commissioner of Canada
Source: Responding to access to information requests under PIPEDA, Office of the Privacy Commissioner of Canada
Source: Nammo v. TransUnion of Canada Inc., 2010 FC 1284 (Federal Court)

Complaint procedure to the Privacy Commissioner and Federal Court review — PIPEDA sections 11–16

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

When an organization refuses or fails to comply with a data subject rights request under PIPEDA — access, correction, or withdrawal of consent — the individual may file a written complaint with the Privacy Commissioner of Canada (OPC) under section 11 of PIPEDA. The complaint and investigation procedure is the statutory enforcement mechanism for the privacy rights established in Schedule 1 to PIPEDA, and it leads to an independent investigation by the Commissioner followed, if necessary, by a hearing before the Federal Court with the power to award damages and injunctive relief. This two-stage administrative-then-judicial process is mandatory; individuals cannot apply directly to the Federal Court without first filing a complaint with the Commissioner.

Filing a complaint — section 11(1)

Subsection 11(1) provides that "an individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or 1.1 or for not following a recommendation set out in Schedule 1." The statutory language is permissive ("may"), but in practice a complaint is the only mechanism available to enforce privacy rights against private-sector organizations subject to PIPEDA. The complaint may be filed directly by the individual or by a representative acting on the individual's behalf (subsection 11(4) permits the Commissioner to receive complaints submitted on behalf of complainants, though there is no statutory requirement for a power of attorney or written authorization).

Complaints must be in writing. The OPC does not prescribe a mandatory form; individuals may file a complaint via an online form on the OPC website (priv.gc.ca), by email, or by postal mail. The complaint must identify the organization, describe the alleged contravention, and explain what harm or impact the individual has suffered. The OPC's published guidance recommends that complainants include supporting documentation (copies of the access request, the organization's response, and any correspondence), though the absence of documentation does not render a complaint inadmissible.

Time limit for access-refusal complaints — subsection 11(3)

When an organization refuses an access request under section 8 of PIPEDA, or fails to respond within the 30-day statutory deadline (in which case the organization is deemed to have refused the request under subsection 8(5)), subsection 11(3) imposes a six-month limitation period: "A complaint that results from the refusal to grant a request under section 8 must be filed within six months, or any longer period that the Commissioner allows, after the refusal or after the expiry of the time limit for responding to the request, as the case may be."

The six-month clock begins to run on the date of the organization's written refusal or, if the organization fails to respond, on the date the 30-day deadline (or extended deadline under subsection 8(4)) expires. The Commissioner has discretion to extend the limitation period "for any longer period that the Commissioner allows." The OPC has stated that extensions are granted when the individual can demonstrate a reasonable explanation for the delay — for example, medical incapacity, reliance on the organization's assurances that a response was forthcoming, or difficulty obtaining legal advice. Complainants who file late should include a request for an extension and an explanation in the complaint submission.

For complaints not arising from an access refusal — for example, complaints alleging unauthorized collection, use, or disclosure of personal information, or complaints about correction or consent-withdrawal requests — PIPEDA does not prescribe a statutory limitation period. However, subsection 12(1)(c) permits the Commissioner to decline to investigate a complaint if "the complaint was not filed within a reasonable period after the day on which the subject matter of the complaint arose." The OPC has interpreted "reasonable period" to mean generally within one year of the alleged contravention, but the analysis is fact-specific and takes into account the nature of the harm and whether the individual was aware of the contravention when it occurred.

Investigation by the Privacy Commissioner — sections 12 and 12.1

Upon receipt of a complaint, the Commissioner must give notice to the organization against which the complaint was made (subsection 11(6)). The Commissioner then conducts an investigation under section 12, unless one of the discretionary grounds for declining to investigate applies: the complaint is trivial, frivolous, vexatious, or made in bad faith (paragraph 12(1)(a)); the complaint could more appropriately be dealt with under another law (paragraph 12(1)(b)); or the complaint was not filed within a reasonable period (paragraph 12(1)(c)).

Subsection 12(2) authorizes the Commissioner to attempt to resolve complaints "by means of dispute resolution mechanisms such as mediation and conciliation." The OPC frequently invokes early resolution: if the organization agrees to provide access, correct the information, or implement the requested change during the investigation, the OPC will close the complaint as "resolved" without issuing formal findings. In OPC statistics, approximately 40–50% of complaints are resolved informally. Organizations are well advised to engage constructively with the OPC during investigation; a demonstrated willingness to remedy a breach often leads to a faster and less public resolution than a contested finding and Federal Court proceeding.

Section 12.1 grants the Commissioner broad investigatory powers, including the power to summon and compel the attendance of witnesses, compel the production of records, administer oaths, and enter any premises (other than a private dwelling) occupied by the organization. These powers are modeled on those of a superior court. Subsection 12.1(2) provides that "despite any other Act of Parliament," the Commissioner may examine "any information recorded in any form" under the organization's control and "no information that the Commissioner may examine under this subsection may be withheld from the Commissioner on any grounds" — subject only to very narrow exceptions for solicitor-client privilege when expressly invoked by the organization in a refusal under section 9. In practice, organizations that assert privilege must be prepared to defend the claim before the Federal Court under section 14 if the individual applies for review.

The Commissioner's report — section 13

At the conclusion of an investigation, the Commissioner prepares a report of findings under section 13. Subsection 13(1) requires the report to contain:

  • (a) the Commissioner's findings and recommendations;
  • (b) any settlement reached by the parties during investigation;
  • (c) the Commissioner's reasons; and
  • (d) notice of the complainant's right to apply to the Federal Court for a hearing under section 14 if the complaint is not resolved to the complainant's satisfaction.

The report is sent to the complainant and to the organization. The Commissioner's findings are persuasive but not binding. The organization is not legally obliged to implement the Commissioner's recommendations; PIPEDA grants the Commissioner investigative and mediation authority but no order-making power. However, organizations that decline to implement the Commissioner's recommendations face the risk that the complainant will apply to the Federal Court under section 14, and in Federal Court proceedings the Commissioner's findings are admissible and carry significant weight.

Discontinuance of investigation — section 12.2

Under section 12.2, the Commissioner may discontinue an investigation if satisfied that the subject matter of the complaint has been adequately dealt with or that the complaint does not warrant further investigation. If the investigation is discontinued, the Commissioner must notify the complainant and the organization and provide reasons (subsection 12.2(3)). A discontinuance does not constitute a finding that the organization complied with PIPEDA; it simply means the Commissioner has declined to investigate further. The complainant retains the right to apply to the Federal Court under section 14 following a discontinuance.

Federal Court application for a hearing — section 14

If the Commissioner's findings and recommendations do not resolve the complaint — either because the organization refuses to implement them or because the complainant is dissatisfied with the outcome — subsection 14(1) permits the complainant to apply to the Federal Court "for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner's report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of that Schedule as modified or clarified by Division 1 or 1.1, in subsection 5(3) or 8(6) or (7), in section 10 or in Division 1.1."

This statutory language grants the Federal Court jurisdiction to review contraventions of the ten Fair Information Principles (the access right under Principle 4.9, the accuracy requirement under Principle 4.6, the consent principle under Principle 4.3, the limiting-use principle under Principle 4.5, and so on) as well as contraventions of the specific statutory provisions in Part 1 of PIPEDA, including the access and correction regime in section 8 and the breach-notification requirements in section 10.

Time limit for Federal Court application — subsection 14(2)

An application under section 14 must be made "within one year after the report or notification is sent or within any longer period that the Court may, either before or after the expiry of that year, allow." The one-year clock begins on the date the Commissioner sends the report of findings to the complainant (or the notification of discontinuance under section 12.2(3)). The Federal Court has discretion to extend the limitation period, but the applicant must demonstrate a reasonable explanation for the delay and that the organization will not be prejudiced. Extensions are not routinely granted; complainants who wish to preserve the right to a Federal Court hearing should file the application promptly.

Standard of review and the Federal Court's role

The Federal Court hearing under section 14 is a de novo proceeding, not a judicial review of the Commissioner's findings. Subsection 17(1) provides that applications "shall be heard and determined without delay and in a summary way unless the Court considers it inappropriate to do so." In practice, Federal Court proceedings under PIPEDA are conducted on affidavit evidence with cross-examination, followed by oral argument. The Court is not bound by the Commissioner's findings but frequently affords them considerable weight, particularly on questions of statutory interpretation and the proper application of the Fair Information Principles.

The burden of proof is on the complainant to establish, on a balance of probabilities, that the organization contravened PIPEDA. However, when the organization asserts a refusal ground under section 9 (for example, that disclosure would reveal confidential commercial information or third-party personal information), the organization bears the burden of proving that the exception applies.

Remedies available under section 16

If the Federal Court finds that the organization contravened PIPEDA, section 16 authorizes the Court to:

  • (a) "order an organization to correct its practices in order to make them conform with [Division 1 or 1.1]" — this includes orders to provide access, to correct information, to cease unauthorized collection or use, or to implement specific safeguards;
  • (b) "order an organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a)" — the purpose is both remedial and deterrent, requiring the organization to notify affected individuals and the public of the breach and the corrective measures; and
  • (c) "award damages to the complainant, including damages for any humiliation that the complainant has suffered" — this is the statutory basis for PIPEDA damages awards.

The damages power under section 16(c) is significant. The Federal Court has consistently held that PIPEDA damages are compensatory, not punitive, but that compensation includes both pecuniary loss (out-of-pocket costs, lost income, credit-repair expenses) and non-pecuniary injury in the form of humiliation, distress, and loss of dignity. The leading authority is Nammo v. TransUnion of Canada Inc., 2010 FC 1284, in which the Court stated that "humiliation" under section 16(c) includes "wounded feelings, injured dignity, emotional upset and anxiety, and hurt feelings." Awards have ranged from nominal amounts (a few hundred dollars for minor breaches involving no significant harm) to tens of thousands of dollars in cases involving serious invasions of privacy, prolonged failure to respond to access requests, or egregious organizational indifference.

In assessing damages, the Federal Court considers:

  • the nature and sensitivity of the personal information at issue (health information, financial information, and information about children attract higher damages);
  • the organization's conduct and level of culpability (whether the breach was inadvertent or deliberate, whether the organization cooperated with the OPC investigation, whether the organization implemented corrective measures promptly);
  • the duration and extent of the contravention;
  • the impact on the complainant (whether the complainant suffered financial loss, reputational harm, emotional distress, or other tangible consequences); and
  • the organization's size and resources (larger organizations with sophisticated compliance programs are held to a higher standard).

There is no statutory cap on damages under section 16(c). The OPC has recommended in submissions to Parliament that a statutory cap be introduced to bring PIPEDA into alignment with GDPR-style administrative monetary penalties, but as of June 2026 no such amendment has been enacted.

The Commissioner's role in Federal Court proceedings — section 15

Under section 15, the Privacy Commissioner may:

  • (a) apply to the Federal Court for a hearing "if the Commissioner has the consent of the complainant" — this permits the Commissioner to act as the complainant's representative;
  • (b) "appear before the Court on behalf of any complainant who has applied for a hearing under section 14"; or
  • (c) "with leave of the Court, appear as a party to any hearing applied for under section 14."

The Commissioner frequently intervenes in section 14 proceedings, either on behalf of the complainant (when the issue raises a systemic privacy concern or the complainant lacks resources to proceed alone) or as an independent party with leave of the Court (when the Commissioner's institutional expertise and perspective would assist the Court). Organizations facing a section 14 application should anticipate that the OPC may participate and should review the Commissioner's published positions on the relevant Fair Information Principles.

Costs

Federal Court proceedings under PIPEDA are subject to the Federal Courts Rules regarding costs. Subsection 17(1) states that applications "shall be heard and determined without delay and in a summary way," which in practice means that costs awards are modest and track the summary nature of the proceeding. The usual rule is that costs follow the event: the losing party pays a portion of the successful party's legal fees and disbursements. However, the Federal Court has discretion under the Federal Courts Rules to decline to award costs or to award reduced costs when a complainant brought the application in good faith on a novel or unsettled question of law, even if the application is ultimately dismissed.

Confidentiality protections in Federal Court proceedings — subsection 17(2)

Subsection 17(2) imposes a mandatory confidentiality obligation on the Federal Court: "In any proceedings arising from an application made under section 14 or 15, the Court shall take every reasonable precaution, including, when appropriate, receiving representations ex parte and conducting hearings in camera, to avoid the disclosure by the Court or any person of any information or other material that the organization would be authorized to refuse to disclose if it were requested under clause 4.9 of Schedule 1."

This provision protects third-party personal information, confidential commercial information, and other sensitive material that would be exempt from disclosure under section 9 of PIPEDA. In practice, when an organization asserts that certain records contain information exempt under section 9, the Federal Court will receive those records in camera and review them without disclosing the contents to the complainant. The Court may then order redactions or other protective measures. This balances the complainant's right to a fair hearing with the statutory protection for sensitive information.

No direct right of action — administrative complaint is mandatory

PIPEDA does not create a private right of action. Individuals cannot sue an organization for a PIPEDA violation in provincial superior court or claim PIPEDA damages in tort. The exclusive enforcement mechanism is the administrative complaint to the Privacy Commissioner under section 11 followed, if necessary, by the Federal Court application under section 14. Complainants who file a statement of claim in provincial court alleging a PIPEDA contravention will see the claim dismissed for lack of jurisdiction; the Federal Court has exclusive original jurisdiction over PIPEDA applications under the Federal Courts Act and subsection 14(1).

Interaction with provincial substantially-similar regimes

When an organization operates in a province with a private-sector privacy law that has been declared substantially similar to PIPEDA by Order in Council — Alberta's Personal Information Protection Act (PIPA), British Columbia's PIPA, and Quebec's Act respecting the protection of personal information in the private sector (and, since 2024, Quebec's Law 25 amendments) — individuals must generally file complaints under the provincial regime rather than PIPEDA. The federal exemption orders carve out organizations operating within the province for activities wholly within provincial jurisdiction, and the provincial privacy commissioners have exclusive jurisdiction over such complaints. However, if the organization's activities cross provincial or international borders (for example, a federally regulated bank or airline, or interprovincial data flows), PIPEDA applies and the complaint goes to the federal Privacy Commissioner. Practitioners should analyze the organization's regulatory status and the nature of the data flows before filing a complaint.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sections 11–17

PIPEDA complaint procedure — OPC investigation and Federal Court enforcement (sections 11–17)

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

PIPEDA establishes a two-stage enforcement mechanism for individuals whose data-subject rights have been violated. An individual may first file a complaint with the Office of the Privacy Commissioner of Canada (OPC), an independent officer of Parliament appointed under section 53 of the Privacy Act. The Privacy Commissioner investigates the complaint and issues a report of findings, but has no order-making power. If the complaint is not resolved through investigation, the individual may apply to the Federal Court under section 14 of PIPEDA for a binding order and damages. This ombudsman-then-court structure balances informal dispute resolution with judicial enforcement.

## Who may file a complaint — section 11

Subsection 11(1) grants standing to "any individual" to file a written complaint against an organization "for contravening a provision of Division 1 or 1.1 or for not following a recommendation set out in Schedule 1." Division 1 comprises PIPEDA's substantive fair information principles (Principles 4.1 through 4.9 of Schedule 1, as modified by sections 5–10 of the Act). Division 1.1 contains the breach-notification obligations added by the Digital Privacy Act in 2015. The language "any individual" has been interpreted broadly: the complainant need not be a Canadian citizen or resident, and need not be the data subject (although subsection 11(2) permits the Commissioner to decline a third-party complaint if the alleged victim does not consent).

The complaint must be in writing. The OPC provides an online complaint form and accepts complaints by mail, fax, or email. There is no filing fee.

Subsection 11(2) grants the Privacy Commissioner the power to initiate a complaint ex proprio motu (on the Commissioner's own initiative) "if the Commissioner is satisfied that there are reasonable grounds to investigate a matter under this Part." Commissioner-initiated complaints are rare but have been used in systemic investigations and where the OPC becomes aware of widespread non-compliance through other means (such as breach notifications under section 10.1).

## Time limit for access-refusal complaints — subsection 11(3)

Subsection 11(3) imposes a six-month limitation period for complaints "that result from the refusal to grant a request under section 8" (access requests under Principle 4.9). The six months run from the date of the refusal or "the expiry of the time limit for responding to the request" under subsection 8(3) (the 30-day or extended deadline), whichever is later. The Commissioner has discretion to accept a late-filed access complaint if the individual shows good cause for the delay. For non-access complaints (complaints alleging improper collection, use, disclosure, retention, or breach of any other principle), subsection 11(3) does not apply. However, the Commissioner retains discretion under paragraph 12(1)(c) to decline to investigate a complaint "not filed within a reasonable period after the day on which the subject matter of the complaint arose." The OPC has stated that what constitutes a "reasonable period" depends on the circumstances, including whether the individual had actual knowledge of the alleged contravention at the time it occurred.

## Notice to the organization — subsection 11(4)

Subsection 11(4) requires the Commissioner to "give notice of a complaint to the organization against which the complaint was made." The organization is referred to as the "respondent" in OPC practice. Notice triggers the organization's obligation to respond and participate in the investigation. The OPC's Organizations' Guide to Complaint Investigations states that the investigator will outline the substance of the complaint in writing and request the organization to designate a representative, respond to the allegations, and produce relevant documentation (policies, records, logs).

## Commissioner's discretion to refuse or discontinue investigation — sections 12 and 12.2

Section 12(1) permits the Commissioner to decline to investigate a complaint if any of the following apply:

  • (a) The complaint is trivial, frivolous, vexatious, or made in bad faith;
  • (b) The complaint could more appropriately be dealt with by another procedure under federal or provincial law (for example, a complaint that overlaps with the jurisdiction of a provincial privacy commissioner in a "substantially similar" province such as Alberta, British Columbia, or Quebec);
  • (c) The complaint was not filed within a reasonable period after the subject matter arose (as discussed above).

These are discretionary grounds. The Commissioner is not required to refuse even if a ground applies. The OPC has stated that paragraph 12(1)(a) is applied narrowly; general dissatisfaction with an organization's practices or multiple complaints from the same individual do not automatically render a complaint vexatious.

Section 12.2 permits the Commissioner to discontinue an investigation that has already commenced if the Commissioner forms the opinion that any of the subsection 12(1) grounds apply or if the matter is being or has been addressed under another procedure. Subsection 12.2(3) requires the Commissioner to notify the complainant and the organization in writing if an investigation is discontinued and to provide reasons for the decision. A complainant who receives a discontinuance notice under subsection 12.2(3) may apply to the Federal Court under subsection 14(1) (the subsection explicitly permits a Court application "after … being notified under subsection 12.2(3) that the investigation of the complaint has been discontinued").

## Investigative powers — section 12.1

Section 12.1(1) grants the Commissioner or a delegate broad investigative powers, including the power to:

  • Summon and examine witnesses under oath;
  • Compel the production of documents and things;
  • Enter any premises (other than a dwelling) where the Commissioner believes on reasonable grounds that records relevant to the investigation are located;
  • Examine and make copies of records.

These powers are subject to procedural safeguards. Subsection 12.1(5) requires the Commissioner to issue a certificate of delegation to any person exercising entry powers, and the delegate must produce the certificate on request to the person in charge of the premises.

Subsection 12.1(2) authorizes the Commissioner to "attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation." The OPC's guidance states that the investigation process is "cooperative and conciliatory" and that many complaints are resolved informally before a formal report of findings is issued. Organizations frequently agree to correct practices, update policies, or provide access to information during the investigation, and the Commissioner will close the file if the complainant is satisfied with the outcome.

## One-year deadline for the Commissioner's report — section 13

Subsection 13(1) requires the Commissioner to prepare a report within one year after the complaint is filed or initiated by the Commissioner. The one-year period is mandatory but the statute provides no remedy for late reports; the Commissioner cannot be compelled to meet the deadline, and delays do not vitiate the investigation or deprive the individual of the right to apply to the Federal Court. The OPC's Guide to the PIPEDA Complaint Process acknowledges that the one-year timeline may be extended by the complexity of the case, the number of issues, the level of cooperation from the parties, and opportunities for early resolution.

The report must contain:

  • (a) The Commissioner's findings and recommendations;
  • (b) Any settlement reached by the parties during the investigation;
  • (c) If appropriate, a request that the organization give the Commissioner, within a specified time, notice of any action taken or proposed to implement the recommendations or reasons why no action has been or will be taken; and
  • (d) The recourse available under section 14 (the individual's right to apply to the Federal Court).

The Commissioner's findings are styled as "well-founded," "not well-founded," or "resolved." A finding that a complaint is well-founded means the Commissioner is satisfied that the organization contravened a provision of PIPEDA. A "resolved" finding means the complaint was substantiated but the organization took corrective action during the investigation and the complainant accepted the outcome. The Commissioner's report is sent to both the complainant and the organization.

The Commissioner's recommendations are not binding. As an ombudsman, the Commissioner cannot order an organization to take any action, impose fines, or award damages. The OPC's guidance states: "The Commissioner cannot impose fines for contraventions. However, the Federal Court, which is the next level of review, has the power to award damages to a complainant." Recommendations commonly include directives to provide access, correct information, amend policies, implement training, or cease a specified practice. Organizations that refuse to implement recommendations risk Federal Court proceedings under section 14 or, in egregious cases, a compliance agreement under section 17.1.

## Compliance agreements — section 17.1

Subsection 17.1(1) authorizes the Commissioner to enter into a compliance agreement with an organization if the Commissioner "believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit an act or omission that could constitute a contravention" of PIPEDA. The compliance agreement is "aimed at ensuring compliance" and may contain any terms the Commissioner considers necessary (subsection 17.1(2)). Compliance agreements are enforceable by the Federal Court; if an organization breaches a compliance agreement, the Commissioner or the individual may apply to the Court for enforcement. Compliance agreements are published on the OPC's website.

## Federal Court application by the complainant — section 14

Subsection 14(1) grants the complainant the right to apply to the Federal Court for a hearing "after receiving the Commissioner's report or being notified under subsection 12.2(3) that the investigation of the complaint has been discontinued." The application must concern "any matter in respect of which the complaint was made, or that is referred to in the Commissioner's report," and must relate to one of the enumerated Principles in Schedule 1 (clauses 4.1.3, 4.2, 4.3.3, 4.4, 4.5, 4.6, 4.7, 4.8, or 4.9, as modified or clarified by Divisions 1 or 1.1).

The time limit for a Federal Court application is not prescribed by section 14 itself, but is set by the Federal Courts Rules at 45 days from the date the complainant receives the Commissioner's report (this is the general deadline for judicial review applications under the Federal Courts Act). The Federal Court has discretion to extend the deadline on motion if the complainant shows good cause.

The complainant is not required to obtain the Commissioner's consent or support to apply to the Federal Court. The Commissioner's report is not binding on the Court. The Court conducts a de novo hearing (a fresh hearing on the merits), not a judicial review of the Commissioner's decision. The Court may reach conclusions different from the Commissioner's findings.

## Federal Court application or intervention by the Commissioner — section 15

Section 15 grants the Commissioner three distinct roles in Federal Court proceedings:

  • (a) The Commissioner may apply to the Federal Court for a hearing on the same matters available to the complainant under section 14, provided the Commissioner has the consent of the complainant. This provision allows the Commissioner to litigate test cases or systemic issues where the individual lacks resources or wishes the Commissioner to act as the party.
  • (b) The Commissioner may appear before the Court on behalf of any complainant who has applied for a hearing under section 14. This is a supportive role; the individual remains the applicant.
  • (c) The Commissioner may, with leave of the Court, appear as a party to any hearing applied for under section 14. This allows the Commissioner to intervene even when the Commissioner is not representing the complainant, for example to provide the Court with the Commissioner's interpretation of PIPEDA or to present systemic evidence.

In practice, the Commissioner frequently appears under paragraph 15(c) as an intervener in significant Federal Court cases, particularly those that raise novel statutory interpretation issues.

## Federal Court remedies — section 16

If the Federal Court is satisfied that the organization has contravened PIPEDA, section 16 authorizes the Court to:

  • (a) Order the organization to correct its practices in order to comply with the Act;
  • (b) Order the organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not the Court has ordered correction under paragraph (a); and
  • (c) Award damages to the complainant, including damages for any humiliation that the complainant has suffered.

Paragraph 16(c) creates a private right of action for damages, unique among Canadian privacy statutes (the Privacy Act does not contain an equivalent damages provision). The damages provision has been interpreted to include both pecuniary damages (out-of-pocket losses, lost opportunity costs) and non-pecuniary damages for humiliation. In Nammo v. TransUnion of Canada Inc., 2010 FC 1284, the Federal Court stated that damages for humiliation under paragraph 16(c) are compensatory, not punitive, and that the Court should consider the nature of the contravention, the organization's response, and the impact on the individual. Awards for humiliation have ranged from nominal amounts to several thousand dollars in cases involving refusal of access to sensitive personal information or prolonged organizational intransigence.

The Court's power to order publication under paragraph 16(b) is designed to provide both specific and general deterrence. Publication orders have required organizations to post corrective notices on their websites, inform affected individuals of changes to privacy policies, and publish summaries of the Court's findings in industry newsletters.

## Summary procedure — section 17

Subsection 17(1) provides that Federal Court applications under section 14 or 15 "shall be heard and determined without delay and in a summary way unless the Court considers it inappropriate to do so." This language directs the Court to use an expedited process similar to judicial review proceedings, rather than a full civil trial. In practice, most PIPEDA Federal Court applications are decided on the basis of affidavit evidence and written submissions, with limited oral hearing. The summary-procedure requirement reflects the ombudsman model: the Commissioner's investigation has already developed a factual record, and the Court is reviewing compliance with statutory obligations, not adjudicating complex factual or credibility disputes.

Subsection 17(2) requires the Court to "take every reasonable precaution, including, when appropriate, receiving representations ex parte and conducting hearings in camera, to avoid the disclosure by the Court or any person of any information or other material that the organization would be authorized to refuse to disclose if it were requested under clause 4.9 of Schedule 1." This provision protects third-party personal information, solicitor-client privilege, confidential commercial information, and the other refusal grounds enumerated in section 9 of PIPEDA. The Court may review disputed material in camera (without the complainant present) to determine whether it is properly withheld, a procedure analogous to the Vaughn index process under access-to-information law.

## No direct private right of action without the OPC complaint process

PIPEDA does not permit an individual to bypass the OPC and file a lawsuit directly in the Federal Court or a provincial superior court for breach of PIPEDA. The Federal Court's jurisdiction under section 14 is contingent on the complainant having first filed a complaint with the OPC and either received the Commissioner's report or been notified that the investigation has been discontinued. This exhaustion requirement ensures that the Commissioner has an opportunity to investigate, mediate, and potentially resolve the matter before litigation. However, nothing in PIPEDA precludes an individual from pursuing common-law or statutory tort claims (such as intrusion upon seclusion, breach of confidence, or negligence) in provincial superior courts on the same underlying facts. The Federal Court's exclusive jurisdiction under section 14 extends only to claims for breach of PIPEDA itself, not to parallel common-law or provincial-statute claims.

## OPC enforcement statistics and practice

The OPC publishes annual statistics on complaint volumes, investigation timelines, and outcomes. In recent years, the OPC has received approximately 600–800 PIPEDA complaints annually (this figure excludes breach notifications under section 10.1, which are reported separately). The majority of complaints concern access requests (refusal or delay), followed by complaints about improper collection, use, or disclosure, and inadequate safeguards. A significant portion of complaints are resolved informally through the OPC's early-resolution process or mediation, without a formal report of findings. Fewer than 5% of PIPEDA complaints proceed to Federal Court litigation.

The OPC's published case summaries — anonymized reports of investigation findings — serve as persuasive interpretive guidance for organizations and practitioners. The summaries are organized by PIPEDA principle and are searchable on the OPC website at priv.gc.ca. While not binding precedent, they reflect the Commissioner's consistent enforcement positions and are frequently cited by the Federal Court in PIPEDA decisions.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sections 11–17
Source: Guide to the PIPEDA complaint process, Office of the Privacy Commissioner of Canada
Source: Organizations' Guide to Complaint Investigations under PIPEDA, Office of the Privacy Commissioner of Canada

Deletion requests and retention limits — PIPEDA Principle 4.5 mandatory destruction obligation

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

PIPEDA imposes a mandatory duty on organizations to destroy, erase, or anonymize personal information once it is no longer required for the purposes for which it was collected. This obligation is established in Principle 4.5 of Schedule 1 to PIPEDA and operates as both a proactive data-minimization requirement and a mechanism enabling individuals to request deletion of their information when the retention purpose has lapsed. Unlike the GDPR's explicit "right to erasure" under Article 17, PIPEDA does not create a standalone deletion right; instead, the deletion obligation flows from the intersection of Principle 4.5 (limiting retention), Principle 4.3.8 (withdrawal of consent), and the overarching accountability principle in Principle 4.1.

Statutory text — Principle 4.5 retention and destruction

Principle 4.5 states: "Personal information shall be retained only as long as necessary for the fulfilment of [the identified] purposes." Principle 4.5.2 mandates that organizations "develop guidelines and implement procedures with respect to the retention of personal information," including "minimum and maximum retention periods." Principle 4.5.3 imposes the destruction obligation: "Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous."

Although Principle 4.5.3 uses the word "should" rather than "shall," the Office of the Privacy Commissioner of Canada (OPC) has consistently interpreted this as a mandatory requirement, not a discretionary best practice. The OPC's 2014 guidance document Personal Information Retention and Disposal: Principles and Best Practices states that "personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information." The Commissioner has found organizations in contravention of Principle 4.5 when they retain information beyond the period necessary for its stated purpose without a legal or business justification.

Deletion requests — how PIPEDA treats them

PIPEDA does not use the term "deletion request" in the statute. However, when an individual asks an organization to delete their personal information, the OPC reframes the request as either:

  1. A withdrawal of consent under Principle 4.3.8 (if the processing was consent-based and the individual is withdrawing that consent going forward); or
  2. A challenge to the organization's compliance with Principle 4.5 (if the individual asserts that the information is no longer necessary for the identified purposes and should already have been destroyed).

In PIPEDA Case Summary #2017-005, an individual requested deletion of his personal information from an automobile insurance company after the insurance relationship ended. The company refused, stating that it retained the information to provide insurance history to other insurers. The OPC reframed the request as a withdrawal of consent under Principle 4.3.8. After the OPC's intervention, the company confirmed it had no legal requirement to retain the information and deleted it from its systems. The OPC found the complaint well-founded and resolved, establishing that when an individual withdraws consent and the organization has no retention obligation under Principle 4.5.2, the organization must delete the information, not merely stop using it.

In the 2026 PIPEDA Findings #2026-001 (Loblaw PC Optimum investigation), the OPC investigated complaints that individuals were unable to delete their loyalty-program accounts and that Loblaw was unresponsive to deletion requests. The OPC found that upon account closure, Loblaw deleted only the personal identifiers (name, email, phone number, address) while retaining purchase transaction data indefinitely. The OPC held that organizations must establish retention schedules for the deletion of records as required by Principle 4.5.2 and that retaining information indefinitely without a documented retention purpose contravenes PIPEDA. Loblaw committed to enhancing its procedures to ensure timely deletion.

The "only as long as necessary" standard — purpose-relative retention

The retention limit in Principle 4.5 is purpose-relative, not calendar-based. Organizations must retain personal information "only as long as necessary for the fulfilment of [the identified] purposes" for which it was collected. The OPC's 2014 retention guidance states: "A specifically identified purpose is often a clear indicator of how long this information needs to be retained. There is no 'one size fits all' retention period."

Organizations must document the purposes for which personal information is collected (Principle 4.2) and then establish maximum retention periods tied to those purposes. For example:

  • Transaction records for order fulfillment: retention is necessary only until the goods are delivered, any warranty or return period expires, and any payment dispute is resolved (typically months, not years).
  • Marketing contact information: retention is necessary only while the individual's consent to marketing remains valid. Once consent is withdrawn under Principle 4.3.8, the purpose lapses and Principle 4.5 requires deletion.
  • Employee records: retention may be necessary for employment-standards compliance, tax reporting, or pension administration, and must comply with applicable provincial and federal record-retention statutes.

Principle 4.5.1 provides that "personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made." This ensures individuals can exercise their access and correction rights under Principle 4.9 even after the primary processing purpose is complete. However, once the access window has closed (and any complaint or litigation period has expired), the retention purpose ends and the destruction obligation in Principle 4.5.3 applies.

Legal retention requirements and the interaction with Principle 4.5

Principle 4.5.2 recognizes that "an organization may be subject to legislative requirements with respect to retention periods." When a statute, regulation, or court order mandates retention, that legal requirement constitutes an ongoing purpose for retention under Principle 4.5, and the organization may (and must) retain the information until the legal obligation ends.

Common legal retention requirements in Canada include:

  • Tax records: The Income Tax Act requires businesses to retain books and records for six years from the end of the last tax year to which they relate (subsection 230(4)).
  • Anti-money laundering records: The Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its regulations require financial institutions to retain records of certain transactions and client identification for five years.
  • Employment records: Provincial employment standards statutes and federal labour laws impose retention periods ranging from three to seven years for payroll, hours-of-work, and termination records.
  • Litigation holds: When personal information is or may become relevant to pending or anticipated litigation, arbitration, or regulatory proceedings, the organization must preserve the information until the matter is resolved and all appeals are exhausted.
  • Statutory limitation periods: Organizations may retain information for the duration of any applicable limitation period (e.g., two years for most provincial consumer-protection claims, six years for contract claims) to defend against potential litigation. However, the OPC has cautioned that retention solely for speculative future litigation is not a valid purpose under Principle 4.5; the organization must demonstrate a reasonable expectation of a claim.

Once the legal retention period expires, the organization must move to destroy the information in accordance with Principle 4.5.3. Retaining information beyond the statutory retention period without a documented business or legal justification is a contravention of PIPEDA.

Mandatory procedures for destruction — Principle 4.5.3 and OPC guidance

Principle 4.5.3 requires that personal information no longer required "should be destroyed, erased, or made anonymous." Principle 4.7.5 specifies that "care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information." Organizations must implement secure destruction methods proportionate to the sensitivity of the information.

The OPC's 2014 retention guidance identifies three tiers of destruction methods:

  1. Clearing (for low-to-moderate sensitivity information): deleting information using methods that resist simple recovery methods, such as data-recovery utilities and keystroke-recovery attempts. One method for clearing media is overwriting, which can be done using software and hardware products that overwrite the media with non-sensitive data.
  2. Purging (for moderate-to-high sensitivity information): degaussing, in which magnetic media are exposed to a strong magnetic field to make data unrecoverable. This can be used to protect against more robust data-recovery attempts, such as a laboratory attack using specialized tools (for example, signal processing equipment). Degaussing cannot be used to purge nonmagnetic media, such as CDs or DVDs.
  3. Physical destruction (for highly sensitive information or when other methods are impracticable): shredding paper records; incinerating or pulverizing hard drives, optical media, and solid-state storage.

The OPC has stated that "while the chosen disposal method depends greatly on the type of media used to store the personal information, an organization must also consider the information's sensitivity and the context. For example, is the personal information of a particularly sensitive nature?" Organizations that fail to implement secure destruction procedures and suffer a breach during disposal (such as discarding unshredded credit-card applications or failing to wipe hard drives before recycling computers) have been found in contravention of Principles 4.5.3 and 4.7.5.

No obligation to retrieve information from third parties after lawful disclosure

When an organization has lawfully disclosed personal information to third parties (such as affiliates, service providers, or credit bureaus) and later receives a deletion request, the organization is not strictly required to retrieve or delete the information from the third party's systems. Subsection 4.1.3 of Schedule 1 provides that "an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing." However, the OPC has held that this accountability obligation does not create a duty to "claw back" information that was lawfully disclosed prior to the deletion request.

In PIPEDA Case Summary #2017-005, the OPC stated: "Under PIPEDA, an organization does not have to ensure that an individual's personal information is deleted from a third-party's records if the information has already been lawfully disclosed." The organization is responsible for deleting the information in its own possession or custody and for ceasing any further disclosures to third parties, but it is not liable for the third party's retention practices once the disclosure was complete.

That said, the OPC expects organizations to take reasonable steps to notify third parties of a deletion request when the third party is acting as the organization's service provider (a "processor" in GDPR terms) rather than as an independent data controller. In PIPEDA Case Summary #2003-116, the OPC found that a bank's failure to propagate a customer's withdrawal of consent to its affiliates and subsidiaries contravened PIPEDA, stating that "not only must an organization provide an opportunity for its customers to withdraw consent, it must also ensure that such withdrawal, where expressed, is also communicated to related businesses, affiliates and subsidiaries" when those entities are processing the information on behalf of the organization.

Retention during pending access requests or complaints — subsection 8(8)

Subsection 8(8) of PIPEDA creates a mandatory retention override once an access request or complaint is filed: "An organization that has personal information that is the subject of a request [under section 8] shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have." This obligation applies from the moment the organization receives an access request and continues until the individual has exhausted all complaint and court-review procedures available under Part 1 of PIPEDA.

In PIPEDA Case Summary #2010-003, a telecommunications company deleted audio recordings of customer service calls in accordance with its six-month retention policy after the individual had filed an access request but before the organization responded. The OPC found the company in contravention of subsection 8(8), stating: "For personal information contained within a specific access request, organizations should consider, and where necessary, override their regular deletion/retention practices until such time as the individual has exhausted any recourse under the Act to get access to that information." The organization was required to improve its policies to preserve responsive information once an access request is received, even if the information would otherwise be subject to automated deletion.

Organizations must implement litigation holds or similar preservation protocols to ensure that information responsive to an access request, correction request, or complaint is not deleted during the pendency of the matter. This includes audio and video recordings that would otherwise be deleted under routine retention schedules.
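The preservation override described above can be enforced inside the automated deletion job itself. The following is an added example, not code from the OPC or from any organization named on this page; the record and hold fields, the per-subject scope of a hold, and the 180-day figure (standing in for a six-month schedule) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    purpose_ended: date      # when the identified purpose lapsed (Principle 4.5)
    max_retention_days: int  # from the documented schedule (Principle 4.5.2)

@dataclass(frozen=True)
class Hold:
    subject_id: str
    reason: str                    # "access_request", "complaint", "litigation"
    opened: date
    closed: Optional[date] = None  # None until all recourse is exhausted

def active_hold(record, holds, today):
    """Return the first hold still open for this record's subject, if any."""
    for h in holds:
        if (h.subject_id == record.subject_id and h.opened <= today
                and (h.closed is None or h.closed > today)):
            return h
    return None

def plan_disposal(records, holds, today):
    """Decide per record: a hold always wins over an expired schedule."""
    plan = {}
    for r in records:
        due = r.purpose_ended + timedelta(days=r.max_retention_days)
        hold = active_hold(r, holds, today)
        if hold is not None:
            plan[r.record_id] = ("retain", f"hold:{hold.reason}")
        elif today >= due:
            plan[r.record_id] = ("destroy", f"retention expired {due.isoformat()}")
        else:
            plan[r.record_id] = ("retain", f"within schedule until {due.isoformat()}")
    return plan

# Constructed sample data: call recordings on a 180-day schedule.
RECORDS = [
    Record("call-A", "s1", date(2025, 11, 1), 180),  # access request pending
    Record("call-B", "s2", date(2025, 11, 1), 180),  # expired, no hold
    Record("call-C", "s3", date(2026, 3, 1), 180),   # still within schedule
    Record("call-D", "s4", date(2025, 11, 1), 180),  # hold already closed
]
HOLDS = [
    Hold("s1", "access_request", date(2026, 4, 15)),
    Hold("s4", "complaint", date(2026, 1, 10), closed=date(2026, 5, 1)),
]

def demo():
    return plan_disposal(RECORDS, HOLDS, today=date(2026, 6, 2))
```

Scoping the hold to the whole data subject is broader than the request-specific information the OPC refers to, which keeps the job from deleting responsive records that were not individually tagged.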

Complaint and enforcement

Individuals who believe an organization is retaining their personal information longer than necessary, or who have requested deletion and been refused, may file a complaint with the Privacy Commissioner under subsection 11(1) of PIPEDA. The Commissioner will investigate and may issue findings. If the matter is not resolved, the individual may apply to the Federal Court for a hearing under section 14 of PIPEDA, and the Court may order the organization to comply and award damages under section 16, including damages for humiliation if the organization's conduct was knowing or reckless.

The OPC has issued numerous findings of non-compliance involving inadequate retention schedules, failure to respond to deletion requests, and retention of information beyond the purposes for which it was collected. Organizations that fail to document retention purposes, establish maximum retention periods, or implement secure destruction procedures face reputational harm, Commissioner findings, and potential court-ordered remediation.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Schedule 1, Principle 4.5
Source: Personal Information Retention and Disposal: Principles and Best Practices, Office of the Privacy Commissioner of Canada
Source: PIPEDA Case Summary #2017-005: Insurance company required to delete individual's personal information after individual withdraws consent, Office of the Privacy Commissioner of Canada
Source: PIPEDA Findings #2026-001: Investigation into the personal information retention practices of Loblaw for the PC Optimum Loyalty Program, Office of the Privacy Commissioner of Canada
Source: PIPEDA Case Summary #2010-003: Poor response to customer's access requests causes unnecessary deletion of his personal information, Office of the Privacy Commissioner of Canada
Source: PIPEDA Fair Information Principle 5 – Limiting Use, Disclosure, and Retention, Office of the Privacy Commissioner of Canada